Does Your Cybersecurity Strategy Include Jedi Knights and Imperials?

Posted on by David Lewis

What makes for a good cyber security strategy? There are all sorts of directions we could take this discussion. For instance, do you handle security issues in a reactive or proactive manner? Do you become unnecessarily preoccupied by the possible threat posed by the sharks in the ocean? Or better still, on how you will deal with all of the potential eventualities that could spring forth from that ocean? Your approach is key.


A security practice isn’t about being merely reactionary. It has to have a solid long game. One that is built with a strong base. What I’m most interested in for the purposes of this discussion are some foundational aspects of security, namely your staff. When you are working to build out your organization what types of people do you hire? What are they going to be doing in your organization? The Star Wars movie franchise provides a fantastic allegory for describing this problem. Are you building a practice from the construction of the hull of a new starship or handling the day-to-day running a star destroyer? 

How do you grow your organization? As that organization grows who do you hire? 

When Darth Vader sweeps into a room everyone knows he is there. All of the rank and file cower over their consoles wondering who will be the next one to be force-choked for not updating the antivirus definitions, er, weekly report. These folks are the ones that make sure that operations continue on unabated. Imperial staffers are there to ensure that the lights, and lasers, remain operational. 

Or are you building a security practice from the beginning? In this case do you hire Jedi Knights? The Jedi invariably are highly qualified staff who prefer to build their own lightsabers by hand. While Jedi can be great to have on staff they can, on occasion, cause a bit of a kerfuffle with a slaughter and a switch to the dark side of the Force. 

In the case of Kylo Ren, however, I often wonder if he was using Red Star OS or Hannah Montana Linux to build his saber. Always looked a tad unstable. 

Whatever the plan is for your organization, you will need to hire people to do the less glamorous work too. It should always be kept in mind that Jedi/Sith and Imperial officers and rank and file really never work well together. There will be conflicts, but this is true of any staffing situation. Be prepared with a plan of action on how to manage those when they occur. 

In order to maintain a smooth running ship, you’ll need something to add to the mix in addition to your troopers. Is your solution to buy boxes with blinky lights? No. Boxes don’t scale. You need to have defined processes. This is something that you can develop in-house to help improve operations and reduce the rate of incidents in your organization. This is an operational expenditure of staff and coffee and it is achievable if you have the willingness to get it done. 

How does the organization weather adverse conditions? An organization can continue to operate after losing staffers along the way. Whether that employee is Obi-Wan Kenobi, Darth Maul, Jyn Erso or the diabolical Jar Jar Binks, organizations will survive their departures. Equifax as an example, sacrificed a bunch of pieces to save the whole. Case in point after their data breach that came to light this year the CEO, CIO and CISO were all sacrificed to save the company. 

Later one lone IT staffer was blamed as being responsible for that breach. If that was true, then the security program was a house built on shifting sands as opposed to a solid foundation. I don’t believe this to be the case. It would outline a severe breakdown akin to leaving a small thermal exhaust port open… oh. 

When you look at your security practice make sure that you have a solid vision for the future. A future that will continue long after we have left the organization for new adventures of our own.

David Lewis

Global Advisory CISO, Cisco Systems

Security Strategy & Architecture

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs