Finding The Hidden InfoSec Story

Security’s A Gamble – Just Like Horse Racing


Do you like the horses and horseracing? Are you the type who joins the office sweepstake once a year for the Grand National and then watches the race at home hoping to pick up a bit of petty cash when your 100-to-1 outsider comes in? Are you one of the lucky ones who gets taken to corporate hospitality by some flash vendor for Royal Ascot? Maybe you don a hat or even a fascinator (yes, I know what one is) to attend Ladies' Day at Epsom, a great excuse to get dressed to the nines.

I love to go to horse races but also regularly bet on them in a seemingly hopeless attempt to outwit an industry that makes billions each year across the globe. I see it as a typical maths problem to be solved: a complex set of differential equations and a whole dollop of luck. Sometimes you win, sometimes you lose, but in the context of information security, is there anything we can learn to stop us losing our corporate shirts?

I think the first thing we can say is that we learn from what happened in the past in all aspects of life, and this is as true in horseracing as it is in InfoSec. When following horses, what happened in the past is referred to as form, and most of it is publicly available in the racing papers and, to a more limited extent, in every national newspaper. Like most things in life, if you want better information on what happened in the past, then you pay more for it. The Times has every horse race in the UK every day for just about a pound. However, the Racing Post, for nearer three quid, will give you the bloodlines, the last run dates and percentage hit rates for every jockey and trainer. Of course there is information that the stable will never let out into the open, such as the feeding and fitness regimes alongside any injury concerns. Does any of this sound familiar? When your company has been attacked, either internally or by external hackers or phishers, sometimes you can contain the information internally, sometimes you need to tell the regulators, but in the worst case the press get to hear of it, and frankly that is when the finger-pointing is likely to start in earnest.

What I am saying is that in the context of InfoSec, how you dealt with issues in the past is a fairly good indicator of how you will react in future, so we must also analyse our past performance and learn from it.

One of the really important aspects of horse racing is that every course and race is different. Variables include the distance, the conditions, the terrain, or even hurdles versus flat racing. The rider and his or her ability is also key. Let's take the course and think about that first. When you view a form guide you can see the letters C&D, which mark a horse that has won over this course and distance before. This is important: if you know how the horse performed at this course and distance, it is a good indicator of how the horse will behave next time. In terms of InfoSec setup, one policy and process (horse) does not necessarily work for all companies (tracks) or time periods (distances). Just because it worked at Wolverhampton on Wednesday doesn't mean it will succeed at Southwell on a Saturday.

Now let's get to the horse and jockey combination. If you take the example of a very high-profile jockey like Frankie Dettori, just because he won the majority of races for a large Arab stable before his ban, it does not mean that he will automatically get on a horse from another stable and win. The jockey has to understand the strategy of the stable; let us call these the policies. But then, in the heat of the race, the conditions change, the horse will not respond, the jockey may need to use the whip, or, even worse, there could be interference. The recent altercation that took place in the St Leger showed that a jockey is the first line of defence when they come under attack from another jockey who is trying to steal their position. In the world of InfoSec, your staff are the jockeys: they are the ones who need to understand the policies of the owners and the legal lines of defence that are open to them. Of course, knowing that the other horses and riders are there and are going to try to attack in the first place is a good start.

Train your riders, understand your courses, keep your horses fit, but above all else, if you are going to gamble, don’t risk more than you are willing to lose.

Author: Dave Brooks
