Part 2 of 10: Analyzing Higher’s Plan, by Chris Ruel, Full-Time Instructor at SecureSet Denver campus.
“What’s the use of running if you are not on the right road?”
Security isn’t a self-licking ice cream cone. It doesn’t exist in a vacuum. It exists as a part of a broader business plan and should be nested within a holistic strategy. It is critical that security professionals understand the five W’s (Who, What, When, Where, Why) of their company’s plan, so that they can best understand how to execute. Planning is one thing the military does well. Yes, it is a large bureaucracy at the upper echelons, but units at the level of brigade (+/- 5,000 people) and below could plan circles around any similar-sized organization. The answer lies in the process.
The seven-step process is called MDMP (Military Decision Making Process). MDMP, with its quite literally hundreds of steps, can at first seem cumbersome and overwhelming; in actuality, it is intuitive, adaptable and scalable. Special Forces teams use it for activities that range from planning a training exercise to the clandestine infiltration of a hostile country. It can be done over weeks, or even hours if under a tight timeline. According to GEN Patton: “A good plan violently executed now is better than a perfect plan executed next week.” This series focuses only on Step Two — Mission Analysis (MA). The first part of MA is “Analyzing Higher’s Plan.”
I have broken down Analyzing Higher’s Plan into 5 subsets that represent what you need to understand BEFORE you begin planning.
- Decision maker’s intent
- Mission/objectives/tasks
- Concept of the operation
- Available assets
- Timeline
I’m sure doctrinal purists at the Staff and War College will have a field day with my bastardization of their most sacred texts, the Field Manuals (FM), Joint Publications (JP), and Army Doctrine Reference Publications (ADRP), but I’m trying to sum up years of study in under 10,000 words.
- Decision Maker’s Intent: What is it that your boss (or your boss’s boss) really needs to have happen? You may get told that your company is moving everything to the cloud. Great! But, why? Is it a cost issue? Scalability? Interoperability? Knowing the intent allows you to adapt to unforeseen changes or implement novel solutions.
- Mission/Objectives/Tasks: It is rare in the civilian world to get your assignment spelled out for you in a short, concise statement. In the military, this is the standard and it’s implemented down to the lowest levels of leadership.
  - The Mission Statement spells out the five W’s of your job and is easy enough to memorize after reading only a couple of times. Example: “Acme Co SOC (Who) will be fully operational (What) in Room 100A (Where) no later than midnight, 01 October (When) in order to secure company infrastructure and prevent compromise of intellectual property. (Why)”
  - Objectives provide greater clarity for subordinate departments or sections. Objectives, when completed, determine mission success. As part of the larger mission of standing up the Security Operations Center (SOC), your team might be assigned to “integrate the Security Event and Incident Management (SEIM) into existing systems”.
  - Tasks should be specific and objective-oriented; that is to say, they should all be in direct support of your objectives. Your tasks would be something like:
    - Determine the best SEIM for implementation
    - Purchase license for SEIM
    - Install SEIM no later than 1 August
Even if you don’t get the information in such a concise manner, make sure you get it all the same.
- Concept of the Operation: The concept goes into greater detail about the endeavor. It explains more about the “why” of the operation. Continuing with the example above, it may look something like this: “Acme Co intellectual property is the foundation of its competitive edge and financial success. Compromise of IP could lead to a weakened market position and loss of revenue. The SOC will utilize an integrated monitoring system (SEIM), defense in depth, develop an employee training plan, and create processes and procedures to ensure mission success.” A good concept should also state what adjacent teams are doing and why, as well as a description of the end state.
- Available Assets: It is hard to plan without knowing what resources you have. This list should include what is on hand (people, money, equipment) and what can be borrowed, bought, or built. Make sure your assets support your objectives. If your budget for the SEIM is $1,000 a year and you want it monitored 24/7 by your two-person team, how likely are you to succeed?
- Timeline: At a minimum, you need to know deadlines. For larger projects, have things broken down into macro and micro timelines. At the core of timelines is the concept of backwards planning or backward design. I’ll go more in depth into this concept later in this series.
Unless you are the Founder/CEO/Chairman of your own startup, you’re going to have a boss. More than likely, your boss will have a boss, who has a boss. Projects will be handed down to you and will be nested within a larger company strategy. Before you expend time and resources on an initiative, make sure you understand not just what you are doing, but why you are doing it. This will not only save time and money, but possibly your sanity.
The next step in the process is the Intelligence Preparation of the Environment (IPE). Although it is only Step 2 in Mission Analysis, it is about half of the work. IPE consists of 4 sub-steps:
- Define the Operational Environment
- Describe the Effects
- Evaluate the Adversary
- Determine Adversary Course of Action (COA)
Each step will be covered in detail in the following posts of this 10-part series. If you’re just joining us for this series, you can catch up by reading Formalizing Cyber Threat Intelligence Planning: Part I.
Christopher Ruel is a Full-Time Instructor at the SecureSet Denver Campus. He teaches Cyber Threat Intelligence as well as Strategy and Analysis. Chris is an Army Special Forces Officer with years of operational experience overseas. He has also worked closely with the Intelligence Community in pursuit of US strategic objectives. He has earned a BA in history, as well as an MBA with a concentration in Business Analytics.