Formula 1 technical director and former Brawn GP team principal Ross Brawn gives his perspectives on strategy and decision making in his book Total Competition – and there are more parallels with cyber security than you might think.
You could make a good case that Formula 1 shares a lot with cyber security. Both are fields that bring together technology and politics, often with a high level of urgency and tight deadlines. Success in either requires a combination of technical know-how and careful stakeholder management.
In his book Total Competition, Ross Brawn – whose career spans Ferrari, Brawn, and Mercedes among others – lays out his principles in strategy and success. I finished it last month and would recommend reading everything the Formula 1 technical director has to say, but to whet your appetite here are some of the key messages I picked out that can be applied to strategy and decision-making in cyber security.
1. Consider the three components of strategy
Brawn says Formula 1 is a balancing act between politics, economics, and technical ability. But his objective as team principal wasn’t just to push these to the highest levels possible – it was to ensure they were properly aligned with each other and collaborating in an effective way.
“I think [strategy] goes back to those three elements: politics, economics and technical capability. Putting all these into a place and a level that enable them to achieve the objective of success… Behind all of that you have the planning, the timescales, you have projects and innovation. But as the team principal of a Formula 1 team, for me it was getting all of those elements to the right level, but importantly, all crossing over to really get the most out of them.”
The same holds true in cyber security. You can have the best technical people and ideas on the planet, but if you’re not engaging senior stakeholders in a way that speaks the language of the business then you’ll struggle to get funding and implement change. Likewise, using a large budget in a way that’s not technically savvy could leave you with a posture that’s not much better than what you started with.
2. Listen to others at all levels
These days in Formula 1, the top three teams – Mercedes, Ferrari, and Red Bull – are expected to perform and have budgets to match. But it’s important to pay attention to the cars further down the grid, Brawn says, where teams are forced to do more with less in order to compete.
“The modesty and the ability to listen can come from all levels. You go to a meeting and there’s a tendency to listen to the top teams, like Ferrari or someone. But often from someone like Minardi, or these days Haas, you can pick up little things. You’ve got a team like Force India out there who seem to fight above their weight, above their budget and their political position. They must be doing something quite interesting to achieve what they are doing.”
In cyber security, ideas and innovation come from all angles, at both large and small organisations and also from individuals, whether they’re professionals or hobbyists. The breadth of the field also means that everyone has different specialties – an expert in server hardening is unlikely to be a mobile device forensics expert, for example – so it’s important to take in a variety of perspectives.
3. After consulting, make a decision
However, there’s a time to listen and a time to act, and if you listen to opinions and arguments indefinitely then you’ll be struck by decision paralysis. In Total Competition, Brawn emphasises the importance of demonstrating decisiveness after weighing up the evidence.
“My management style was to be consultative, but then making a decision and expecting everyone to stick by it. I was very happy and wanted to get advice from people and hear their opinions and put everything on the table… But in the end I would say, ‘Right, this is the way we’re going.’ So people always left the meeting knowing what we were doing.”
Needless to say, your security team need to be on the same page with clear objectives and an agreed path to reach them. This ensures effort is focused and everybody is pushing in the right direction – and minimises time wasted working in isolation waiting for direction from management.
4. Keep solutions simple
Formula 1 is as much about reliability as it is about speed – just ask Red Bull or McLaren about their experiences over the last few years. For this reason, Brawn advocates simple solutions over more complex ones, as they are usually cheaper and easier to maintain.
“There is no doubt that the more complex the solution, the more unintended consequences you can have… I would always advocate simple solutions. These things have got to be made, and they have got to be serviced and they have got to be used in the field. And reliable. Complex solutions are nearly always heavier, more expensive to make, and use more resource.”
The same considerations apply to changes in cyber security. An alteration to a configuration setting could have unforeseen knock-on effects, for example, and complicated software with many lines of code has more room for vulnerability-inducing oversights. It’s often best to keep things as simple as possible.
5. Stick to your word to build trust
When you’ve decided on your solution – or in any other situation where you need to make a decision – Brawn says it’s important to stay true to your word. Even if you’re sticking with a decision they don’t agree with, this will show your colleagues that you’re reliable and trustworthy.
“People have got to know that what you say you are going to do is what you do. And it may mean often having tough decisions to make but which still create trust… It can be a personal topic. It can be a professional topic. They need to know they can trust you, even if they don’t agree with you.”
This applies not only in Formula 1 and cyber security, but in business as a whole. In both my journalistic and security careers I’ve seen instances where teams have been demotivated due to sudden changes in direction that went against previous instructions, and the best managers I’ve worked with have always been those who have been up-front and consistent with the people working for them.
6. Communicate early to avoid crises
In Total Competition, Brawn discusses some of the pivotal moments in his success, including the investigation into Brawn GP’s 2009 car, which eventually went on to win the championship. But that may never have happened if the team hadn’t won a crucial decision allowing the use of its controversial double diffuser. Brawn puts this down to his straightforwardness with the FIA, having gone to them to discuss the issue rather than waiting for the question to be raised.
“I built a relationship again: approach these issues before they become a crisis.”
Brawn says the same approach also worked to enable cooperation with groups initially opposed to a mill renovation he was involved in. This also works in cyber security – the teams and people affected by your processes, decisions, or actions will appreciate it much more if you consult with them ahead of time, let them know what’s coming, and incorporate their feedback into the finished product.
Ross Brawn’s book – Total Competition: Lessons in Strategy from Formula 1 – is available now.