Welcome to Part One of a three-part series focused on optimizing security operations for long-term success.
Growing up in the ‘80s and ‘90s, I loved playing quest-style video games and continue to enjoy RPGs and action-adventure games. This passion has fueled my interest in gamification and automation in both my consulting and teaching. I've merged those interests in this series, beginning with a strategy that approaches security operations as an infinite game.

In the SANS Institute course on building and leading security operations, which I co-authored with John Hubbard, we utilize a compelling metaphor: the Security Operations Center (SOC) as an infinite game. Drawing inspiration from Simon Sinek's influential book, The Infinite Game, we understand security operations not as a finite project but as an ongoing process to be sustained for as long as possible. Unlike games with clear beginnings, endings, and winners, the SOC represents a continuous journey with no ultimate victory condition—only a series of evolving challenges to address to improve our defensive capabilities daily.
Understanding the Infinite Game Paradigm
As Sinek explains, infinite games differ fundamentally from their finite counterparts:
- They don't have fixed, unchanging rules.
- There's no defined start or end time.
- Players continuously enter and exit the game.
- Traditional scoring doesn't apply.
- The objective isn't to win but to sustain successful operation indefinitely.
Security operations perfectly embody this infinite nature. Like adventurers on a never-ending quest, we'll never reach a state of "complete security" where we can declare victory and retire to our castle. Instead, the threat landscape constantly evolves, with new dragons to slay, puzzles to solve, and territories to defend, requiring adaptability, persistence, and a long-term vision.
Equipping our SOC for the Infinite Game
Our priorities shift when we approach SOC design and management through this infinite game lens:
1. The Adventurer's Arsenal: Resilient and Modular Toolsets
Our adventurers need toolsets that let them:
- Adapt to emerging threats without requiring a complete reforging of their weapons
- Scale with the expanding territory they must defend
- Integrate new magical tools and enchantments as they're discovered
- Gracefully retire outdated spells and potions that no longer affect modern adversaries
Practically speaking, this means favoring open standards, well-documented APIs, and systems designed for interoperability. Here are just a few of the standards and frameworks we cover in the LDR551 course:
- The NIST NICE framework for defining competencies, tasks, skills, and abilities
- MITRE’s ATT&CK and D3FEND matrices for aligning defensive capabilities to known threats
- The PICERL and DAIR models for incident response
- The 4DX framework for prioritizing and executing on strategic goals
2. The Quest Strategy: Process-First, Technology-Second
A common pitfall for SecOps adventurers is becoming enchanted by magical artifacts (technologies) without a clear strategy for their use. As Sinek warns, players who become fixated on tools rather than purpose often lose their way.
With an infinite game mindset:
- Chart your journey first. Define product-neutral security processes based on your specific threat model and SecOps goals, rather than having those goals dictated by the capabilities of your tools.
- Select tools that enhance your established strategy, not those that dazzle but distract (looking at you, pew-pew maps and AI-enhanced next-gen products).
- Continuously refine your processes based on previous investigations and incidents.
When strategic processes drive technology decisions, the SOC gains independence from vendor lock-in and maintains the flexibility to adapt as adversaries evolve.
3. The Fellowship of Defenders: Sustainable Team Development
Most importantly, our infinite quest requires heroes who can endure the journey. As Sinek emphasizes, organizations playing the infinite game invest heavily in their people. Your SOC fellowship isn't just a collection of analysts but the living core of your security saga.
To build that fellowship:
- Commit to continuous training to level up skills, not one-time tutorials at the beginning of the adventure.
- Provide career development paths that offer specialization trees (see NICE!), keeping your guardians engaged and growing in power.
- Preserve institutional knowledge as veteran adventurers move on to other quests.
- Foster a culture of continuous learning that studies failed encounters over casting blame spells.
- Allow for rest and regeneration periods to prevent your analysts from burning out their reserves in a realm notorious for exhausting its defenders.
Measuring Progress on the Infinite Quest
In any epic adventure, heroes need ways to gauge their progress, even when the journey has no end. Measuring SOC effectiveness presents unique challenges in the infinite game:
- Activity vs. Impact: It’s not about how many external attacks our defenses repelled; it’s about knowing which controls actually protected critical assets.
- Improvement Trajectories: Track how your fellowship's capabilities evolve, not just point-in-time performance.
- Balanced Scorecards: Create a comprehensive adventurer's journal that measures defensive capabilities, offensive reconnaissance, and fellowship readiness.
The greatest challenge in the infinite security quest is measuring improvement initiatives that strengthen defenses over time. Each completed project, hunt, or response should advance your strategic position, even if the benefits aren't immediately visible in daily reports. This kind of comprehensive measurement is so important (and challenging to get right) that we’ll cover it in the second part of this blog series!
The Kingdom's Grand Strategy: Aligning for Impact
Your SecOps adventurers must connect their daily monster-slaying to the broader objectives of the realm:
- Banners to Rally Under: Establish explicit goals that align security operations with organizational objectives.
- Visible Connection Points: Ensure team members understand how their individual efforts contribute to SOC success, and reinforce that understanding with regular check-ins.
- Strategic Scorekeeping: Create mechanisms that show how tactical metrics (e.g., dragons defeated) relate to strategic outcomes (e.g., kingdom safety improved).

When your security champions see the connection between their daily skirmishes with adversaries, the metrics that gauge their effectiveness, and progress toward the kingdom's strategic objectives, they fight with greater purpose and resilience—essential qualities for any infinite game player.
Embark on the Ongoing Adventure
In the realm of security operations, there is no final boss battle, no ultimate treasure chest to unlock. By embracing Sinek's infinite game paradigm, SOC leaders become quest masters who can vanquish today's monsters while preparing for tomorrow's mythical threats. We may never complete the cybersecurity campaign, but with the right approach, we can ensure our fellowship remains strong and our kingdom secure for generations to come.
Stay tuned for Part Two of our series, A Consensus-Driven Approach to SOC Metrics!