Not all situational awareness is made equal

The war taking place in Ukraine and the phases that led to the current situation exemplify the importance of having an accurate situational awareness, an analytical ability to reach right conclusions from the information available, and most importantly a capability to act correctly based on the information and analysis. While the Western powers all witnessed the rise of more assertive and aggressive Russia, only few countries can feel well prepared to the current geopolitical climate and thus could now submit their claim to the ”I told you so” trophy. The same is true with the situational awareness in the cyber context.

Having a beautifully designed graphical dashboard showing a near real-time representation of the current information flows and the state of the systems alone is not enough, but can actually lead into a false sense of security. In order to be useful, the organization’s situational awareness needs to be based on correct and valid information or observations, and the information conveyed by the various representations needs to be analyzed and interpreted correctly. Moreover, the conclusions drawn from the analysis need to lead into decisions and a set of corrective actions that have been mandated and properly resourced. Finally, a follow-up should be done in order to see, whether the actions taken have had a positive and anticipated impact on the developing situation.

As it was mentioned above, the observations create a basis for situational awareness. Observations are based both on external and internal information. For example, if the threat information coming to the defensive systems from external sources is outdated and only covering parts of the whole up-to-date knowledge base of known threats, you might falsely believe that all is fine within your organization. Even when known vulnerabilities are actively taken advantage of in operations successfully targeting your organization. Similarly, if the selected internal information sources are invalid, such as monitoring only your organization’s official network entry and exit points, you might miss the data flowing in and out through unofficial and unmonitored access points.

While the observations and their various representations may be correct, they might not be able to convey the right message to your analysts, who as a result fail to orient themselves well with the information they receive. This kind of failure could be a result of lack of training to reach right conclusions, an unexpected situation that gets interpreted incorrectly, dislike of or inability to trust the presented evidence, or simply lack of available resources, such as time or people. Regardless of the type of orientation failure, the end results are badly delayed or altogether missed actions at your organization.

Even if the observations and orientation have both been successful, usually the problem comes with the inability of your organization to make correct decisions and act upon them. There might be an abundance of bureaucratic red tape and jumps through hoops required before the decisions will be reached, actions get properly mandated, and resources become allocated to the actions. Long chains of command, missing leadership, and highly centralized decision-making with disempowered response teams all contribute to the costly organizational paralysis at the time of crisis.

All the above takes place in the perpetual loop, where your organization is all the time responding to its best ability to the situation it thinks that it is in. It is clear that technology is an important part of your organization’s cyber response and it helps you to make sense of it all, but by no means can technology be the sole answer to the question. Successful cyber response demands in addition to the right technology also right information, right people, right timing, right processes, and right leadership.