Cybersecurity, like theoretical physics, grasps constantly for useful metaphors in order to engage with those outside of our tribe.
One aspect of cybersecurity that is fundamental to the discipline is that it is adversarial in nature.
Compare this to QA, an adjacent field that is sometimes confused with cybersecurity. QA asks: “Does this thing work as desired?”
Cybersecurity asks: “Can someone pump a bazooka through this thing?”
If QA is playing paint-by-numbers (unfair, but stay with me here), then cybersecurity is playing chess.
“If I do this, what will my opponent do?” To two, three, four, five moves ahead.
The difference is that, in cybersecurity, you are not playing regular chess where there is only one opponent, you know their identity, and all the pieces are visible on the board.
No.
In cybersecurity you are playing chess against several dozen players, all of whom are wearing masks, and some of whom are invisible.
And some of the pieces are bazookas that can destroy you without any warning at all.
One or multiple opponents may even hold invisible pieces that are the equivalent of a cyber nuclear weapon that destroys all the players and ends the game for everyone.
Also, did I mention you are playing chess blindfolded? The blindfold is not completely opaque but you’re never actually sure where your piece is moving.
Also, there are no turns; everyone just plays whenever they feel like it.
No wonder that defensive cybersecurity produces high levels of anxiety in practitioners. Offensive security practitioners, I feel, have an easier mental task. You can know if something is broken by breaking it. But you can never know, really know, as a defender, if something is broken or not.
Schrödinger's Cat, anyone?