
Mission-Ready: Military Principles for Cyber Success

Military service and cyber security share vital lessons. NSB Cyber CEO Shane Bell discusses how experience in war zones can shape effective cyber crisis response.

May 23, 2025 By NSB Cyber

Let me paint you a quick picture.

It is 2003, the whole world has changed after the tragedy of 11 September 2001, and most militaries around the world are on heightened alert. Australia, like many countries, has committed service men and women to multiple operational theatres. As part of this, I deployed to the Iraq War of 2003 in a forward-deployed amphibious landing ship, HMAS KANIMBLA, spending most of that year in mine-infested waters off the coast of Iraq executing various mission-critical tasks. I was 24 years old, but in that moment I knew I was ready for whatever came before me.

Many things happened during that campaign, most of which don’t need to be recounted in this article. What I do want to focus on, however, is how the Australian Defence Force prepared us for such a deployment: to be able to deploy, execute our mission, and return home safely. Why? Because I think there is a lesson in that for organisations that truly want to be cyber ready.

The quick answer: highly effective, well-structured and purpose-driven preparation that ‘ramped up’ over a period of time, so that we were at our peak when it counted.

For a bit more detail, here are the trademarks of how we prepared and why it worked so well:

  • Time: We planned for and allowed ourselves enough time to be able to put the work in when we needed it most. If you prepare appropriately, hard but safe, you often come home safe.

  • Facilitation: We began by preparing ourselves and when we had exhausted the effectiveness of that, the experts came in and gave us a real workout! There is no substitute for a facilitated exercise, where you are fully immersed and you play the role as you would on game day.

  • Real: The scenarios were based on real-world situations that we would (and for the most part did) encounter, played out in real time with our nominated team stepping into their actual roles. In my view, nothing beats a realistic, hands-on rehearsal.

  • Scale: We started small and manageable, and progressively scaled to high impact, high stakes, catastrophic scenarios. You need to rehearse for the worst case even if it is seemingly highly unlikely, because trust me when I say that you don't want to ‘wing’ that one on the day.

  • Assessment and Debrief: Everything we did was assessed and every exercise was debriefed. Measurable and visible. That is how you learn, improve and build readiness.

Now, if you take away the military aspects of the above and replace them with cyber preparation, I don't think there is much that needs to change in the approach, right?

Yes, the stakes in cyber are not as high as deploying for war, but the risks are still pretty significant and can sometimes even be business-ending. So why are so many businesses in Australia not preparing for the hard, or even for the real?

I am here to tell you that a 2-hour PowerPoint presentation on cyber threats is not going to prepare you for, or mitigate your risk of, having a cyber incident, no matter how fancy the slides are. It can be a helpful introduction to what a cyber event entails and help you get through some of the compliance mechanisms, but there is no substitute for actually subjecting your teams and your business to a facilitated cyber scenario that is representative of what it is actually like in that moment. If given the choice, I am certain that most people wouldn’t want to learn that on the fly during an actual incident.

I recognise that budgets are tight, calendars are jammed and no one likes training anyway, so making a decision to back yourself in the event that an incident happens is an easy decision. I just don't think it is the right decision.

As trusted advisors, it is our job to deliver this message even if it is not the most popular. Because when a cyber event hits, how you respond is entirely shaped by how you’ve prepared. And preparation isn’t just about ticking off compliance or watching a slide deck; it’s about building real, scenario-tested readiness.

That’s why at NSB Cyber, we support our clients across the full life-cycle of a cyber event:

  • Before: Helping you understand risks, uplift defences and rehearse real-world scenarios.

  • During: Standing beside you in the thick of it to contain, respond, recover.

  • After: Conducting threat intel and forensics, managing ransomware negotiations, and helping you bounce back stronger.

If you’re serious about being ready, we’re here to help.

Head to our website for more information about our team and services.

NSB Cyber, an Australian-founded cybersecurity firm, helping organisations prepare for, respond to, and recover from...