Red teaming is widely regarded as one of the most effective ways to assess an organization's resilience and response capabilities against cyber threats, and it is often treated as the holy grail of cyber security consulting. We've seen it described as "gloves-off," "real world," "no holds barred," "full scope," and "live fire."
It's also one of the most exhilarating roles in cyber security. Imagine breaking into buildings, sending malicious emails to your CEO, and being able to steal millions of dollars with the click of a button, all legally.
The Stakes Are High
The very essence of a red team exercise is to make it as realistic as possible. The stakes feel incredibly high for the responders, whose primary job is to prevent the red team from achieving their objectives.
Ask any red teamer whether their goal is to "win." Chances are you'll hear phrases such as "We don't necessarily want to win" and "When we win, we lose."
Now, ask a few defenders if the red team wants to win. You're sure to hear a resounding "yes."
This isn't meant to shame red teamers. I, too, was there at one point. However, the incentives are flawed. My incentive was to grow in my career, to perform highly technical work, to bypass defenses, and to show the organization how talented I was. By allowing the blue team to "win," by getting caught by cyber controls, I was doing myself a disservice.
And when we did let the blue team "win", it was often patronizing.
Emotional and Psychological Costs
A study by IBM on cybersecurity professionals' mental health pointed out that more than 75% of respondents have experienced stress and anxiety during their jobs due to cybersecurity incidents.
So why are we okay with performing these types of engagements? While it may be a great learning opportunity for the team responding, what cost does it entail?
Imagine you're training your bank tellers how to deal with bank robberies. You decide to test their response to a simulated incident, so you hire a team to rush the bank with ski masks and fake guns. Sounds silly, doesn't it?
Team Dynamics and Morale
The impact goes beyond individual stress levels. The constant tension and pressure can create cracks in team dynamics. Since red teaming generally grades the defenders on their ability to respond to attacks, the outcome often causes blame shifting, distrust, and lowered morale among team members.
A Necessary Evil?
The merits of red teaming for cybersecurity are well-documented. It's a rigorous method that can provide an organization with valuable insights into its security posture. However, considering the emotional and psychological toll on the responders, it's worth pondering whether the traditional approach to red teaming is genuinely effective in the long run. Are we trading off emotional well-being for a snapshot of our cyber vulnerabilities? Is there a way to simulate real-world scenarios without causing undue stress on the workforce?
Alternatives to Consider
Methodologies like wargaming involve broader stakeholder participation and strive for collective improvement rather than a zero-sum game of attackers versus defenders. While wargaming also has challenges, the emotional toll on participants appears to be lower, as the focus is on collaboration and constructive feedback.
A Thoughtful Pause
Perhaps it's time to take stock of the human element in cybersecurity. Instead of asking solely whether our systems and networks are secure, maybe we should also be asking, at what cost? As the landscape of cybersecurity evolves, so should our approach, ensuring that we don't lose sight of the well-being of the people behind the screens.