The cyber security chess game

Cyber security is like a game of chess: an ever-changing game of situations. The complexity is higher, of course, and there may be more than one king to protect. In both games, just a few traits separate good players from the true masters.

Chess is about protecting the most valuable piece on the board – the king. In the same way, traditional strategies in cyber security have revolved around surrounding the most valuable asset with layers of security. This is very much like a chess king surrounded by all the other friendly pieces. Unfortunately, this approach has gradually become less successful with today’s unstructured and abstract game board, consisting of complex networks of mobile devices, Internet of Things solutions and cloud-based services.

As a matter of fact, a new playing style is required when a king can – at any time! – be attacked by a number of malicious pieces. This situation creates a need to see only those details that are of relevance. In this situation, less skillful players will scrutinize the entire current board, concentrating on every single detail. Master players, on the other hand, will know what information requires focus and what can be ignored.

“To the inner eye, a bishop is not a uniquely shaped piece, but rather an oblique force.”

T. Donovan, “It’s All A Game”

The point here is that directing all your pieces towards a long-term goal demands an understanding of the game, not just simple rearrangement. To a master chess player there is no color or shape to a piece, nor does it matter if it is on a white or black square. These details have no impact on winning or losing. What matters is only which squares have pieces and which squares they can be moved to. Anything more than that is just a distraction. The game in itself centers around which strategic position can be gained on the board.

In cyber security, it is equally important to see through the information noise and identify what brings value. Where should time and money be spent to make a system more secure? Just like in chess, the best thing is to form this strategy from a bottom-up perspective:

Position your pawn structure as the foundation of your defenses

This includes traditional products such as firewalls, intrusion prevention/detection systems, and multi-factor based access control.

Stay strategic, flexible and proactive with the rest of the pieces

Use the rest of the pieces and board positions to build a fast moving and adaptable security structure tailored to your organization’s particular needs.

In chess, everyone has the same goal: to capture the opponent’s king. For cyber criminals, the goal is most likely to steal an organization’s sensitive data. Novice players will examine the pieces in front of them and react to the changing structure of the board to prevent an adversary from reaching that goal. A skillful player knows it is all about changing the structure of the board, finding tactics that will improve the setup and only consider the right questions.

”Questions are what matter. Questions, and discovering the right ones, are the key to staying on course.”

G. Kasparov

The right attitude is to take command. Ask “What can be done?” rather than “What is happening?” This clear distinction in mindset is what allows masters to control a situation and purposefully change it to their advantage. Look for those right questions in your current cyber security strategy and setup, eliminate anything that does not contribute towards the goal. In this way, you will continuously improve the game board in your favor. This will allow for many small adjustments to the strategy while always keeping the long-term goal in mind: checkmate.

The bottom line here is that you should actively seek context in a particular board setup, rather than just looking at the appearance of all the pieces. Also remember to constantly challenge your setup, use internal or external teams to identify weaknesses and areas for improvement. It is only through a constant review that continuous improvement can flourish.

In those situations where a king is cornered and no change can take place, Kaikaku, radical change, is called for. When everything else fails, a bold sweeping of the fist through all the chess pieces will allow for a fresh start, one where change can take place.

Niclas Kjellin is a security expert and certified ethical hacker who believes that security emerges from culture and awareness, rather than technology.“Working with people is the beginning of modernizing an industry that in many ways has left the users behind.”