Cybersecurity CEOs: find your "big why" or get out of the way

I never grew out of my "why" phase. I made my problem worse by getting an Intelligence Studies degree from Mercyhurst & became an Army Intel officer.

One thing I loved about the Army was the mission statement in the Operations Order. Nothing really happened without an Operations Order and the mission statement's purpose was simple: tell the Soldiers why you're about to do something. By giving "commander's intent," the troops know the "why" behind the mission so that if everything goes to hell and you forget all the other details, the objective is completed & the mission is accomplished. Rescue the hostages, destroy the machine gun nest, capture/kill the target. If nothing else happens right, do this one thing no matter what.

Of course I'd ask "ok, but why are we doing that?" The Army had an answer: read the mission statement in the Operations Order published by the highest headquarters - it's there for everyone to read!

The key of the mission statement is simplicity - one single task. It may have multiple subcomponents and "phases" but the end result should be crystalline so that any - and I mean ANY - Soldier understands. Done well in lower units, you can accomplish missions quickly & usually with minimal setbacks. Done well in higher units, you get a peek into the minds of generals and can understand the strategic significance of what you're doing. It's the "big why" - the reason for all the other missions. Destroy enemy air support, disrupt communications, establish peace - major goals to keep everyone moving in the same direction.

What does it look like when mission statements are imprecise, vague or too complex? See: post-invasion Iraq. The work my team & supported units did in Eastern Baghdad reduced violence in our area by 90%, but ours were a series of tactical victories to clean up a strategic mess that was probably unnecessarily created. Our mission statement, our "why" for going to war in the first place & the plan to secure peace after was... wanting. I'll let you look it up on Wikipedia. But you get the idea - knowing the "big why" behind what you're doing is critical for staying on track and solving the real problem at hand.

However, sometimes discovering the real problem at hand is more difficult than it sounds. In the movie Moneyball, there's a scene where Billy Beane (Brad Pitt) gets into a skirmish with his scouts. After losing in the playoffs, they then lose 3 star players that they cannot afford to replace; yet they try to replace them anyway, ignoring the fact that it's basically impossible. Beane's frustration palpable, he scolds the scouts for acting like it's business as usual and missing the bigger problem (Scene (explicit) https://youtu.be/pWgyy_rlmag).

I've felt this same frustration in the cybersecurity industry because let's face it, we're getting our butts kicked - we're not winning and it isn't business as usual. A ransomware attack every week on another school, a breach at a Fortune 100, or another small business forced to close because they were swindled out of $50,000 via an email hack/scam (Business Email Compromise - https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/business).

Yet the cybersecurity industry's initiative always seems focused on developing the cleverest tech, producing the newest product, or making more sales. But why? Reduce the number of attacks? Fool the hackers? Stay one step ahead? Reduce risk? Ok - but why do any of that? We don't seem to be making a dent...

There's probably no one right answer to why we cybersecurity practitioners do what we do, but here's my mission statement, my "big why:" protect the space that allows the ideas that will change this world for the better, to flourish. Defend the dreamers, the innovators, the brilliant ones, and the progress-makers from the thieves, brutes, & destroyers.

All I ask of my fellow cybersecurity CEOs & entrepreneurs is make sure you have a damn good answer for that or find another line of work. Because if it isn't damn good, you'll lead our industry astray & erode the public trust in our profession with your own greed or ego. I saw it happen before and lived through the cost on sisters and brothers that took an oath of honor. We're the "higher headquarters" and to have a strategy that works, our mission statement - our "big why" - must be crystalline.

We must make an impact if we ever hope to defend freedom, progress, & our way of life or else we'll wander the battlefield aimlessly, wondering why the battles continue. By entering this line of work, you assume a duty. This isn't business as usual, this is a war for independent thought. Act like it - find your "big why;" let it be the mission statement that leads your defenders to victory before it's too late.
