Reframing Cybersecurity as an Infinite Game
Because “good enough” isn’t possible against a determined adversary
Back in 1986, James Carse wrote a book called Finite and Infinite Games. He describes Finite Games as those with known players, specific rules, and a clear “win” definition. Think of chess, basketball, or poker.
An Infinite Game, in turn, is one with an unknown number of players, shape-shifting rules, and a peculiar objective: not to win, but to keep playing the game. Think of politics, business, and life itself.
There’s a lot we can learn from Carse’s worldview, which Simon Sinek built upon in The Infinite Game. One key lesson centers on knowing which game you’re playing. There are two valid game types: (1) Finite players playing each other and (2) Infinite players competing against one another. But a Finite player cannot go against an Infinite player — their incongruent objectives lead to an unstable system.
Businesses with big digital aspirations must take this lesson to heart. Specifically, leaders need to convert their mindset around cybersecurity. Rather than applying a long-standing Finite mindset to making it “good”, we need to view it as an Infinite Game.
Let’s explore what that means.
Businesses are now more infinite-minded, especially in digital
“Winning” in business is a silly concept. Many companies talk about being number one, but by what metrics do we agree someone is beating the competition? These are artificially-created battles.
Nonetheless, the world has a long history of businesses seeking to “win” in the market. It’s a zero-sum mentality where leaders adopt a finite mindset — perceiving there’s only so much reward (i.e., market demand) available, so they believe they must grab their share or become irrelevant. Far too many organizations make short-term bets which spawn disastrous long-term consequences. Kodak is a preeminent example of this — doubling down on film even after they invented the digital camera.
The reality is that business is inherently an Infinite Game. Overnight successes aren’t real, so it’s always about long-term advancement.
Companies need to be diligent and strategic over the long term. The idea is to constantly learn and adapt — always working to be competitive. Infinite-minded leaders consistently work on the system, considering how to tweak products, services, ecosystem partnerships, infrastructure, and the business model to align with evolving customer needs and shape them.
The infinite mindset is especially applicable to digital business. With COVID-19 accelerating digital transformations and creating a new normal, organizations are quickly learning the pain and promise of using digital technology to:
- Create new types of value and revenue streams
- Design memorable and delightful customer experiences
- Streamline internal capabilities that support core operations
Understandably, organizations tune their digital efforts toward improving the bottom line. To keep playing the Infinite Game of business, digital capabilities need to be strong and fresh, forever. Why, then, are some capabilities treated as finite?
Cybersecurity is one of those. Outside of those in the cybersecurity profession, there’s a widespread belief that we can get to “secure” — we can reach a finite objective and then just live there. Turning items from “red” to “green” on a risk register isn’t a linear process; it’s a continuous and vigilant cycle.
It’s dangerous to think of cybersecurity as a Finite Game. Today’s digital “bets” require organizations to weave cybersecurity across people, process, and technology elements of the business. It’s how risk is managed and how value is captured. Cybersecurity must become part of organizational DNA and the mental models used across the company.
If there ever were an Infinite Game to be played, it’s cybersecurity.
Treating cybersecurity as an Infinite Game
“Finite players play within boundaries; infinite players play with boundaries.”
As Simon Sinek says, “The minute you have senior executives obsessing about the short game, the game is lost.”
But that’s exactly how a great majority of business leaders treat cybersecurity — as a Finite Game to be won.
On the surface level, cyber might seem finite. You might check compliance boxes to satisfy a regulator or “securely configure” devices, but that only brings deceptively-superficial and fleeting results.
The challenge is highly dynamic and your approach must be equally so.
Cyber practitioners know the truth. They know cybersecurity is a constant battle against a relentless and adaptive adversary. Sometimes the organization is the target; other times it’s an innocent bystander or simply collateral damage. Take NotPetya as an example — encrypting malware that wreaked havoc across the globe starting in 2016, causing massive financial and operational damage to organizations across sectors.
Businesses must be on their toes. With all this investment in digital transformation and high hopes of creating customer value that boosts the bottom line, we can’t neglect this challenge.
Here’s why cybersecurity is an Infinite Game:
- Unknown players: the environment you’re protecting (e.g., your business’s users, identities, devices, and networks) is nearly impossible to fully quantify and the adversary community is essentially limitless
- Boundaries and rules can be modified: businesses are shape-shifting organisms with digital “doors” constantly opening and closing, and attackers have plentiful tactics at their disposal to launch an assault
- The objective is not to win: the offense (attackers) seeks to accomplish an objective — theft, disruption, or destruction — and evade capture while the defense (the organization) works to keep business operations functioning day after day
This is a game that requires constant diligence, sensing, and adaptation. Businesses are desperately seeking states of resilience and antifragility, and if we don’t get cyber right, the whole business vision falls apart.
Ensure that vigilance and agility are part of organizational DNA
Here are specific parts of the business where we must boost cybersecurity using an infinite mindset:
- Board oversight: directors must practice enduring governance and consistently ignite exploratory conversations to stress test how cyber strategy is infused across business strategy
- Business model: organizations must continually analyze cyber risk and value creation opportunities across their evolving business model components — value proposition, customer segments, channels, and more
- Technology strategy: the push to cloud and digitization of business operations generates a host of dynamic threats and risks that must be tracked, managed, and measured
- Supplier management: organizations are increasingly reliant on a vast network of inherently-risky third parties (who have their own third parties) to bring expertise, code, products, and capabilities in-house; careful assessment, monitoring, and remediation need to happen here
- Applications, products, and platforms: the actual products and services delivered to customers represent your organization’s reputation and potential — you can’t afford for them to be insecure
- Risk Management: all of the above means that cyber risk is highly dynamic and requires meticulous and persistent analysis, dialogue, and testing
Good cyber leaders already champion an infinite mindset. The game is always in play, with both sides (offense and defense) continually pitted in a battle to better understand one another and position to live another day. The game is fluid and there are no rules. This is the norm.
The problem is that many business leaders fail to embrace the necessity and value of cybersecurity. Many treat it like just another cost center — one that should be minimized to keep profits in good condition. That Finite mindset no longer works in digital business, and inattention to cybersecurity can delete the value a company hopes to accrue from digital investments.
Simon Sinek highlights the need for existential flexibility in modern business — the ability of an infinite-minded leader to be humble and courageous when circumstances require a shift. We need this shift to occur in cybersecurity.
Reframing cyber as an infinite game is an important move. It’s a mindset shift that needs to be understood and adopted across the company, at all levels. For companies with big aspirations in digital business, make sure to treat cybersecurity as the Infinite Game that it is.