In Part 1 of the Plights of the Round Table, the executive staff of Camelot was working on the strategic plan for the following year. Morgan, the CEO, needs to decide how to spend her limited budget in the best interest of Camelot. Lana, the VP of Sales, thinks they should invest in horses for their knights. Susan, the CISO, would rather the money go to upgrading the castle wall and building a moat. Smith, the COO, is content to have a major pothole filled. Barbara, the Chief Compliance Officer, wants to ensure they pass their audits so that she doesn’t lose her head.

The first day of meetings has wrapped up. Smith and Barbara both have budgets that are staying relatively flat. Lana and Susan, however, have been tasked to come back the next day with hard numbers in order to make their cases. The VP of Sales decided to head home and spend a cozy evening digging into spreadsheets. Susan, on the other hand, needed to unwind and seek out some advice from a friend, so she decided to visit the local gambling hall.

By the time Susan arrived, a healthy crowd had gathered to exchange their money for a bit of hope, each patron thinking, “Tonight will be my lucky night!” As the lively staff walked the floor, generously pouring drinks along their way, the hopeful gamblers played their cards, threw their dice, and tossed their chips. Cries of lucky numbers, cheers of triumph, and groans of loss created a festive din. The CISO found a table from which to take it all in. Although not a gambler herself, Susan came for the exceptional food and to observe. There is much to be learned from watching the intricate interplay of humanity here.

As well as being good friends, Lucinda the proprietor and Susan had many of the same concerns. There was enough money in this place to compete with Camelot itself. The opportunities for theft were rampant; patrons, card tables, the chip exchange, and the vault itself all posed tempting targets. “How does she protect it all, and how much does it cost?” the CISO wondered.

A voice snapped the officer out of her thoughts. “This seat taken?” Lucinda didn’t wait for an answer and sat down across from the pensive executive. With a quick nod and wave of a hand, the casino owner sent a member of the wait staff off to gather a small feast.

“Lucinda! Good to see you. I needed a place to think and grab a bite. It’s going to be a long night for me.”

“Oh? Big project? You know, most people find a quiet, secluded spot for that. You come to the loudest, most raucous place in town.”

“It gives me inspiration. And no, not a project – strategic planning. I need to procure improvements for the castle walls and a moat, but Sales wants horses. Horses! We just upgraded to coconuts last year. We can’t adequately fund both, so I need to make my case tomorrow.”

Lucinda, sympathetic to the cause, replied, “I wouldn’t say no to better protection. I just upgraded our security here. We did an audit and discovered we were losing hundreds a night to some very clever thieves. My security guard had several proposals – I had to reject half of them because they would cost us more than we were losing.”

“Right.” The CISO suddenly had a bit of inspiration. “So what did you do?”

“Hired more guards to work undercover. It was expensive, but a lot less than what we were losing. It turns out most of the thieving was small-time – pickpocketing of our guests and some ingenious table theft. A few prominent arrests, and word got around. We went from loss to profit, so it was well worth the investment. It was just a matter of doing the math about the risk. The probability of loss was high, the amount was substantial, and the solution was fairly obvious.”

The meal arrived, and the conversation turned to less serious matters. Susan was cheered by Lucinda’s security solution. It had been a revelation, and it gave the CISO an idea about how to approach the morning’s strategic plan meeting.

As the plates emptied, Lucinda looked over to her friend and said, “You seem to have cheered up! Glad we could offer a bit of respite from the corporate storm. You’ve got a long evening ahead, so I won’t keep you. Before you go, though,” the owner reached into her pouch and slid a clay chip to the other side of the table. “Have a go. It may be your lucky night.” Rising, Lucinda smiled and walked off to tend to the business of the evening.

Picking up the chip and flipping it over each knuckle, the security officer contemplated what to do next. With a short, quick nod of the head, she strode over to the roulette table and placed the chip on a square. “Lucky 13! Let’s go!”

----

It was a cool and foggy fall morning; a large fire was roaring in the fireplace, and the executives had all returned to their places around the table. Morgan brought the strategic plan meeting to order. “Alright, I hope you got some rest last night and are prepared to get to work today.” The CEO was eager to get through the morning’s work and wrap up the session as early as possible. “Lana, let’s start with you. I’d like to hear what you think Sales can do with those horses.”

“Actually, if you wouldn’t mind, I’d like to go first,” Susan interjected. The other executives in the room looked questioningly at the CISO, then back at the CEO. The VP of Sales started to speak, but the Security Officer held up a hand.

“I think everyone here will like what I have to say, so please hear me out. I spent last night thinking about this, and I think that we’ve been coming at it from the wrong direction. There’s no doubt upgrading the castle walls and adding a moat would make us safer, but how much safer? Sure, if we were under siege or were expecting a full-scale war, we would need to do everything in our power to reinforce our defenses. We’re not, though. We do need to do some work, but it’s just not as extensive as I first thought.

“I was only thinking of the impact and not about its likelihood. When it comes to strategic risk, probability is everything. We’re trained to look for threats and vulnerabilities and, let’s face it, assume a worst-case scenario. You’ve tasked me to keep you safe...”

“No,” the CEO interjected, “I’ve tasked your team to manage security risk. Yes, we need to protect Camelot and its assets, and we also need to consider running the place and making a profit. Every coin spent on security is one less spent on Marketing or Sales or Operations. I need to make sure what we spend returns that value back to us. But I’ve interrupted you, I apologize. Please carry on.”

Feeling a bit sheepish after the gentle correction, Susan cleared her throat and proceeded. “So, security risk. Last night I had a bit of an epiphany while chatting with Lucinda and watching the gamblers throw away their money at the tables.”

The VP of Sales laughed. “So that’s where you went last night. That’s the last place I would have expected you to go.”

“Lucinda and I go way back. We were in school together, and I find the casino a good place to learn a lot about people. Also, Lucinda is shrewd. She told me about her own security and risk challenges. Do you know how many times the casino has been robbed?”

The executives silently shook their heads.

“Zero. No heists, no straight-up robberies, none. Instead, she was losing money on pickpockets and small-time thefts. She was getting a bad reputation, and patrons were spending less. That was the problem she needed to solve. This got me thinking about our own security, and I ran the numbers. We haven’t had a siege or major incursion in decades. The last attack was a band of marauders out of the north, and they couldn’t breach the wall. From what I could tell, it was a drunken bachelor party. A stray arrow did make it through one of the older sections and injured a guard, so that’s something we need to investigate.

“We’ve also had a few costly mistakes – threats of our own creation. Forgetting to drop the portcullis, some unlocked doors, and one upgrade on the west side wall that used the wrong sized stones and shoddy mortar.

“On the other hand, we have stopped several people trying to sneak in at the gate. One person claimed to be a Nigerian prince, several claimed to have package deliveries, and it looks like we have CEO impersonators on a monthly basis asking for cash to perform ‘top-secret land acquisitions.’”

“Well, that seems fishy!” Smith exclaimed, having taken an interest in the prior year’s mishaps.

“Indeed,” the Security Officer replied, raising an eyebrow. “Fortunately, all were turned away by the guards. You must be vigilant if you want to catch a fish. The key point is this: the probable frequency of a major attack is close to zero – though if it did happen, the loss would be enormous....”

The COO added, “Like an earthquake.”

“Exactly,” said Susan. “Except we can better predict an invading army – they have to get here to do the damage, and it’s hard to do that quietly. Now with these smaller losses, we can make better predictions. Based on the numbers, we can assume two events a month, and those will result in either some moderate injury – our unlucky guard took an arrow to the knee – or cost: minor theft, some repairs, rework. So, given that risk, how much do we need to invest to decrease our vulnerability or remove threats?”

Patiently listening with furrowed brow, Morgan the CEO spoke. “That is precisely what I want to know and why we are here. You seem to have grasped the essence of my request from yesterday, and it appears that the wall upgrades you were so excited about have become less exciting. Still, I have to imagine you still want a piece of the pie.”

“A piece, yes, but significantly less than I thought. We need to step up managing the castle’s weaknesses, so I am requesting additional staff to regularly survey the walls and report back on any vulnerabilities they find. I’ll also need one more person for patching and repairs based on last year’s data.”

Nodding, the CEO seemed to approve. “We should be able to accommodate this. I’m liking this plan. It also looks like we have plenty to fund our horses for market expansion.”

“Excellent. There’s one more thing that I am requesting: we need to train our guards to spot infiltrators. They’ve done an excellent job so far, but these charlatans are only going to get cleverer. I would like to hire a troupe to do regular exercises and try to infiltrate the gates. Simulating these fishy folks will help our staff become more adept at spotting the real thing and turning them away.”

“OK...” Morgan seemed a bit skeptical at this. “I trust your instincts, though I’m not sure I trust actors. I’ll carve out a bit for this, but if I don’t see results, I’ll reallocate that money. That still leaves plenty for expansion. Now about those horses....”

---

Cybersecurity is an important part of an organization’s overall risk management program. While it is important for security professionals to understand the current threat landscape, know about the latest vulnerabilities affecting their systems and be cognizant of cutting-edge technologies, the tactical implementation of that knowledge must be driven by a sound risk strategy. As Susan learned from Lucinda in the casino, a risk-driven strategy revolves around assessing the threats, vulnerabilities and impacts to the organization and adopting technologies and processes appropriate to that assessment. If we define risk as “probable frequency and probable magnitude of future loss,” a good start is developing an effective vulnerability management program along with capturing good metrics around incidents and security events in your organization.
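The arithmetic Susan and Lucinda are doing, worked through in code. This is an added example and not part of the original post; the scenarios, controls and coin amounts are constructed assumptions chosen to mirror the story (a siege once in fifty years, two small incidents a month, a proposal rejected because it costs more than it saves). Each scenario carries a probable frequency and a probable magnitude, their product is the expected annual loss, and a control is worth funding only if the loss it avoids exceeds its annual cost. Treating the frequency as a Poisson rate also yields the probability of seeing at least one event in a given year, which is what separates the “earthquake” risk from the monthly ones.

```python
"""Frequency x magnitude risk arithmetic for Camelot's budget debate.

Added example, not part of the original post.  Every scenario, control and
coin amount below is a constructed assumption chosen to mirror the story.
"""
import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: how often it happens and what each occurrence costs."""
    name: str
    events_per_year: float  # probable frequency (Poisson rate, lambda)
    loss_per_event: float   # probable magnitude, in coins

    def annual_loss(self) -> float:
        """Annualized loss expectancy: frequency times magnitude."""
        return self.events_per_year * self.loss_per_event

    def p_at_least_one(self) -> float:
        """Probability of one or more events in a year, assuming a Poisson process."""
        return 1.0 - math.exp(-self.events_per_year)


@dataclass(frozen=True)
class Control:
    """A proposed security investment and the share of each scenario it removes."""
    name: str
    annual_cost: float
    # scenario name -> fraction (0..1) of the event frequency the control removes
    frequency_reduction: dict = field(default_factory=dict)
    # scenario name -> fraction (0..1) of the per-event loss the control removes
    magnitude_reduction: dict = field(default_factory=dict)


def baseline_annual_loss(scenarios) -> float:
    """Expected annual loss with no new controls in place."""
    return sum(s.annual_loss() for s in scenarios)


def residual_annual_loss(scenarios, control) -> float:
    """Expected annual loss that remains once `control` is in place."""
    total = 0.0
    for s in scenarios:
        freq = s.events_per_year * (1.0 - control.frequency_reduction.get(s.name, 0.0))
        mag = s.loss_per_event * (1.0 - control.magnitude_reduction.get(s.name, 0.0))
        total += freq * mag
    return total


def evaluate(scenarios, controls):
    """Rank controls by net benefit (loss avoided minus cost).

    Lucinda's rule: reject anything that costs more than the loss it removes.
    """
    baseline = baseline_annual_loss(scenarios)
    rows = []
    for c in controls:
        avoided = baseline - residual_annual_loss(scenarios, c)
        rows.append({
            "control": c.name,
            "annual_cost": c.annual_cost,
            "loss_avoided": avoided,
            "net_benefit": avoided - c.annual_cost,
            "worth_it": avoided > c.annual_cost,
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenarios (assumptions, not figures from the post).
SCENARIOS = [
    Scenario("siege_or_invasion", events_per_year=1 / 50, loss_per_event=500_000),
    Scenario("arrow_through_old_wall_section", events_per_year=0.5, loss_per_event=2_000),
    Scenario("petty_theft_and_unlocked_doors", events_per_year=24, loss_per_event=400),
    Scenario("botched_repair_rework", events_per_year=1, loss_per_event=3_000),
]

# Constructed controls (assumptions): amortized annual cost and the share of
# each scenario's frequency or magnitude the control is expected to remove.
CONTROLS = [
    Control("moat_and_full_wall_upgrade", annual_cost=40_000,
            frequency_reduction={"siege_or_invasion": 0.9,
                                 "arrow_through_old_wall_section": 0.9}),
    Control("wall_survey_and_repair_staff", annual_cost=3_000,
            frequency_reduction={"arrow_through_old_wall_section": 0.8,
                                 "petty_theft_and_unlocked_doors": 0.25},
            magnitude_reduction={"botched_repair_rework": 0.5}),
    Control("gate_infiltration_exercises", annual_cost=2_000,
            frequency_reduction={"petty_theft_and_unlocked_doors": 0.5}),
]


if __name__ == "__main__":
    print(f"{'scenario':<34}{'lambda/yr':>10}{'P(>=1/yr)':>11}{'ALE':>10}")
    for s in SCENARIOS:
        print(f"{s.name:<34}{s.events_per_year:>10.2f}"
              f"{s.p_at_least_one():>11.3f}{s.annual_loss():>10.0f}")
    print(f"\nbaseline expected annual loss: {baseline_annual_loss(SCENARIOS):.0f} coins\n")
    for r in evaluate(SCENARIOS, CONTROLS):
        verdict = "fund" if r["worth_it"] else "reject (costs more than it saves)"
        print(f"{r['control']:<34} cost {r['annual_cost']:>7.0f}"
              f"  avoids {r['loss_avoided']:>7.0f}  net {r['net_benefit']:>8.0f}  -> {verdict}")
```

Run it directly to print the table. The point to notice is that the full moat-and-wall upgrade removes most of the catastrophic scenario’s expected loss yet still fails Lucinda’s test, because at one event in fifty years there is little expected loss to remove, while the cheap controls aimed at the frequent, low-magnitude events come out ahead. The reductions here are point estimates; a real assessment would carry ranges for frequency and magnitude (or sample them in a Monte Carlo run) rather than single numbers, and would revisit them as incident metrics accumulate.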
Plights of the Round Table – Strategic Lessons from the Casino
Posted on January 27, 2020