How Crossword Puzzles Can Improve Your Information Security Posture

This may come as a surprise to people who know me, but I’ve recently developed a love for crossword puzzles. Aside from challenging our brains and keeping us sharp, I’ve learned that crosswords can be quite fun. In particular, they are full of puns and jokes that so many of us get a kick out of.

In addition to crossword puzzles being fun, they can also help us learn a number of different information security lessons. What could those lessons be? I offer seven ways in which crosswords can help improve our information security postures.

1. Check yourself first: When something doesn’t go as expected or doesn’t work, many of us have a tendency to search externally for the problem. Crosswords teach us that a well-edited puzzle is usually correct. If the clue doesn’t seem to make sense or the letters don’t fit, it’s seldom the puzzle that’s the problem. In other words, what we learn from crosswords is that if we can’t figure something out, more often than not, we’re the problem. Rather than looking externally for the source of the problem, we need to look in the mirror. This is a valuable lesson in security as well. How many times has feedback been provided to our security teams, only to be met with finger-pointing, blame, excuses, and rationalization on our part? What if we were to shift our perspective and consider that perhaps we are the source of the issues, and that we can adapt our approach and improve our capabilities to address them?

2. Know what you know: It’s important to know where you’re strong and what you know. In a crossword, there are some clues that you get right away and some words that you can fill in immediately with confidence and without needing to think much. On the other hand, there are some clues that cause you to scratch your head in bewilderment and leave you puzzled. In those cases, you must try to fill in the known around the unknown in the hopes that you will recall a word, understand the clue, or fill in enough letters to recognize the word. In security, we can learn a similar lesson. There are areas in which we are strong and knowledgeable. They are seldom a challenge for us. However, when we come across an area where we are less strong and have little to no knowledge, how we approach it makes all the difference. In many cases, we can fill in the known around the unknown, chipping away at the problem until we make it solvable. Unfortunately, far too often, we have a tendency to look upon the unknown as an unsolvable or untenable problem. This has the unfortunate consequence of doing our security programs a disservice.

3. Justify your words:  Think you know the answer?  Check some of the neighboring words to see if your answer fits.  The same holds true in security.  If you think you’ve identified a solution to a problem, check in with your security policy, processes, and architecture to see if yours is a good fit.

4. Experience pays off:  Crosswords get easier the more you do them.  Not only do you learn new words, but you begin to notice patterns, make inferences from the clues themselves, and learn common words that often appear in puzzles.  The security profession is no different.  Each time you solve a security problem or work a given issue, you learn.  Over time, this experience pays off in allowing you to approach the next challenge a bit older and wiser.  If you don’t yet have the experience, look for assistance from someone who does.

5. Keep at it: If you feel stuck and can’t get anywhere with a crossword puzzle, it’s usually helpful to come back to it later with a fresh mind. Security is quite similar. Oftentimes, the unsolvable becomes solvable when we look at it from a different angle and with a fresh mind.

6. Sharing is not cheating: Part of the fun of crosswords is leaning on others to help you solve the puzzle.  While looking up answers is considered cheating, sharing with others is not.  In security, our peers have often encountered and addressed situations or issues we may be challenged by.  Swallowing your pride a bit and realizing that you may not have all the answers allows you to be open to help and advice from others.  This, in turn, facilitates better solutions and overall improvement of the security program. Of course, that results in an improved security posture.

7. Fun is everywhere you look: How many people fume at the news but never once look at the crossword puzzle? Frustration and disappointment are everywhere you look in the paper, but so are joy and amusement. I believe this to be true in security as well. It’s all too easy to get lost in everything that is wrong or isn’t going well in a security program. But it’s also possible to focus on the positive and see gaps and opportunities for improvement. When we look at our security programs in that light, we can work towards improving our respective security postures.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.