Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sara (00:04):
Calling all tabletop exercise incident response folks and tabletop gamers. Cybersecurity, meet tabletop gaming. Welcome to A Role to Play, an RPG community podcast exploring the world of role-playing games. This is episode 10.
I'm Sara, your host, and today I'm talking with Glen Sorensen,
(00:27):
a cybersecurity expert and a virtual CISO, that's Virtual Chief Information Security Officer. He has a background in role-playing games. He brings these skills together as an incident master for Hackback Gaming. Let's face it, tabletop exercising is boring, but role-playing games are fun, so why not put them together?
(00:48):
I'll talk with Glen today about the gamification of tabletop exercising with Hackback Gaming. Welcome, Glen. Glen Sorensen, Moderator and virtual CISO and managing director, Cyber Risk Opportunities. Is that what I should have checked with you? That is the correct title.
Glen Sorenson (01:07):
That's a good title, yeah, absolutely. And also Incident Master for Hackback Gaming, as we'll get into here.
Sara (01:15):
Yes, and that's a pretty exciting piece. I think that that spawns off of the other title, the Virtual CISO and managing director. Cyber Risk Opportunities must have had something to do with leading into Incident Master for Hackback Gaming, which is in itself an interesting title, an Incident Master versus a Game
(01:36):
Master or a Dungeon Master. But before we go to that, I just want to say, looking at your profile here, it looks like you have a lot of experience covering a lot of different industries and wow, a lot of experience also in industries in cyber roles: security analyst, engineer, consultant, auditor, regulator. What haven't you done?
Glen Sorenson (02:01):
Good question. I think I've done a lot of things, a little bit. There are certainly more areas that I've not covered, but I've always enjoyed seeing at least enough to understand an area and be able to manage it to some degree.
(02:22):
So I've worn a lot of hats and, you know, kind of enjoyed doing that. So that is kind of ultimately what led into this, this virtual CISO-ing, we'll call it so.
Sara (02:36):
Cool, cool, all right. Well, before we get fully into that, I said earlier that I would surprise you. Well, surprise, this is the surprise, and it'll be a surprise for both of us, because I haven't done this before. But uh, I was gifted a fabulous deluxe edition of the deck of
(02:59):
many things by a traveling wizard who thought that maybe I would never like actually pick this up myself, which I wouldn't, it was right, but that I should have it and that it might be useful for my podcast and that, if my guests are willing, I can
(03:20):
offer that you can pull from the deck. Are you game? Let's do it. All right, I'll give you the option. Do you want to pull from the original 13 cards of the deck of many things, or do you feel ready to, or would you rather just pull from the, the extended version?
Glen Sorenson (03:44):
Oh, great question, let's do the extended version.
Sara (03:48):
Wow, that's a lot of cards. Look at that.
Glen Sorenson (03:52):
There are many things in that deck.
Sara (03:54):
There are very many things in this deck. I assure you. I just read the book, or was reading the book and contemplating the deck and the cards for a good couple of weeks before I actually pulled the card. And then, finally, I got up the nerve and I pulled a card from
(04:16):
the original deck of many things, which only has 13 cards and you know many of them are not cards that you would necessarily want to pull, but I'm happy to say, to say the least, yeah, but I am happy to say that I pulled the fates card out of that deck and that is a transformative card of like.
(04:39):
just overnight, like whatever dire predicament you were in, your whole world has changed in a way that you never thought was possible. So, yeah, I pulled that in relation to, you know, just thinking about this podcast. So I think that that's a very good sign. So let's see what fortune will hold for you. You're pulling from the extended deck here and I have to
(05:01):
ask how many cards, sir, will you pull? Well, let's do two, two cards, all right, and how would you like to choose them? Would you like to like just tell me to stop shuffling, or would you like me to lay them out or cut the deck a certain number of times?
Glen Sorenson (05:20):
You know what, I'm good with the cards as they may be, so pull one when you see fit.
Sara (05:29):
You are very daring. You're not even going to tell me when to stop.
Glen Sorenson (05:35):
How about now?
Sara (05:36):
This is your card.
Oh, and there's two.
Glen Sorenson (05:39):
And there's two.
Sara (05:42):
Well, I'm not sure what these will mean for you, but we got a pit and a mine.
Glen Sorenson (05:49):
Well, I have an affinity for dwarves. So you know, although the pit is maybe not the kind of pit you want to be in there, from the looks of it. Let's see.
Sara (06:05):
A pit and a mine, an affinity for dwarves and, and a mine, so mining, something open, open mining for something, yeah, digging for treasure, opportunities, opportunities abound, bringing things to light, finding things, yeah, yeah, not being afraid to go into the dark and recover what might lie
(06:28):
there and bringing it back to the surface.
