1. Objectively evaluate your capabilities and work to create a well-balanced “party”
In video games, there are typically different “classes” of characters, such as fighters, magic users, clerics, and so forth, and there are also specializations within each class. Each of the character classes has different strengths, weaknesses, advantages and disadvantages, which means they are not equally suited for every situation. When assembling a “party” of characters, it’s important to balance the members of your party to increase your ability to thrive in a wide variety of situations.
In information security, the same holds true – you have people with different specializations, such as networking, application security, attack, defense, incident detection & response, technical, social, forensics, and so forth. We can begin by assessing the capabilities of our team members (our party) based on a number of criteria, including technical skills, certifications, industry experience, natural abilities (e.g. problem-solving, thinking like an attacker, communication, etc.), and suitability to task.
I encourage organizations I work with to have informal information sharing discussions or brown bag lunches with their teams to capture who knows what, who’s done what, etc. and to revisit these skill sets when a specific problem arises. For example, when a security issue occurs, poll the team to find out who has expertise that might come in handy. And forget job titles or organizational role – I find infosec people to be notorious, boundary-crossing generalists.
As part of this assessment, you should also consider the capabilities of your extended teams – in other words, take a look at the competencies of your partners and service providers. Knowing what they can do ahead of time makes it easier to know how you can leverage them when a crisis arises.
Once you know what your skills are, it is also helpful to look for critical gaps in your capabilities. These gaps can be filled by hiring for different, complementary skills in the future, by finding a new partner, or by bringing in outside help through contractors.
2. Select countermeasures based on your threat environment
Another aspect of understanding your capabilities is knowing what countermeasures you have, where they help and – critically – where they don’t. In adventure gaming, this is where we spend time understanding the relative strengths and weaknesses of weapons, armor, and special items. The advantage in adventure games is that it is easy to find out if one item is better than another – for example, a +2 sword is generally better than a +1 sword – and there may be enhancements that make a particular weapon better in certain situations (e.g. resistance to cold attacks).
Unfortunately, in infosec we don’t have a common way of evaluating security controls – there is no such thing as a +3 firewall, for example. However, we can come up with our own factors to evaluate countermeasures so we can objectively compare one product to another.