Information Security Practice as a Game of Chess
Ted.Phelps [@] suny [.] edu

Welcome to Part 2 of “Information Security Practice as a Game of Chess.” In Part 1, Ted Phelps explained the analogy. In this post, he explores the different pieces and the roles they play. Which are you? How would you represent things differently?

King: Information.
The King in chess is defensively weak; it can only capture or kill attackers that are right next to it and can only move one square at a time. Yet, it is the only piece that must remain in place throughout a game. Lose it, and you lose the game. Information is like that. It needs others for its defense, yet provides the foundation and meaning not only to the ISec “game” but to much of the life of the organization. Because our game is information security, not just computer, network or IT security, our client is our information, especially our mission-critical and sensitive information. Good players keep their eyes on their Kings at all times, and analyze the shifting field of risk. In contrast, new players focus on the heat of the battle, often far from the King, and have a hard time keeping an effective, ongoing awareness of how those battles affect the shifting risk posture of their Kings. Parallels with protection of information are strong. Pouring attention into firewalls, IDS, IPS, and even encryption, keeps the new security players from doing risk assessments and data classification. The actual risk posture, which changes at least a few times a year, is not well understood. This takes practice. Kings, like our most secure information, are not out in the middle of the arena for all to see. We are usually surprised when information is breached. New ISec players focus on what is most visible in the battle. This is often the machinery used to defend against outside attacks on computers through the Internet or through physical penetration of buildings. We lock doors and put up firewalls. Meanwhile, the opponent can work through these defenses and attack our Information. Even a new player can, however, easily learn to shift the King into a well-known position of safety early in the game, a maneuver called “castling”. There are well-known moves in ISec, too, that protect Information, such as password protections on the applications that create and control sensitive information.

Queen: Executives and Policy.
The Queen is the most powerful piece in chess. It is considered about twice as powerful as the Rooks and three times as powerful as the Bishops and Knights. The reason for this designation is that a Queen can move anywhere there is line of sight, i.e., in straight lines across vacant squares. What element in an organization has such wide-ranging influence? Clearly, this is the key distinction of jobs in top management. It also is true of policy. Good players know the power of the Chiefs and of policy and plan carefully to engage it strategically as early as is wise. Using it too early can cause problems, both in chess and ISec. If Queens, Executives, and Policy are not well played, or if they are taken out of the game, winning is extremely difficult. Many battles can continue the game for a long time, but in time, the organization will crumble. A new chess player can be enthralled by the power of the Queen and use it far too much in the opening moves, exposing it too greatly and creating an unbalanced strategic position. Occasionally, an ISec player has access and influence with an Executive or has the power to create a policy early on. Doing so without also engaging the other critical elements of the organization is a classic management mistake resulting in missed leadership opportunities and the squandering of power. Policy and Executive powers must work as a team with the other elements to win the game.

Bishops: Business and IT Managers.
Like the Queen, the left and right Bishops can move as far as they wish along lines of sight, but only along diagonal channels. One operates on the black diagonals and never touches anything on white. And the other is the opposite. They are like powerful agents with long-range control and power reaching across the organization at all times, yet kept within channels of power and influence. Chess players try to operate their Bishops as a team because taken together, they can touch every square. The business and IT managers provide one of many interesting parallels to the Bishops. Business and IT operate in every region of the organization, but control distinct aspects of the organization. We could view HR, Building Security, and Legal Counsel also as Bishops.

Rooks (Castles): Systems and Applications.
Traditionally, the two Rooks are considered the strongest pieces after the Queen. Each Rook can play on every square. Their capability complements the Bishops in that they also move as far as they wish along lines of sight, but only along the orthogonal lines (rows and columns, “ranks” and “files”). The orthogonal nature of the Rook’s motion reflects the structural nature of Information Technology infrastructure, which includes computers, networks, stored data, and computer applications. These structures touch the full matrix of the organization. The angular nature of the Bishop’s and Knight’s motion reflects the dynamic, fluid nature of people and process. An early move in chess, “castling,” places the King in close protection of the Rook (Castle). Similarly, Information has a long-established relationship to Technology (Systems and Applications) as its most reliable protectors. A new chess player may think a castled King is perfectly safe behind a wall of Pawns, and that reflects an early, but unfounded, confidence managers can develop with respect to the security of their information and systems once firewalls, anti-virus, and password systems are in place. But a strategic, dedicated attacker, in chess and in ISec, will see ways around those defenses. “Social engineering,” for example, passes right through those defenses, somewhat like the surprising motion of the Knight.

Knights: Behavior and Security Practice.
Knights are not powerful agents, but they are tricky and have a special kind of elusive power. They can’t move or capture anything more than two squares away. Their move is often visualized as a 3-by-2 “L,” but it need not take a specific land route to get to the landing square. It can just arrive at that target by passing through or over other pieces, the way cavalry can jump (the piece is shaped like the head of a horse) over obstacles in the field or a Ninja can somehow sneak past guards and walls. This means the Knight’s range of targets and strategic possibilities are more difficult for new players to visualize and control. What is like this in ISec? Certainly, human behavior with information is like that. It is largely unseen and out of direct control. The effect of workers’ behavior on the organization’s information is not as sweeping as that of policy and executives, but it can lead to some surprising benefits and painful losses. So, ISec strategy must include human behavior with information. Done well, it fills in many holes in an otherwise strong program, and can do so at a relatively low cost. The Knight has another parallel in ISec: the specialists, such as ISOs, security administrators, and auditors. The strategic action of the security specialists is often hard to grasp, and their power and influence are not as far-reaching as the major business functions. But, when done well, they find their way into all parts of the organization, and they jump over departmental lines and functional silos.

Pawns: Projects, Procedures, Protections.
The chess board at the start displays a row of eight Pawns aligned like foot soldiers leading the battle or guards at a gate. Pawns have these primary attributes: 1) they are the weakest pieces (they only move one square and only forward); 2) there are lots of them; 3) many live short lives. At least one Pawn is usually the first piece played and also the first to be captured. This has parallels with ISec projects and tactical defenses, such as firewalls and antivirus software. These go into the game early on and, like Pawns, are the easiest thing outside observers notice early in the game. Like Pawns, there are many of these. They also come and go at a faster rate than executives, business and IT managers, computer systems, applications, and the workforce. They are used by these for specific purposes and then get taken down or end. Good early moves with Pawns, as well as with projects and protections, can create a strategic framework that lasts throughout much of the game.
Join us next week for the third and final posting where Ted explains the ‘endgame’ as well as several other points to ponder. 

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

