Red teaming is the practice of viewing a problem from an adversary or competitor’s perspective.1 For most businesses, it surfaces as a method of enhancing cybersecurity (and so it is), but it’s potentially much more. After all, the practice itself is agnostic; a business can aim it at just about any issue, from cybersecurity to proposals to strategic plans to competitive analysis–each is worth a second look from the red teamer’s critical eye.
Red teaming is particularly suited to business strategy and planning because red teams characteristically adopt the perspective of an adversary (the bad guy). Few businesses have adversaries in the traditional military sense, but nearly all have competitors and more and more face constant probing from online criminals and faceless hacktivists. Fortunately, it’s possible to switch hats and red team from the perspective of a competitor rather than a traditional adversary.
So, how might a business use red teaming in this broad sense, and how might it benefit from the practice? A good place to start answering this question is Carroll and Mui’s 2008 book Billion Dollar Lessons. In it, the authors cite several instances in which businesses lost at least a billion dollars. Interestingly enough, one of their proposed remedies is to institute the practice of devil’s advocacy, a close cousin of red teaming which some consider to be the same practice with a different name.
Another way to answer these questions is to run a simple thought exercise. Consider a decision in your company that went wrong. Ask yourself why it went wrong (which is harder to answer than you might think, even in hindsight). Did you overlook your customers’ preferences? Did you underestimate your competitors’ ability to adapt? Did you overestimate your ability to deliver on your marketing promises? Did your core market shift beneath you? Now, posit how a red team might have led your company to a better decision. Would a good red team have challenged that faulty assertion or questioned that rush to market? Maybe–and that maybe could be worth a lot.
Red teaming’s not a silver bullet, certainly, but it is a hedge against poor, rushed, and overconfident decision making. (Of course no one ever thinks, “I’m a poor, rushed, and overconfident decision maker, so this is going to go well!”) Red teaming’s arguably of most use when all signs are good and the stakes are high–the times when you’re most tempted to dash to the finish and one of the times when you’re most susceptible to surprise. Consider the possibility that it’s also when your competitor is most susceptible to surprise; your red team may be able to identify opportunities as well as risks. Either way, a red team is almost always a good bet. For big decisions, the cost of maintaining the team is usually a fraction of the cost of failure or the reward of success.2
That said, red teaming is an exercise in caveats, and red teaming should always be applied judiciously. Not every issue or question is usefully red teamed, and poor red teaming can do more harm than good. Further, not everyone–even when trained–is a good red teamer, and even good red teamers have blind spots and biases. In fact, red teamers and red teams can themselves become quite arrogant. And this is just a start. Real-world red teams have to juggle a variety of stakeholder concerns, process and method issues, and plain old project management tasks.
Here’s the bottom line: red teaming is a good bet when done well, and to do it well, you need to approach it prudently. It won’t solve all your problems, and it could introduce new ones. You should tap into experienced red teamers from the start and always aim your red team at the most appropriate issues. If you do that, you might just ask the right questions, get the right answers, and truly secure your business.
- See a more complete discussion here. [↩]
- Red teaming is also a potentially useful tool for public decision makers, although I suspect that it’s the rare public official who’s willing to submit his or her plan to a well-informed red team. One could argue that the opposition party is the red team, but that belies an understanding of good, objective red teaming. Red teaming used for factional ends is no longer red teaming and should itself be red teamed. [↩]