I’ve been working on a project identifying a comprehensive cyber curriculum. The various standard infosec curriculums are primarily for non-conflict-oriented entities, and NIST/NICE is really a human resources hiring tool. One aspect of this tasking is looking at the idea of leadership “levels” and the second aspect is looking at the disconnect between info sec (regular information asset management) and computer network operations (bad shit in the ol’ town tonight). I’m not a fan of placing cyber warfare entirely in the realm of network centric operations because your systems and supply chains “r belong to us”. The NSA concept of operations identifies this issue but I’m more interested in looking at what it means in a slightly broader construct.
The following figure depicts the divergence of educational goals and the absolute requirement (REQUIREMENT) that people who lead technologists should already have a background in technology (growing our own is best left to dope-smoking Silicon Valley venture capitalists). To be honest, the absolute worst thing we have done in the information systems and information security field is accepting the lie that you don’t need to be apprenticed within the discipline to manage the discipline. It is stupid, ignorant, horrible, despicable, and the primary failure mode behind why we’re stuck doing the stupid stuff we’ve been doing. Did I mention allowing MBAs to manage information security and dumbing down the curriculums is STUPID!
Here is the diagram I’ve posted before.
Well, what about this leadership thing and the idea of strategy, operations, and tactics? I’m lucky I work with a bunch of people who are the current and past experts at strategy. Did I mention allowing people who never apprenticed in information technology disciplines to manage it is STUPID! So, the following are two work sheets with some very specific purposes in mind. The first work sheet shows “what, who, when” with who inside of the triangle. In terms of strategy, very few people get to determine strategy, but they have extensive decision power in what and when. The operations folks have a lot more people doing this stuff, but much less effective control of “what and when”. Similarly, those of us who have lived at the tactical pointy end of the spear get almost no say, but there are a lot of us bitching about it.
You could fill each of these blocks in with roles (for the who) and tasks for everything else. The real purpose though of this is to get you looking at the concept and thinking about the different roles. It isn’t anything but a heuristic preparing you for page two.
Page two is a work sheet for looking at a course, a job, or an activity. What are the knowledge, skills, and abilities at the strategic, operations, and tactics levels? Mistake one is trying to map this using something like Bloom or Gagne. This diagram has NOTHING to do with a taxonomical learning or objective learning outcomes structure. But yes, we’re likely going to use those learning objectives. The Bloom taxonomy has nothing to do with any of the levels below. This has everything to do with identifying the KSAs for each level. Few organizations that say they teach strategy actually can point at knowledge objectives, skills objectives, or abilities objectives and say “that is strategy”. Much like how STUPID it is to allow MBAs to manage information technology assets, the act is disconnected from the art.
There is a lot of musing around the concept of strategy and much less actually pointing to “what” teaching strategy is, and when you talk about information technology and information security (including operations) there is nearly zero of this kind of thinking. A lot of people say they do computer network defense, which is more about information security. The computer network defense most organizations do is peewee football against the nation state actor who is the entire NFL offensive frontline, hopped up on steroids, carrying miniguns and howitzers, shouting “kill” while chewing on the thighbone of grandma. Computer network defense against those odds isn’t done by MBA cigar smoking frat boys.
I don’t hate MBAs but I get sick and tired of people with no clue setting the assumptions for risk heuristics that are completely fallacious.
Have fun working through it and socialize as you can. I’m available to come to your organization and explain in detail how screwed up it is to allow MBAs to manage information technology and how STUPID anybody who thinks that will work is…
Oh, and I know that West Point and other entities put politics above strategy but we’re talking about different aspects of the schema here. Did I mention it is absolutely freaking STUPID to allow people who have no background in information technology to manage it?