I'm optimistic with Allied Government's new approach to cyber defense: Persistence should be the focus, not deterrence.

I encourage you to read the fantastic article (by Richard J. Harknett, Ph.D.) about a strategic shift in combating cyber-attacks.

America's policy in cyberspace is about persistence, not deterrence (cyberscoop.com)

Those responsible for cyber defense in the United States (and many allies) have traditionally leaned upon hard earned historical lessons and (non-cyber) military doctrine regarding large state conflicts to create an approach to national defense in cyberspace. The “In Real Life” defensive plan for nuclear capable nation states is deterrence since the impact of such a weapon is so dramatic. With historical inertia guiding decisions, a similar approach of deterrence has been the operational standard for cyber, and with unsatisfactory results.

At top leadership levels of allied governments, a shift in thinking has taken hold and the realities of a completely different environment (cyberspace) are being factored into the best way to defend national interests. The pivot is to change mindset from Deterrence to Persistence and is called Cyber Persistence Theory (CPT).

“Deterrence promises to react to something; but in cyberspace, it is all about being proactive. Since cyberspace is a realm of seeking ubiquitous opportunity to exploit, remaining persistently engaged in order to get in front of such exploitation is the logical strategic choice.” (Harknett)

This change aligns with the realities CISOs deal with while protecting commercial interests. A defensive approach only involving technical controls has proven to consistently fall short of protecting data, people, and environments. A thoughtful and comprehensive Cybersecurity Program with the right mix of preventative and reactive controls provides organizations with the highest assurance attacks are mitigated to a degree of acceptable risk.

With governments pivoting to this new approach, I’m optimistic our digital interests will have a more robust defense, and malicious actors will have less success with attacks.