Personality, Chess & Cyber Defense
Oct 21, 2013 1:25pm
In today’s marketplace the pressure to produce more with less – year over year – creates a bias towards practical, no frills, bottom line conscious workers. Most of the time this is exactly what is needed, particularly where services or goods are reasonably standardized. The question is whether these traits, as a primary mind set, serve your organization when creativity, curiosity and novel approaches are required. A classic example is from Cliff Stoll’s The Cookoo’s Egg, where his curiosity about a minor computer billing discrepancy led to the discovery of an industrial espionage ring. Who worries about 75 cents?
The attackers are not doing the same thing every day; they are not worried about a three sigma deviation in their production line. Low level intruders may start with out-of-the-box hacker tools but the elite cyber criminals thrive on variety, novelty and subtlety. Advanced persistent threats (APTs) for example, are typically installed and lay dormant for weeks or months before activation. Spear fishing exploits depend on an understanding of the organization’s culture and what would appear as completely legitimate to a higher level employee or executive.
So given that any organization is potentially up against attackers who will attempt almost anything conceivable, from social engineering to complex infrastructure exploits, what kind of person should lead your defense team? Of course humans are complex and unique, so there is no definitive list of optimal traits; yet there are personality markers that help identify the best defenders. You should not hire “generic good workers” for your security defense. Instead, ask yourself the following questions when looking for security leadership:
Can you envision this person playing chess well? Logic, deep strategy, and anticipation of the opponent’s moves are part of what defines a grand master versus a class B player. The “whack-a-mole” player, solving only the immediate threat, stays at the bottom rankings. Historically, knights in the middle ages were encouraged to play chess so that they gradually became more strategic military planners. Chess, puzzles and strategy games are markers for those who think many moves ahead.
Would this person say “with my system in place, we can never be penetrated?” If so, his or her ego supersedes judgment. Nearly every single Google employee, for example, would qualify for Mensa membership (the high IQ society), yet Google has been successfully hacked on at least a few occasions. In a gesture only slightly less rash than daring a hurricane to strike the Texas coast, the former president of LifeLock, Todd Davis, publicly presented his personal social security number on billboards and dared anyone to steal his personal information. The Phoenix New Times reported that Mr. Davis’ identity was stolen at least 13 times. Other high profile tech firms get hacked as well. Everyone is vulnerable; the best defended firms assume eventual penetration and have steps in place to limit the damage.
Does this person read and talk to peers? Powerful defenders are always looking for the latest exploits and defensive techniques. The velocity of change in IT security is increasing and leaders must take a bath in the ideas and experiences of others. Cyber security as a profession may be slightly tinged with the image of the late night pizza and coke quaffing nerd, but the best in the profession go way beyond working in isolation. They know smart people in both business and technology; they know what is important to guard; and most importantly, they can get into the mind of the attacker.
Please enter the text in the image above. Get a new image.