The Art of Turning Strategic Goals into Reality for Cybersecurity and Why it is Important

One of the most frustrating things is to sit in on a C-Suite meeting and hear the lofty strategic goals presented for the company and for cybersecurity, only to have them torn to pieces when you explain what those goals will actually take and cost. The sticker shock that comes from understanding the moving pieces of a “Risk Intolerant” stance can be amusing, but in the end, it is more of an annoyance than anything. So, with that in mind, I am going to discuss how to break strategic goals down into realistic tactical and logistical steps. I will not be focusing on anything specific but will follow some common guidelines and practices that can help bridge the gap between ideals and reality. It might also help inform future strategic statements by building an understanding of the moving pieces involved in making them.

Strategy, Tactics, and Logistics
A lot of organizations are great at making grand strategic statements. To quote Christopher Titus, “I am going to build the biggest thing ever!”. After the steps are broken down (the tactics) and the costs of reaching the goal (logistics) are shown, you have the second half of the quote: “Just remember that you are still you”. This is not to say that the strategy is bad, or even unrealistic; it is just that the goals often exceed the resources present to reach them. This brings us to a quick conversation about what each of these components is.

Strategy – In overly simplistic terms, a strategy is a statement of a desired outcome. Some might call it a mission statement or a pillar statement. At its most basic level it is simply “this is what we want to do”. Even in theaters of war, the theater-level strategy is a listing of outcomes in a desired conflict, e.g., we need to take X-City, then Y-City, and so on. The strategy does not need to include direct tactical or logistical requirements; it just exists as the statement of outcomes for a particular objective.

Tactics – Tactics are the actual steps required to reach the stated outcome. If you want to take X-City, you need to understand the tactics required to do so. How do we approach? When and from what direction do we attack the occupying forces? What types of weapons would allow for the best attack on this strategic objective? The same can be said for any business strategic goal. Let’s look at the example of “we want to reduce the number of business email compromises year over year.” Sounds simple, right?
From a tactical perspective, the steps are more complex. You need to understand how email accounts are being compromised, purchase new software/services to deny that attack vector, create and implement policies and rules to minimize opportunities for attackers, and finally create and implement (or improve) awareness training for all employees as an added layer of protection.

Logistics – Logistics is the cost in terms of money, time, staffing, etc. to implement the tactical steps that reach the strategic goal. Crafting a strategy statement is easy; identifying the tactical steps is more complicated but still relatively simple. Understanding the logistical impact is where things grow in scope. Let’s take the combat example of taking X-City. The capture of X-City is a strategic goal and vital to follow-on operations. The tactical steps (pulled out of thin air for this example and oversimplified): we need to move into the hillside around the city undetected with the troops, then bombard the defensive positions with artillery, bombs, and mortars for 4 hours before the ground assault begins. Attack aircraft will move in ahead of the ground assault to remove machine gun positions and any tanks and armored personnel carriers (APCs). Once the city is taken, reinforcements will come in to secure the town against a potential counterattack.

The logistics of this would include the actual accounting and numbers for everything. This attack might need 1,000 foot soldiers, 50 tanks, 100 artillery pieces, 25 mortar units, 10 air-to-ground jets, 15 anti-tank helicopters, and 10,000 gallons of fuel (of different types), followed by a listing of the exact number of rounds needed for the attack, resupply requirements, the fuel needed to move the ammo, personnel, and equipment into the right location for the attack, and the list goes on. Lofty strategic goals often die on the rocks of logistical reality.

The current problem with many companies is that strategy is being developed and proposed by people who are not truly aware of the tactics or logistics involved in reaching those outcomes. This is not to say they are ignorant of them, just that they are not as deeply involved in them as the people “on the ground”. To make sure that companies/organizations develop realistic and achievable goals, the flow of information and conversation needs to go both ways. An understanding of staffing, skill sets, money, and time should inform the creation of outcomes for any component of a business. This is especially true of Information Systems and Information Security. Why single these two out? Well, they are often just seen as expenses with no direct impact on revenue and no true return on investment. It is the wartime equivalent of sending in bombers to hit an objective with no ground effort expended to claim the actual objective. The use of jets and bombs costs money and other resources that might have an impact on the overall campaign, but nothing tangible is gained. IT and IT Security might (they do) prevent attacks and other impacts that would reduce revenue, but there is no tangible increase in revenue or profit shown on the P&L sheet.

