Security Is the Kobayashi Maru: An Unwinnable Game. No Wonder You’re Burnt Out.
I’m Givin’ Her All She’s Got, Captain!
I’m not the first person to point out that burnout in infosec is reaching a fever pitch. 2020 was a tremendously difficult year for security. Fueled by the pandemic and work-from-home, ransomware and other attacks boomed, high-profile breaches littered the news, and the business world continued its mass exodus from on-prem storage and operations to the cloud. Research by CIISec indicates that over half of security professionals have either left a job due to burnout or have worked with someone who has.
As your friendly neighborhood hacker, I’m going to make the argument that a philosophical shift in the way we think about “security” could curb the burnout problem and help our industry source the right people for the job.
The Kobayashi Maru is a fictional exam given to command-track cadets at Star Trek’s Starfleet Academy before their graduation. In the scenario, the cadet commands a starship answering a distress call from the civilian vessel Kobayashi Maru, is attacked, and is doomed to be destroyed. The point of the exam is not to win the battle, but to see how the cadet handles a no-win situation.
Security pros work in a constant Kobayashi Maru exercise: they are asked to win an unwinnable game.
C-suites expect their security teams to create a secure system. But these days there is no such thing as a “secure” system, only a resilient one, and the organization’s expectations of its security team must reflect that.
Organizations wish they could have dedicated security teams, but in this world “security” itself exists purely as a hypothetical. What organizations can and should have are resilience teams.
Where No One Has Gone Before
It may be unsettling to accept that there is no such thing as a secure system: that every company will get hacked, and that safeguarding it doesn’t come down to stopping all compromises, but rather to assessing how and how often attacks will come, and being prepared to withstand them. It feels scary because it seems to say we have no control at all. It should actually comfort you. CISOs and security teams are frequently used as scapegoats when companies experience large-scale attacks. C-suites read the negative news headlines, watch their share prices drop, and ask: who or what went wrong here, and how can we eliminate it?
That question is highly illogical, because it assumes the goal of security is to create an airtight environment. That cannot be the goal. The goal must be to reduce the risk of attackers achieving their objectives, and to respond appropriately to limit the damage when they do. Compromises will happen, but resistance is not futile.
The Needs of the Many
Just as on the USS Enterprise, communication between the bridge and main engineering is critical to the success of any mission. Today the executive team and the security team mostly operate in isolated silos, so when they do have to interact they speak completely different languages. The word “security” itself, as noted above, is a perfect example. These two parties must be on the same page about their mutual goal: creating a system that is resilient to attack.
As a security professional, you can learn to get better at speaking the language of business and it will help you. But the onus should not be entirely on you — it should be on the business’s leadership to adopt a comprehensive business plan that includes an effective and realistic resilience program.
The Needs of the Few (Or the One)
Aside from the major philosophical shift that needs to take place (a reckoning that will come eventually), here are some more immediate, concrete steps for you to consider:
- Boldly go to your board and come to a realistic understanding of risk. Don’t assume they speak security; go back to basics and explain what your program can realistically accomplish.
- Normalize a new mentality and vocabulary. This must happen within your own security team as well. Groupthink is powerful and panic can spread easily. Make it your mantra: my job is not security, it is resilience.
- Work smarter, not harder. Nailing down an effective process will go a long way toward reducing the workload on security teams. Risk = likelihood * impact. That product is a coarse prioritization heuristic, not a precise measurement, but it is enough to rank. Find ways to assess the real-world risk your assets carry, and focus your energy on those with both a high probability of attack and a blast radius your organization can’t afford.
- Automate more, burn less. The sheer volume of work for security practitioners is exploding right now, and there is frankly not enough hacking talent out there to meet the demand. But it’s also the 21st century. A lot of the work you do can be automated out of your routine, and if it can be, it should be. Don’t burden yourself with unnecessary work.
- Go to therapy. If you’re overworked and haven’t taken this step, it’s something you need to consider. The stigma is in your head — take care of yourself first. Contrary to popular belief, work comes second.
- Consider that security might not be for you. If you need to operate within a winnable system, the Kobayashi Maru is not for you. You probably have a ton of relevant skills that will translate well over to an adjacent field. Give some thought to what you really want.
Make It So
Passing the Kobayashi Maru itself was never the issue for the characters in Star Trek, and it isn’t your issue either. You’re seeing a bunch of enemy ships on the viewscreen, and that is causing you to panic, as it should. But the only way to win the Kobayashi Maru is to change the rules of the game, as Captain Kirk famously did. This is the lesson you must learn too: you have been handed an impossible task, and it’s not your fault that you can’t accomplish it. What you can do is help yourself in the ways you need and take part in an industry-wide shift in how security is perceived and what is expected of you and your fellow crew members.
The industry must move from a binary, results-based approach to one structured around real-world risk, in a manner that is supported by the C-suite. Organizations need to understand where an attacker would strike first so they can devote resources there first, rather than treating every threat as equal in likelihood and impact. The goal of eliminating all vulnerabilities in a network is impractical and debilitating, leading to burnout, frustration, and scapegoating. Reducing attack surface, understanding which threats can be accepted and left alone, and automating and operationalizing the tasks you do have are the first steps toward reducing these effects.