CISO's perspective from the frontlines

Which security game are you playing?


A few years ago I watched Simon Sinek's excellent talk "Most Leaders Don't Even Know the Game They Are In" and it completely changed how I think about practicing cybersecurity.

In his talk, Sinek presented the concept of finite vs. infinite games, and how this concept applies to leadership.

Finite game vs. infinite game

A finite game is a game with known players, fixed rules, and an agreed-upon objective. Sinek uses the example of baseball to illustrate a finite game. In baseball, the players, rules, and objective are all known and agreed upon. The game ends when one team has more runs than the other.

An infinite game, on the other hand, is a game with unknown players; unknown, not-agreed-upon, or changeable rules; and an objective of staying in the game as long as possible. Sinek uses the example of the Cold War to illustrate an infinite game. In the Cold War, the players (the United States and the Soviet Union) were known, but the rules were constantly changing. Both countries knew they could not win the game outright, so they had to keep the game going as long as possible, until finally the Soviet Union couldn't play anymore.

Sinek argues that most leaders are playing finite games in an infinite world. They are focused on short-term goals, such as beating the competition or increasing profits, and they are not thinking about the long-term survival of their organizations.

The cybersecurity game

After watching this talk, I started to think about and observe how the people I know think about and practice cybersecurity, and it dawned on me that most of us are thinking in very finite terms. It starts with the questions that we ask or are asked:

  • Are we secure?
  • Are we compliant?
  • What maturity level are we?
  • How does our security spend benchmark against our peers?

Many people are looking for some score, but these scores have little to nothing to do with how effective our defenses are against adversaries. Why is that?

When building a security practice, the first question one needs to ask is whether they are trying to defend themselves from the auditor or from the adversary.

Auditors think and operate in finite terms. Usually they are looking at controls (do you have them or not) and at control maturity or effectiveness. In short, they are looking for compliance with some kind of framework as defined by the regulation.

So, back to Sinek's concept: the players are known (the organization and the auditor), the rules are known (a regulation and a framework), and the goal is to win the game. In other words, pass the audit and demonstrate that we are compliant.

When we deal with threat actors, we need to think in infinite terms. First, the players are usually unknown (we don't know who will attack us, and attribution is extremely hard). Second, there are no agreed-upon rules. As we have seen in recent years, threat actors don't really care what they hit, as demonstrated by attacks against healthcare facilities. And lastly, there is no way for us in the civilian world to take out the threat actors, so we can't win in the traditional sense. Our goal must be to stay in the game as long as possible.

Staying in the game

To stay in the game, first and foremost we need to shift our thinking and recognize that what we do is an infinite game. So instead of starting from compliance (finite game) and hoping to get to defense one day (infinite game), we need to reverse the approach: start from defense and back into compliance. Second, we need to stop talking about security and instead focus on resiliency.

Resiliency is the ability of an organization to prepare for, withstand, recover from, and adapt to cyberattacks or other disruptive cyber events. It's like building a strong immune system for your digital world: it makes it harder for attackers to infiltrate and cause damage, and it allows you to bounce back quickly if they do.

Building Resiliency

Cyber resiliency has the following key aspects:

  • Prevention: This involves taking proactive steps to make your systems and data less vulnerable to attack.
  • Detection: Being able to quickly identify and respond to cyberattacks is crucial. This means having good security monitoring systems in place and a plan for what to do if an attack is detected.
  • Containment: Once an attack is detected, it’s important to contain it to prevent it from spreading and causing further damage. This might involve isolating infected systems or shutting down access to certain data.
  • Recovery: After an attack, the goal is to recover as quickly as possible and with minimal disruption to operations. This means having good backups of your data and a plan for how to restore them.
  • Adaptation: The cyber threat landscape is constantly changing, so it’s important to be able to adapt your defenses accordingly. This means staying up-to-date on the latest threats and vulnerabilities and being willing to change your security practices as needed.

Other Resiliency considerations

Here are some additional things to keep in mind about cyber resilience:

  • It's not just about technology. Well-trained staff are critical to an organization's resiliency.
  • It’s a shared responsibility. Everyone in an organization needs to play a role in cyber resilience, from the CEO to the front-line employees.
  • It’s constantly evolving. The cyber threat landscape is constantly changing, so it’s important to stay up-to-date on the latest threats and vulnerabilities.

Measuring resiliency

Security can't really be measured, because at the end of the day security is a feeling. Resiliency, on the other hand, can be measured empirically. For example, cyber attacks can be simulated in a controlled manner, and one can measure how well they are prevented or, if not, how well they are detected, contained, and then recovered from. This needs to be done continuously due to the dynamic nature of our systems and business.

I will explore the topic of Attack Simulation in a different post.

Conclusion

Cyber resilience is an ongoing process, not a one-time event. It requires continuous effort and investment to maintain a strong security posture. But the benefits are clear: a more cyber-resilient organization is less likely to be the victim of a successful attack, and even if it is, it will be able to recover more quickly and with less damage.

Which game are you playing?

About the author

yaron

Yaron is a seasoned multi-industry Cyber Security Leader. He is 2x CISO, Research Fellow for the Cloud Security Alliance, Security Tinkerer, Advisory Board Member for several cyber security startups and venture firms, and a Mentor to other CISOs and members of the security community.
