I often reflect on how difficult choices in our industry can be. Do we invest more in prevention, detection or response? Do we automate or add more staff? Do we use a managed service or keep it in house?
These represent some of the strategic decisions defenders are faced with on a yearly basis. This does not even address the various tactical questions that come up on a daily basis. Do we approve the request or deny it? Do we block that IP or keep it open? Do we call HR or not?
For defenders, every day is a labyrinth of choices and decisions to be made. Most of the time, we don’t have the luxury of gathering all the data we would need to make a fully informed decision. Sometimes (arguably most times) we make the best decision we can with the best data we have at the moment. This myriad of choices got me thinking about a set of books I read as a kid: the “Choose Your Own Adventure” series.
These books were like video games before everyone had a computer, and they inspired many early game designs. In each one, you decided the fate of the protagonist by making choices throughout the book. Some led to victory. Some led to alternative endings, and some led to death. Such is life in information security.
One of my favorites was “The Cave of Time.”
Each book had a map showing all the possible choices and outcomes: a decision tree.
A really simple decision point, such as whether or not to go to sleep, could lead to the best or the worst possible outcome. You could read through the book 20 times and try every combination of decisions (the old brute-force technique) to reach the ending you wanted, or you could skip to the ending and work backwards to the decisions that led there.
I read a few of the books brute-force style but then became obsessed with picking up a new one and doing a single perfect run through it. At the time this was just a fun exercise. I had no idea that 30 years later I would look back on the time spent reading them and realize how much they have helped me avoid the pitfalls of security management.
These books taught me that every choice carries a benefit or a consequence, and that each subsequent pass through the book made it easier to avoid the bad outcomes. The process also framed decisions in terms of “if” and “then.” SPOILER ALERT: If you join the caveman, then the story continues. If you don’t, then the story ends.
So what exactly does this have to do with infosec?
We are still making many of the same mistakes we always have. We brute-force our way to an outcome instead of first deciding what outcome we want and then working out which choices will get us there. We need to make better choices and put more strategic thought behind them.
If we do even a quick mapping exercise of the worst possible outcomes, we gain the ability to make better decisions earlier, upstream of those outcomes.
Considering the points at which your program or a technology initiative could fail is imperative to success. Planning for failure will put your program miles ahead of anyone who doesn’t. The exercise does not need to be exhaustive or comprehensive; knowing the big failure points is always a good place to start.
A simple one would be:
What if a security project is delayed due to resource constraints? Does that kill the project, or does it lead to a regroup and restart?
Asking this up front helps your team map the dependencies and choices downstream so you can avoid the worst outcome (cancelling the project).
Performing this exercise will also help you better understand your threats.
Which is the more likely scenario for your organization: an insider accidentally releasing confidential information, or a nation-state actor going after your intellectual property?
Each would present its own set of choices, but the first question that needs to be answered is: “Where do we focus?”
How would the insider accidentally do that?
What’s missing that could help avoid the accident?
In “The Cave of Time,” a bad decision means restarting the adventure. In your program, the bad ending is a breach.
What led to this breach?
How long did it take you to respond?
What could your program have done differently to avoid this scenario?
These are just a small sample of the thousands of decisions defenders make on a daily basis. Each decision a cyber defender makes carries certain benefits or consequences.
Have you taken the time to run through these scenarios with your team offline? Each day, you are able to choose your own infosec adventure. What paths are you considering and how do you go about avoiding pitfalls?