Do you have a red team and if so do you know how to effectively use it? Do you know what a red team is? Stanley McChrystal is a retired 4 star General that was responsible for forces in Iraq and Afghanistan. He was the primary strategic commander of the war against terror in the Central Asian theater. McChrystal is noted for also being one of the most successful and innovative field generals since George Patton. He teaches a lot of things his book is a good one. But one of the most important is how do you know what is working and what is not before an operation commences. Or how are you sure that as a leader your best-laid plans by your best experts are really the right plan? Will it work?
Well actually you don’t know for sure and there are several reasons for this. The biggest reason is the bias that the team that put the plan has their own plan. It is human nature; it is sometimes hubris, sometimes arrogance, sometimes ignorance. Whatever the reason these are human frailties and should be expected by leadership.
How Do You Really Know?
So how do you get past this? In General McChrystal’s case, this was a really critical question because, if the leadership makes a mistake in your company it can be bad. Sometimes really bad people may even lose their jobs. If the military leadership makes a mistake in an operation in the mountains of Afghanistan, people will die. To make matters worse he was not fighting the type of war that we consider conventional war, moving massive divisions of armor and infantry across a front to achieve a defined objective.
McChrystal was in a new era, that relied heavily on intelligence operations for immediate feedback, special forces that were much smaller and more mobile, independent and aggressive. And an enemy that had adapted well to his environment and knew how to exploit the weaknesses of a big slow moving slow thinking American force. Actually, this sounds kind of familiar don’t you think?
You manage big companies with large numbers of people and you are up against an enemy that is small fast moving, innovative, willing to exploit whatever weakness you have without regard for any rules. This is the Cyberwar that we have to fight every day. (if you don’t think we are in a war then please see other discussions on this)
So the red team was developed by the US military and used effectively not at first but eventually to assist tactical commanders with countervailing information on planning. This gave them feedback on what they could do to make it better before the actual operation. Red teams operate independently of the chain of command in order to maintain objectivity. There is a lot more that can be said about red teams but I believe you understand the importance of this tactic.
So let me ask you the reader. Do you have a red team? If so can this red team operate independently? Is the feedback from this red team showing you vulnerabilities in your IT infrastructure? If not then they are probably not doing their job. Most organizations go through some basic audits. But most do not have any type of red team or red team process. This is hugely important to the success of your security posture. It should be incorporated into your security posture and used to evaluate it’s efficacy regularly.