Glen Sorenson (06:31):
That sounds good, you know, I'll take it.
Sara (06:35):
Yeah.
Glen Sorenson (06:36):
Yeah.
Sara (06:36):
Yeah, all right. Well, that's awesome. Well, thank you for humoring me. That's fun to play a little game, isn't it?
Glen Sorenson (06:43):
Absolutely.
Sara (06:45):
You know, this podcast is largely around role-playing games and the role-playing game community. Many people in this community will know exactly what we're talking about, but there's also going to be a lot of people that know of cyber attacks and cyber risks but aren't really living it day to day or not having a deeper understanding. Can you just start, maybe, with giving like a high level
(07:07):
overview for the lay person about what this is all about?
Glen Sorenson (07:18):
Sure. So I think there's some, maybe misconceptions even around cyber security and cyber risks, in that it's kind of the, you know, the dark arts, and maybe that's something that's, you know, mystical and we don't really understand it. But it's, it's all. It's pretty grounded when you get into the, the, the details of it and it's, it's really, you know, how do people misuse systems for their benefit rather than the intent of the system,
(07:42):
and we've grown to a place where this can be even an existential threat for businesses out there, with the prevalence of large-scale ransomware attacks, whatever the case may be, and I think that's, I mean, we've gotten to this stage where
(08:03):
it's such a large-scale thing that we can't ignore it. It's not that thing that is the dark arts that nobody except the wizards can deal with and think about and fix. It's something that everybody has a role in. So that's kind of my high level two cents on it these days.
Sara (08:24):
Maybe it's difficult to comprehend exactly how it's done, but suffice to say that there are a number of ways and they're getting pretty advanced in how they can occur. And this isn't just big companies. We're not just talking about Microsoft getting hacked here. We're talking about the town of Huntsville was hacked, like Hamilton, I think, was hacked.
Glen Sorenson (08:44):
Small businesses, large businesses, especially the cyber criminals that are out for money and deploying ransomware. They're going for the vulnerable systems and they don't care who you are, they just want to get paid. And some of them have some fairly twisted manifestos and
(09:05):
that they think they're, they're actually doing the, the world a favor, but they're not. And the, the, the way that we have built systems, the way that we have thought about systems in the past, it has migrated this into the realm of business risk, and a lot of what I do in my day job these days is managing cybersecurity as a
(09:28):
business risk, and that's how we have to think about it at this point. And you know business risk, organization risk, like whatever you want to use, whatever term you want to use, it's about helping keep your mission doing what you intend. You know, keeping, keeping on your journey and, and not getting stopped by something like this, somebody that wants to.
(09:51):
You know, railroad you and, you know, get paid.
Sara (09:54):
These are, these are significant real world problems and this is, this is like your, your, your day job. It's pretty serious stuff. It's like there's a lot of technical expertise that goes into this as well as just understanding, like the how of everything. How does this all work? But this is also paired with the gaming side of things, so
(10:17):
tell me a little bit about that. Maybe let's start with how did you get into games?
Glen Sorenson (10:23):
Well, so I played games, including especially role-playing games, growing up until I was in my probably mid-20s, and then life took me other directions and I didn't play as much, so that's part of my history there. Where this kind of came up again was a few years ago in a
(10:48):
Slack group that was full of a bunch of CISOs and friends of CISOs and whatnot, and that CISO being Chief Information Security Officer. So the security leadership community, I guess. And Slack is like a chat group. Yeah, Discord and a handful of other things are similar, and
(11:15):
what came out of that was somebody was looking for somebody that could run a tabletop exercise, a security incident response tabletop exercise in the form of a game, and they'd kind of already had the recipe. And so myself and our now CEO of Cyber Risk Opportunities kind of latched onto this and said we like games, we like security incident response, let's see what we can do and let's see
(11:38):
what this is about. So it turns out that this is actually a lot of fun and there's a, there's a good, a good basis for doing a security incident response tabletop exercise as a game, and some of the reasoning for that is, you know, the. A tabletop exercise is something where you, it can be boring.
(12:00):
It can be boring, it can be stressful. And let me back up a little bit. What a tabletop exercise is is getting people in a business or in a leadership and technical teams together to run through a scenario and think through what all the pieces are, test their
(12:23):
incident response plans, really just kind of exercise their capabilities and find their gaps. One of the problems with traditional tabletop exercises is it can be boring or it can be stressful. It's hard to get everybody in a room to do it. There's a lot of people that won't necessarily see the value of it until they get in it.
