Winning at Cyber

People oftentimes ask, "What is zero trust?" or "What does defense-in-depth mean?" These are challenging questions that imply a desire to understand cybersecurity holistically. However, humans are hardwired to follow the path of least resistance [1]. This concept applies to both defenders and adversaries, and we can use this information to our advantage.

I think real-world analogies can help explain the journey that companies go through when trying to improve cybersecurity. I played competitive tennis for over 30 years, and there is nothing easy about winning when the stakes are high.

When you want to learn something new like tennis, you start with practice. You take lessons. You learn the rules. Players like Serena Williams and Roger Federer won numerous tournaments because of the countless hours they spent improving every aspect of their game, not because they owned the best racket or most expensive tennis shoes. Cybersecurity starts with security awareness programs, policies, and procedures and tabletop exercises. Only once you have built a foundation upon fundamentals does the equipment even begin to matter.

People search for the top three security risks to their organization or one solution that will give them the “single pane of glass” for controlling all cybersecurity efforts. I can understand the feeling that addressing all security risks seems economically and laboriously infeasible. Every tennis match starts with a warm-up where opponents practice ground strokes, volleys, and serves. At the recreational level, players use this time to improve things like depth of their shots, accuracy of their volleys, and power on their serve. Advanced players use warm-ups as a reconnaissance of their opponents’ weaknesses by hitting a variety of shots and looking for opportunities to identify potential vulnerabilities that might give them an advantage during the match.

An advanced adversary in cybersecurity isn't going to congratulate you on your strengths but rather looks for the path of least resistance toward accomplishing the impact they are targeting. Warm-ups for cyber criminals start with open-source intelligence gathering, which can be quite useful for large and small organizations. Large organizations have numerous employees and contractors who love to share the great work they get to be a part of. This often leaves a gold mine of useful information in the form of LinkedIn posts, public requests for proposal packages, and leaked credentials that far too often are shared across corporate resources.

I recently worked with a small utility that published their company newsletter on their public website, which at face value seemed like a good community engagement effort. However, it exposed the full name, title, birthday, and even birth announcements of every employee.

The NIST Cybersecurity Framework provides best-practice activities in the form of functions: identify, protect, detect, respond, and recover [2]. They aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving cybersecurity measures by learning from previous activities. Not all organizations are going to have the same risks, threats, or even risk tolerance; however, they should want to prioritize investments to maximize the impact of every dollar spent. Most would agree that individual functions, such as respond, are not more important than other functions, such as recover—yet this is oftentimes the way that investment decisions are made. If you search on YouTube for tutorial videos on tennis, you will likely find a video specifically on how to get more topspin on your forehand or how to hit a slice serve. That is because people can only digest so much information at one time. It’s also not as interesting to watch a comprehensive video that includes proper stretching techniques, even though we know the risks of injury would jeopardize all other aspects of our game. Tennis players are notorious for changing rackets or trying new strings because it would be wonderful if buying new equipment could improve our game. In cybersecurity, we often see an interest in new technology that can instantly reduce our risks, yet we might ignore results of assessment or avoid assessment altogether. From what I have seen, this isn't because our industry isn't interested in being well-rounded with cybersecurity. It’s because it’s hard to reconcile a list of improvement areas that span multiple functions and it can be hard to know where to start.

One of the best tennis tools I have found is Dr. Joe Parent and Bill Scanlon’s book Zen Tennis: Playing in the Zone, which focuses on the mental aspect of tennis. Tennis is a complex sport, and it's too easy to get lost worrying about the last shot you missed or how fast your opponent is. With something as important as protecting critical infrastructure, we as an industry have no less of a complicated task. Just like with tennis, we must focus on the fundamentals, practice, set reasonable goals, and understand our opponents. Only then can we realize the benefits of great skills and equipment and appreciate winning!