Calling Cyber-Security’s Bluff
Those who know me at a personal level know I am a keen poker player. I’ve been fortunate to make some great friends from this now fashionable pastime, and I’ve been lucky enough to play all around the world and in some of the most major poker tournaments in the world, for example the Grosvenor Goliath (the largest live poker tournament in the world) and the World Series of Poker Europe (one of the most prestigious tournaments outside of the US). Poker joins the other passions in my life, along with my friends, family and, unashamedly, Cyber Security. I started out in Security when Anti-Virus was king, and a Firewall did nothing more than static packet filtering based on source/destination IP and TCP/UDP source/destination port. It goes without saying… I am a fan!!
There is a certain psychology behind the decisions people make in poker. In fact, poker in general is about making calculated decisions at the right time and, most importantly, adapting to certain situations at certain points in time so that you make the right decisions. It’s about making calculated decisions, right? Right?? Let me give you an example.
I was lucky enough to travel out to Las Vegas recently, and I’ll start out by saying that it was a very good trip. I felt pretty good; I was doing some coaching with a friend who gave me some advice and tasks to complete to help keep my mind sharp and motivated. During a ‘cash game’, where I was playing with my own money, a very good player raised his hand. I looked at mine and saw my Aces, the very best hand you can get. This player is good, I assure you, so I had to be careful. There are calculations you just have to go through here: “how can I extract the most amount of money?”, “how do I disguise my hand?”, “how do I make him think he is winning?”. I decided that I would raise my hand again, at which point he called my bet. It was down to the two of us. The first 3 cards came down: 6 of diamonds, Queen of spades, 3 of spades. Now the fun begins. What does my opponent have? What do I have? What does he think I have, and what does he think I think he has? Maths, calculations and good decisions. I was the first person to act. I thought he could have a Queen, or he could have 3 queens, which would be bad for me. I didn’t think he had much else other than a big hand. I bet a fairly large amount. I think this gives away my hand, and I wanted to do that, so he knows I am happy to put all my money into the pot. Which he made me do by going all in. I thought for a little while and I made the call for all my money. He had 3 sixes; he had me absolutely crushed. Moral of the story: not all calculated decisions will mean you get it right. The 4th card and the 5th card were both Aces, giving me Quads, 4 of a kind. I made the right choice at the right time and got it wrong, but it was all okay in the end.
Going back to Cyber Security. Enterprise businesses have to make these calculated decisions all the time, and the difference from a card game, where you can just go again, is that you have to be right all the time. A former colleague of mine, Jose Miguel Esparza, Head of Threat Intelligence at Blueliv, Threat Intelligence Company of the Year, suggests that “buying malicious programs will become easier than ever before in 2019, as Cyber Criminals who frankly in my opinion do have the upper hand in this ‘game’, constantly evolve their own tactics for developing new methods to attack and exfiltrate data”.
We all recognise that the ‘bad guy’ has an advantage when it comes to securing your network, because you have to be right 100% of the time and ‘he’ only needs you to be wrong once. So perhaps it’s more important to actually “make a decision”, rather than always looking to make the ‘right’ or perfect decision. We have a wealth of knowledge at our disposal: vendors, trusted advisors, partners, competitors, the ‘industry’. We have a wealth of experience, but we are beginning to see simple errors causing large-scale problems, and you can only think that this is due to inefficient decision making. From a Security perspective, particularly in an era of Cloud, Managed Services, Products, Services and Outsourcing, it is all about being able to control, enforce, and log what happens to your data, which will bolster your ability to comply with this new regulatory regime. It’s about just making decisions, calculating the risks and formulating a plan.
At Armadillo Managed Services, this is what we do. We ask questions, we help calculate risk and we offer some advice and guidance, utilising best practice, industry knowledge, expert analyst advice and years and years of professional ‘hands-on’ experience. All this is to help our client make decisions and, like you all, we hope ‘good’ decisions and, in the end, the right decision.
Written by: David Newson, Client Director at Armadillo.