(12:44):
And then there is you. The value usually becomes pretty clear. But there's a lot of, there's a lot of ego that can be involved in it. There's, um, you know, not wanting to look bad in front of your, your peers and colleagues, and there, there can just be a lot of pressure around it. Um, so that's where the gamification element comes in and you let somebody play a character.
(13:06):
That's maybe, that's, that's not themselves, it's maybe not their normal day to day role. So you might have an IT director that's playing a communications manager role or a chief marketing officer. Move that ego a little bit and the pressure and let somebody
(13:28):
have some fun with a character and maybe even learn something a little bit different, like a different perspective. The communications manager, the chief marketing officer, they have very different angles, interests, things that they need to take care of in their role than you would as an IT director, for example. So I think there's a lot of benefit there and every time we
(13:51):
run one of these the folks come away saying that was a lot of fun. When can we do it again? So that solves some of the problems around the traditional tabletop exercise when you're not herding cats to get people in a room if they want to come because they know they're going to have a good time.
Sara (14:09):
Yeah, the traditional approach would be here's the scenario, here's the list. Let's run down the list, where are you at with these things? And it could get pretty, because it's also, it's not real, which makes it safe because nothing's seriously on the line. But at the same time, there is an expectation that things will go well, because it's like a test to say, you know, if this
(14:30):
was a real exercise, would we be OK, and, of course, if you find something wrong with it, then that's the win, is that you're able to improve it. But I can see how people would want to come out without having too many improvements required. So, yeah, there's a safety in making something a game.
Glen Sorenson (14:50):
Exactly, and so that removes a whole lot of the pressure and I think it also provides some structure in it in a way that is kind of hard sometimes otherwise. In a tabletop exercise you always have the stronger personalities that talk a lot and do everything, and you have the other ones that just like, maybe they don't want
(15:11):
to talk a lot and they kind of sit back in the corner and want this thing to be done and get out of the room as quickly as they can. But having some structure around it, it gives everybody opportunities to talk and say what they need to say, and because it's become a safer place then they're more free to say what they want to say and, you know, if they see something
(15:32):
in their, in their role, in their day to day, you know that, that's maybe harder than if they see it in the game, but you can still take that, that discovery in the game and, you know, apply it back to your reality.
Sara (15:45):
I like what you said before too, about having the IT director play a different role, play the marketing role or something, for example, because playing a different role gives a whole different view. It takes the pressure off. I don't have to now perform as the IT director and I get to play at being the marketing director and see what that's like.
Glen Sorenson (16:05):
I don't have to know everything. Yeah, I don't have to know everything about being that role, because I don't. That's not my, that's not my day to day, and that's okay, right.
Sara (16:14):
Right, and that really opens up like the mind for, for learning to say like, well, what is this all about? What is the experience of being the marketing director in this scenario? What is that about, right? So there's like learning that can happen with that and I would think a lot of empathy to say, oh, this is what you have to deal with.
Glen Sorenson (16:32):
And that's one of the things I really love about it, when you, when you start shuffling, you know, roles and characters around a little bit and removing those from the, the, the individual and their, you know, their own real self, then you get a lot of opportunity to really understand what somebody else goes through in a security incident, in this case.
(16:56):
But I think the applicability is a lot larger than that. But I mean, I do the same thing with your communications manager and your chief marketing officer and put them in the IT director's role or the security analyst role and suddenly, like, you have to think about things a little bit different way or, you know, are compelled to, and you do so and, being a character,
(17:20):
the pressure is not there, you can have fun with it.
One of the things we like to do with characters too is just like, have that, that one thing that's just a little bit over the top that you can have a lot of fun with. Like, the chief marketing officer has a book deal, it's on the table and, you know, everything wants, they want to talk about the book and, you know, there's, maybe there's a
(17:40):
systems architect that is just like pro-Microsoft all the time, and we all know folks that just have those things. And lets you exaggerate it a little bit and really just have fun with it.
Sara (17:53):
Right, that's neat. So each role kind of gets like, they get like a sheet or a card or something that says these are your character traits and the things that are important to you. Can you describe that a bit?
Glen Sorenson (18:05):
Yeah, so we have a number of kind of pre-built characters that we've used. We've also experimented with a little bit of character creation and I think there's probably some middle ground that we want to try again, where the character is partially built out but you let the player then customize it a little bit. But
(18:25):
we have, depending on the scenario, because you need different scenarios all the time. There's plenty of room to customize that and I mean really the sky's the limit, just like any other RPG. But we have those roles like the chief financial officer, chief marketing officer, some of the C levels, and then you have, you know, on down into, you know, kind of middle, middle
(18:46):
management, IT, um, security, um, uh, I guess your, your frontline service desk, help desk sorts. So we've got a number of characters like that that are, you know, prebuilt that way, um, and the way the, the way the game plays out, you have the, the incident master, that's kind of keeping the facilitation going, much like your dungeon
(19:09):
master or game master.
