My organization is considering conducting a security fire drill or even a cyberwar game to test our information security program. This seems like a big undertaking, but are cyberwar games beneficial to organizations?
Testing the information security program should be a continuous process. For example, once hardened, devices should be monitored by SIEM or federated identity management tools so that the enterprise is alerted to any changes that could affect its information security posture. Additionally, enterprises hire pen testers to validate that the control structure is working effectively. Then there is the incident response plan (IRP). In the event of a breach or incident that affects security, the enterprise needs to ensure it is ready and knows what steps need to be taken to return to normal processing.
One of the ways to test the IRP is to exercise incident scenarios across the table with all affected parties involved. Occasional social engineering tests, such as emails to employees to test their ability to detect phishing emails, are always enlightening.
Some organizations use cyberwar games to accomplish the same; however, the operative word is games, and there isn't much value in testing the information security program as a game. Cybersecurity is not a game. Security awareness can include contests, such as cybersecurity-related puzzles in company newsletters or on intranets, naming a cybersecurity mascot professionally developed by marketing for the information security group, and free cybersecurity videos offered to employees during lunch periods in the company food court. These and many other innovative and fun events can go a long way in increasing awareness. But making them cyberwar games might marginalize the seriousness of cybersecurity. It might also affect employee productivity if they begin to question real work for a game.
If the purpose of cyberwar games is to test the information security program, there are more tactical and pragmatic methods that prove to be much more productive. These include vulnerability scans, penetration testing, monitoring, remediations, secure code reviews, data loss prevention (DLP) scans and blocks, file integrity monitoring (FIM) alerts and follow-up, SIEM alerts and follow-up, system configuration certifications and many more. Cyberwar games would best serve as an awareness tool rather than as a test of the information security program.