Tradecraft: Putting the Security back into Cybersecurity
Experience and ability are two sides of the same coin in all areas of human performance, from art and sport to business and technology. The skills acquired through experience in a field, what we refer to as tradecraft, have been associated with craftsmanship going back to the guilds of the Middle Ages, leading to the coining of the term.
New developments in strategy and analysis might emerge occasionally to elevate expectations, but time and again it is the domain experts who properly integrate these innovations that consistently deliver.
Tradecraft is what leads countless world leaders to stop off at London’s Savile Row for their suits. It is the reason Norway leads the world at the Winter Olympics with a population smaller than that of Barcelona. It is consistently synonymous with success across all human pursuits and while it can be supplemented, it cannot be replaced.
In cybersecurity, threats and vulnerabilities change on a daily basis, but the principles that underpin high-level security expertise, the sector’s tradecraft, have been around for over a century.
In the field of national security, tradecraft arguably began with Francis Walsingham, Spymaster to Elizabeth the First. Walsingham pioneered intelligence gathering, espionage and cryptography in his service of the monarch, averting a proposed Catholic rebellion and a potential Spanish invasion.
National security developed throughout the twentieth century and the Cold War, going on to form the basis of information security tradecraft. The most advanced Security Data Science remains firmly rooted in tradecraft principles stretching back to the Victorian era.
Mastering tradecraft in any field is a lifetime’s work, but determining its importance to protecting data is straightforward. It provides the first principles of security: identifying and evaluating assets, determining and categorising risks, and applying models and solutions. Tradecraft in cybersecurity is a mindset and a skillset that draws from domain expertise and emphasises situational awareness. Technology, in turn, provides tools that offer value according to their application.
Tradecraft in practice
This domain expertise requires a deep understanding of the cybercrime landscape within an organisation’s industry, as well as in IT more broadly. Experienced practitioners are able to spot patterns and draw conclusions on the bad guys’ mindset from disparate attacks across different sectors. They can evaluate assets from the perspectives of their owner and potential attackers, blending behavioural psychology with quantitative risk assessment.
Tradecraft is what allows security professionals to position each improvement in attackers’ capabilities or increase in a company’s budget within a cyber mosaic, where computer networks and nodes are overlaid by human traits and biases. It even allows them to present recommendations to a company’s board in a way that the chief executive can understand and approve.
Tradecraft and technology
The tradecraft mindset should dictate how a company actively monitors for threats, prepares for events and sets in place principles that allow for uncertainty in planning. This approach is often more important than the strength of a security team’s products and tools, and is applicable right across the security function.
New technology such as machine learning is a boon to the industry, but it is not a silver bullet. To use a sporting comparison, investing in advanced technology is like buying the world’s best international football players to line out for your team, without putting in place a management team who can coach them to play together. We are all familiar with stories of sporting underdogs who beat well-resourced favourites against all odds, but we do not want this to be a team of hackers overcoming our (costly) defences. The most advanced solutions will offer subpar security unless they have been built and implemented from a basis of tradecraft.
Where to find it
Tradecraft talent is hard to come by and is growing in importance. LinkedIn data shows that 24% of corporate executives have financial experience and yet couldn’t prevent the 2008 crisis, so the 3% with cybersecurity experience have a mountain to climb to avert a growing cybersecurity menace. Organisations need to find and enable tradecraft experts to keep their reputations and customers safe.
A lot is written about how AI technology is displacing human input across a number of sectors, but in other ways it is making expertise all the more valuable. As a company’s endpoints, data, tools and solutions grow exponentially, the central security strategy underpinning them becomes crucial.
This strategy is designed with tradecraft and implemented by technology. For the majority of companies, staying safe means looking to the market for both.