Sara (19:11):
This is you, yeah, yeah.
Glen Sorenson (19:13):
And that's the role I typically play. But we usually have a second person that is like an assistant or assistant incident master, for lack of a better term. But you know they keep track of some of the turn orders and some of the, you know, the company health, the things that
(19:34):
we like as the game there.
Sara (19:38):
Sorry, I love it. You just said company health and turn orders.
Glen Sorenson (19:42):
Company health. Yes, exactly so. Like this is a little bit of structure and rules to the game, which I can get into here in a minute. NPCs or play roles that are just like, okay, I'm the third
(20:07):
party vendor coming in to sell you incident response services or digital forensics or things that you might need, and I mean that can be a lot of fun in and of itself, but if there's not any reason to have the CEO as a full player in there, that's how you can have the, you know, the, the NPC come in and, you know, have a little minor role in it.
Sara (20:29):
I would love that.
It just sounds so fun.
Glen Sorenson (20:33):
Yeah, so uh, we always have a good time with it.
Sara (20:38):
So how many people are typically involved in an exercise like this?
Glen Sorenson (21:05):
lose attention span, in that we have experimented a little bit with team games, where a couple of people can play a character or maybe a function in the exercise, and some of the things that we've done have worked fairly well there. So that's a way that you can expand it to have a much larger audience, but it becomes a different game at that point,
(21:27):
which is okay too.
Sara (21:28):
Well, there must be a lot of planning that goes into even just negotiating to get this set up.
Glen Sorenson (21:33):
Yeah, absolutely. We do this for a number of audiences actually and we've done it as a security vendor sales and marketing event, to where they will invite their customers or prospects or whatever, and then we play the game and that's, that's a different, that's more, more fun, more salesy sort of event. The other case is really training your incident response
(21:55):
team. When you, you have somebody from the same organization or, you know, it can be multiple organizations too, depending on how you do it. But understanding the goals of the exercise up front and the audience that's going to be in it are extremely important. I mean, it's, it's easy to miss the mark and have, uh, you know, if you're not conscious of that, have a, have a scenario that
(22:16):
doesn't make sense or have elements in it that don't make sense in the context of the people you've got. I guess, when it comes to characters and roles, there will be people that aren't going to be that comfortable in moving well outside of their role. So not everybody's going to be comfortable moving from an IT director to a marketing officer, communications manager role.
(22:38):
So you have to be conscious of the personality involved there too.
Sara (22:42):
What would you say has surprised you the most about how this has gone over, how it's been received?
Glen Sorenson (22:47):
It's almost universally positive. Everybody has a good experience with it, which is not always something that you expect, and maybe that's just me, that paranoid, cynical part of my brain, it's like not, not everybody's going to have fun all the time, but it's, it's really been pretty positive.
(23:08):
On that front, I think one of the challenges that we, we run into with it is not everybody's really drunk the Kool-Aid yet, in that, that you can actually have a gamified exercise that has a lot of learning value in it. It's this, there's still that, that gap. In some cases, when I'm, when I'm trying to sell the concept
(23:29):
in conversation, like you can see the people that light up and get it. Those, those are the folks. They get excited about it pretty quickly and you can just see it. You know, those are the folks that'll, that'll champion the game and get other people involved and, you know, make it happen. What I found, too, is there's a remarkable number of people who
(23:50):
have some sort of history with role-playing games, people you wouldn't expect. Like, you know, in technology and security communities that's a pretty prevalent thing, I would say, to have been involved in games in one way or another. But lawyers and executives and marketing people and financial people. They've come out of the woodwork.
Sara (24:14):
Really.
Glen Sorenson (24:15):
Yeah, yeah. So I've seen that quite a bit, and what you end up with in a game like this is you'll have a mix of people that have some experience with RPGs and whatnot and some that won't, and then the ones that do are easier to get into their character and they pull the other people along with them, so it becomes a, well,
(24:37):
it's okay to do this, so let's have fun doing it.
Sara (24:42):
It would be kind of neat if there was like a, I don't know, like an epilogue game, that, where the stakes aren't as high, but you can just go and play this for fun, understanding what it's like to be in the hot seat of the CISO, for example.
Glen Sorenson (24:52):
Yeah, and we have a lot of plans for this and we have a GitHub repo that we're planning on open sourcing some of this stuff with in the future, and the idea really is that, you know, you let somebody just pick it up and do whatever they want with it. When we get that done, I want to, I'll just be really interested to see where the community takes that and what
(25:13):
they, what they come up with, because, you know, as much as I talk about it and have been in it, like I have my silo in how I view this and there will be people that have completely different ideas.
