How Two Multiplayer Games can Make Your Security Program Stronger

Do a search for video games and information security and you will find countless comparisons of how these two seemingly disparate fields go hand-in-hand.  I really like this article from last summer, as it examined not just video games, but organized sports and their influence on information security experts.  In today’s world, video gaming is a billion-dollar industry: there are professional video gamers, amateur video gamers who record their reviews, critiques, and tips and put them on YouTube, and then there are the professionals (like me) who unwind from their day by playing a few rounds of Turning Point in Star Wars Battlefront.

While video games may heavily influence the world we live in, there are two specific video games that I think will help make your security program stronger.  I will now explore how these can relate to your organization.

First: The Games

There are two specific games that I am going to be referencing.  If these aren’t your cup of tea, no problem; they follow the same basic elements of many of the first-person shooter multiplayer games.  Substitute your favorite.

EA/DICE’s Star Wars Battlefront

This game, released last November, is a major hit, with 13 million units sold worldwide by the end of the 2015 quarter.  It allows players to play as rebel soldiers or stormtroopers who square off against each other in a massive Star Wars environment.

EA/DICE’s Battlefield 4

This game, released in 2013, is one of the more popular military simulation first-person shooter games.  Players assume the role of a soldier and face opponents kitted out with similar equipment.  The in-game environment is set in a fictional conflict between China, Russia, and the US in the near future.

Second: How this Relates to Your Security Program

Both of these games, while simple in concept, require quite a bit of strategy and maneuvering of your in-game character to get a better position, a better vantage point, that puts you in control of the board.   To do that, you need a roadmap and some general tips.  Here are three tips and how they relate to your security program:

Playing the Objective/Security is Everyone’s Responsibility

In multiplayer games, especially Battlefront and Battlefield 4, there is a term that is commonly used: PTFO.  PTFO, if you haven’t guessed it, is Play the [EXPLETIVE] Objective.  What this means is to work with your team to take over control points and gain a stronger position within the board.
As security professionals, we understand, live, and breathe security.  Our teammates in IT, HR, and accounting might not have that same deep understanding.  Our desire is for everyone to play the objective, ensuring customer data, corporate data, assets and the network are secure.  This is how security programs should be built, with a common objective in mind that all players can strive to capture.
Playing the objective requires teamwork.  It is near impossible to be successful in Battlefront and Battlefield without the support of your team.  Security for your organization is not possible without cooperation and teamwork.  Security is everyone’s responsibility.  As such, it is important to have a robust awareness and training program to drive home the concept of security.  With security awareness, your teammates in HR, IT and accounting will receive the same basic security knowledge, understand what the threats are to your organization and what to do about it when an attempted intrusion occurs.

Know Your Strengths and Weaknesses

In Battlefield 4, you are given the option to play as an assault class, engineer class, support class or recon class.  Each class has its own strengths and weaknesses, but choosing your character should be done for the good of the team.  The assault class has the ability to provide revives and medical kits, while the engineer is great at repairing and destroying vehicles.  Support players have the ability to supply other teams with ammunition and recon provides the ability to play overwatch and spot enemy targets.
In security, it is essential to know your strengths and weaknesses.  Every decision and choice around security has to keep two things in mind: How does it improve security and how does it impact the business?  In Battlefield 4, your character class choice should both benefit the team and draw upon its strengths.  Are you playing a map with lots of vehicles?  Then the engineer is your best choice.  Lots of assault class characters on your team?  Then support class is the way to go so they don’t run out of ammo.  In security, your ability to build a functional security program relies on knowing which tools are weak, who among your personnel are strong in security and how the general corporate populace feels about security initiatives.  To help identify the strengths and weaknesses, it is best to utilize an information security assessment.  This will identify where you stand against a security framework and give you something to work towards, so you can shore up those weaknesses and begin playing the objective.

Avoid Camping and Tunnel Vision/Avoid Security Complacency

Battlefront and Battlefield 4 are extremely active games.  Everyone is moving about.  Stand in one place for too long and an enemy sniper will take you out.  Stare down your scope and get tunnel vision, and you are likely to miss the enemy stormtrooper sneaking up on your right.  Camping is a term that is used in these games for players who sit in one spot.  It can detrimentally affect the game, especially if the camper is sitting near a spawn location.  In security, organizations have to avoid camping out and becoming complacent.  Complacency is dangerous.  Organizations that only check the box and rely on tools, or focus all their efforts only on meeting regulatory requirements, are at risk of developing security complacency.  For example, all of your attention is focused on meeting PCI needs, but you forgot about these two hundred other non-PCI systems that are just as vulnerable.

I see this quite frequently in a game mode in Star Wars Battlefront called Walker Assault.  The premise of the game mode is simple; rebels have to activate uplink stations to call in a bombing run against the AT-AT Imperial Walkers, while the stormtroopers have to shut them down.  Typically what happens in game is that all the focus and attention is directed at one uplink station, leaving the other unguarded and vulnerable.  While it may feel like you are playing the objective, in reality, it is only partially playing the objective.  In real life, security should be applied across the board.  While there might be critical systems that get addressed first, every system should initially be treated equally at a base level.  In Walker Assault, players should really team up and defend or attack the uplink stations equally.

Knowing how and when to apply security across your organization is key to having a strong program.  Planning goes a long way: identifying which systems are critical, which tools should be applied and how to implement security tools with minimal impact to business function are issues that security professionals tackle every day.  This keeps your security organization moving and active.  No camping and no complacency.  The security team should be following a daily plan to ensure the success of the program.

Whether you are an active gamer or haven’t picked up a controller, the security principles described in this post apply broadly.  Making security relatable and accessible will drive home the importance of it.  As I have said, security is everyone’s responsibility.  Your program has to give your teammates the tools to be successful.  Whatever state your security program is in, CyberSheath can help you capture the objective and secure your assets.

How Can CyberSheath Help Your Organization?

CyberSheath will work with your organization, large or small, to help secure your valuable assets. CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand with regard to industry standards and regulations.