Cybersecurity, it’s all about the Infinite Game.


As a seasoned technology & security executive, I look forward to our community gathering at the RSA Conference this year. I've come to realize that Cybersecurity and how organizations and the security marketplace today interact with it is the epitome of Simon Sinek's concept of "The Infinite Game." For those of you who have not read this book, from my point of view it's basically a never-ending struggle where the rules constantly change, new players or antagonists emerge, and there's no definitive endpoint.

In my experience leading security programs across various sectors, I've seen firsthand how the cybersecurity landscape mirrors the characteristics of an infinite game. We're not just dealing with known adversaries or fixed rules; we're up against an ever-evolving threat landscape that requires constant adaptation and a focus on the long game - resilience.

So, as we start, I want to provide a couple of definitions for context:

  • Finite Game: This game has known players, fixed rules, and a clear endpoint where a winner is declared. Examples include sports like football, soccer, baseball, and chess.

  • Infinite Game: This game has unknown players, changing rules, and no defined endpoint. The objective is not to win but to continue playing and adapting. Examples include business, life, and Cybersecurity.

The Infinite Nature of Cybersecurity

The key to success in the cyber infinite game is to understand that we're not aiming for a final "win." Instead, we strive to stay in the game, continuously improving our defenses and strategies. This “resilient” mindset shift is crucial for CISOs and security teams. Consider how we approach emerging technologies like artificial intelligence. It's not about finding a one-time solution but developing comprehensive strategies encompassing policy development, staff training, and ongoing risk management. We must view these emerging technologies as opportunities with potential risks, leaning forward and capturing innovations and gains while managing possible negative impacts on business.  

In the following discussion, I will review how companies, CISOs, and the security marketplace can view and implement an infinite game mindset. I will also discuss how threat actors are currently ahead of us and already implementing this mindset.

How Business can adapt to the Infinite Game mindset

So now, with some context of what an infinite game is and why I believe businesses, CISOs, and the security marketplace operate in one, let’s look at how companies can thrive in this environment:

1.   Maintain a long-term perspective: Focus on building resilience rather than seeking quick fixes. This perspective involves educating the business that Cybersecurity is a continuous life cycle that impacts and supports business decisions. Cybersecurity today is not just a one-off technology you buy and forget but a critical business service like Human Resources, Finance, or Sales. One final point about this vital service is that it needs to be managed by an adequately resourced CISO and security program.

2.   Champion continuous learning: Stay informed about industry trends and emerging threats. Change is the one constant in Cybersecurity. To manage its risks, CISOs, security teams, and leadership teams must proactively educate themselves on new risks/threats and potential opportunities to gain from them. This ongoing learning process keeps us engaged and at the forefront of the cybersecurity landscape.

3.   Adopt collaboration across the organization: Security isn't an IT issue; it's a business imperative that requires buy-in from all levels. To manage security in an infinite game, the CISO must build trusted relationships with peers, stakeholders, and vendors across the business. The business must require security to be visible, and the CISO should be involved in order to be effective. This collaborative approach fosters a sense of community and shared responsibility in the cybersecurity landscape. 

How does the Infinite Game mindset impact the CISO and how they develop security strategies

As CISOs, our role has evolved from purely technical to strategic and business leadership. We're not just implementing security measures but aligning security strategies with business objectives, managing risks, and fostering a security-aware culture.

This infinite game mentality also influences how we interact with vendors and partners. We're not just looking at solving immediate problems when evaluating new technologies or services. We're assessing how these solutions integrate into our security stack and contribute to our long-term resilience and strategic initiatives.

The CISO should integrate this infinite game mindset into the strategic plans they develop in several key ways:

1.   Embrace continuous adaptation: The only constant in Cybersecurity is the lack of a finish line. We're not playing to 'win' in the traditional sense; we're playing to stay in the game. Our strategies must evolve constantly because the threat landscape and threat actors are always shifting. One day, you're dealing with ransomware; the next, it's AI-enhanced attacks. There is no taking a break; our strategies must be flexible enough to adapt to these changes. This continuous adaptation mindset ensures we are always prepared for any challenge in the cybersecurity landscape. 

