My 16-year-old son is currently in his final GCSE year at school and one of his chosen subjects is Computer Science. This involves a topic on IT Security and, during a recent class discussion, the teacher gave the class an analogy: IT Security is like a game of chess.
I asked him to explain his teacher’s reasoning and after a roll of the eyes and a huge sigh from my son, we discussed the analogy.
Don’t get me wrong, I’m not critical of the teacher’s teaching. I think teachers do a great job considering the pressures and some of the difficulties that they face, and I can understand the comparison between IT security and chess as an easy way to describe a complex topic.
Some people may well use the game of chess to compare the never-ending game that security professionals and cyber criminals constantly engage in. On one side, there are the hackers, constantly trying to break defences, and on the other side, security professionals, wary of the opposition’s move and trying to stay one step ahead.
In a game of chess, all your pieces are on the board, in full view of your opponent and you can’t hide anything. You can see your opponent’s move and equally, they can see yours. The only way you can defeat your opposition is to out-think them.
So what game are we playing?
I asked my son to consider the analogy of a game of poker.
In poker, each side remains uncertain about the cards held by the opposition as well as the cards remaining in the deck. Bluffing, secrecy and deception are key parts of the game. Many would argue that IT security is more like poker than chess.
The challenge, as I see it, is that some companies see the game as just chess. They lay out their IT security infrastructure in a similar manner to a stallholder at a market and try to out-think the opposition. Hackers, on the other hand, are playing poker, trying to bluff and gamble their way in.
In chess, you win the game with checkmate, where the opponent has no possible move left. In poker, it’s all about the player with the best hand.
Putting things simply, you can’t win the game if you don’t know what game you’re playing.
So, my suggestion would be to play both games. IT Security is not just chess. Checkmate is the end goal, but it’s very unlikely. You can, however, think several moves ahead.
Also, do what you would do in a poker game: consider your opponent and always remember – it’s the best hand that wins.
Written by: Richard Woods, Senior Consultant, Aditinet UK