Force Multiplying Security: A Playbook

Feb 2025

A few days ago I was catching up with two friends, a former US Army Green Beret and an IDF (in the reserve) recon soldier. We were chatting about small teams and how to really focus on being effective. Of course the topic of force multiplication and focusing on the right priorities took center stage.

I shared the different posts I have written on the topic (Force Multiplying Security and Force Multiplying Security: A Guide, for example) and of course they chewed my ass, in a good way. I have to agree with them that those two posts are not the clearest or the easiest to follow. Well, from there, we dove deep into the topic. Two hours later, we had a sort of playbook for how small and efficient security teams can amplify their impact by leveraging existing systems and capabilities, and collaborating with other teams to achieve bigger results with minimal added resources. That’s a win in my book.

We identified several key elements to focus on security minimalism and force multiplying:

The core principles we need to keep in mind are those already outlined in the guides above:

The playbook, once you understand the end result, can be listed as follows (bear in mind that you might need to adapt it to your own team and organization):

Strategic Assessment

Identify Goals and Objectives: Clearly define the goal and the desired outcomes. Make sure you list the key performance indicators (KPIs) to measure success; it’s important to keep track of how things are going so you can course-correct if needed.

Analyze Current Capabilities: Evaluate existing strengths, gaps, and resource availability within the teams and organization.

Identify Leverage Points: List the areas where small investments can yield significant results, such as leveraging existing technology, expertise, or partnerships. Make sure to create a visual map of these points; documentation is a key piece here.

Prioritize Key Areas: From the Leverage Points, pick a subset and focus on the high-impact projects and tasks that will deliver the greatest return on investment.

Build Partnerships and Collaborations

Stakeholder Mapping: Identify key internal and external allies who can contribute to achieving security goals, and build strong relationships with them.

Cross-Functional Teams: A buzzwordy way of saying that collaborative teams with diverse skillsets are needed to tackle complex security and other challenges. This “team of teams” can leverage each other's expertise to support a larger objective as well.

Shared Vision and Alignment: Ensure all teams and stakeholders understand the overall goals and are committed to working together effectively.

Leverage Streamlined Technology and Automation

Identify Automation Opportunities: Analyze processes to identify tasks that can be automated to free up human resources for higher-value activities. If something can be automated, automate it. If it can’t but it can be self-served via a web app, service, or script, then do that instead. Manual work should be the last resort.

Focus On Data-Driven Decision Making: Utilize data analytics and AI (carefully) to gain insights, make informed strategic decisions, and support automation.

Tools and Platforms: Explore and implement technology that can streamline communication, collaboration, and project management. If you can build it, keep it simple. If you need a vendor, try to “platformize” all needed moving parts under one vendor. Keep it simple.

Lean Operations: Minimize waste in processes and resources. Streamlining operations leads to more effective use of time, money, and effort.

Outsourcing and Partnerships: Identify areas where external partnerships, outsourcing, or leveraging external expertise can complement in-house capabilities and accelerate progress. Treat this with a grain of salt, since it can be both expensive to do and add complexity to the entire plan.

Continuous Improvement

Feedback Loops and After Action Reviews (AARs): Establish mechanisms to gather feedback from individuals in each team and use it to identify areas for improvement. Conduct AARs after each effort, successful or failed. Learn from what worked and what didn’t.

Prototyping and “Red Teaming”: Encourage a culture of experimentation to test new ideas and approaches. Red team those ideas, finding issues and gaps before it’s too late.

Remain Fluid: Adopt flexible and iterative processes to adapt to the ever-changing world of security and risk, and rapidly deliver value.

Scaling Up With Minimal Cost

Use "Replication": Once an effective process or piece of technology is identified, find ways to replicate it on a larger scale without significantly increasing costs.

Use Modular Systems: Design solutions that can easily be scaled by adding components (people, technology, processes) as needed, rather than completely redesigning systems from the ground up.

Empower Each Individual And The Teams

Leadership Development: Foster a leadership culture that encourages initiative, creativity, and ownership within teams. Each member is a leader. Give the junior members the chance to lead often, making sure that a more senior member shadows them.

Development and Training: Provide necessary training and development opportunities to enhance capabilities of individuals across all teams. The more people understand risk management and security in general, the more they will apply the fundamentals.

Delegation and Accountability: Clearly define roles and responsibilities, enabling team members to take ownership and deliver results. Again, focus on decentralized command.

Innovation and Risk-Taking: Encourage a culture that values innovation and is willing to take calculated risks in pursuit of breakthroughs.

Resilience and Persistence: A force-multiplied security team is one that can maintain momentum even when there are challenges. Developing a resilient culture is critical; it will get the team ready when the breach occurs.

Important Business Considerations

Alignment With The Business Strategic Goals: Ensure all force multiplication strategies are aligned with the overall organizational objectives. We do not work in a vacuum. Security is part of a larger world and is here to protect the business and organization.

Communication And Transparency: Clearly communicate the force multiplication strategy to all business leaders to gain buy-in and support. If we can’t get leadership to support this effort, it will most likely fail.

Monitoring And Issues Detection: Regularly track progress and adjust tactics as needed to optimize the impact of force multiplication efforts. Keep an eye on external and internal factors that may indicate a new approach is needed.

To Close

By implementing the playbook described here, security teams can effectively multiply their force, achieving greater impact, improving the overall security posture of the organization, and helping other teams be more successful by making their processes and products better. It’s a two-way win. This playbook can also be used as a framework for building a more efficient, proactive, and resilient security program.

Remember that force multiplication is an ongoing process that requires continuous improvement and adaptation to the ever-evolving threat landscape of the modern security world.