Good poker players are known to perform well under pressure. They play their cards based on rigorous probability analysis and impact assessment. That sounds very much like the set of skills a security professional needs when managing information security risks.
What can security professionals learn from a game of cards? It turns out, quite a bit. Skilled poker players are very good at making educated guesses about their opponents' cards and predicting their next moves. Security professionals are likewise required to stay at the forefront of emerging threats and newly discovered vulnerabilities in order to anticipate the attackers' next move.
At the start of a hand of Texas hold'em, each player is dealt only two cards. Based on this limited information, players have to estimate their odds of winning and act accordingly: either stay in the hand, which means putting chips into the pot, or give up (fold). Security professionals also usually make decisions under a high degree of uncertainty. There are several ways to treat a risk: mitigate it by implementing the necessary controls, avoid it, transfer it (for example through insurance) or accept it. The cost of each option varies as well.
Not all hands, however, are worth playing. Similarly, not every security countermeasure should be implemented. Sometimes it is more effective to fold and accept the risk than to pay for an expensive control. When the odds are right, a security professional can start a project to implement the change and improve the company's security posture.
As the hand progresses and the first round of betting is over, the players receive a new piece of information. The poker term flop refers to the three community cards the dealer places face up on the table; each player can combine them with their own two cards to form a winning combination. Once the flop is revealed, players have the opportunity to reassess the situation and decide again. This is exactly how changing market conditions or business requirements provide an opportunity to re-evaluate the business case for a security countermeasure.
There is nothing wrong with terminating a security project. If a player had a strong hand at the start but the flop shows there is no point in continuing, the conditions have changed. Perhaps engaging key stakeholders revealed that a certain risk is not that critical, or that the implementation costs would be too high. Feel free to fold. It is much better to cancel a security project than to end up with a solution that is both ineffective and costly.
However, if poker players are confident they are right, they have to be ready to defend their hand. In security terms, this might mean convincing the board of the importance of the countermeasure, based on a rigorous cost-benefit analysis. Security professionals can still lose the hand and the company might still get breached, but at least they did everything in their power to mitigate that risk proactively.
It doesn't matter whether poker players win or lose a particular hand as long as they make sound decisions that bring the desired long-term results. Even the best poker player can't win every hand. Similarly, security professionals can't mitigate every security risk or implement every possible countermeasure. To stay in the game, it is important to develop and follow a security strategy that protects against ever-evolving threats in a cost-effective way.
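The cost-benefit comparison behind the decisions above, as an added example that is not part of the original post: each treatment option (accept, mitigate with a given control, transfer, avoid) is priced as the expected annual cost the organisation would bear if it chose that option, the cheapest option wins, and the same comparison is re-run when new information changes the likelihood estimate (the "flop"). The risk, the controls, the insurance terms and all figures are constructed for illustration and are not taken from the post.

```python
"""Risk treatment as an expected-annual-cost comparison.

Added example, not code from the original post. The ransomware risk,
the two controls and the insurance terms below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    single_loss: float   # SLE: expected loss per incident, in currency units
    annual_rate: float   # ARO: expected number of incidents per year

    def annual_loss(self) -> float:
        """Annualised loss expectancy (ALE) if nothing is done."""
        return self.single_loss * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float      # licences, staff time and maintenance per year
    rate_reduction: float   # fraction of incidents the control prevents (0..1)


def mitigate_cost(risk: Risk, control: Control) -> float:
    """Expected annual cost of implementing the control: its running cost
    plus the residual loss from the incidents it does not prevent."""
    residual = risk.annual_loss() * (1.0 - control.rate_reduction)
    return control.annual_cost + residual


def transfer_cost(risk: Risk, premium: float, coverage: float) -> float:
    """Expected annual cost of insuring: the premium plus the uncovered share."""
    return premium + risk.annual_loss() * (1.0 - coverage)


def decide(risk: Risk, controls: List[Control], premium: Optional[float] = None,
           coverage: float = 0.0, avoid_cost: Optional[float] = None
           ) -> Tuple[str, Optional[str], float]:
    """Return (treatment, option name, expected annual cost) of the cheapest
    treatment. 'accept' is always on the table, which is the 'fold' case."""
    options = [("accept", None, risk.annual_loss())]
    options += [("mitigate", c.name, mitigate_cost(risk, c)) for c in controls]
    if premium is not None:
        options.append(("transfer", None, transfer_cost(risk, premium, coverage)))
    if avoid_cost is not None:          # e.g. revenue lost by dropping the activity
        options.append(("avoid", None, avoid_cost))
    return min(options, key=lambda option: option[2])


def reassess(risk: Risk, new_annual_rate: float, controls: List[Control],
             **kwargs) -> Tuple[str, Optional[str], float]:
    """The 'flop': re-run the decision after stakeholders revise the likelihood."""
    updated = Risk(risk.name, risk.single_loss, new_annual_rate)
    return decide(updated, controls, **kwargs)


# Constructed figures: one incident every two years costing 200k.
RANSOMWARE = Risk("ransomware on the file server", single_loss=200_000, annual_rate=0.5)
CONTROLS = [
    Control("EDR rollout", annual_cost=40_000, rate_reduction=0.7),
    Control("offline backups", annual_cost=15_000, rate_reduction=0.5),
]
INSURANCE = dict(premium=55_000, coverage=0.8)

if __name__ == "__main__":
    print("pre-flop :", decide(RANSOMWARE, CONTROLS, **INSURANCE))
    # New information: the likelihood is far lower than first estimated.
    print("post-flop:", reassess(RANSOMWARE, 0.1, CONTROLS, **INSURANCE))
```

With the constructed figures the initial decision is to mitigate with offline backups (15k plus 50k residual loss, cheaper than accepting the full 100k ALE or paying the 55k premium), but once the likelihood estimate drops to one incident in ten years the 20k ALE is lower than the cheapest control's total cost and the right move is to accept the risk and cancel the project.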
I’m passionate about helping people understand security better. In my experience, using analogies has proved to be one of the best tools to help them learn. People have a far better and long-lasting understanding when they can relate to an experience that illustrates the concept they are to comprehend. Describing situations and possible outcomes can be just as easily done by telling stories: They are not only pleasant to read, hear or imagine, but they also transfer knowledge in the most effective way.
That’s why I decided to contribute to The Analogies Project.
Here's what their website says about the project:
The aim of the Analogies Project is to help spread the message of information security, and its importance in the modern world.
By drawing parallels between what people already know, or find interesting (such as politics, art, history, theatre, sport, science, music and everyday life experiences) and how these relate to information security, we can increase understanding and support across the whole of society.
Why use analogies?
Many aspects of information security are highly technical and require a deep specialist knowledge. However, we know that all security depends ultimately on the awareness and preparedness of non-specialists.
Information security professionals cannot rely solely on technology to protect their organisations. They must engage with senior management and users in a way that their message is understood, fully appreciated and implemented. In this way they can drive changes in attitude and behaviour that will make the organisation more secure.
To do that, they must find a new language to get their points across to the non-specialist. And this is where the Analogies Project comes in….
Our past is littered with examples of how the prosperity or decline of individuals, enterprises, governments and nation states has depended to a greater or lesser extent, on the confidentiality, integrity and availability of information. By using storytelling, analogies and metaphor we can transform these real life events into powerful tools for engagement.
Please feel free to check out my profile and read my analogies.
This week I was really happy to be back at University College London, where I got my degree in Information Security. I was invited to the Technology & Entrepreneurial Start Ups Insight session organised by the Management Science & Innovation Department. I met many bright students interested in technology, including current MSc Information Security students. It was very interesting to find out how the curriculum has changed to address modern industry trends and needs.
The day after I was proud to represent KPMG at the UCL IT and Technology Careers Fair. It comes as no surprise that there were many students interested in starting a career in the information security field. I was happy to help out with some suggestions, especially remembering that I attended the very same event some years ago.
I delivered a 1.5-day Information Security Concepts course at KPMG UK.
We covered a wide range of topics, including information security risk management, access control, threat and vulnerability management, etc.
According to the feedback I received after the course, the participants were able to understand the core security concepts much better and, more importantly, apply their knowledge in practice.
Leron is very engaging and interesting to listen to
Leron has the knowledge and he’s very effective making simple delivery of a complex topic
Leron is an effective communicator and explained everything that he was instructing on in a clear and concise manner
There will be continuous collaboration with the Learning and Development team to deliver this course to all new joiners to the Information Protection and Business Resilience team at KPMG.
I was invited to the University of Greenwich to discuss career opportunities in the information security field. We had a productive discussion with the young people who are finishing their degree in Computer Security and Forensics. After the presentation I was introduced to several PhD students who are currently researching various issues around privacy and social media. I’m very happy that people are becoming more interested in solving information security and privacy issues.