Sara (25:25):
And can you expand on that a little bit? You said GitHub repo.
Glen Sorenson (25:29):
That is a place where you can let other people, one, see what you've done, but then take it and branch off and take, then take it their own direction. So it's, it's commonly thought of as a software development code repository, something that only developers use, but you can do that with documents and other things too.
(25:51):
So that's kind of where we're going with it and it just like, you can take it and do whatever you want with it.
Sara (25:57):
So sharing some of the foundations of the game itself, like to say you can take this and then build your own exercise off of that or turn it in a new way. So the value that is coming, that Hackback Gaming is offering then, is the facilitation of the exercise and all of the expertise that goes into that and the game itself, the rules
(26:17):
of the game. It's kind of like an open source gaming license, you know. Kind of comparable to that, like Wizards, yeah, exactly, we want to.
Glen Sorenson (26:27):
What we want to sell is really the experience, exactly what you said. And what, what I think we're going to find is that, in the same way we do a lot of other things, we, we share knowledge as, as freely as we can, and I mean I'm talking to the cybersecurity business side of it.
We share as much knowledge as we can because that just opens doors and broadens horizons, makes everybody a little bit
(26:51):
better.
But what we find is the knowledge is not the same as the experience.
Sara (26:57):
And the things that are going on in the cybersecurity world, they're always changing. There's so many different ways that you need to interface within a company and externally, like with vendors or law enforcement or regulators. So it would take quite a bit of coordination and knowledge and then even just to run the exercise, like having a basic
(27:18):
understanding of how all those pieces are like. It's one thing to run the exercise for the company and following your plan, and then it's another to take that and actually gamify it.
Glen Sorenson (27:36):
So that's like a whole next level piece. You understand that whatever scenario you craft, you never know exactly what the players are going to do or what direction they're going to take things or where they're going to want to go. So you may find yourself, so you have to think on your feet and adapt a little bit. And I would say a security incident response is a little
(27:58):
bit more defined in how that works than, you know, kind of an open world where, you know, players can do anything they can imagine, but the same principle applies and things do. I'm like, I don't have a good example off the top of my head, but players take things in a direction you just did not expect and you're like, well, now I've got to adapt to this
(28:23):
and, and rein it back in toward this, the, the, the story that we intended, somehow in a way that makes sense. So, like, that's where some of the experience comes in. And uh, having lived through my share of incidents, um, like I, that's, that's where the experience comes in, I think, and uh, and I think we, there's plenty of room for, for
(28:44):
people who've maybe not lived through incidents the same way to still learn how to do that and adapt quickly.
Sara (28:52):
Yeah, yeah, yeah. But even just like running turns and keeping track of whose turn it is and the effects from whatever decisions have been made, it could be a lot. So did you have a lot of game mastering experience behind you in addition to the security incident response?
Glen Sorenson (29:12):
I did a little bit of game mastering back in the day. I was more a player, more often than I was doing any mastering myself.
So I, I had, I had the experience that way and, you know, quickly latched on. But then I think when it came to, to Hackback, I had plenty of experience leading incidents and surviving them, I guess,
(29:37):
because that's usually what you do. I had that experience and that kind of helped really get into the incident mastering, I guess.
Sara (29:52):
I think this is why you had the pit and the mine cards.
Glen Sorenson (29:57):
Yeah.
Sara (30:01):
Going in there, pulling that stuff out. Yeah, oh, that's interesting. So in terms of, of games then, was it like, so obviously we're talking about role-playing games like D&D, Dungeons and Dragons, probably earlier editions. Anything else that helped inform your experience?
Glen Sorenson (30:19):
Warhammer Fantasy Roleplay. That was one of the big staples. I played that for a number of years, well, well into my 20s, I would say. So that was, that was good and that was one of the main foundations, I'd say. Played a lot of like video games that were, you know, RPG types as well and I'll always gravitate toward them
(30:40):
over a number of other genres. So I haven't actually played Warhammer myself or a game like that.
Sara (30:47):
Certainly played some video games, but Warhammer, it's much more of a tactical game.
Glen Sorenson (30:52):
Like you have, you're not just playing an individual character, you're playing like whole troops and things, so you're thinking on that level. I would say there's, uh, there's a distinction between, like, Warhammer 40K and Warhammer Fantasy Roleplay, which is, Warhammer Fantasy Roleplay was much more like Dungeons and Dragons. Oh, okay. Some of the tactical element, I would say, but in much the same way as D&D was. So it really was playing a character and, like we, there
(31:16):
was a group of us that had the same set of characters for years and years and I was a dwarf, I mean, that was my.
