Let's talk about what we have now. We may have all the tools and blueprints necessary to build a house, but it doesn't mean that we can. Having all of the tools and the resources available to defend the network is meaningless unless we know how to be effective in using them. It would also be a pipe dream to think that we can look at our strategic Capability Maturity Model and build things one by one. In many organizations, these capabilities are at different levels of maturity. As discussed in Chapter 3, Integrating Cyber Intel, Security, and Operations, level 1 of our maturity model is the most important as it will provide us our scope, and the other capabilities are prioritized based on the needs of the organization. If we look at the building capabilities at the other levels in the same way we look at building a home, you can imagine that all organizations have their own version with their own challenges of building their dream home. Some will have their homes built on a solid foundation but lack a roof and vice versa. However, we will leave planning and building (projects and development) the dream home to the top leaders, our mid-level leaders need to use their current capabilities to secure the home that they are in.
I've always used the term ugly baby to describe a situation that you're put in that is less than desirable. We all have our ugly babies, but when you are talking IT and security, there always seems to be ugly babies all over the place. While top-level management is diligently working on building that house, you are handed the ugly baby to take care of. Maybe your vulnerability management program is weak or you don't have the authority to patch up your house. Guess what? This house and all of its ugly babies are our responsibility to defend. We have to make it work.
We can make it work by delivering the cyber intelligence capability to power the OPSEC process that will make our OODA loop smaller. When we make the OODA loop smaller, we can be proactive and prioritize our defenses using Active Defense.