The Militarization Of Information Security

Does something like this sound familiar? "We need to find, fix, finish, exploit, analyze, & disseminate this intrusion set along the kill chain via force multipliers so we can observe, orient, decide, and act according to tactical, operational, and strategic priority intelligence requirements." I bet that part of it does. 

These days it seems that we cannot escape military concepts making their way into information security strategy. Firms are attempting to implement the kill chain, and vendor marketing headlines these concepts. I've contributed to it as well. See: "Force Multipliers - What Security & Risk Professionals Can Learn From Special Forces."

I think that it is important to keep in mind that we aren't the military and don't have the resources of the military. While military concepts can be useful, buzzwords won't secure your environment; you could become distracted and spend your limited resources in the wrong places. As I was sorting out my Black Hat calendar tonight, I fortuitously saw a talk that is very applicable to this topic: "The Library of Sparta," with David Raymond, Greg Conti, and Tom Cross. Here is part of their abstract:

"Many people in the computer security community use words like "OPSEC," "Kill Chain," and "intelligence-driven" without fully understanding the underlying concepts. Even worse, many show their ignorance by using military jargon incorrectly, thereby alienating clients, customers, and colleagues. These concepts are powerful and should not be ignored, but they must be well understood before they can be leveraged in your network."

I couldn't agree with these statements more and I look forward to listening to their talk. If you attend the session, look for me; I will be securing the perimeter in MOPP Level 4 (joke for military and fellow veterans).


Comments

Milthink > compliance think

I was pondering that very question a while ago (e.g. see here http://blogs.gartner.com/anton-chuvakin/2013/04/12/bye-bye-compliance-th...) and came to realize that while there are risks in over-militarizing infosec, milthink is better than compliance think that many still hold on to.

That might be an interesting

That might be an interesting debate for an infosec conference. We have the advantage 20/20 hindsight on compliance, but we don't have that for milthink in the private sector. Milthink has its problems too.

Interesting indeed

>that might be an interesting debate for an infosec conference

Very much so -- maybe we can submit a panel for something upcoming [maybe even RSA 2015?]

I suspect the whole "think about adversary / threat this or that" has no equivalent in compliance thinking which tends to be "assets and vulns" only.
