InfoSec Lessons from Board Games with a Toddler

Distract Your Enemy While You’re Taking a Few Extra Moves to Kick Them Off the Board

I played a board game with my almost-three-year-old daughter a few days ago. Given how much time I spend away from home I tend to be pretty easy to con into just about anything my twins want to do. Bella picked the one with the little pop-up bubble where you press down and the die jumps, and there are pieces that move around the board. I think it was a modern version of Sorry. Remember that from when you were a kid?

My daughter set all the pieces up (which is impressive for an almost-three-year-old) and pointed at the bubble when it was my turn to roll the die. Then, the fun started.

As we started playing, I got the sense that these weren’t exactly the rules from the rule book. But since I didn’t have time to read that, and she doesn’t know how to read, I went along with it. The game got more interesting for the next few minutes. I rolled the die, I moved the pieces and she would rearrange them to some other configuration she preferred. She probably watched some of the bigger kids playing by taking turns and moving pieces and decided she would just figure out the rest.

You can safely assume I lost the game. I think.

I enjoyed the time together immensely, but it was a stark reminder of what my career in enterprise security has been like. I feel like we’re always playing a game of someone else’s design, by rules we aren’t quite sure of – except that we’re pretty sure the outcome is not in our favor. Playing defense is a funny thing. 

I wish the moral of this story was that it’s OK to just play along and have fun. I suppose that’s the lesson when you’ve got a toddler you can’t wait to spend time with – but when you’re defending a company’s intellectual property, that doesn’t work so well. Playing on someone else’s terms isn’t great, and you’re not getting paid to just have fun.

So, how do you win, when you don’t know the rules? Adaptation, I believe, is the key. Even if you don’t know the rules, you know the game. Defending the corporate space isn’t new. And it’s not as if you don’t know your own environment at all. Odds are fairly good that the enemy you’re facing doesn’t know the network, applications and users better than you do – although let’s not take that as a given yet. You’re always playing, you’re just not really sure of the rules.

You may not know the enemy’s target, means of attack, motives or attack timeline, but you know they’re coming. You at least should know your own weaknesses (vulnerability management) and likely points of attack (threat modeling) so you can position your defensive countermeasures most appropriately. You should know your security organization’s limitations and capabilities from red team exercises you’ve done and table-tops in which you’ve engaged.

So, in fact, you’re not playing a totally foreign game, but one that is equally foreign to both sides. You know the playing field – your network – and you should have a handle on the desired outcomes (for the enemy to “win”). Now all you have to do is adapt. When the enemy takes out your pawn with an unexpected maneuver by the knight, jump them with your bishop and take an extra move to take your queen out of harm’s way. In fact, throw out the rules entirely. Liberate yourself from the rules we’ve lived with for more than two decades. If you’re in need of guidance, my daughter can show you how.

Just play defense. Plan it. Build it. Then go run it.

Forget the blinking lights, the routines of checking dashboards for high severity this, and critical that … just play defense. Look for signs of badness, stop them as quickly as possible by playing as dirty as you’re able to, and await the next move. My daughter’s goal was to play and have fun, but yours should be to win. Distract your enemy while you’re taking a few extra moves to kick them off the board. Use resources only available to you and your team, take every opportunity to cheat and win at all cost.
