SC Magazine published an article recently entitled “Has UK business lost the plot on cybersecurity spending?” It was begging for an analogy, so here we are:
Embedded tweet: https://twitter.com/S_Clarke22/status/609411092884942848
The article says hedge your bets (familiar advice with a tinge of post market crash negativity about it), but is that really the answer?
Much of the current spending on defensive products and services looks to me like high stakes roulette. In our casino, like all others, those running the game win by default. Not to add to the FUD (goodness knows it’s my mission in life to cut through it), but many of you seem to have put the bad guys in that management seat.
How? By focusing on compliance and tools while they gather better intel and master more advanced techniques, which makes them better able to exploit your remaining technical and people vulnerabilities. More concerning still, they understand the value of the assets exposed better than the owners do.
In other words, we leave far too much to chance, betting the budget on guesses and popularised misconceptions about the reality of risk.
The House Edge
The house edge in roulette is the amount players lose on average, relative to the aggregate of all bets made; it is the negative of a player’s expected value per unit staked. If a player bets on a single number in the American game (38 pockets), there is a probability of 1/38 that the player wins 35 times the bet and a 37/38 chance that the player loses the bet. The expected value is therefore (and this is the simple version):
- −1×37⁄38 + 35×1⁄38 = −0.0526 (5.26% house edge)
For European roulette, a single number wins 1⁄37 and loses 36⁄37:
- −1×36⁄37 + 35×1/37 = −0.0270 (2.70% house edge)
So, on average, you lose £2.70 or $5.26 for every £/$100 bet. All assuming that the game isn’t fixed in the casino’s favour, mechanically or otherwise.
Does that mean every player loses? No. By putting all their eggs in one basket some punters will win big and win often, while others will consistently lose. Overall, averaging things out, the house always ends up with a profit. So why, if these calculations are indisputable mathematical truths, have folk spent years creating and honing systems to try and beat the odds?
Have a browse through Wikipedia’s bit on roulette for lots more maths. Sure, odd/even, red/black and other broader bets up your chance of winning on any given spin…but at the expense of your potential return, and the house edge stays exactly the same; only the size of the swings changes. The security equivalent is a fix for every recent audit finding and buying all the tools your peers have, while deciding you can’t stretch the budget to cover data governance, vendor security assessments, secure development or security education.
Breaking all of it down, roulette is a game of pure chance. You can’t, with random bets, reliably reduce the likelihood of being that day’s big loser. The only partial mitigation is enough budget to constantly place very broad bets and then withstand periodic losses…and who can afford that?
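To make the “broader bets don’t change the edge” point concrete, here is a short added example (written for this post, not from the original article or from the SC Magazine piece) that computes the house edge and the per-spin standard deviation for the standard roulette bet types on both wheels. The bet table is an assumption of the example: the article only quotes the single-number bet, and the other rows are the conventional split, street, corner, dozen and even-money payouts.

```python
from fractions import Fraction
from math import sqrt

# Constructed bet table (assumption for this example, not from the article):
# pockets covered by each bet and its payout expressed as "p to 1".
# The article itself only quotes the single-number (straight) bet.
BETS = {
    "straight (1 number)": (1, 35),
    "split (2 numbers)": (2, 17),
    "street (3 numbers)": (3, 11),
    "corner (4 numbers)": (4, 8),
    "dozen / column (12 numbers)": (12, 2),
    "even money (red/black, odd/even)": (18, 1),
}

# Number of pockets on each wheel: American has 0 and 00, European only 0.
WHEELS = {"American": 38, "European": 37}


def expected_value(pockets, covered, payout):
    """Player's expected return per unit staked, as an exact Fraction.

    Win with probability covered/pockets and collect `payout` units;
    otherwise lose the single unit staked.
    """
    p_win = Fraction(covered, pockets)
    return p_win * payout - (1 - p_win) * 1


def house_edge(pockets, covered, payout):
    """The house edge is the negative of the player's expected value."""
    return -expected_value(pockets, covered, payout)


def std_dev(pockets, covered, payout):
    """Standard deviation of the per-unit result: how wild the swings are."""
    p_win = Fraction(covered, pockets)
    ev = expected_value(pockets, covered, payout)
    second_moment = p_win * payout ** 2 + (1 - p_win) * 1
    return sqrt(float(second_moment - ev ** 2))


def edge_table(wheel):
    """House edge for every bet type on the named wheel."""
    pockets = WHEELS[wheel]
    return {name: house_edge(pockets, n, p) for name, (n, p) in BETS.items()}


if __name__ == "__main__":
    for wheel, pockets in WHEELS.items():
        print(f"{wheel} wheel ({pockets} pockets)")
        for name, (n, p) in BETS.items():
            edge = float(house_edge(pockets, n, p))
            sd = std_dev(pockets, n, p)
            print(f"  {name:34s} edge {edge:6.2%}  "
                  f"win prob {n / pockets:5.1%}  std dev {sd:5.2f}")
```

Run it and every row on a given wheel shows the same edge (5.26% American, 2.70% European); what changes between a straight bet and red/black is the standard deviation, roughly 5.8 units per spin versus about 1. That is the whole difference between “one big bet on a single tool” and “a little on everything”: same long-run loss, different-sized surprises.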
Streaks and Systems
In a world as uncertain as roulette or cybersecurity, we seek patterns and big, confidently stated ‘truths’. News of a big win (that ‘foolproof’ security solution seemingly keeping incidents at bay), or a big loss (sending you scrambling to place mitigating bets, egged on by fear-validating vendors), masks the real local odds. To borrow a warning from another expensive game of chance: past performance is no indication of future results, but those with a vested interest spend hundreds of thousands on encouraging that perception gap.
Compliance (of myriad flavours) is probably our best example of a system. Can’t go wrong with compliance. If everyone believes in it – especially your auditors and regulators – you will at least maintain an acceptable status quo…until that breach.
Even then it’s a relatively comfy place to be career-wise, because so many respected bodies go down with you. Better the devil you and everyone knows. You can all club together and sing a chorus of “Non, Je ne regrette rien” while you find the next generic bandwagon to tie your horses to.
But what if there’s another way? Instead of fighting unbeatable long-term odds in the same way as everyone else, while hoping you stay lucky (the only safe bet is you won’t), why not change the game?
Re-injecting The Intelligence a.k.a. Pokerising Cybersecurity
Now poker is a whole different game (references here are to Texas Hold’em). The odds of getting good cards matter, but you can also finesse a win just by reading and manipulating people. In this analogy you compete for the upper hand against everyone playing.
Rock steady players watch the people more than the cards and chuck in periodic well-executed bluffs. They also damp down ‘pocket fever’ (how many of you bet the farm on a pair of aces dealt, only to get beaten on the river by trip 4s, 5s or 6s?).
Those guys can stay profitably ahead of the game the vast majority of the time. I had a free holiday to Sicily paid for by 6 months profits from my resident rock steady – if small time – player. They outstrip the odds by respecting the statistics and predicting then reacting appropriately to duplicitous, misguided, crazy and over-conservative urges of others. Urges which they learn through careful and consistent observation.
That better represents our reality, both in terms of the challenge and a way forward.
Planning Your Game
- Make sure the odds aren’t unbeatably stacked against you – Check for fixed wheels or marked cards. In our cybersecurity world that’s represented by shockingly easy to compromise pre-existing vulnerabilities and practices (Hacking Team and pathetic passwords…yes really!)
- Switch to the poker table – Make the decision to move to a game you can influence, rather than one you get enticed to play with free drinks and hot hostesses. A game you just throw money at then watch with fingers crossed.
- Know the odds – All types of gambling have baseline statistics (e.g. the chance of completing your flush with the next card dealt from what’s left in the deck). Our equivalent is knowing your inherent risks. What and where are your critical data stores and highest-availability processes, and how exposed are they to people, suppliers and other systems in the normal course of doing business?
- Watch the people more than the cards – What’s their history? What’s their typical MO and temperament? Do they have a personal grudge against you? Are you a rich enough target to entice hard core legendary players to the table? How do they react to their first glance at the cards dealt? What’s their ‘tell’ when they’re up to no good? Over a few hands, are they careful, arrogant, excitable, consistent?
In real security life, work out what standard behaviour looks like, both for the good and the bad guys. ‘Tells’ might be detectable by tech, but they still need a long-time expert to interpret the implications. What motivates threatening behaviour and what’s the potential fallout from both everyday and malicious modes of play? Then work out what you can do to block, change or mitigate the impact of that, including upping your game if you’ve attracted the big bad boys.
- Don’t bet more than you can afford to lose – An old and worthwhile chestnut. I’m not asking if you’ll lose what you spend, I’m asking if you can afford to lose your most valuable assets and critical operations. How good are controls in place for remote access, internal access, suppliers, changes and user behaviour? Is associated monitoring and security knowledge up to scratch? If all is compliant, is that good enough for THAT asset?
That’s the question security spending ‘systems’ don’t answer. Not all non-compliance is created equal, and you need to know what’s at stake to differentiate: what’s worth a punt and what needs to be as close as feasible to a safe bet?
So that’s my take on gambling with your security budgets. Nothing wrong with calling it that. Execs gamble millions on what will safeguard the future of the business every year. We’re just struggling to gain the same understanding of our risks and level the skill and knowledge playing field in time for the next battle with our adversaries.
I asked (bribed if I’m honest), my other half to listen to this in draft. He’s a great benchmark for sense and he suggested an alternative way – buy the casino. Absolutely fair suggestion…if you have a massive bribery and corruption budget. Go hence, with appropriate law enforcement avoidance, to strongarm and/or pay off the residents of the darknet (I’ll leave your common sense to decide if I’m joking). But if you mitigate that risk and don’t mind looking over your shoulder for the rest of your life, have something in reserve to stop or mitigate folk who don’t understand fallout from bypassing security, or just mess up.