After a long break, here’s myth #5: Red team it, and they will listen. If only it were that simple! Unfortunately, there’s much more to red teaming than just thinking clever thoughts. In order for the practice of red teaming to fulfill its potential, the following chain of functions must be completed.
- The red team must (a) adequately understand the system or situation of interest, (b) understand how the adversary or competitor of interest thinks, (c) effectively red team the system or situation, and (d) effectively communicate the team’s findings.
- In turn, the customer must (a) listen to the red team, (b) understand what the red team is saying, and (c) possess the will and authority to make a difference.
If any link in this chain fails, the practice fails.
While we tend to focus on thinking clever thoughts, we must not overlook the importance of culture and communication, particularly the culture of the customer. If it’s one that suppresses contrarian ideas, red teaming will tend to be either ignored or co-opted. While the typical red team for hire might say “The customer’s culture is the customer’s business,” a superior red team will factor the culture into its presentation.
An enterprise seeking to build an internal red teaming capability must think carefully about the culture in which its red team will operate. It’s one thing for management to want the capability; it’s another thing entirely for management to listen openly to important findings it would rather ignore. For more on culture and red teaming, see our recent post “Red Teaming and ‘The Library of Babel.’”