Sara (31:29):
Oh, there we go. This really holds true, then, with the mines.
Glen Sorenson (31:34):
Oh yeah, I also used to work at a coal mine back in the day too, in a past life, so I mean I have actual mining experience.
Sara (31:43):
So, so was it like a pit, or did you go down into a mine?
Glen Sorenson (31:50):
It was, it was an open pit, but uh, yeah. Really? Yeah, wow, that's fascinating. Yeah, so I, uh, one of the things I did was I, I drove a, a truck, but it was the sort of truck that was like the size of your house, so you get in the, you know, go up the ladder and take your house for a drive. That's kind of what it was like.
(32:11):
So yeah, that's a little bit about my past life and mining experience.
Sara (32:17):
Wow, I'll go back to what I said at the beginning. Is there anything that you haven't done?
Glen Sorenson (32:22):
Well, I mean a lot of things, but yeah, I do have to say that it took me all of about an hour to realize I didn't want to be doing the mining thing for the rest of my life, because it was kind of rough work in a lot of ways and I have a lot of respect for the people that make a career out of it.
(32:44):
But that was not me, and I was always more interested in the devices and computers and whatnot, which led me into technology and security ultimately. And now I pretty much just deal with people, which is not the reason I got into technology and security to begin with.
Sara (33:04):
But yeah, you're right, like the IT stuff, the technical stuff, the security stuff, you can get into that pretty deep. You could just stare at a screen all day and be fascinated with just figuring out a, you know, investigating something or looking at logs or whatever it happens to be, and then you got
(33:24):
to turn around and talk to somebody. It's like it's using a whole different part of your brain.
Glen Sorenson (33:28):
And I, what I, what I learned early on in my career was that in order to do the things that were right with the devices that I wanted to work with, I had to communicate with the people that pulled the purse strings and allocated resources and whatnot, and if I was ineffective at that, I didn't get the things
(33:49):
that I needed to do what I, you know, that, that ultimately led me down a path where I deal with people more often than I deal with, with machine technology directly anymore.
Sara (34:10):
Do you miss working with the technology more directly?
Glen Sorenson (34:13):
Yes, I definitely do, and sometimes my, I mean one of my, one of my vices then is like I'm just going to, I'm going to block off three hours and, you know, whatever that may be, usually doesn't happen during the workday because there's too much work going on during the day. But, and I'm just going to, you know, play with something, and
(34:35):
you know, so that's, that's, I guess, an outlet for me sometimes.
Sara (34:41):
You use the word play there again, like play with something, and it just goes back to, I guess I was thinking about this, like it's the importance of play. Yeah, the importance of play, to be creative, to learn new things, have new experiences, yep. Also, it's not a new thing to use games or gaming in strategy
(35:03):
or for I don't know if we wantto call it warfare or just
attacks in general, likewhatever you want to call it,
like a simulation.
This is the origin of manygames is strategies and tactics.
Glen Sorenson (35:15):
Yeah, long, long history, going back to, you know, military endeavors. I would say I feel like that's just changed form in the modern day and we're dealing with cyber attackers. The game is just different. You're not necessarily shooting other people, for example, you're attacking their systems to insert your goal
(35:43):
here. In a lot of cases it's just like steal money from somebody. But I mean, the point is really pretty similar in the grand scheme, and you know where we are with technology now is that even 20, 25 years ago, if somebody was going to rob you, they probably had to be within a certain radius of your physical presence. Right, and you know, for the most part. And now that's no longer the case. Now you have, you know, billions of people behind
(36:04):
keyboards that are, you know, that potentially have some sort of access to you via the Internet.
Sara (36:09):
And they'll always be trying new things or figuring out ways to do the attacks. I mean, they have nothing to lose and everything to gain. Right, just try this, try that and something works, yeah.
Glen Sorenson (36:19):
Until something does or, you know, move on to the next organization, which maybe is more vulnerable. So how do we protect against that? Well, I mean knowledge and understanding and practices, and you know this. This gaming element is just one more way that you can raise people's awareness and understanding, and the more that
(36:41):
people have fun doing it, the more likely they are to continue doing it. I guess another way to think about play, too, is, if you talk to most of the hackers and penetration testing types, they think of their work as play, and that's how they learned in most
(37:02):
cases, I would say. Until a few years ago, there was no training you could really go get to teach you how to be an ethical hacker, or not ethical hacker, for that matter. I'm just going to bang away on the keyboard until I get this thing to do what I want it to do rather than what it's intended
(37:23):
to do. That is really how a lot of hackers, for good or ill, started. I mean, that was a little bit of my background too. It was fun. It was fun to do. It was fun to learn how to do this thing, to make this thing, to get access to this thing when maybe you weren't supposed to. I didn't make a career path out of that particular, you know,
(37:45):
focus in security. I did everything but the, the folks that are really good penetration testers. You get them in a room and have them start talking and they go down deeper than I can follow in the rabbit hole of, you know, systems and technology and the ins and outs
(38:06):
of it.
