• Jim Seaman

Command & Conquer


Cyber Strategy

The changing cyber environment has created a new 'battlefront' where any internet connected business faces a consistent threat from enemy incursions. However, unlike the Romans, modern businesses rarely evolve defensive tactics or create an effective strategy with 3 lines of defence. If they have actively sought to develop a strategy it is often owned by the few and supported by a handful of others, with very limited Command oversight and trained team members.

Consequently, the marauding invaders (e.g. Scrypt Kiddies, Organised Crime, etc.) are easily finding weaknesses in their infrastructures and breaching the defences to gain access to the data assets within.

Why is this happening?

Roman 3 Lines of Defence

The Romans identified the benefits of having a well-trained Legion, working as a team of specialists but having their own individual roles and responsibilities to help respond to and defend any enemy actions, establishing 3 Lines of Defence, under the Command of a 'Legatus legionis'. Each member of the legion were fully aware of their duties and had established highly effective lines of communicating, reporting and risk management.

However, these were their primary function and frequently they possessed good threat intelligence of who their enemies were and the common Tactics, Techniques & Protocols (TTPs) that were being employed by their enemies.

In today's cyber battlefront, businesses can rarely afford to dedicate legions of personnel to protect their territories and, as a result, rely on a handful of resources to identify, react and respond to any enemy activities. This results into a model of 'Security through Obsecurity' (organised chaos), where the business doesn't understand, or know, the whereabouts of all their sensitive data assets - where the would be intruder may be delayed by the chaos, or they do not realise their data has gone until it appears for sale on the 'Deep/Dark Web'.

How can things be improved?

After more than 22 years in the RAF Police, having deployed to many a hostile environment, I have a long history of seeing suitable defensive models which were tailored in response to the evolving threats and which applied a 3 line of defence model:

1. Operations Management.

All personnel deploying to hostile environments received operational training, to meet a minimum baseline standards (typically around 1 week for on base and 2 weeks for off base responsibilities). During this training, the trainees received comprehensive familiarisation of the TTPs they could expect and their actions to help mitigate this.

2. Risk Management.

Operational Risk Management

Continually throughout all deployments patrol reports and events were communicated back to Command, ensuring that informed decision-making could be made. E.g.

  • Upgrading vehicles because of the changing Improvised Explosive Device (IED) threat (Iraq = Snatch Landrover; Kandahar = Soft Skinned Wolf Landrover; Camp Bastion = Mastiff) or providing additional operational instructions not to become over-reliant on the armour (manual clearance, rather than just driving over in armoured vehicle).

  • Prohibiting the use of mobile telephones, in theatre, following incidents of the families of deployed personnel receiving malicious calls, as the result of intercepts.

3. Internal Audit.

All personnel were fully aware of the rules that applied to them and any discrepancies were investigated, whilst the compliance status was continually monitored, reported and enhanced.

Command & Control (C&C)

In the virtual world managing the C&C of your 3 lines of defence becomes increasingly difficult to manage without a means to visualise the statuses. I have seen numerous businesses who employ multiple spreadsheets to record the data and then who need to collate an output of these spreadsheets into actionable intelligence. I'm lucky to have experienced a very flexible & intuitive platform which helps to simplify, improve Cybersecurity visibility and reduce the C&C burden. If you are struggling with endless spreadsheets and manual creation of metrics & compliance dashboards, why not see if Acuity's STREAM platform can help you to manage your 3 lines of defence.

Operations Management.

  • Establish your scope (Tree Structure).

  • Identify & establish baseline controls.

  • Assign Roles, Responsibilities & Accountability.

  • Educate personnel.

  • Create suitable documentation.

  • Avoid single points of failure (in the military this is knowing the role of a rank above and a rank below).

  • Create a team of security champions, supporting the internal audit & cybersecurity teams.

  • Embed Cybersecurity into business operations.

Risk Management

  • Periodically review compliance statuses.

  • Carry out Risk Assessments.

  • Identify new threats appropriate to business operations.

Internal Audit

  • Carry out periodic audits to confirm the maturity & status of your baseline controls.

  • Assign actions.

  • Where areas of improvement are identified, carry out suitable & ongoing improvements to mature cybersecurity capabilities.

  • Encourage the members of the Board to Command from the top through regular reviews of the dashboard.


The Romans developed & adapted their strategies in response to the intelligence they gained from numerous attacks against their Empire. Unfortunately this is something that modern business can ill-afford to do and have limited specialist Cybersecurity resources available to support a defensive Legion. Consquently, proactive business need to be prepared for the ever-increasing technology threat landscape so need to look at opportunities to increase efficiency & visibility of defensive efforts and change the business view of the Cybersecurity effort, whilst developing an improved Cybersecurity culture.

Traditionally, the view of Cybersecurity efforts is:

Being very expensive, largely invisible (a virtual Black Hole) until it goes wrong, when it becomes even more expensive!

The reality is that businesses are increasingly embracing technologies, creating an ever-expanding Empire, where both senior management and regulatory bodies require additional assurances.

If you are one of the many struggling with issue and don't have the time to filter through the 1,000s of vendor emails/telephone calls to find a helpful solution but are intrigued by this blog, why not investigate whether STREAM can help you by taking advantage of familiarising yourself with this platform and seeing whether this can assist you in your efforts, by exploring the 30 day free trail?

6 views0 comments