The 2 Worst Games to Play in #infosec

The 2 Worst Games to Play in #infosec

The “Hot Potato” Game

The goal of the Hot Potato Game is to simply pass off responsibility to the next person as soon as you can before something bad happens.  When the responsibility lands in your lap again, you pass it to someone else as soon as you can.  Eventually, someone gets caught holding the hot potato and they lose (and you win!!).  A similar version of this game is “Musical Chairs” game or “Kicking the Can Down the Road” game.  By the way, it sucks to lose this game.

I have seen this game played in both the government and the private sector.  Any long-time government employee can point to dozens of managers who are experts at this game.   I believe there are so many experts because it is rare for a government employee to actually suffer when losing this game, which only encourages more people to play and gain experience in tossing the hot potato to the next guy at the table.

In the private sector, losing this game is an entirely different matter, especially when PII or PHI has been stolen.  When that happens, fingers get pointed awfully quick and the government comes in with a hammer to smash as many thumbs as they can find.  Did I mention that losing this game sucks?

  1. The “Are We There Yet” Game

The "Are We There Yet" game is another popular game played in both the public and private sector.  This particular game is also known as “We’ll Cross that Bridge When We Come to It” game.   In this game, you know bad things are coming one day, and you accept that being worry-free today is worth the stress of dealing with an incident tomorrow, because we all know that tomorrow never comes.

I have actually seen budgets with anticipated expenses planned for incidents that could be avoided with preparation and less money.  I guess some organizations believe that if they don’t spend money now on preparation (defense), they may not need it for remediation after a breach, so it may make a better business decision.  This game is also known as “Craps”.

When I consult for corporations and government entities, I always advise to not play these games (in a professional manner rather than saying 'don't play these games').  Fortunately, I find that many organizations are spending money now to prepare rather than hope for the best.  The organizations that want to prepare are doing really good, taking advice, and in some cases, going beyond what is required.  In technical terms, I call this a great job.

I have gotten to the point that when I hear a client choose to play either of these games, I don’t laugh out loud anymore, especially when I hear verbatim, “We’ll cross that bridge when we come to it”.   When I hear that, I usually leave a half dozen business cards…

Hopefully you aren’t forced to play in these games and that when you say that you need money and time to prepare for unexpected breaches, you get it.  This same thing applies to internal employee matters too.  Any organization that haphazardly gives out electronic devices without any controls to employees….is an organization playing the hot potato game.  I tend to believe that with so many attacks, so many breaches, and so many organizations frozen with Ransonware, organizations start to take notice.  It's kind of like everyone in your neighborhood getting burglarized.  You can choose to either hope your house is not burglarized or you can install an alarm, lock your doors and windows, and prepare just in case.

Article Link: http://www.brettshavers.cc/index.php/brettsblog/entry/the-2-worst-games-to-play-in-infosec