I was recently looking over my collection of board games. As my eyes moved from game to game, I thought about the strategy and approach with which I play them. But, then, an entirely different set of thoughts went through my head. I started to think about the security lessons each game can teach us, and in this piece, I'd like to share those valuable lessons with you. What can old-fashioned board games teach us about security? More than you think.
Risk: Where You Start from Matters
If you've ever played Risk, you know that starting in Australia gives any player a unique advantage. Since attacks can only come from one direction, there is only one direction to defend. This allows the player to focus on advancing more quickly. Likewise, in real life, reducing the attack surface gives security organizations a distinct advantage. If there is less risk exposure to defend, the security organization can focus its efforts on improving and maturing its capabilities, thus defending the enterprise more effectively.
Risk also teaches us about strategic distribution of resources. That means to avoid concentrating all of your resources in one area, and to be careful not to spread your resources too thinly. This is an important lesson in security as well. Determining the right mix of resources dedicated to a specific area is a key part of properly reducing risk and defending an enterprise.
Monopoly: Knowing When to Capitalize on Luck
While there is some skill involved in the game of Monopoly, there is also quite a bit of luck. A good Monopoly player knows how to turn a stroke of good luck into a strategic advantage. A good security team should understand how to do the same. On the other hand, it's important for security teams to know how to account for bad luck: We all encounter bad luck from time to time. The question isn't whether or not misfortune comes our way but, rather, what we do with it. In Monopoly, knowing how to account for bad luck and play through it is an important part of playing the game successfully.
The same holds for security. For example, when staring at a stack of Monopoly money, it can be tempting to buy up everything in sight. The problem with this approach is that it can leave a player overextended and unable to pay expenses that may arise as the game unfolds. In security, it's important to reserve resources for events and incidents that may arise over time rather than overextending and being left without any means with which to handle bumps in the road.
Clue: If It Isn't Written Down, It Didn't Happen
I once worked with someone who enjoyed repeating the mantra, "if it isn't written down, it didn't happen." In the game of Clue, it's important to document each piece of relevant information to ensure that it isn't forgotten and that it can be leveraged later, as necessary. The same is true in a successful security program. Whether you are talking about security operations, incident response, engineering, compliance, risk management, or any other aspect of security, you must ensure that each relevant detail is properly described.
It's also critical that you understanding the impact of each piece of information. When confronted with information, what possibilities does it eliminate? What possibilities does it allow? As with Clue players, successful security teams understand how to map each relevant piece of information to the impact it has on the organization. This allows the team to continue to react, adapt, and improve as additional information comes to light, which is an important component of a mature security team.
Life: Every Security Program Is at a Different Stage
In the game of Life, different life events happen at different times. An event that may be welcome and joyful in one stage of life may be less so at a different stage. The same is true in security. Security teams vary in their capabilities and maturity. What may be a sensible undertaking for one organization may be either overwhelming or woefully inadequate for another. It's important to understand where your organization stands in order to properly recognize which efforts are right and appropriate.
The path through development and maturity needs to be planned out. A victory in the game of Life does involve some luck, but it also involves some skill and a strategically planned trajectory. In security, it's important to strategically plan the improvement, growth, and maturing of your company's security capability. Further, this strategic plan needs to be executed well at each different phase. This is easier said than done, of course, though example after example shows that haphazardly managing the evolution of a security program yields inferior results.
Checkers: The Pieces in Motion Matter
The pieces you move around a checkerboard, and the order in which you move them, directly affects the outcome of the game. The same holds true in security. A successful security program has many moving parts. Knowing which parts to move, at what time, and in what order is a challenge. Start by prioritizing resources to protect the crown jewels. No checkerboard allows for unlimited playing pieces. Knowing how to prioritize limited resources to protect the king is also an important skill for resource-constrained security teams. Every enterprise has crown jewels that need protecting, and resources need to be prioritized accordingly.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.