Advice for Leaders—Think Like Your Adversary

Advice for a Cybersecurity Leader

How do cyber bad actors, a.k.a., our adversaries, think? Easy, like the rest of us. Well, with a slightly different optic. If you're leading an organization, you are charged with staying one step ahead of your adversaries — your data, earnings, and business future depend on it. My advice: Think like your adversary.

The more you can train yourself to think like your adversary, the more you'll be able to access the range of potential vulnerabilities they see in your company. This will guide you in devising effective defensive countermeasures unique to your needs.

Easy, right?! Well, maybe. Let's take a closer look at how it plays out in practice.

Getting in the right mindset: The burglar analogy

When I give presentations about effective cybersecurity defense, I like to begin with an interactive mental exercise. I ask the audience to assume the role of a burglar. First, I show four different homes. As a group, we discuss the pros and cons of each home from the mindset of a burglar. We talk about perimeter security, the pattern of life, police response time, entry points, egress routes, etc. The more we go on, the more we think and feel like burglars.

Cost-benefit analysis

Thinking through these topics leads to the crux of the exercise: How the burglar works through cost-benefit analysis. We all understand this concept: Is the risk worth the reward? It's a simple, elegant way of thinking because it applies to our professional lives (justifying costs) and personal lives (things to buy, activities to do). But most of us probably think about it positively: saving money, ensuring security, and achieving big goals that help people. How many of us see it as a way to do harm?

From theoretical to practical: Surprising results

As my audience members work the exercise, the cost-benefit analysis from the perspective of their adversary helps them see themselves differently. It forces them to ask questions like: If I wanted to rob a house, how would I actually do it? 

At the end of the exercise, I compare robbing a house to hacking a network. Hackers go through the same activity that thieves do. Why? Because that's what a hacker is: a thief. The audience then starts to think, "If I wanted to hack a company to steal its money and data, what would be the easiest and most effective way to do it?" I use this exercise because it allows the audience to see the situation (an "opportunity," from the vantage point of their adversary) through the mind of the bad actor.

As a leader, you should focus on the same critical topics in my burglar exercise when it comes to your organization: Perimeter security, the pattern of life, police response time, entry points, and egress routes, with the underlying thought of whether all the risks contained in these elements will be worth the reward to a bad actor. Depending on your company, the exercise will vary because every organization possesses a different value proposition to various bad actors. For example, an ice cream manufacturer will have a lower value proposition than a large financial institution to most bad actors. Right? Well…

Key Observation

No matter the particulars of your company (size, earnings, industry, location, etc.), a cyber bad actor will find something of value within it.

Therein lies the surprise. I have been doing this exercise in this presentation for years, and every single time, someone in the group always picks at least one of the homes (there is never a consensus). In other words, no matter the particulars of your company (size, earnings, industry, location, etc.), a cyber bad actor will find something of value within it. If you determine there is enough value to start a business, sell a service, or launch an idea, bad actors will see that value too. To them, it also holds importance. It is an opportunity to make money, gather intel, or wreak havoc. This is why, as a leader, you must devise effective defensive countermeasures unique to your needs.

What are those countermeasures? Let's identify four highly effective ones that every leader should consider.

4 countermeasures to consider

1. Hire personnel with first-hand experience in addressing the threat

When you understand the threat from your adversary's perspective, you develop a new appreciation for the unique range of skills you need to defend your company. As you build a cybersecurity team, you want to hire a variety of experts who will work together cohesively. Here are some professions to recruit from: Incident responders, federal law enforcement personnel (with cyber expertise), threat hunters, US military personnel (with cyber expertise), and white-hat researchers. 

"Cyber expertise" is too general; it comes in many varieties. Notice how in this list, "cyber expertise" is a skill within a person's professional experience, not a primary qualification itself. The objective is to find someone with that skill who is actively deploying it professionally. For example, if you were to hire an FBI Special Agent, you should hire one who investigates cyber bad actors instead of terrorist cells.

2. Implement an effective employee training program

A security awareness training program is critical for keeping your company safe. Think about it from the perspective of your adversary:

“Hmm, how am I going to get into their network? Well, they have pretty solid defenses… but I bet they are behind on software updates. Let’s see if I am right. The end of the month is the perfect time to slip a phishing email into their system and catch a few busy employees off guard. If they fall for it, then I will see if the latest exploit I have works. Here goes nothing!” 

Would you rather your employees be your greatest threat or, if adequately trained, your greatest asset?

No matter how dedicated they are, they should never be too busy to undergo cybersecurity training. In fact, you should treat training as a critical component of work, not some annoying decree from HR, and you don't need to develop an in-house solution yourself. There are solid off-the-shelf options out there. I'm partial to Curricula's stylish, hilarious musings, and KnowBe4 is good too. 

The most important thing? Don't make it boring. Otherwise, employees will tune it out, get annoyed by it, and the whole thing will backfire, making you less secure.

3. Rely on software solutions to assist in identifying threats

Your company might already utilize dozens of software solutions and cybersecurity defenses with varying degrees of depth and scope (such as endpoint protection, advanced intrusion detection systems, or the zero-trust model). Ideally, your software solutions should seamlessly work together to create a secure environment that can flex and scale as you grow. This doesn't happen overnight or without thoughtful oversight. Plus, every company is different; one size doesn't fit all.

You need to hire the right personnel and empower them to create the right plan for you and your company. They will help you determine an ideal software mix for your unique situation. However, you'll have to rely on outside counsel (like a consultant or a trusted advisor) if it is just you.

4. Ensure your partners are reputable and prioritize security

This is easier said than done. As you build out your supply chain, you must consider security threats to those partner organizations (including vendors) as a significant potential vulnerability to your organization. Suppose one of your valued partners suddenly races to market to solve a new problem with little thought about whether your data will be exposed. How will you handle this new risk? Or what if you source materials from a company in a country where their government essentially owns and operates said company? What if that government enters a global conflict and forbids your partner company from exporting goods or services to foreign organizations, including you? Could you adjust? 

If this sounds too hypothetical, consider the breach at cloud computing giant Rackspace. Rackspace was hit by a ransomware attack that left many of its customers without access to email. Imagine you were one of their customers. What might this look like to you? According to news reports, you would be without access to your data, including archived email, contacts, and calendar items. How would you adjust? Would you reconsider that partnership?

You can circumvent many issues by being proactive early, before you enter into any formal agreement. You should do things like:

  • Ask trusted people their opinions on the proposed partner organization

  • Ask pointed due diligence questions to the proposed partner about their cybersecurity program (assuming they have one)

  • Read their terms and conditions to see how they handle cyber incidents

  • Research where the proposed partner is physically located (including where their data storage facilities are located) and seek guidance on cybersecurity reporting requirements in said locations

Those are just a few things you can do. Again, this is where your team (or outside counsel) will come in and help you think through this process.

By partnering accordingly, you can mitigate supply chain risks before they affect your organization.

Conclusion

Every company poses a different challenge, but this proposal applies to all of them. All leaders should assess potential vulnerabilities from their adversary's mindset and devise effective defensive countermeasures unique to their needs. Do this, and collectively we'll build a safer, more secure cyber community.


Michael F. D. Anaya | Founder

I’m a techie who’s been in cybersecurity for over two decades. My passions are being a top-tier dad, helping others, speaking in public, and making cyber simple. I am also partial to cheesecake and bourbon, but not together… well, come to think of it, it might be a killer combo! TBD.

https://www.mfdanaya.com