This post complements the recent RTJ post on the ongoing need for strategic red teaming within the commercial enterprise. In that post we emphasized the importance of hiring a strategic red team leader, someone to motivate, guide, and marshal the enterprise’s strategic red teaming capability. In this post we emphasize the interconnected nature of systems security, and, as a result, the need to adopt a strategic point of view.
The diagram below summarizes at least a portion of the relevant interconnections. Note how cybersecurity—the traditional focus of corporate red teaming—links both upstream and downstream to other elements of security and preparedness.
For example, weak cybersecurity can undermine
- personnel security (and vice versa),
- OPSEC (and vice versa),
- supply chain security (and vice versa),
- business continuity (and vice versa),
- physical security (and vice versa),
- and so on.
Note as well how sources of uncertainty influence the equation, despite our natural inclination to minimize them. These sources of uncertainty include the insider threat, poor decisions (which probably looked good at the time), luck, misperception, attrition, and so on. The systems-aware red teamer considers each of these (and others) when exploring the sources of risk to the complete enterprise system.
If you doubt the relevance of the strategic, systemic view, just review the public post-attack narratives of major security breaches and notice how adversaries tend to bootstrap, leverage, and exploit weaknesses in the system as a whole. In fact, we view this imbalance between attacker and defender perspectives as a major reason why commercial enterprises continue to play “catch up” in the security race. As we’ve been saying for years, prudent, responsible red teaming can help, but only when it approximates the perspectives of real-world adversaries, who often grasp the immanent “opportunities” in a complex operational system more readily than the defenders grasp the systemic risks.