InfoSec Lessons from Board Games with a Toddler

Distract Your Enemy While You’re Taking a Few Extra Moves to Kick Them Off the Board

I played a board game with my almost-three-year-old daughter a few days ago. Given how much time I spend away from home I tend to be pretty easy to con into just about anything my twins want to do. Bella picked the one with the little pop-up bubble where you press down and the die jumps, and there are pieces that move around the board. I think it was a modern version of Sorry. Remember that from when you were a kid?

My daughter set all the pieces up (which is impressive for an almost-three-year-old) and pointed at the bubble when it was my turn to roll the die. Then, the fun started.

As we started playing, I got the sense that these weren’t exactly the rules from the rule book. But since I didn’t have time to read that, and she doesn’t know how to read, I went along with it. The game got more interesting for the next few minutes. I rolled the die and moved the pieces, and she would rearrange them into whatever configuration she preferred. She had probably watched some of the bigger kids playing by taking turns and moving pieces and decided she would just figure out the rest.

You can safely assume I lost the game. I think.

I enjoyed the time together immensely, but it was a stark reminder of what my career in enterprise security has been like. I feel like we’re always playing a game of someone else’s design, by rules we aren’t quite sure of – except that we’re pretty sure the outcome is not in our favor. Playing defense is a funny thing. 

I wish the moral of this story was that it’s OK to just play along and have fun. I suppose that’s the lesson when you’ve got a toddler you can’t wait to spend time with – but when you’re defending a company’s intellectual property, that doesn’t work so well. Playing on someone else’s terms isn’t great, and you’re not getting paid to just have fun.

So, how do you win, when you don’t know the rules? Adaptation, I believe, is the key. Even if you don’t know the rules, you know the game. Defending the corporate space isn’t new. And it’s not as if you don’t know your own environment at all. Odds are fairly good that the enemy you’re facing doesn’t know the network, applications and users better than you do – although let’s not take that as a given yet. You’re always playing, you’re just not really sure of the rules.

You may not know the enemy’s target, means of attack, motives or attack timeline, but you know they’re coming. You at least should know your own weaknesses (vulnerability management) and likely points of attack (threat modeling) so you can position your defensive countermeasures most appropriately. You should know your security organization’s limitations and capabilities from red team exercises you’ve done and table-tops in which you’ve engaged.

So, in fact, you’re not playing a totally foreign game, but one that is equally foreign to both sides. You know the playing field – your network – and you should have a handle on the desired outcomes (for the enemy to “win”). Now all you have to do is adapt. When the enemy takes out your pawn with an unexpected maneuver by the knight, jump them with your bishop and take an extra move to take your queen out of harm’s way. In fact, throw out the rules entirely. Liberate yourself from the rules we’ve lived with for more than two decades. If you’re in need of guidance, my daughter can show you how.

Just play defense. Plan it. Build it. Then go run it.

Forget the blinking lights, the routines of checking dashboards for high severity this, and critical that … just play defense. Look for signs of badness, stop them as quickly as possible by playing as dirty as you’re able to, and await the next move. My daughter’s goal was to play and have fun, but yours should be to win. Distract your enemy while you’re taking a few extra moves to kick them off the board. Use resources only available to you and your team, take every opportunity to cheat and win at all cost.

Rafal Los is Managing Director, Solutions R&D within the Office of the CISO for Optiv, which was created in 2015 from the merger of Accuvant and FishNet Security. Los leads a team developing research-backed guidance addressing key program challenges for enterprise security leaders. Prior to joining Optiv, Los served as principal, strategic security services at HP Enterprise Security Services. Previously at HP, Los served several diverse roles including security strategist of enterprise security products where he advised customers on implementing practical solutions. Los also held various positions at GE entities and various other start-ups. Follow Rafal on Twitter: @Wh1t3rabbit.