The idea of the US and UK working together on war games is a good one. It recognizes that we are in a war, and that we are losing. We need to improve our defensive game. Chris Inglis, the former NSA director, has commented that the state of security today massively favors the attacker – he suggests that if we kept score, it would be 462-456, just 20 minutes into the game, because our defense is so poor.
The continuous stream of announcements of new breaches, along with the UK statistics indicating that the vast majority of large companies are suffering serious breaches, adds up to clear evidence of weak defense. War games are a good way to get one step ahead, shifting to a proactive rather than a purely reactive stance. Nation states can do this with teams of people, but that is too labor-intensive and expensive for most organizations. This is why the security industry puts so much emphasis on automation – not just the automated discovery of weaknesses, but automating the critical process of prioritizing those vulnerabilities. The inconvenient truth is that most organizations know about far too many security gaps to be able to fix them all. War gaming is a proven approach to dealing with this reality: find the gaps that are most likely to be used in a breach, and fix those first. Perfect security is not possible, but realistic security comes from understanding your defensive readiness, stack-ranking your risks, and acting on the most critical ones.