Navigating the cyber risk danger zone

Aug. 24, 2022
It takes a Top Gun approach to create a cybersecurity strategy that meets all contingencies

Cybersecurity might not be on your mind when singing along to Kenny Loggins’ ‘Danger Zone’ or while watching any of the “Top Gun” films. However, once you get past the iconic phrases, mustaches and aviation equipment, there are a lot of parallels one can make between cybersecurity and the realities around what Top Gun training represents.

For starters, security decision-makers need timely, actionable cyber risk intelligence if they are to address the risks facing their organization quickly and confidently. This is not so different from the intelligence used for political or military purposes. The common denominator is that the most current, accurate and actionable information must reach the people who need it most, at the moment they need it.

One of the most apt examples of this is the sheer volume of intelligence our military pilots need for each mission. From weather reports to adversary disposition, friendly and adjacent unit positions and course of action analysis, among others, a mountain of intelligence is placed in the hands of our service members. This not only ensures the pilots have everything they need for mission success, but it also informs their tactical decision-making from takeoff to landing. The fighter pilot life was glamorized in the classic 1980s movie “Top Gun”. While the films may not always be the most realistic portrayal of life as a naval aviator, the release of the sequel, along with a heaping of nostalgia, made me think about how we can apply some lessons from the movie to our cybersecurity and threat intelligence practices.

Go Inverted

In one of the more iconic scenes of the movie, U.S. Navy Lt. Pete “Maverick” Mitchell, played by Tom Cruise, inverts his fighter jet over a Soviet MiG 28 in order to distract the Soviet pilot away from a fellow U.S. pilot. While inverted, Maverick chose to “keep up foreign relations” with the Soviet pilot by utilizing a very specific hand gesture. While I can’t condone this hand gesture’s use in the business world, I can state emphatically that some problems require us to “go inverted” and look at them from a unique perspective.

Now, you may be asking yourself, “Why do I need to look at cybersecurity from a different perspective?” Consider this: you’ve spent a great deal of time and money building a robust security posture for your own environment. Yet you work with thousands of outside vendors and partners whose security posture you have never vetted or assessed. Those third parties hold your data and connect to your systems, so your effective posture is only as strong as theirs. If you change your perspective and dig into your third-party ecosystem, you will likely find weaknesses, such as susceptibility to ransomware, DDoS and web application attacks, that could have a direct impact on your organization.

Too Close for Missiles? Switch to Guns

During a simulated dogfight with a Top Gun instructor, Maverick determined that he was too close to use missiles to take down his target, and instead relied on his guns for close range. This demonstrates the importance of choosing the right tool for the job, and cybersecurity is no different. For example, if you’re relying on basic anti-malware software to protect your organization from Advanced Persistent Threats (APTs), you may not get the results you’re hoping for. Cybersecurity budgets are strained, and organizations cannot afford to invest in tools that realistically cannot provide the necessary level of protection.

Investing in the right tools, especially ones that present information in a way that reduces noise and empowers organizations to be decisive, is key. Remember, noise only makes decision-making harder, and intelligence delivered without analysis or in a disorganized manner only makes a CISO’s life more difficult.

The Need for Speed

Maverick famously declared that he (along with Goose, his radar intercept officer) felt the “need for speed!” Aviation is certainly not the only profession with this need. Speed is a major differentiator in our line of work and can be the difference between mission success and failure. Time is of the essence when it comes to identifying and responding to cyber threats, yet the “assess and wait” approach has plagued risk management for years. It is past time for a change.

CISOs are so inundated with work that they often lack the bandwidth to keep up with a constant stream of vulnerabilities to patch, or to consistently analyze and monitor their threat landscape. When structuring a security strategy, organizations need to consider how it will enable their security teams: if it increases their workload or requires a lot of manual oversight, it won’t be effective. They also need to consider the speed at which the program can operate. If you are deploying security technology with significant latency, leaving your security team waiting for insights, you are wasting valuable time that could be spent actually remediating security findings.

Remember: Every Maverick Needs a Goose

Maverick and Goose’s relationship provides some entertaining, and heartbreaking (it's still too soon), moments throughout “Top Gun.” In Goose, Maverick had a wingman who always had his back, but who was also unafraid to tell him the hard truths he needed to hear. Relationships forged over time that grow into trusted partnerships will never go out of style. This truth applies to any industry and role. In cybersecurity, collaboration is more important than ever. Building a community and sharing relevant cyber risk data and insights across your network will not only help you navigate the danger zones of cyber risk, but also give you trusted peers who can check your ego at the door when a decision needs a second opinion. We are all in this together.

About the author: David Stapleton is the CISO for CyberGRX and a cybersecurity risk professional with over a decade of experience in both the public and private sectors. David began his career at the Department of Health and Human Services (HHS), where he developed and managed Risk & Compliance functions for the Food and Drug Administration (FDA) and Indian Health Service (IHS). David is a Certified Information Systems Security Professional (CISSP).