Like puppies, cupcakes and Taylor Swift, innovation is something everyone loves.

It's the potential to utilize new technologies, to reduce operational costs, to improve the quality of work. It’s so compelling that nearly everything in IT claims to be innovative.

But in cyber security, innovation is often at odds with your core responsibility. Virtually all activities associated with cyber security are defensive in nature, concerned with stopping threats and preventing data breaches. It’s a profession where risk aversion is a virtue and the long-standing practices of cyber security serve as something of a dam against a flood of consequences. Depart from any established practice and you run the risk of enabling the very vulnerabilities you have worked so hard to prevent.

But preparing against the threats of tomorrow means more than mastering the threats of today.

So how can we foster innovation in an environment aiming to impede specific adversarial activities?


The One Rule: Don't innovate. At least, not yet.

The first rule of cyber innovation is … don’t. At least not until you first establish a mature cyber posture.

A settled procedure, a systematic, established way to conduct an activity, forms the core of computer network defense. Scanning IT infrastructures for defined vulnerabilities is a known process. Filtering email traffic, blocking ports and using two-factor authentication are all examples of well-known cyber processes. Implementing these may be necessary, but they are not sufficient to prevent successful attacks.

Enabling innovation may entail reducing or removing a known process, but maintaining good core cyber hygiene is the prime directive and should be built upon, not compromised.

Tips for Cyber Security Innovation

1. Deviate from existing workflows

Successful attacks are not conducted via known threat vectors; otherwise, those attacker activities would be blocked already (assuming, again, that you practice good cyber hygiene; if not, refer back to the one rule of cyber innovation). In this regard, innovation argues for bringing in new methods not previously used and also altering existing methods.

Cyber innovation means taking the time to define ‘standard’ processes – and then purposely deviating from them. Attackers strive to gather data and map out an environment before starting an attack. But what if the attack surface, vulnerability assessment and threat response were always changing? A moving target is harder to infiltrate and exploit.


2. Think like an attacker, not a defender

Adversaries are thinking creatures – humans who react to what they find and alter their actions. If one attack vector is blocked, they will try another. A successful cyber attack occurs when the probing for defensive weaknesses finds a single access point, a single vulnerability that can be exploited.

Start with penetration testing. (For more information on why you should be penetration testing, read this post.) Think up the chain and beyond the vulnerability itself. What is at risk? If an account can be accessed, what resources are contained within it? What additional resources can now be accessed? Were any unexpected assets obtained? Have any new vulnerabilities been observed?


3. Hire creative cyber analysts as well as engineers

An innovative workflow that places roadblocks for attackers requires creativity. It starts with the cyber work force. Mature organizations typically have cyber engineers, firewall engineers and other technical specialists on staff. These folks implement existing workflows.

Innovation requires the creation of new job categories. Create new job objectives and mix in non-traditional titles. Do you have a Cyber Defender on staff? How about a Cyber Guru? A Cyber Analyst? A Cyber Wizard? Innovation can be fostered through a work culture that rewards new ideas and continually creates and alters workflows to thwart attackers, based on knowledge of what is going on in the industry at large. It can start with a creative job title, one that employees will want to obtain. And it is more than a name change; it is a mindset change, freeing up someone on your staff from checklists and compliance to be creative.

Creative thinking fosters innovative workflows which create an active defense.


4. Get your entire team in the game

Job objectives can bring built-in limitations. For instance, if someone has the job of running through a compliance checklist to find gaps, that is what will be achieved – but that may be all that is achieved. However, if a threat analyst has the daily objective of identifying the most likely threat vector and making sure gaps are closed, that is equivalent to having an ever-changing checklist, or never depending on a checklist for protection.

Have an eclectic skill mix, engineering backgrounds augmented with creativity, all working as an integrated cyber team. Nontraditional thinkers will be some of the most innovative and valuable cyber analysts, able to evaluate whether a new process is providing true value or has simply become part of an ever-growing ‘checklist’ mentality.

Threat analysts should not do what they did last week; in order to be innovative, they should purposely do something different from what they did the prior week.


5. Look for the weakest link

A good base set of workflows is necessary when conducting cyber security operations, but it will not be sufficient to stop all attacks. Disrupting one of the steps in an attacker workflow is the logic behind the Lockheed Martin Kill Chain process, which seeks to thwart advanced attackers. Thwart one step in an attack, and the entire attack can be disabled.

As new threats are modeled, evaluated and mitigated, where are the organization's weak links? Are new applications moved into operation with minimal testing? Are daily security alerts thrown into log files but never evaluated? Are anti-virus signatures continually updated?

To probe for weak defense methods, a robust configuration management system provides a technical baseline against which changes can be evaluated. A company needs to know what operational assets and devices it has in place in order to protect them.


6. Conduct better security-focused testing

Application software may undergo functional testing before deployment, but what about security-focused testing? Fuzzing techniques in software testing probe for unlikely and unanticipated application inputs. Automated tools allow hundreds, thousands or millions of unique data inputs to be evaluated and tested before deployment, rather than having the issues uncovered in production, where they are far more expensive to correct.

Software can also be evaluated from both a static and dynamic perspective. Programmers should be taught about common software weaknesses, how to avoid them and the dangers of assuming all open source software has been rigorously tested. Just because a product is in widespread use does not mean it is free from programming errors. Consider the Heartbleed bug, a vulnerability in the OpenSSL open source cryptographic software library. Literally millions of eyes were on it, and still there was a bug in the source code.
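Fuzzing of the kind described above, as an added example that is not from the original post: a constructed length-prefixed record parser that trusts its length header (the defect class behind Heartbleed, which trusted a client-supplied payload length) beside a hardened version, and a small mutation fuzzer that finds the over-read in the first and nothing in the second. The record format, the function names and the use of MemoryError to model the over-read are assumptions made for this example.

```python
import random
import struct

# Constructed record format: 2-byte big-endian payload length, then payload.
SEED = struct.pack(">H", 5) + b"hello"


def parse_record_unchecked(data: bytes) -> bytes:
    """Toy parser that trusts the declared length (a Heartbleed-class defect)."""
    if len(data) < 2:
        raise ValueError("record too short")
    declared = struct.unpack(">H", data[:2])[0]
    # A C parser would copy `declared` bytes from adjacent memory here; this model
    # surfaces the over-read as MemoryError so the fuzzer can detect it.
    if len(data) - 2 < declared:
        raise MemoryError(f"over-read: declared {declared}, have {len(data) - 2}")
    return data[2:2 + declared]


def parse_record_checked(data: bytes) -> bytes:
    """Hardened parser: the declared length is validated against bytes present."""
    if len(data) < 2:
        raise ValueError("record too short")
    declared = struct.unpack(">H", data[:2])[0]
    if len(data) - 2 < declared:
        raise ValueError("declared length exceeds payload")  # rejected, not over-read
    return data[2:2 + declared]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: flip a bit, overwrite a byte, or truncate."""
    buf = bytearray(seed)
    op = rng.randrange(3)
    if op == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:
        del buf[rng.randint(0, len(buf)):]
    return bytes(buf)


def fuzz(parser, seed: bytes = SEED, iterations: int = 2000, rng_seed: int = 1):
    """Return the first mutated input that triggers an over-read, else None."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue  # input rejected cleanly: correct behaviour, keep fuzzing
        except MemoryError:
            return case  # crash-class finding worth fixing before production
    return None
```

Running `fuzz(parse_record_unchecked)` returns a record whose header claims more bytes than were sent, while `fuzz(parse_record_checked)` returns None because every such input is rejected.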


Cyber innovation is hard, in particular because standard IT engineering process improvements (business process re-engineering) are not helpful in the discipline of cyber security.

Cyber innovation is not impossible; it just requires thinking like an attacker and fostering an environment that encourages the generation of innovative workflows that continually adjust to an evolving external set of threats.

True cyber innovation can only occur after a core base infrastructure has been built and methods to establish good cyber hygiene are in place. Old threats should not be able to penetrate current defenses.

Cyber security is not simply a matter of ensuring your front and back doors and windows are locked; it is a matter of imagining new attack methods and closing those avenues before data is breached. This requires changing the motivations of cyber engineers and rewarding innovative thinking and innovative workflows.

Bringing innovation into the domain of cyber security does not mean simply cutting existing processes. It is a matter of maintaining a balance between risk and reward. Remove, adjust or add workflows as needed, but always consider what that is doing to the organization's risk profile.

About the Author

Robert J. Michalsky has served government and commercial customers for more than 30 years. As NJVC Principal, Cyber Security, he quantifies and pursues new business opportunities in cyber security. Mr. Michalsky spent more than 15 years providing cyber security-related IT engineering services for classified Intelligence Community and Department of Defense customers.