2.   Long-Term Vision: I've seen too many organizations fall into the trap of seeking quick wins. But in this infinite game, it's about the long path. We need to build resilience and focus on continuous improvement. It's not patching that one vulnerability; it's developing and deploying robust systems that can withstand incidents and be continuously resilient over time, no matter the changes in threats or new technologies.

3.   Measuring Progress: Beyond traditional metrics, success in Cybersecurity isn't about declaring victory. It's about continuous progress. We need to shift our metrics from binary "secure/not secure" to more nuanced measures like time to detect and respond to threats. It's about improving daily, not reaching some mythical state of perfect security. CISOs and businesses must establish a baseline of acceptable risk for long-term growth and innovation in an infinite game mindset.

4.   Collaborative Approach: One of the most crucial lessons I've learned as a 5x CISO is that Cybersecurity is a team sport. We're not competing against threats, but collaborating with peers, sharing intelligence, and contributing to the broader security ecosystem. This collaborative mindset is essential in the infinite cybersecurity game, where the long view is what matters most.

5.   Preparedness: Expect the unexpected. In this infinite game, surprises are guaranteed. Our strategies must include robust incident response plans and data protection procedures. It's not about if we'll face a crisis, but when. Preparing for these inevitable challenges is a cornerstone of a solid cybersecurity strategy.

6.   Intelligence-Driven Strategy: Know your adversary; understanding our adversaries' capabilities and intentions gives us an edge in this ongoing game. Our strategies should leverage threat intelligence and community knowledge. It's about staying one step ahead or not falling too far behind. This means that the government and private industries must work together because this isn't about winning the game but about staying in and owning it.

7.   Holistic Risk Management: We must integrate Cybersecurity into the broader business strategy. It's not a separate, finite challenge; it's an ongoing part of business operations and risk management. This holistic approach ensures that security aligns with and supports business objectives. The impact of security, its controls, technologies, and services should be a part of all business decisions and initiatives.

How threat actors are adapting their strategies to leverage the infinite game mindset

CISOs are not the only ones looking at Cybersecurity as an infinite game. Cybercriminals have been doing this for years. By embracing an infinite game view, these threat actors maintain flexibility and resilience in their operations, constantly adapting to new challenges and opportunities through several key approaches:

1.   Continuous Evolution: Cybercriminals are experts in adaptation. They're continually developing new attack vectors, exploits, and malware to stay ahead of our defensive measures. It's like a never-ending digital arms race, where they recognize that Cybersecurity is an ongoing process without a defined endpoint.

2.   Strategic View: Playing the long game. Gone are the days when cybercriminals were just after quick wins. Now, we're dealing with sophisticated actors and criminal organizations who employ advanced persistent threat (APT) techniques. They're in it for the long haul, maintaining access to compromised systems and networks over extended periods. It's a marathon, not a sprint.

3.    Resilience: Continuously adapting to technological change. As corporations and their CISOs roll out new security technologies and practices, threat actors adjust their approaches accordingly. They view Cybersecurity as a dynamic landscape where the "rules of engagement" constantly shift. It's like chess, but the board and rules continuously evolve.

4.   Community: The power of the collective mind. As CISOs and today’s security community come together to share information and collaborate, threat actors do the same. One of the most challenging aspects we face is the collaborative nature of the cybercriminal community. They participate in underground forums and marketplaces, sharing techniques and tools. This collective approach helps them adapt to new challenges in the infinite game much faster than many organizations can keep up with.

5.    Human Factor: It's all about humans and the path of least resistance. Cybercriminals have long recognized that technology alone can't provide perfect security. That's why they're increasingly targeting the human aspects of Cybersecurity through social engineering, phishing attacks, and deepfakes. It's often easier to trick a person than to break through a firewall.

