COMMENTARY: During my last 10 years in cybersecurity, I've discovered that the mindset required to master those retro arcade games from the 1980s often mirrors the strategic thinking needed in security operations.
The parallels between these disparate pursuits are surprising and can teach us quite a bit. There’s also a lot more to it than just quick thinking – it's about pattern recognition, resource management, and protecting critical assets.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
Let’s start with looking at "Space Invaders," where waves of unknown attackers descend in increasingly complex patterns. Today, in my everyday work, I face sophisticated cyber threats that follow similar principles.
For example, in ransomware attacks, malicious actors systematically encrypt critical data, mirroring the persistent barrage experienced in "Space Invaders." Another common occurrence is phishing, where attackers impersonate trusted entities to trick individuals into revealing sensitive information. This approach uses varied tactics and social engineering, reflecting the increasingly complex patterns seen in the game. Just as I learned to anticipate alien movement patterns and respond swiftly, organizations must adopt proactive and continuous detection methods.
Then there’s the game's bonus UFO, a high-value target that earns the player extra points. Similarly, in cybersecurity, we identify critical choke points where a single remediation effort can deliver major security benefits. It's about maximizing the impact of limited resources – working smarter, not harder.
Although less well-known, I loved playing "Volfied," which offers major lessons about attack surface reduction. As I drew lines to capture territory while avoiding enemies, I learned principles that would apply to network segmentation and defense-in-depth strategies.
Reducing the attack surface and minimizing potential impact means implementing segmentation across various areas of an organization’s architecture. Network segmentation confines segments of the network so that even if an attacker gains access to one part, they face barriers that restrict movement. We can also apply segmentation to account access and permissions. Implementing strict access controls ensures users are granted only the permissions necessary for their roles.
The principle of least privilege limits attackers' access points, which makes it harder for them to exploit vulnerabilities and propagate attacks. This multi-layered approach ensures that if one layer gets breached, others remain intact, which lowers the overall attack impact. Adversaries often use diverse techniques; therefore, effective segmentation can improve defenses and reduce the attack surface, similar to how drawing lines in "Volfied" helped me strategize territory capture while dodging threats.
Further, cybersecurity requires optimized resource allocation, parallel to the complexity of protecting critical assets that was perfectly demonstrated in both "The Legend of Zelda" and "Donkey Kong." Navigating Zelda's dungeons required careful resource management and strategic thinking. Just as players must smartly allocate limited resources – whether health, weapons, or time – organizations must deploy security budgets, personnel, and technologies in a strategic way to ensure comprehensive protection of critical assets.
With this, organizations can allocate financial and human resources commensurately, focusing on high-priority areas where they can achieve the most significant impact against potential threats. Taking cues from "The Legend of Zelda" and "Donkey Kong," organizations can better comprehend the importance of optimized resource allocation, easing the complex task of asset protection into a more manageable and effective endeavor.
Donkey Kong's mission to rescue the princess compares to protecting organizational crown jewels. And just as the eponymous Mario navigated increasingly treacherous terrain, we must overcome increasingly complex challenges to secure our most valuable assets as attack surfaces become more complex and difficult to secure.
To keep vital areas safe, metrics reflecting actual risk and business impact must guide executive communication. It’s essential that these metrics are presented in plain language, clearly demonstrating how potential threats could affect core operations and revenue.
For instance, at a transportation company, its route dispatching systems are not just backend technology; they are critical to the business's success. A breach or failure of these systems could lead to significant financial loss and customer dissatisfaction. Executives must understand that protecting these systems is not just an IT concern – it is a business imperative.
Evidently, the stakes in cybersecurity are much higher than in gaming – we're talking about real organizations, sensitive data, and critical infrastructure. But the fundamental principles are essentially the same: understand the environment, anticipate threats, implement effective defenses, and stay ahead of adversaries. As the threat landscape changes, we must adapt our strategies – the tools and techniques in use today are often obsolete tomorrow, so we need to constantly learn and adapt.
In cybersecurity, the game never really ends: we must keep leveling up our defenses to meet new challenges. Success comes when we maintain the same persistence, strategic thinking, and adaptability that made us successful gamers.
The only difference? Now, instead of saving virtual princesses, we're protecting real-world assets from very real threats.
Hezi Nagar, exposure management service team lead, XM Cyber