THE INFINITE GAME

Imagine you are playing a game.  This game involves strategy, tactics and not a little bit of luck. It is a game of skill, and knowledge, but it can’t be won. In this game, the closest measure of success is survival.  It is unclear when exactly you started playing, but you are playing. You are on the blue team, which means you are on defense. In fact, you are on defense always, and everywhere; seldom if ever getting the chance to go on offense.

This isn’t chess, football or soccer. There are no real rules.  Your opponents, on the red team, have not identified themselves.  They are numerous and come from many different parts of the world. Your only real clue that they are even on the red team is when they expose themselves by attacking.  

You might think you could choose not to play such a game, but that wouldn’t stop the red team from attacking. There are no timeouts and no halftime. The game doesn’t stop for holidays, or even overnight to sleep. You can choose to huddle and strategize with your team, but nothing prevents the red team from attacking while you do. The damage the red team can do is finite and real, but everything else about the game is infinite. In fact, the game is called cybersecurity, and the best way to think about it is to understand it is infinite.

Another example of an infinite game is health & fitness.  There is no point in your life where anybody hands you a trophy proclaiming you have won in health and fitness.  You don’t get to polish the trophy, brag to your friends and eat exclusively donuts for the rest of your life. You can’t win fitness, but you can do better than the day before.  And doing better than the day before has distinct and real benefits.

That’s where you are with cybersecurity. There is no point when you can stop, rest and proclaim that you are secure. You can ignore the entire game, if you want to be a fat and easy target. Or you can choose to be more secure than you were yesterday.

The best strategy with an infinite game is pure stoicism. Get up in the morning and do the best you can do and understand that no matter the results of that day, you can be better tomorrow. Take your wins by measuring improvement. Do not mistake an uneventful day for greatness when it very easily could be luck. But also understand that if a foreign-government-backed red team attacked you, they would do very real damage. They are better funded and outnumber your team. But if you have the resilience to get up the next morning and strive to do better, you haven’t completely lost either.

The best tactics with an infinite game are:

· Discipline. The brilliance of one particular cyber strategy matters less than its execution. Or put another way, any cyber strategy you implement is more brilliant than one you don’t.

· Learning. Learn from yesterday, be better tomorrow. Your goal isn’t to become a world-class fitness trainer; you can hire that. Your goal is to become fit. Learn enough about cybersecurity to become fit, and lean on experts for the rest.

· Resilience. Begin by strengthening your ability to take a hit and get up. The objective is to keep playing. As such, dodging a hit is nice. Assuming you will be able to block or slip every punch is foolhardy. And the ability to rise the next morning and continue on is all-important.

As a non-technical manager, if you begin to understand cybersecurity in these terms it should become obvious that you have a very real role to play in the health of your organization.  The skills required to “win” at an infinite game are cultural, not technical.  As such, they are very much the purview of management.

The reason organizations don’t have appropriate backups is not because technicians didn’t understand their importance.  It is because the IT team lacked the focus and discipline to maintain them.  And frankly, management abdicated their responsibility to verify they were being done.  

There are no easy solutions, and any vendor that promises complete security with no effort is a snake oil salesman. The game is infinite. It takes continual effort, and your team will not execute unless you show regular interest. If what gets measured gets managed, then certainly what gets abdicated atrophies. As a non-technical manager, you must remain involved. You must lead. The first steps simply involve getting the easy things right. The steps after that are to get better. Are you ready for the journey? Well, let’s go!