6.   Innovation: Embracing automation and artificial intelligence. Threat actors are adopting automated tools and AI-driven techniques to keep pace with evolving defenses. This allows them to scale their operations and adapt more quickly. It's a game of speed and agility, and they're using every tool at their disposal. Instead of fixating on a single approach or target, savvy cybercriminals maintain a diverse portfolio of techniques and potential victims. This approach allows them to pivot as needed in the ongoing game. If one avenue is closed off, they shift to another.

How the Security Marketplace should adapt to Cybersecurity and its infinite game mindset

Finally, the fourth group impacted by the infinite game mindset comprises founders and companies operating in the cybersecurity marketplace. Cybersecurity is not a problem to be solved; it is a continuous challenge to be managed. This concept aligns with Simon Sinek’s “infinite game” mindset, where the objective is not to "win" but to keep playing by improving capabilities, adapting to new threats, and creating sustainable value over time. The cybersecurity landscape exemplifies this philosophy, with ever-evolving threats, shifting attack surfaces, and persistent adversaries. For the security marketplace to thrive within this infinite game, it must also embrace a mindset of continuous evolution and collaboration.

The security marketplace encompasses a vast ecosystem of vendors, service providers, and solution integrators. This ecosystem must adapt to an infinite mindset by prioritizing long-term resilience over short-term gains to remain relevant and effective in facing modern cybersecurity challenges. Let’s explore how this adaptation can be achieved.

1.   Focusing on Agility and Innovation: Cyber threats evolve exponentially, and the security marketplace must stay one step ahead. Agility in product development and service delivery is critical. Vendors need to:

  • Continually invest in research and development to create adaptive solutions.

  • Adopt iterative development cycles to address emerging threats quickly.

  • Leverage artificial intelligence and machine learning for proactive threat detection and response.

Innovation should not be limited to technology but also extend to business models. For example, adopting subscription-based pricing or delivering solutions as a service (e.g., managed detection and response) allows businesses and their CISOs to be efficient with security budgets and flexibly scale their defenses.

2.   Building Collaborative Ecosystems: The adversaries CISOs face are increasingly organized, and the cybersecurity marketplace must respond in kind. Collaboration is a force multiplier in an infinite game. Vendors, customers, and public-sector entities must work together to:

  • Share threat intelligence through platforms like ISACs (Information Sharing and Analysis Centers).

  • Develop interoperability standards to ensure seamless integration across solutions.

  • Engage in joint efforts, such as public-private partnerships, to address systemic risks.

No single vendor can solve cybersecurity challenges in isolation. By building collaborative ecosystems, the security marketplace can amplify its collective impact. Remember, the infinite game view is about long-term resilience, so we need to develop and nurture this community. 

3.   Embracing a Customer-Centric Approach: The infinite mindset prioritizes enduring relationships over transactional interactions. Vendors must move beyond selling point solutions and focus on empowering their customers to build long-term resilience. This means:

  • Shifting from a "set-it-and-forget-it" approach to ongoing support and optimization.

  • Offering tailored solutions that align with the customer’s risk profile and business goals.

  • Educating customers on best practices and emerging risks to foster a culture of security awareness.

A customer-centric approach ensures that security vendors are seen as partners in resilience, not just suppliers of tools. It’s about establishing a relationship to provide technology and other services for the long-term health of the customer.

4.   Promoting Continuous Learning and Adaptation: Cybersecurity professionals operate in perpetual uncertainty. The marketplace must support this reality by providing avenues for continuous learning and adaptation. This includes:

  • Offering training and certification programs to upskill the workforce.

  • Developing platforms that integrate real-time threat intelligence and analytics.

  • Ensuring solutions are designed to evolve with changing threat landscapes.

By enabling continuous improvement, vendors contribute to a more resilient cybersecurity ecosystem.

5.   Prioritizing Transparency and Trust: Trust is the currency of the infinite game, especially in Cybersecurity, where risks are ever-present. Vendors must build trust with customers by:

  • Being transparent about product limitations and known vulnerabilities.

