Right now, the battle between hackers and security teams feels like an unrelenting poker game with high stakes: your data.
You don’t know what tool sets cybercriminals have — or what hand they’re playing — and they don’t know what you have, either (unless you’ve got a clear tell). Your data is powering the pot, and it’s growing relentlessly whether you like it or not.
After working in the cybersecurity space for 25 years, I think there will always be some elements of murkiness or chance when it comes to cybersecurity. But I also see an opportunity to lean into what you can control, learn to play the hand you have now and graduate to a more measured game.
As the national director of network and cloud security for Cloud + Data Centre Transformation at Insight, here’s how I help organisations do it.
It all starts with the north star of cybersecurity maturity: The National Institute of Standards and Technology (NIST) Cybersecurity Framework. The framework offers best-practices guidance across five areas: Identify, Protect, Detect, Respond and Recover. It was created precisely because too many organisations were betting most of their resources in one area and getting compromised in others.
Here’s my take on the NIST Cybersecurity Framework — along with some poker mantras that will put you on a path to mastering it.
Know thy hand, know thyself.
Let’s say you’re brand new to the game of poker. You have no concept of hand rankings. If you’re playing a three of a kind, how would you know that it’s better than a pair? If you have a strong hand, such as a flush, how would you know that a full house can beat it? Getting good at anything — a sport, an art or cybersecurity — requires arming yourself with foundational knowledge around what you have and how it works.
Admittedly, it concerns me when security teams say, “I don’t know what I don’t know.”
When it comes to cybersecurity, you can’t protect what you don’t know exists. It’s why assessments are wildly important to Insight’s approach. It’s also why governance falls under this bucket, which means defining what your objectives are, the overall risk associated with those objectives, and the assets or endpoints you’re trying to secure.
The good news is that this mantra spans across the entire NIST Cybersecurity Framework. There are assessments built to improve your awareness in every one of the five areas across a variety of use cases, so it’s always possible to know what you’re bringing to the table.
But even once you have that foundational knowledge, you should always be evolving your cybersecurity program — the way the best poker players continue studying the game and learning new strategies. Remember: The game of poker is ongoing. You’re regularly getting dealt new hands (new technologies, tool sets and methodologies). So are cybercriminals. Because of that, you always need to know what you’re working with, because it will change.
Ace your poker face.
In the NIST Cybersecurity Framework, the Protect category is all about prevention — making sure you aren’t letting your guard down or exposing a weak spot that can be exploited.
I find that organisations’ security controls are largely protective and include:
But even with the wealth of protective solutions available, many security teams remain unsure. According to Cybersecurity Insiders’ 2020 State of Enterprise Security Posture Report, 64% of organisations said they lack confidence in their security posture.
Perfecting your cybersecurity poker face isn’t so much about concealing a good or bad hand. Rather, it’s about doing what needs to be done to keep people from even thinking about taking advantage of your team. Someone with a great poker face sends the same message that good protective controls do: I’m a fortress, and I can’t be rattled.
Phishing emails: Top subject lines helping hackers cash in, according to Q4 2020 analysis from KnowBe4:
- Password Check Required Immediately
- Touch Base on Meeting Next Week
- Annual Leave Policy Update
- COVID-19 Remote Work Policy Update
- Important: Dress Code Changes
Watch the table. Play your opponent.
I’m a big fan of the poker scene in the 2006 James Bond film, "Casino Royale." In the scene, Bond spends the first few rounds keenly observing his main opponent, Le Chiffre, to find out what his tell is. Bond even mucks his cards on purpose early on, eventually learning Le Chiffre’s tell: placing a single finger on the left temple. This know-your-enemy strategy pays off for our hero to the tune of $115 million in winnings.
In many ways, it was a masterful display of tuning in to the table (the way great security teams invest in thoughtful detection processes). In the NIST Cybersecurity Framework, the detect layer is about scanning for anomalies and events, and continuously monitoring your software, hardware and network. It’s also worth noting that detection is largely procedural. It’s critical to have a clearly defined process in order to detect, as well as know what to do once something is detected.
With the variety of tool sets hackers use to exploit your environment, threat intelligence can play a huge part in shifting your cybersecurity strategy. Take advantage of the array of premium and free threat intelligence feeds to validate the traffic you see on your network. Operationalising this technology — and making it your security team’s modus operandi — is very much worth the effort when playing the long game of cybersecurity.
Remember: If you don’t have the best hand during the game, it’s possible to tip the scales in your favour simply by paying attention.
Don’t let setbacks throw your game off.
Tilt is a fascinating phenomenon in poker. It hits when a player is mentally unnerved by a bump in the road, whether it’s a string of bad hands or a trash-talking opponent. Tilt causes players to play emotionally, make bad calls or even lose entire games. Even though it’s widely dreaded, many players don’t have a thoughtful plan to deal with tilt. They’d much rather work on other aspects of their game.
It’s common for organisations to silo a lot of money, time and resources into one cybersecurity category, leaving response for last. If and when a breach occurs, this proves to be a flawed approach. Mitigate the chances of getting caught off guard by building a response playbook guided by questions like:
Every minute you put into planning your response is going to save you days, hours and dollars on the backend.
Live to play another day.
Cybersecurity response is planning what you’ll do in the heat of a setback to prevent a downward spiral — and avoid tilt. Recovery is your process for picking yourself back up and playing on.
Classic security has long been about putting up walls, keeping the bad guys out or locking down your protective controls. There’s a wealth of options for protection. But how many options are there for recovery-corrective-based controls? Not a lot. Because of this, it’s critical to take the corrective options that do exist, such as restoring from backup or malware deletion, and get very clear about the how these types of tools integrate with your environment. Beyond that, it’s all about rebuilding and getting back to business with as little disruption or further damage as possible.
This can be done through:
When it comes to cybercrime, it’s no longer if, but when. The goal shouldn’t be to never have a security event. It’s that when an incident occurs, it doesn’t decimate your business.
Are you going to take some hits in poker? Yes. But you can employ strategies that could help you win your money back — or even the whole game in the end.
Five data breach downswings in 2021 as reported by Identity Force:
- Guess: A ransomware attack on the retail fashion giant resulted in a data breach compromising sensitive customer information. The breach exposed Social Security numbers, passport numbers and financial account numbers.
- Volkswagen & Audi: A third-party marketing services supplier disclosed the personal information of 3.3 million customers, including names, addresses and phone numbers.
- Facebook: The personal data of 533 million Facebook users from 106 countries was leaked and released to a low-level hacking forum.
- Hobby Lobby: A cloud-bucket misconfiguration led to a database leak of 300,000 customer records, including names, the last four digits of payment cards and the Hobby Lobby app source code.
- California DMV: Personal information from the last 20 months of California vehicle registration records were stolen, including names, addresses and license plate numbers.
There’s hot debate whether poker is mostly skill or chance. I think it’s both.
A single hand of poker is an irrefutable instance of chance. Playing a full game, or a tournament, is a different story. That’s when you can use the controllable aspects of the game to your advantage: your understanding of the deck, the players and the rules; the risk you have related to what you’ve got; how much you’re betting and how much is at stake.
Organisations already have people, processes and technologies in place. That’s why poker is a good analogy for the current state of most organisations. Maybe you already have a king and an ace. Maybe your protective controls are over a 10. Maybe you have all hearts, or products, that integrate well together. But remember that in poker, you don’t just play one hand, and you certainly don’t bet it all on the first hand. That’s the iterative process of security — it’s many hands.
With a programmatic approach, I believe that organisations can transcend the chance aspect of poker and even graduate to a new, more measured game.
And on we’ll play.