So how do we change this? Well, the same way military leaders have for centuries: you listen to the troops on the ground. When the strategic goals are being created, they should be reviewed and informed by the people who are going to do the work and the people responsible for writing the checks. You need to hear from them to know if what you are asking can actually be done. A strategy without a tactical and logistical reality check is just a big statement with no substance. Worse than that, it is a losing statement, as you cannot accomplish what you are saying you will. Where this impacts businesses the most is in IT and cybersecurity goals and spending. Growth, revenue, and expansion goals are given priority because they are where the money is. P&L forecasts will always have a projected growth goal for the given time period (month over month, quarter over quarter, etc.). Because these goals impact future budgets, salaries, etc., they get logistical support. Need to hire 2 new salespeople to meet that revenue growth goal? Great, hire them, get them selling to bring in the money! Need 2 new IT or cybersecurity engineers? Sorry, we do not have it in the budget; can you make do with what you have? Because IT and cybersecurity are internal functions, gaps there can be hidden from the outside world while sales and revenue continue on. At least until there is a breach or outage… then the same people struggling to keep the assault going are often the same ones let go, despite the failure of leadership to acknowledge the untenable tactical and logistical position those on the ground faced.

To add another complicated twist to this, you have compliance. Compliance is a wonderful item that gives most companies an exact map of exactly how little they need to spend on cybersecurity. The phrase “we want to make sure we are compliant” is one of the most depressing things a cybersecurity engineer can hear. I like to think about compliance this way: “regulatory compliance is the least we can do, and we always want to do the least we can do.” For those in the back row, compliance is a start; it is the MINIMUM required of you. It does not even come close to being secure.

OK, so I started off with the goal of giving you an idea of how to make realistic strategic goals connected to the tactical and logistical realities of your organization. I suppose after writing the article above I should get to that. Strategic planning is a lot simpler than you might think. When sitting down to plan a mission or attack, the first questions are often “what do we have and what do we need?” This is a question about logistics, pure and simple. In business terms it translates to: what is our budget, what staff do we have, and what tools do we already have in place? Knowing what you have to work with allows you to understand if there is a need to get anything else. The next questions are about operational windows and locations (when and where). These are your planning and implementation time frames and the windows to complete the work. From a business perspective, the “where” can be translated into what effects the implementation will have on what parts of the business. These items allow you to understand what you are working with and build a strategy that is achievable from an IT and cybersecurity perspective. It is not much different from revenue forecasting for business growth; there is just no revenue attached to it.

I know the next question from the accountants and other business leaders: “if there is no revenue attached, why put in the extra effort?” It is not a bad question; it is just one that ignores the realities of modern business. Most modern businesses rely on information technology to exist. Those same systems need to be protected from very real threat actors. Having realistic and achievable goals for cybersecurity and IT operations creates a healthier environment for those staff members. They can do what they are being asked to do, and they get satisfaction from knowing they are able to do it and that their leadership understands what they are facing. The difference between a team with high morale and one with low morale is an order of magnitude. Soldiers with high morale from good leadership have won battles when heavily outnumbered. The same can be said for a small IT/cybersecurity team that knows they are valued and are given achievable goals. They will move the moon for the right leadership.

The road to building realistic and achievable cybersecurity and IT operations starts with not looking at these two vital functions as just an expense. They are not only insurance against loss of revenue; they can also be used to bolster sales. As we have talked about with the Software Bill of Materials (SBOM), having proper cybersecurity strategic goals backed by proper tactical and logistical resources is of value to potential clients. If you can show the effort you put into securing customer and corporate data, that has real-world value. I know I have shopped for personal services based on how they show they secure their services and data. When companies look to buy third-party resources, they look at this (SOC 1 and SOC 2), but when presenting to the consumer they seem to ignore it.

This line of reasoning by executive teams should stop if anything is going to change from a cybersecurity perspective. In fact, it is interesting to note that many regulatory agencies require a “covered entity” to maintain a list of all cybersecurity events that happen during the year. Having heard from many businesses while providing consultation, I know these lists are looked at as a hassle. They are collected, submitted during the reporting/attestation window, and then ignored. Maybe, just maybe, they should be used to see exactly how hard your team is working to keep things safe. Take a look at the list and then translate each significant event into what it would have cost as a full breach. Each time a user clicked on a phishing email and submitted credentials can be translated into a potential loss of income. If you add even 50% of that amount into your P&L when you consider cybersecurity spending in your revenue forecasting, you will have a better understanding of where you sit from a general strategic perspective (See, I was going somewhere with this). In military terms, you now know the enemy’s situation and what they have been doing (tactically and logistically); this will also inform your own strategy for countering their efforts.

To sum up the summary of the summary, creating good cybersecurity goals involves using the right mindset and information. You must know your own strategic situation, what the enemy has tried and succeeded at, as well as your own tactical and logistical status. Those items will inform a realistic and achievable goal for your teams to execute. Allowing the boots on the ground to reach those goals improves morale and builds a better work environment, which only serves to build more morale and make the next set of goals even more achievable. These efforts can be translated into revenue by evangelizing the work of those teams and presenting it to customers (trust me, this works). Failing to make this change will just end up creating a repeat of the same thing over and over again: the same minimal effort and compromises, the same staff turnover and burnout. It is up to you, but I personally feel that the former is a much better outcome and builds a team that will stand out, rather than just another company.
