This blog on security training is adapted from an upcoming RSA presentation, Cyber Security Lessons from the Great Generals of the Ancient World.
Security training is important. I can’t think of a single person in our industry who would disagree. If you’re trying to address a recurring threat, shouldering the burden and relying on technology alone is a one-way ticket to breach-ville. But what exactly does security training look like? Is it a 30-page packet, phish testing, an annual module that every employee blows off as long as possible? Security training is hard.
So let’s turn the clocks back, I’m talking way back, and take a page from one of the greatest minds in all of military history.
The Alexandrian plan of battle
Alexander deserves his epithet: the Great. He was undefeated in battle and conquered from Greece to India in a time when powers such as Athens and Sparta, less than 100 miles apart, couldn’t establish dominance over one another. In 12 years he built an empire larger than Rome’s empire at its height — and keep in mind Rome required dozens of emperors and hundreds of years to expand their borders. Did I mention he did all this before the age of 30? He was crowned king of Macedon as a 20-year-old, at a time when most college students are unsure of whether to major in psychology or physics.
In many of Alexander’s most famous battles — Issus, Gaugamela, Hydaspes — he led from the front of the cavalry. When you think about that for a few minutes, it’s completely absurd. Sure it’s courageous, but it’s also extremely reckless and inflexible. What happens if the king takes an arrow through the eye on the opening volley? What happens if the infantry needs a mid-battle decision on how to handle an unanticipated enemy maneuver? What happens if the cavalry would be better deployed at a different spot on the field? Alexander had no way of knowing any of this and no way of surveying the entire battlefield. But this was Alexander’s MO; to quote from the not-so-great Oliver Stone film, Alexander, “the first rule of war is to do what you’ve asked your men to do. No more, no less.” Many of history’s great generals would disagree.
However, the reason that leading from the front of the cavalry worked so well for Alexander is that he had some of the most competent generals in history; men who would themselves become accomplished kings and generals after Alexander’s death. (Credit where credit is due: Alexander’s father, Philip, was responsible for building the army and training the generals that Alexander relied upon during his campaigns. Philip deserves as much recognition as Alexander.) Anyone familiar with Greek history will recognize a few of their names — Ptolemy I, Antigonus Monophthalmus, Craterus, Seleucus I, Lysimachus, Perdiccas, Antipater. Among them were the founders of some of ancient history’s great empires — the Ptolemaic Dynasty in Egypt and the Seleucids, to name the two most successful.
When Alexander was embroiled in intense fighting in the vanguard of his cavalry, he could trust that his generals were handling themselves elsewhere on the battlefield. They were the best in the business, and, collectively, they constituted one of the most successful armies in the history of mankind.
So what the hell does this have to do with security training?
Too many security teams nowadays try to shoulder all of the responsibility for the entire organization. In an age where every employee has a mobile device, 3 or 4 social media accounts, and a bad habit of clicking on too-good-to-be-true links, effective security training across an organization is an increasingly Sisyphean task for the modern infosec team.
The lesson is to take a page out of Alexander’s book and start realizing that you have other generals you can lean on elsewhere in the organization. Start building security into the architecture of other departments. Incentivize heads of marketing, sales, and so on to take security seriously. Have them establish the culture of security within their department rather than trying to impose it from the outside. If you can create security-savvy managers elsewhere in the organization, security and security training will trickle down.
What does this look like in practice? If a breach comes from within the marketing team, the CMO ought to be on the chopping block. Run phishing tests with departmental incentives for the most secure. (Shameless plug: ZeroFox has developed, to my knowledge, the industry’s first social media phish testing platform. Considering that phishing is increasingly being carried out on social networks, it’s time to extend your scope for testing.)
If the only people in your army who know how to fight are other cavalrymen, your infantry or artillery corps will certainly crumble. Don’t try to train every single hoplite yourself; instead, make sure that your CMO, VP of Sales, Head of HR and so on act like Ptolemy, Seleucus and Antigonus. Establish them as allies, give them robust security training and incentivize them to run organizational security like a well-oiled army.
People are your Achilles’ heel
Alexander was a master of psychological warfare. He understood how to exploit people and their emotions to win battles. He was a social engineer at the conqueror level.
- At the battles of Issus and Gaugamela, heavily outnumbered at both, Alexander charged directly at the opposing king, Darius. He understood that if Darius fled, the entire army would break.
- At the Sogdian Rock, a fortress atop a massive cliff, the defenders jeered that Alexander would need “men with wings” to lay siege to it. That night Alexander sent his best climbers up the cliff face with ropes and iron pegs. When the sun rose the next morning and the defenders saw Greeks standing on the summit above them, Alexander sent word that he had found his winged men, and the stunned Sogdians surrendered without a fight.
- At the Battle of the Hydaspes, Alexander feigned river crossings night after night in order to deprive his opponent, Porus, of sleep; the Indian army was forced to deploy in full strength at 2 or 3 in the morning, every morning. By the time Alexander actually crossed the river and engaged, his opponent was exhausted. (Spoiler: Alexander won.)
The point is this: your adversary has already taken a page out of Alexander’s book by targeting your people. Hackers are increasingly turning to social media to conduct reconnaissance and launch attacks against individual employees — never in the history of information security has the adversary had such intimate access to troops on the ground.
It’s time for you to take a page from Alexander’s book as well, and begin establishing a culture of security across your organization. It starts with the heads of other departments. Find your Ptolemies across the organization, and let them lead the charge into battle.
Spencer Wolfe is the Head Security Research Writer at ZeroFox. He studied ancient Greek history at Columbia University before making the jump to cyber security. His presentation, Cyber Security Lessons from the Great Generals of the Ancient World, will be featured at RSA 2016.