How Your Cybersecurity Strategy Can Benefit from Looking to Las Vegas
Back in college, my fraternity had a monthly casino night. We’d rent all manner of table games, put on ESPN, invite our sister sorority over and proceed to bet on everything from Australian rules football to camel races in the Middle East.
Each time, our house usually won enough money to host the next party and then some. I, on the other hand, always lost. As a result, I became a student of all-things Vegas, odds-making and how big-time gambling business works in general.
As I dove into the subject, I quickly realized gambling is a serious business. One that serves as a time-tested model of near-guaranteed success.
Some of the first big lessons I learned from studying how Vegas operates explain why they’re so successful week in and week out. You see, odds-makers:
• Are great at gathering comprehensive data and doing research - every day, all day
• Continuously monitor, adjust and react to changing conditions
• Don’t care about being right or even who wins, they care about eliminating risk
• Seek the right balance each and every day
Following these guiding principles,
At the heart of odds-making is data gathering and analysis. In fact, a very well-organized and standard business intelligence approach is the ground floor of the gambling business.
For example, for team contests, odds-makers do more than look at the team’s won-loss record, they look at simple and available high and low-level data from every angle possible to get a complete perspective on how to evaluate possible winners and losers. They look at:
• Historical performance of the teams
• Who’s coaching
• Key player stats
• Relevant injury info
• Who the team played previously
• Location of the match
• What’s on the line
• Weather data
• and myriad other data points from many, many different perspectives
What’s more, they collect, store and analyze this data each and every day in the context of each specific match.
The game of cybersecurity is itself a continuous competition against different foes. However, in today’s cybersecurity world, it’s de rigueur to prioritize a technology approach to winning cybercrime matches. It’s called “throwing technology at the problem.”
As a result, most enterprises are awash in data outputs. Most of it is low-level, incomprehensive operational data. Most of it is not well organized with appropriate context.
In other words, too much data at the wrong levels and without the relevancy to an enterprise’s specific threats and risks required to inform a game-winning strategy.
Much as Vegas has proven over time, enterprise security organizations can immediately benefit from the same sort of well-organized data and analysis approach to their contests.
Vegas odds-makers also know that, hand-in-hand with this kind of data analysis, it’s paramount to react with precision to changing circumstances.
If a key player gets hurt the day before a match or the weather suddenly changes before game time, this triggers pivotal changes in strategy designed to protect their interests. Lines are changed, odds are changed and more. Their daily diligence in analysis drives continuous tuning and simple, decisive actions. When a risk pops up, they immediately counter with studied, pre-established moves to close the holes. For Vegas, profit is preserved through swiftness of action, efficiency, economy, decisiveness, and established protocols commensurate with the risk. The key here? A solid strategic data foundation that enables tactical reaction to risks.
Speaking of risks, Vegas seeks, above all else, to eliminate risk to the house in each individual contest. It is their singular focus and is most directly supportive of their main goal, profit. Enterprises today are focused on being defensive across a broad waterfront, as opposed to offensive when it comes to risk reduction. It’s a subtle difference, but a distinction worth a lot.
For Vegas, eliminating risks means paying attention to the context of each individual contest and using their resources to zero-in on just those elements that shift the see-saw of priority, estimation and judgment one direction or another.
It’s continuous, individual triage.
In simpler terms, they take on each contest one at a time and determine riskiness (and required reactions) for each specific set of circumstances. They treat each contest, each set of risks on it own and react offensively to address those risks at the top of the triage lists in ways individually designed to achieve the most immediate positive results.
For enterprise security efforts, cyber defense is often seen as a long-term strategy. It’s too often a top-down focus, as opposed to a bottom-up approach that bubbles up metrics to a higher level from each individual risk area. And, at the top, there’s no unifying KPI-driven analysis and monitoring in ways typical of other business areas. Under these conditions, real triage is impossible. It becomes a strategy of policy as opposed to one informed of data-driven, atomic building blocks. Couple all this with the lack of a practical, contextual data and analysis approach mentioned earlier and enterprises are themselves competing in blindfolded dart games where true chance is their only hope of stopping a threat.
Can you imagine Vegas acting this way? Being this out of balance? There’d be no $5 lobster buffets and free drinks if they did.
Speaking of balance, it’s arguably the one principle Vegas odds-makers live by. Each and every day, lines are tweaked, odds adjusted and numbers slid up and down. This is no accident. It’s a sacred process. It’s the odds-makers’ way of continuously tweaking their “budgets” to ensure maximum profit. If too many bet on a competitor, odds are adjusted to even up the betting balance sheet and ensure losses are minimal, profit is as high as possible.
Enterprise security efforts can also benefit from this type of continuous balancing, but rarely do so. Again, a preference for technical solutions is almost always prioritized by good old-fashioned day in, day out diligence. Cyber budgets aren't analyzed nearly often enough, and they aren’t kept in sync and up-to-date with today’s trends both inside and outside the enterprise walls.
The bottom line is, very few enterprises maintain their cyber defense budgets as, say, and elite athlete would train for his or her weekly performance. Still fewer take this budget health into consideration as Vegas would do when handicapping any given match. For Vegas, balance in every area of their operations is and end in and of itself.
Much as I fared as a novice, uninformed and undisciplined gambler, taking chances with cyber defense is all too often a losing proposition for enterprises. But it doesn't have to be. Sure, Vegas doesn’t win all the time, but, in the end, it isn’t winning and losing they care about. No, they care about an informed, controlled and balanced process that has as its only goal to reduce risk each and every day.
They seem to come out on top in the end. Every time.