Sara (38:07):
Indecipherable from magic. Right, you get to a certain level and it's just like the common person is not going to have a clue what any of that means.
Glen Sorenson (38:15):
There. There are some people that I know that I talk to on a somewhat regular basis that, when they start talking about that, I have to really focus. There are a lot of conversations that I can have with a part of my brain, but when they, if I'm going to actually track what they're saying, they have to get my full attention.
Sara (38:34):
Right.
Glen Sorenson (38:35):
Because otherwise I can't process enough to, and I mean, that's me, who's been dealing with technology and security for 20 plus years at this point.
Sara (38:46):
So I had a former coworker explain some trials that he went through as he got into the world of security as well. Yeah, I have some high level appreciation for what that is. I saw on your profile that you have, and you just mentioned it here briefly, about your misspent youth bending technology.
Glen Sorenson (39:07):
And that was. You know that was a little bit of that too, and I never went as deep as some down that path. But I remember doing things like my mom ran a small business and, um, had, you know, expensive software that she had to. You know that they wanted license fees for.
(39:28):
And she's like I'm a small business, I can't do this. And granted, I mean this was in the nineties, and so I started messing with it a little bit and, you know, oh, there's a text file sitting here. Okay, well, let's just see what's in that. Oh, license equals zero. Like, well, what if I change that to a one? They're like oh well, and you know that's a pretty simple example, but like that is a reality, like that is
(39:52):
something that, you know, that happens, that did happen, at least back then. I mean, you don't see it, it's not as simple now as it was then, but I mean that was the idea. And well, one of the other things I did was, well, how do I play this game that I want to play on this system? Because the system, what I've got, how am I going to
(40:12):
make this work? Yeah, well, if I. Okay, well, if I load the memory here in this upper memory block then I can do this. And, you know, that was some of that misspent youth.
Sara (40:25):
I would say my father worked at a university in the computing services department and I may or may not have, you know, I may or may not have had access to a mainframe.
Glen Sorenson (40:37):
You know, cannot confirm or deny.
Sara (40:40):
I cannot confirm or deny, except that, you know, my focus, my passion, was games. Like maybe even especially then, though, I did poke around and actually learn a few things too, but that's never bad.
Glen Sorenson (40:58):
I remember playing Ultima VII. That was one of my biggest drivers for making this work on this machine, and it had an unusual memory management system. That was kind of a pain in my butt. I played a few of them and then, you know, all right, I have this opportunity to play Ultima VII, so I'm going to make this
(41:20):
work one way or another, and so I did.
Sara (41:24):
You can learn something new if you take the risk.
Glen Sorenson (41:35):
And I really like it when we get executive leadership from a business that is outside of technology into these games, because they really start to see the whole breadth of an incident and realize, you know, the thought was always, it's just the technology. But it's not. It's not just the technology. The technology is maybe the, you know, the component of it, that is, you know, how the risk manifests. But I mean you have to manage it in the same way that you
(41:59):
would manage other things. Like, um, you're still making business decisions, uh, and it affects your money and reputation and how, um, this thing goes or doesn't go. And I mean we can. You have to think about things like communication.
(42:20):
Well, who in your organization do you need to communicate with if you're in the midst of an incident and you have some disruption in your services? Well, maybe you have customers and partners that need a certain message. Maybe you have the general public that needs a little bit different message.
(42:40):
Your internal employees, well, I mean they need some guidance too. They need to know that something's going on and that it's being handled. They need to know what they can and can't say to anybody in the public or the media. Who is authorized to talk to the media? Because it's pretty easy, for maybe there's a ransomware event
(43:01):
or something and somebody just goes and starts talking to the media about that without really knowing what's going on, and pretty soon the speculation and the, you know, the gossip and the half-truths and the not really true at all, you know, spreads like wildfire out there and then you have a reputation problem
(43:21):
and I mean, that's all just about communication. That's not about, you know, the elements of the incident that are actually happening and the teams that are dealing with those internally.
Sara (43:30):
Yeah. Plus, there's aspects to that like not just what you say, but when you say it and what that could mean at different times. You don't really know what your response is until you're actually tested.
