
BLUF: Predicting and influencing actions before crucial incidents occur or decisions are made requires thinking Left of Launch. The term is normally reserved for adversaries, but gaining ground for preventative programs within an organisation, without clear evidence of an incident, forces the same analysis inward, focused on the period before decisions are made.
Background
A common military term, Left of Launch (LoL), deals with adversary timelines and refers to everything that happens before a missile is launched (although with the new space race, we could be talking about a rocket program). Everything after the launch could conceptually be called Right of Launch, although I don’t believe that is an established term. Left of Launch considers prevention measures, taking into account both sides’ risks, decisions and environmental factors that contribute to the choice to launch. Ideally we search for factors of control that we can influence to keep the adversary from launching. Adapted for business, the examination turns more internal: how do we map out operational resilience, risk and fragility, factor in inclusion elements, thread security into product development, evaluate third-party connections upstream and downstream, and create digital continuity across business ecosystems? The list of considerations needed before an incident goes on.
Despite sharing the letters of a digital humour marker, LoL is no laughing matter.
That is in part because there is so much to consider, and in part because success means something didn’t occur. It goes past the fun logical exercise of proving a negative (I’ll tell you the ending: you really can’t) into proving the value of an absent incident. The following are challenges found LoL.
- Looking for known unknowns: Identified unknowns are often factored into areas such as risk and control. The issue is that these have known elements, based on anticipation from observed patterns and behaviours, which makes them less unknown. A cyber comparison would be the routine surfacing of vulnerabilities versus zero-day vulnerabilities used in exploitation. In the former, the vulnerability wasn’t known beforehand, but it usually surfaces through known information channels such as security researchers or Microsoft’s Patch Tuesday. In the latter, we scramble because the reveal comes at compromised organisations’ expense.
- Dealing with unknown unknowns is complicated, but not impossible if you establish well-understood knowns beforehand within the processes, technology, risks and controls of the organisation and its ecosystem, developing flexible adaptability to incidents.
- Business expenses without result metrics: Frustration abounds when making the case for prevention. Programs cost money, even if they are worlds less expensive than fixing what was broken. The advantage of heists and incident recovery? A definite dollar value is now attached. Justifying preventative expenses without sharply relevant comparisons invites the challenge of proving absent incidents. Doing something because you can, or because it is right, moral or ethical, doesn’t qualify it as a budgetary line item for most (I’d say nearly all, but I’m sure there are a few noble outliers) organisations.
- Infinity plus one is not an acceptable metric, but comparisons to known losses may suit. Look at losses to victim organisations both from the incident itself (ransomware is convenient here) and from the estimated resources spent cleaning up the preventable mess. The cost of what you are saving the organisation has to be balanced against its perception of the threat and impact.
- Faith versus proof: Unlike the evidence provided to Internal Audit and regulators, working to influence LoL is a near-religious experience. Not only are you operating on faith, but there will never be proof of your success. There will be no assurance that your efforts, rather than other extenuating factors, were the cause of prevention. The viability, sustainability and contribution that go unseen by the organisation are often founded on fear.
We have yet to develop response options that adequately address our enemies’ decisions and resources Left of Launch; to build those options we first need to address internal organisational matters. At best, our organisations should be able to adapt resiliently to whatever is thrown at them without requiring massive resource infusions.
As we move our conversations LoL, we’ll see who has the last laugh.
-scl