What Game Are You Playing?

I recently watched “The Assets,” a mini-series based on the real-life hunt for a CIA mole. Aldrich Ames was a Cold War CIA employee who passed the identities of US spies to Russian intelligence.  For years the CIA chased clues to the mole’s identity, while the Russians did all they could to prevent his discovery.

In one telling scene the head of Russian intelligence plays chess with a subordinate, discussing future moves to protect Ames.  The intel boss compares the spy chase to their chess game.  His subordinate asks if they should change strategies as any good chess player would.  The boss knocks the chessboard to the floor.  “Let the Americans play chess!  We’re playing a different game!”

For too long the CIA played a metaphorical chess game they could not win.  Whenever they got close to identifying Ames, management would get in the way.  Not until agents were granted permission to change up their game were they able to breach the Russian web of protection surrounding Ames.

“The Assets” scenario offers several parallels to the insider threat and cyber security wars we currently wage.  Many companies play the game of organizational chess, while simultaneously spending hundreds of millions of dollars, yet remain vulnerable.  Why?

Heads of IT refuse to grant permission for needed tool installations.  COOs turn a deaf ear to negative news and curtail responses that might worry shareholders.  General Counsels insist on approving all counter threat activities.  Such organizational chess moves place rules and stove pipes ahead of operational security.  It can take days and even months to gain requested permission to implement threat responses.  Companies that play such organizational chess are engaged in a different game than threat actors—a game they cannot win.

Threat actors, on the other hand, care nothing about laws, organizational boundaries, rules, or stove pipes.  In fact, artificial barriers make their jobs easier.  All they need are mere seconds or hours to accomplish their aims.  The longer it takes organizations to respond, the better it is for the threat actors.  They are playing their own game – and will win.

Stop playing organizational chess.  Play your own game and win.