TORONTO—Metaphors are always a fun and easy way to try to describe complicated topics. In the security world, metaphors have long been part of the vernacular helping us to draw comparisons and build understanding.
This week at the SecTor security conference here, I heard G. Mark Hardy, founder and president of National Security Corp., give a keynote on the state of cyber-security in 2013. Aside from the requisite statistics that I’ve seen many times before, Hardy also provided an interesting metaphor for understanding the modern information security game.
“As a chess player, all you have to play with is your own raw intelligence,” Hardy said. “All your pieces are on the board, and you can’t hide anything. The only way you can defeat an opponent is to outthink them.”
In chess, if your opponent thinks two moves ahead and you can think four moves ahead, you’re going to be in good shape, he added.
Poker, in contrast, is somewhat different. Players hide their cards, and bluffing is a key part of the game. Hardy suggested that what is happening with information security is that a chess game has now been turned into a poker game.
So, is information security a game of poker or is it a game of chess?
The challenge as I see it is that enterprise organizations see the game as chess, laying out their own assets in a strategic manner trying to outthink the adversary. Attackers, on the other hand, are playing poker, trying to bluff and gamble their way in.
In chess, you win the game by with a checkmate position, where the opponent has no possible move left. In poker, it’s all about the player with the best hand, real or imagined.
Fundamentally, you can’t win the game if you don’t know what game you’re playing.
So my suggestion for enterprise IT is to play both games. Security is not chess; all of your intelligence is not on the board (but a lot of it is), and though a checkmate might be desirable, it’s unlikely. You can, however, think several moves ahead, and you do have intelligence on what you do in fact have on the board and what your own capabilities are.
In the final analysis, what I suggest is that just like you would do in a poker game, consider your opponent and remember: The best hand wins.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.