Cybersecurity and the Infinite Game

Strategery

Cyberspace.  The infinite game.  Sounds like a pitch meeting for the next Tron movie.  Alas, it’s just another ham-fisted attempt to glean Sec+ CEUs via blogpost.  Today’s stretched metaphor will crib from Simon Sinek’s book The Infinite Game and the concept of, well, infinite games.

Let’s start with defining a finite game.  This is the easiest to grasp as it comes up all the time in our lives.  In it, you have defined roles of who is playing, what the rules are for the players, and what the end state looks like.  Chess is an example of a finite game: two players, pieces can only move in prescribed ways to agreed upon effects, and the game ends either when one side checkmates the other or a stalemate is reached where no checkmate is possible.  Easy peasy.

Infinite games, however, throw all that out the window.  They have no set number of players.  In fact, players coming and going as resources and will allow is a major part of what makes something an infinite game, so the number you play against today might be different than the number tomorrow.  The rules are also in flux, as anyone—you included—has the ability to toss expectations out the window and flex to something new.  Most importantly, an infinite game has no set end.  There is no “winning” an infinite game, just the effort to keep playing as long as possible.

Running a business is an example of this.  No one “wins” at business.  You can have a good year and rake in some profits, but topping arbitrary metrics in no way makes you the best or forces other players to cede the field to you.  The game continues as long as the company can operate, until eventually it can’t.  But even at that point, the game goes on with whatever players remain until the cows come home.

Now let’s translate this to cybersecurity.  Players shift, rules vary depending on the day, and just like in business, no one can win.  You can go an entire year with zero breaches, but that gains you exactly nothing when it comes to the next attempt to crack your network.  What does this mean for cybersecurity professionals?  You have to view your efforts through an infinite lens if you have any hope of succeeding.

Another example.  Say that you are considering educating your workforce on social engineering.  A finite game solution might involve genning up a briefing, providing it to everyone in the organization, then chalking it up as a win with no need for future efforts.  You’ve accomplished all the metrics, after all!  Every player has been briefed, the rules are clear in that everyone had to attend and possibly pass a knowledge check to verify they paid attention, and you assess your victory if no one clicks on a suspicious link.

Cybersecurity (and organizational reality), however, does not fall along such clean lines.  You have no guarantee that the organizational members you briefed today are the same as the ones who are a part of your team tomorrow, and you have zero control over what tactics and techniques adversaries may use trying to trick them.  Rules mean less than nothing to a creative threat, and there’s every chance that threat can come from inside your organization.  And finally, there can never be a victory in cybersecurity because there’s always another attack on the horizon.

Maintaining an infinite mindset is difficult.  Our minds crave patterns, and a finite game provides those for us.  By its nature, an infinite game forces us to look beyond the simple solution and accept that we do not have the level of control we’d hope for.  But it’s in viewing that infinite horizon that a cybersecurity professional can protect his or her network for another day, which is as close to victory as we can hope to get.