  • Providing clear metrics and evidence of solution efficacy.

  • Ensuring ethical practices in data handling and privacy compliance.

Trust is not earned overnight, but it is critical for fostering lasting partnerships in a highly competitive and fragmented marketplace.

6.   Anticipating Future Trends: In an infinite game, looking beyond the horizon is essential. The security marketplace must prepare for future challenges by:

  • Investing in quantum-safe cryptography to mitigate risks from emerging technologies.

  • Addressing the cybersecurity implications of AI, Cloud, and other transformative trends.

  • Supporting global initiatives to close the cybersecurity skills gap.

Proactively addressing future trends ensures that the security marketplace remains relevant and integrated as a core partner in the business's and the CISO's resilience-focused strategic plan.

In Conclusion

Viewing Cybersecurity through the lens of the infinite game fundamentally changes how we approach our strategies. It's not about winning or losing; it's about staying in the game, continuously evolving, and building resilience in the face of ever-changing threats. As CISOs, our job is to lead this ongoing effort, fostering a culture of security as dynamic and adaptable as the threats we face.

As security executives, we will encounter organizations and individuals who don't understand the infinite "resilient" mindset. They're focused on today and unable or unwilling to adjust to a long-term operational view. That's fine; what's essential is that as the CISO and senior security executive for the business, you follow the infinite path and continuously evangelize its value. Remember, Cybersecurity is a team sport, and we are all playing the long game together, so be patient and don't forget your community. We should all be here to support each other. Good luck!

***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2 and the Executive Primer. I have also authored The Essential Guide to Cybersecurity for SMBs and Developing your Cybersecurity Career Path. All are available in print and e-book on Amazon. To see which books are coming next in our series, please visit the CISO Desk Reference website.

Tarak ☁️

no bullsh*t security for developers // partnering with universities to bring hands-on secure coding to students through Aikido for Students

2mo

At the AppSec level, that translates into building systems with embedded adaptability, not just point-in-time controls. Most teams still operate with finite mindsets: static SAST scans, one-off pentests, policy gating at commit or deploy. But resilient orgs are shifting to continuous attestation, where every artifact (builds, containers, IaC) carries a verifiable security context (e.g. in-toto metadata, sigstore chains, SBOM attestations). That’s the real move from “compliance checks” to “security feedback loops.” At CISO scale, I’m seeing more teams unify telemetry across code → build → runtime to correlate policy drift, CVE reintroduction, or lateral movement attempts. Curious how you’re seeing the balance between platform abstraction (to simplify) and signal integrity (to remain actionable) evolve in modern security programs?

Marcell Souza

MBA in Cybersecurity and Governance | IT Coordinator | Specialist in Infrastructure and Information Security | Microsoft Certified | Expertise in Cloud, Python, and Networks

3mo

Cybersecurity is about playing the infinite game — a continuous journey, not a destination.

Marc Agar

President & CEO, CA Communications | Driving Telecom & Cloud Innovation | Shaping the Future of IT Managed Services | Innovative Change Strategist

3mo

The “Infinite Game” really hits home. There’s no finish line in tech, just constant change, learning, and doing your best to keep things moving. Especially when the ground keeps shifting underneath you.

Tyler B.

CISSP | Cybersecurity Leader | GRC | Cloud Security | FedRAMP | ISO 27001

4mo

Driving awareness that security has evolved from a traditional IT function into a core business function is a real challenge. There are far too many examples of failures caused by siloed approaches and bottom-up security models. Getting involved early in new products and other initiatives is essential. It’s the new SSL: shift security left—at the organizational level! Good insight (and additional confirmation), Gary.

Jonathan Kirby

Information Security Leader | Cloud Security | DevSecOps

4mo

The Infinite Game by Simon Sinek is such an excellent book! And all I could think about when I first listened to it is how much he is talking about security. The game is only over when you stop playing. Side note, Simon Sinek is a great speaker and an excellent narrator. I love listening to his books. Especially Leaders Eat Last, and of course Start With Why.
