Mar 24, 2023
Security is often a thankless job. The only time it makes headlines is when it fails, or things go wrong. Like Tetris, success in cybersecurity simply disappears as new problems come into focus.
Security is often a thankless job. The only time it makes headlines is when it fails, or things go wrong. No one opens a web browser and pulls up a news feed about companies that have not been breached for several years. A business’s cybersecurity program only captures the public’s attention when disaster strikes. When things go right, there is no thank you, no gratitude.
Coincidentally, I was geeking out this week by playing some old-school Tetris. For those who are not aware, Tetris is a simple video game that focuses on a user creating horizontal rows of blocks. These blocks, of various shapes, drop from the top of the screen. When a block placement creates a continuous row with no gaps, that row is cleared.
The player must rotate, move, and drop blocks to create complete rows quickly. Sounds easy, right? Unfortunately, pieces that fall often don’t fit together easily. Incomplete rows cause falling blocks to stick and accumulate until no more can be added, and the player loses the game. As you might guess, having the foresight to fit blocks into the optimal space, while up against the clock, requires a thoughtful strategy.
(As an aside, those interested in the stranger-than-fiction Cold War origins of the game can check out the film Tetris on Apple TV beginning March 31.)
How does Tetris relate to cyber? In Tetris, when everything works out well, and you complete a horizontal line, do all your problems simply disappear? Not by a long shot. In fact, because you were successful, the next Tetris piece may fall a little faster! This is similar to the situation infosec teams are facing. When our controls work and a potential attack is prevented, there is no fanfare. One attack is successfully cleared off of our plate, but the next one is on the horizon and closing in. The only recognition of our success, or our long record of successes, is in some log written to the SIEM.
Unfortunately, Tetris is also like cyber when things go wrong. As much as it's great when you successfully place a block and a row disappears, problems quickly start to mount when things go wrong. Blocks pile up until the screen is full and no more pieces can be dropped. Game over. This is similar to life in cybersecurity. When things go wrong, they can go really wrong. One system gets compromised, and a multitude of problems pile up from there. Data may be exfiltrated, privileges escalated, systems encrypted – until it’s game over.
Unlike Tetris, where you can lose in private, the victims of a major or material cyber breach are often publicly humiliated. Newspapers and blogs may report and condemn the security team, commenting on what they could have done better. Every potential mistake or misstep will be analyzed to death through the unforgiving lens of hindsight.
This is why working in information security is often thankless. It's done on the backend, where solutions are simply expected to work, and amazing successes are completely invisible to others because the status quo is expected. Adding to the challenge, security solutions are expected to effectively stop all hostile activity with minimal impact and inconvenience on the user base.
Like Tetris, when things align and processes go smoothly, security teams can clear threats from the threshold of their organization. When things go wrong, problems quickly compound and cut short the time available for finding solutions. Once momentum favors the adversaries, it doesn’t take much before an organization is staring at their own “game over” message, written in public headlines.
As Dan Ackerman describes in his book The Tetris Effect, on which Apple TV’s upcoming film is based, the game likely only made it out of the Soviet Union due to collaboration among potential adversaries. Here, Tetris offers us another metaphor for the cybersecurity industry today. Cooperation among organizations and the wider cybersecurity community is critical to stopping critical threats and encouraging widespread healthy cyber hygiene.
Let's work together to keep our threat queues clear and cyber problems at manageable levels.
Stay safe out there.
What to read next
Should we be freaking out about CISO scapegoating?
Learning not to step on Lego: Blast radius, cloud sprawl, and CNAP
Recommended