A changing world requires CISOs to rethink cyber preparedness

History often views the Preparedness Movement as an instance where prominent former politicians like Teddy Roosevelt attempted to persuade Woodrow Wilson’s administration – directly and via demonstrative efforts like the training of volunteers for a future military venture – that American involvement in war was a necessity. However, the movement was highly decentralized and was as much an effort to build a social consciousness of the realities of future conflict as it was a cohesive pro-war movement. In fact, the movement was ardently anti-war and simply promoted a pragmatism that railed against the idea that a purely reactive approach to national security would see American industry and society avoid the worst of war.

The lessons of historical preparedness for today’s cybersecurity industry lie in its emphasis on factors that are social, non-structural, and enabling in nature, instead of just the need for a posture that is continuously active and anticipatory. These latter ideas sit at the core of readiness planning across industry today and essentially amount to the conventional view of risk (with its attendant implications) outlined above. By contrast, the concept of preparedness espoused by the movement a century ago emphasized that:

  • Social: Social capital, perceptions and culture function as major assets or barriers to response, increasing directly in line with the rising complexity of security conditions.
  • Non-structural: Mitigation of such complex conditions will involve pre-engineered tools and systems but will likely require their deployment in ad hoc fashion.
  • Enabling: Effective security response comes from better planning for what comes after (i.e., resilience and recovery) and so must take the altruism and capacities of the public into account.

These principles are analogous to precepts that underwrite cybersecurity practice already, including the need to design systems that are available in the face of potential disruption and the reality of thinking about vulnerability in network terms. Given conditions in the world in 2024, now might be a good time to begin the process of codifying these principles as strategic and community imperatives, as well as operational ones.

Potential shape of better cyber preparedness

A cybersecurity posture that is societally conscious equally requires adopting certain underlying assumptions and taking preparatory actions. Foremost among these is the recognition that neutrality and complacency are anathema to one another in the context of digital threats stemming from geopolitical tension. As I recently wrote, the inherent complexity and significance of norm politicking in international affairs leads to risk that impacts cybersecurity stakeholders in nonlinear fashion. Recent conflicts support the idea that civilian hacking around major geopolitical fault lines, for instance, operates on divergent logics of operations depending on the phase of conflict that is underway (e.g., crisis moment, grey zone conflict, or shaping operations).

The result of such conditions should not be a reluctance to make statements or take actions that avoid geopolitical relevance. Rather, cybersecurity stakeholders should clearly and actively attempt to delineate the way geopolitical threats and developments reflect the security objectives of the organization and its constituent community. They should do so in a way that is visible to that community. Neutrality is a security posture to be attained via objective arbitration on appropriate behavior; it requires realism that eschews both idealism and buck-passing. So, if realistic neutrality for private cybersecurity teams and institutions is the goal, industry needs to embrace the notion that reasonable advocacy on expectations of digital security is the minimum requirement for building shared awareness and resilience.

Cybersecurity firms and teams would also do well to double down on the normative framework of digital security as a core social responsibility in the 21st century. The resilience of any service, platform, or community to disruption is not just a function of technical capacity, workforce, or insurance. If an organization suffers as a direct result of geopolitically motivated hacking, its recovery and subsequent operation are enhanced substantially by the existence of a positive public perception of the firm as a community helper and as an actor whose liability cannot be mitigated entirely by conventional cybersecurity actions. At the level of operational planning, this should mean the construction of a social map of risk for relevant industry communities to leverage structured tools to create potential for non-structural solutions in the wake of a crisis.

Finally, private cybersecurity actors would do well to recognize that preparedness along these lines – i.e., a “macro” or geopolitically motivated preparedness posture – is a robust hedge against crisis-based uncertainty and tumult. It is also prospectively an excellent bid for future patronage on the part of government, public opinion, and industry networking.

The recent development of a US government strategy of “cyber with the brakes on” has made attempts to signal relevance to the national security enterprise beneficial for the average cybersecurity-concerned business. Less government oversight with similar levels of commitment to capacity building and incident response is married to a “campaigning” view of American cyber threat risk. This is not only a demonstration of greater government supportiveness of private-led cybersecurity solutions; it also implies a strong preference for private partners and beneficiaries whose thinking about cybersecurity sees preparedness not as a limited act of static anticipation, but as a dynamic process that is fundamentally social, non-structured, and communal in its appearance.
