RUN CISO RUN: the retro video game about security awareness

RUN CISO RUN: the retro video game about security awareness

A few days ago we released the retro video game RUN CISO RUN. We have been using it for a few years now at our trade shows and conferences. I have to admit it has evolved a lot over time, and we hope it keeps evolving, since we find it as catchy as the other games from the 1980s thanks to its simplicity (all credit to our genius Pablo Abratte).

How the game works

In the game we find a screen split vertically into three sections:

  • On the left, a scenario of complete inaction, where attacks come from the outside and only technical tools try to stop the cybercriminals.
  • In the center is our character, the CISO, who runs to create content and deliver the cybersecurity awareness program to end users.
  • On the right is SMARTFENSE as an awareness platform, launching campaigns constantly.

As the pace of the game speeds up, we find ourselves running to create content and deliver it. This happens reactively and, in the frenzy of the game (and of our work as CISOs), we often realize that we are not doing it effectively or efficiently. And this game, which lasts barely 90 seconds, leaves us exhausted…

Analyzing the results

Only when the round ends can we compare the costs of each option. The same ones we face in real life as the CISO of our organization…

RUN CISO RUN results screen comparing inaction, the CISO and SMARTFENSE

On the left you can see that, in the case of inaction, the investment in information security awareness for end users was obviously zero, but unfortunately the threats were ruthless, forcing us to spend that saved money, and much more, on remediation.

On the right, SMARTFENSE was at work. As an awareness platform that lets us schedule campaigns according to the awareness program we designed, it ensures that safe habits are built in users with a low investment. This makes it possible to reduce the risk of phishing, spear phishing and ransomware.

The results on the middle screen will depend on how we did it ourselves, whether we saved or invested, and on our ability to respond to external conditions. Here we note that it is not easy to think when we act reactively to the situation in front of us, and we do not know the effects until the game ends (or the year ends, in the case of our organization).

Is it possible to “beat” SMARTFENSE?

In the video game, yes, because it is designed for threats to be launched randomly, so it is normal for the instance on the right, where SMARTFENSE sits, to also come under attack (as can happen in real life). The middle situation depends on us, so it will be up to each person’s expertise to find a way to invest as little as possible in training while still stopping most of the threats. For that we need many practice attempts (or years, in real life). Even then, we would be running all the time… is that what we want?

That was the question I asked myself several years ago, and the answer was a resounding ”no”. In fact, it was the reason we created SMARTFENSE. For those who do not know, several years ago I was working as a CISO and I spent my time running without knowing how effective our effort really was. Realizing this, we noticed that, at best, achieving an awareness program with acceptable quality and efficiency would take us years. And in the end we would become experts in something that could have been outsourced from the start, with far better quality, effectiveness and control.

Given all this, the shortage of cybersecurity staff, and knowing that many other CISOs across Ibero-America were in the same situation, we decided to stop complaining and act, in this case by creating a dedicated awareness platform.

In the early days of our company we also found that the vast majority of CISOs were overwhelmed with tasks and, however simple the solution was, in many cases they could not even find the time to implement it. That is why we found the perfect ally in the partners who deliver added value, supporting them not only in implementation and troubleshooting, but also in establishing the baseline, scheduling, analytics, and creating and adapting specific content. Today it is hard for us to imagine working without that added value, since every organization that wants to build safe habits in end users needs an accurate diagnosis and a message adapted to its reality, and that is why the integrating partner plays a key role.

Final thoughts

Although the game is about user awareness, every CISO faces this situation daily on several fronts, so we hope the game can help them take that step back and think about what they want from their cybersecurity function and from their quality of life.

Mauro Graziosi

Experto en Seguridad de la Información, fundador y CEO de SMARTFENSE. Cuenta con 20 años de trayectoria en ciberseguridad. A lo largo de su carrera profesional generó diferentes proyectos enfocados siempre en la ciberseguridad y la educación a distancia. En 2016 fundó SMARTFENSE con la misión de satisfacer los requisitos y urgencias de los CISOs de Iberoamérica, obteniendo el Primer Premio del programa Cybersecurity Ventures 2018 del INCIBE. Su objetivo personal es convertir a los usuarios en un componente clave de la estrategia de ciberseguridad de las organizaciones a través de la concienciación.

Leave a Reply