13 February 2023

Bringing military thinking to cyber security

Iain Lindsay-German MBE

elevenM Principal Iain Lindsay-German MBE recounts an experience from his time in the military and describes how adopting a military threat-based approach could benefit organisations in managing cyber security challenges.

In early 2010, I led a team of 140 people, including Afghan Commandos and a small US Marine liaison team, into Taliban-held territory in Helmand Province, Afghanistan. In the dark of a cold pre-dawn morning, all 140 of us landed and simultaneously disembarked from four CH-47 Chinook helicopters which we had squeezed into, standing pressed shoulder to shoulder. 

We were conducting an air assault operation, the first action in a wider effort to seize a large area from the insurgents. Our role was to draw the attention of insurgents, so other NATO forces could get into position – we were honey to the Taliban’s bees. Sure enough, as dawn broke and we got to see our surroundings in a natural light (as opposed to the two-tone green of our night vision), we came under an increasing amount of fire from a growing number of positions. 

We had to fight to keep insurgents from overrunning our positions in the compounds that we had secured ourselves in. During the fighting, one of my men, whom I had known for ten years, was shot through the leg and needed to be extracted – a course of action that brought the extraction helicopter under fire as well.  

As time went on, the distance between the insurgents and us rapidly decreased. I was faced with a dilemma: how do I continue to achieve my mission, reduce the immediate threat to my force and change the situation so that we were not in the increasingly untenable position we had found ourselves in? 

Deliberate and Dynamic risk management 

In the military, risk is managed both deliberately and dynamically. ‘Deliberate’ happens prior to an operation as part of a planning process. Obviously, 140 soldiers do not simply get on helicopters and get dropped off with little or no planning. My team and I had invested a significant amount of time and effort trying to understand, identify and mitigate the risks and threats we were likely to face. 

‘Dynamic’ risk management occurs when responding rapidly to changes in the situation or environment that could impact the likelihood of mission success or increase the threat posed to the force. In the circumstances we now found ourselves in, I needed to reduce the risk my force faced in having to expose themselves through continuous engagement with the advancing insurgents, while also buying time till darkness fell, when it would be safer to move to a more defendable position.  

To do this, we decided to coordinate a series of air support platforms – pairs of Apache attack helicopters, armed drones and fast jets – which gave me a better understanding of what was happening around us in the surrounding compounds and drainage ditches, allowing me to prioritise and engage insurgents based on the threat they presented to us. 

Bringing military thinking to cyber security 

I could write at length about this operation but, ultimately, it was a success. I believe experiences like this one, and military thinking in general, offer many valuable lessons for cyber security. 

One key aspect of military threat and risk management is the presence of an adversary who intends to do you and your organisation harm, attempting to prevent you from achieving your mission whilst achieving their own.  

This adversarial element also exists in cyber security, which is why I have been drawn to it. In my current role, I’m able to look at new environments, organisations and situations and apply what I have learnt from my 30 years of experience in defence across sixteen countries and five continents. 

Conventional cyber risk management approaches often focus on securing individual technologies and systems, rather than taking a holistic and integrated approach to security. A great deal of conventional cyber risk management is also about building foundational controls and lifting maturity – without the same focus on threats or adversaries.

Below are six areas in which organisations could benefit by bringing a military threat-based approach to cyber security: 

  1. Holistic security posture: A military threat-based approach takes into account the interconnectivity of different systems and technologies, providing a more comprehensive and integrated view of an organisation’s security posture.
  2. Proactive risk management: Military risk management emphasises the importance of proactively reducing the likelihood of a threat occurring. By incorporating this approach into cyber security, organisations can identify and mitigate potential threats before they can cause harm.
  3. Improved incident response: A military threat-based approach incorporates incident response planning into the risk management process, ensuring that organisations are better prepared to respond in the event of a security breach.
  4. Continuous monitoring: Military risk management requires continuous monitoring of the threat environment. A military threat-based approach to cyber security would bring a similar focus on continuous monitoring of the cyber threat landscape, allowing organisations to quickly respond to evolving threats.
  5. Focus on critical assets: Military risk management often focuses on protecting critical assets. By incorporating this approach into cyber security, organisations can better protect their most critical information and systems.
  6. Integration with overall security strategy: A military threat-based approach to cyber security aligns with an organisation’s overall security strategy, providing a consistent and integrated approach to managing risk and protecting assets.

If you’re interested in learning more about how elevenM is helping organisations incorporate threat-based thinking into their cyber security strategies, contact us at hello@elevenm.com.au.