The days keep spinning hot and cold in the world of Westeros. The seventh season’s final has come and gone for Game of Thrones fans, who now find themselves in for another, even longer wait until the series’ return. An HBO adaptation of George R. Martin’s popular novel series, A song of Ice and Fire, the series is a popular drama of medieval fantasy meets zombie apocalypse, with knights, kings, wars, treachery and, oh yes, dragons. In a land of crowns with winner take all, the series has become known for its brutal universe of backstabbing and treachery, where a character is alive one day, dead the next, particularly in the earlier seasons.
While the game has yet to be won, there have certainly been some cautionary tales along the way. With a warning of spoilers of the first few seasons, here are five lessons security teams should take to heart:
1. Don't Expect Hackers to Play by the Rules.
Arguably one of Eddard Stark's greatest mistakes, along with leaving his safe haven of Winterfell in the first place. Ned is an honourable man, who doesn’t quite get that just because he acts with honour and is true to his word, doesn’t mean he should count on others. When he discovers Cersei’s secret, he considers ordering her to leave King’s Landing merciful. At King Robert’s death, he recruits Peter Baelish and the City Watch as aids to enforce the King’s final will, and assert his role as lord protector. These of course, are monumental mistakes: had he not taken pity on Cersei and told her to leave in private, she would not have the backing or be in a position to uphold her son’s illegitimate claim to the throne. Likewise, Baelish and his City Watch have no particular loyalty and are in it for power: when siding with the Lannisters gives them an opportunity for more, they betray Ned instantly.
Hackers don’t play by the rules: they play to win. If there’s a flaw in the software that can be exploited assume it will be used. This is the primary argument against government access to encryption: once a backdoor or key exists, there will be a push to find it, and once the key is in the wild it will be abused, regardless of the original intent. A key to encrypted files isn’t a key only law enforcement will be able to use; it will be a key that makes all data vulnerable to data breaches. Conversely, if legal encryption channels are open books to law enforcement and heavily under surveillance, criminals won't continue to use those channels; they'll find a new way of communication. There may be some honour among thieves, it’s not something you can count on.
2. It's Never to Late to Hatch a Dragon: Small Things Are Worth the Effort
Remember those three small fledglings Daenerys Targaryen hatched during the funeral pyre of Khal Drogo? Remember how small and nearly helpless they appeared during those early days as Daenerys taught them how to eat, or saved them after having been kidnapped by Xari Xhoan Daxis and Pyat Pree? Remember how by season 4 they were these huge, man eating creatures of scale and fire? Daenerys never would have her dragons if she insisted they turned into large beasts of majesty the moment they were hatched: it took patience, efforts and persistence for them to develop into the current force.
Good security planning doesn't need to start big: it just needs to start. Operations will grow bigger as your business grows, when you can or need more robust measures. You'll have growing pains, times when you need to backtrack and reconsider your plans, but even this means you've already something to work with. By contrast, if you're putting off all measures until you can pull in something big, you're leaving yourself vulnerable, and potentially missing out on more steadfast strategies that take time to mature. Things like a good governance program and a disaster recovery plan take time, but are fully worth the effort.
3. Look at the Man Behind the Shadow: Consider Who You're Really up Against.
When Renly, younger brother of Robert Baratheon is killed in his tent, the only witnesses to the murder are Lady Catherine Stark, at his camp to forge an alliance for her son, and Brienne of Tarth, one of Renly's Kingsguard. When Renly seemingly dies at the hands of a shadow, it is Brienne who catches the shadow's face and recognizes her true opponent. "Stannis is a man, not a shadow, and a man can be killed."
Cyber weapons have come a long way: today, a DDos attack can be executed with the click of a button, using an army of IoT devices doing bulk of the work. An entire power grid can be shut down with ransomware, and a hospital unable to open it’s doors due to system failure. However, never forget that the one planning attack is still a human. Hackers certainly haven't forgotten that your security forces are in the hands of people, and use that to their advantage for finding weak points. A honeypot, by contrast, is still a valuable weapon against attackers, because it preys on the very human temptation of showing valuables they want, learning of vulnerabilities that can later be fixed. Always remember that no matter what you’re up against, the real threat isn’t an infected machine, it’s the programmer or developer on the other side.
4. “I try to know as many people as I can. You'll never know which one you need.”
Tyrion Lannister might come from a family known for gold, but his is truly the silver tongue of Westeros. So much so that many a travelling companion has told him he needs to shut up! This quote however, illustrates another talent in his ability to recognize the individual values of different people, a good eye that takes him far in the Game of Thrones. No doubt due to being judged his own life by a lower standard (literally), Tyrion doesn’t discriminate against others. While others might snub the likes of Bronn, who is low born, or the Stone Crows who are considered savages, Tyrion doesn't care: he also knows they can fight well and keep him alive, which is all that really matters.
Security and privacy operations need leaders, but don't forget the rest of your troops, and don't underestimate insights or abilities in solving the problem from different backgrounds and perspectives. A strong security team should involve talents from different sectors: not just IT, but also HR, communications and operational management. Consider some of the following responsibilities and challenges you’ll need to overcome:
- Securing network infrastructure, keeping software up to date and backed up for quick reparations when things go wrong.
- Communications to data subjects in the event of a breach or change, and potential communications with a commissioner or state supervisory authority.
- Training staff on how they can better improve their own awareness and operations. Developing visual aides, tutorials and materials.
- Developing proper procedures, guidelines and compliance checks. Auditing processes, responsibilities and regular operations to gauge data need-to-know access and disclosures.
Get a team that balances both hard skills and soft skills. Bring together professionals that can look and discuss the big picture, with at least a few sets of eyes that are better at watching out for the details.
5. You Know Nothing Jon Snow; so Keep Learning.
Security means keeping on top of trends. Software has moved from zero-day to zero hour: there’s simply no such thing as knowing all there is to know about the industry. Professional development is key for any career, but for security specialists getting overwhelmed by all of the different scenarios, software and regular changes is part of the job. Encourage training and re-training whenever possible, pay attention to industry developments, and if it’s been a while since you came across something new, it’s likely time to try and climb a new wall.