Exploring the mystery surrounding 'red teams'
Lina Kolesnikova explains the somewhat mysterious concept of ‘red teams’ in organisations seeking to improve their structures and processes.
In his book, Red Team: How to succeed by thinking as the enemy, Micah Zenko says: “Red teaming is a structured process that seeks to better understand the interests, intentions and capabilities of an institution – or a potential competitor – through simulations, vulnerability probes, and alternative analysis.”
Among crisis management exercises, red team exercises have an air of mystery. Red teamers are usually tied up by non-disclosure contracts with their clients and do not share their professional experience.
Meanwhile, clients themselves might be reluctant to talk about such exercises and their interest in them, as well as what came out of them, because they are afraid to let people know their shortcomings.
Conversely, considering the number of consultants and consultancies that offer this type of service, we may conclude that the current demand for red teams is fairly high.
In the military, red teams got a boost after a 2003 Defense Science Review Board recommended increasing their employment to help guard against the shortcomings that led up to September 11, 2001. Private businesses, such as IBM, and government agencies, such as the CIA, have long used them to help improve their organisations.
During my professional career I also noticed that the notion of a ‘red team’, in itself, created some confusion among people. Not many people understand either how red teams function or whether they could be employed in non-military environments. For most of my interlocutors, red teaming was a synonym for war-gaming.
Meanwhile, by using a red team exercise, an organisation can get a new and alternative perspective on how it does things. Red teams can be part of the organisation (in-house) or externally hired, such as freelancers or consultancy companies that offer red teaming as part of their services.
Drawing inspiration from Albert Einstein’s quote: “We cannot solve our problems with the same thinking we used when we created them,” organisations that seek to improve, grow and develop might request the assistance of a red team.
With the help of a red team, an organisation tests how it would do in a particular situation. This differs from a desk-top exercise in that members of the red team play active roles in the scenario and can create ‘tough situations’, playing devil’s advocate.
Vulnerability probes test cyber networks, facilities and people for reliability. A red team can target all of these in a very realistic way, aiming to find the weakest links and spots in the organisation, which should be understood as a combination of people, systems, etc.
Cyber security, for example, could be challenged by white-hat and black-hat hackers – ethical and malicious hackers. In such a context, the red team plays from a point of view opposite to that of the organisation, aiming to test its detection and response capabilities rather than to find as many vulnerabilities as possible.
This is a harsh version of the well-known peer review. However, it is expected that any criticism is welcome. The goal is not to flatter and say how good your organisation is, but to be sharp.
However, if you do not have the support of the institution’s leadership or a real willingness to hear, quite possibly, a bitter truth, all these efforts are useless. If the red team meets open confrontation from staff and top managers, its work will be jeopardised. The red team must have independence and a licence for ‘radical’ actions in order to get results that could lead to improved effectiveness.
As mentioned, the red team is intended to help improve both the staff and the organisation as a whole. Its mission is to challenge that organisation in order to make it better.
Lina Kolesnikova, 21/08/2020