First of all, I will have to confess right at the beginning that my over 30-year career at the Finnish Defence Forces in duties related to cyber security, etc. cannot but show in this text as well. At the Defence Forces, matters related to cyber security had already been systematically developed for decades, long before the ‘cyber’ term became commonplace. Before that, cyber-equivalent or related operations were referred to with terms such as information network warfare and/or information network defence.
Whatever the term we use for it, the crucial thing is that performance in that area is developed in a controlled manner with due regard to the bigger picture. According to the doctrine of the Defence Forces, the bigger picture was not – and is not in the current cyber era – a question of mere development of technology. To simplify a multifaceted performance scheme, the aspects to consider are: people, operations and technology. Someone might well question the relevance of the military term ‘performance’ for the operation of non-military organisations. However, in my conception of things, improving the operational efficiency of a civilian organisation means, quite simply, the same thing as improving the performance of that organisation.
Whatever the organisation, its operations are the combined outcome of the people recruited to perform specific work duties, the technology at their disposal and the operational practices and models followed when working.
In the Defence Forces, the high point of the performance model is an exercise to ascertain that the performance is at the targeted level, irrespective of the specific military performance capability being maintained and developed, such as cyber defence. The goal of the cyber exercises is to test the efficiency of competences, processes and technology in various cyber incident scenarios so as to identify strengths, weaknesses and development needs.
All organisations need exercise
Cyber exercises provide organisations with capabilities to operate efficiently in various threat scenarios by training the personnel to observe, analyse and respond to the cyber security incidents that emerge from the operating environment.
Cyber exercising is often perceived as a pastime for technology geeks, but this is not true at all. No personnel group in any organisation can be deemed as having no need for any training in view of cyber incident situations.
A cyber incident situation may well be such that actions need to be taken and/or controlled decisions need to be made quickly. The continuity of operations or a quick controlled recovery of an organisation can only be secured by means of timely and correct actions.
It is not feasible, or even theoretically possible, to have all personnel groups and/or people in an organisation exercise the actions necessary in the event of a cyber incident situation at the same time. An organisation needs to eat the exercise cake in suitable portions, focusing on suitable areas at a time. Cyber exercise operations must be based on realistic needs and consistent, process-like planning and implementation. The planning and implementation of a single cyber exercise meet the defining characteristics of a project. The complex whole of several inter-related cyber exercises consists of consistent, process-like cyber exercising to maintain and improve the operational efficiency of the organisation, i.e. its capability to perform its core function.
When cyber exercising has been deployed, area by area, as part of the organisation’s operations, the next step is to swallow larger pieces of the cyber exercising cake by arranging more extensive and comprehensive exercises with due regard to the entire operating environment of the organisation. A more extensive and comprehensive exercise may involve several areas of the organisation along with partner organisations and service providers, among others.
Regular and continuous exercising will also add to the much-sought-for organisational cost-effectiveness.
Terho Rintanen
Development Manager of Cyber Exercises