Glen Sorenson (43:40):
In a situation that makes you really think about it, and I love challenging assumptions, and one of the common assumptions that we see in tabletop exercises, gamified and otherwise, is, well, you know, we'll just restore the system from our backups, right? Oh, okay, let's think through
(44:01):
this a little bit. And okay, so what are your backups actually backing up? And when you dig into that a little bit, well, it turns out maybe they're not backing up everything because that's too costly. Maybe it's backing up these things that we think are important. Maybe it's this server and this server and this server, and you
(44:23):
get into it, well, okay. Well, maybe the incident is with, you know, server four over here that wasn't backed up on the same cadence or the same schedule, and so maybe it's further behind, and you run into other things too, like, okay, well, do you know for sure that your backup is going to work? Have you tested it? And then you often get the deer in the headlights look and, like, well, you know, I just assume it'll work. Like, well, if you know, there have been a number of occasions
(44:48):
that I've run into in real life where we thought we had this backed up and turns out we didn't, or it wasn't what we thought it was.
Sara (44:57):
At what point do you start communicating to your customers? Or maybe they're reaching out to you sooner than you thought that they would. There could be a whole slew of things that could happen that weren't foreseen, as to. That could be driving a response that you didn't plan.
Glen Sorenson (45:10):
Yeah, exactly, and, you know, you never know. Even with the best communication management, you never know who may say something to the wrong person, and pretty soon you have, you know, media on. You know, I always like to use Brian Krebs, who's famous in the security community, for, you know, reporting, and maybe he's
(45:31):
coming to knock on your virtual door and ask you questions. You know, do you have a statement on this ransomware event that you're experiencing right now? Like that's a question that you want to be out in front of, not reacting to.
Sara (45:46):
Do you have intelligent answers? Does it seem like you have things under control? Having the experience of being under pressure to do this in a game-like setting is going to increase the odds that you're going to say something intelligent. I would expect any company will still go through a lot of rigor before they say anything, but I think it might make it come a little bit easier.
Glen Sorenson (46:04):
Yeah, absolutely, and I think there's always a right level of communication, and that's not oversharing, that's not undersharing, that's timing it right. Companies that are experiencing incidents or breaches, you see them fall flat on that all the time. The example that comes to mind is, oh, we had an incident, it
(46:29):
was only these systems were accessed and maybe just like two customers. And then it turns out, well, the investigation goes on and a day later it's like, okay, well, actually it was bigger than we thought and, you know, it was actually this. And then pretty soon it grows and grows and grows. So you have the poor expectation set up front where, oh, it's just this little tiny thing, it's not really
(46:51):
consequential, and turns out it's actually a big, friggin deal. So, you know, then they have to. Their communication is very poor in that case, when what they should have said instead of it's not a big deal is: this is what we know. Here are a couple of facts. We are progressing with our investigation. We'll update you again in four hours or tomorrow or whatever.
Sara (47:14):
What's your favorite part about running the exercises?
Glen Sorenson (47:17):
The learning, watching people. You can almost visibly watch people grow in their knowledge and experience when going through either the traditional or a hackback game. We ran an impromptu game at Wild West Hackin' Fest in Deadwood last year and there were a couple of security operations
(47:38):
center analysts that were relatively new, I would say, and so they were faced with a situation where, okay, they needed to investigate this thing a little bit and they, like one in particular, would say, well, I'm going to go look at this in my SIEM system, which is, you know, security information and event management system. So it's kind of a place that you send all your logs to and
(48:01):
there's some, you know, some analytics magic that happens and you find information that's important to your investigation. And I think I blew this guy's mind when I said you don't have one of those. Like this organization you have, that doesn't exist. So now, what? You're going to adapt?
(48:53):
And I don't have to tell somebody how to adapt.
Sara (48:54):
They will naturally go learn and figure it out, and that's one of the things that is amazing about all of this, and it opens pathways that were not open before in people's minds, and thank God it's a simulation, because if it wasn't. And I imagine that there must be some kind of a report that comes out of this, like you mentioned earlier that there was, like, you know, the company health. And what does that look like at the end of the exercise?
Glen Sorenson (49:17):
We can talk about the game and some of the rules a little bit here too, just for that background. And we've experimented with this, and sometimes we use it and sometimes we don't, but rolling for initiative, so that every player has a turn order. Sometimes that works and sometimes that doesn't work that well, depending on the scenario. But having a turn order can be important in this structure, just so that if everybody has something to do or wants to do
(49:41):
something or say something, that they have the opportunity. But the other part of it is, okay, well, you want to go do something, now roll the dice, and so the D20 roll. We kind of do it as like an easy, medium or hard thing, depending on what it is. So, like, you know, easy things, you give me greater
(50:02):
than a five and you're good, whereas something that's hard, maybe you need 15 plus. Your character has certain skills and abilities that modify that a little bit. So you may have a plus two in, you know, something highly technical or security or whatnot, and if that's what you're trying to do, okay, there's a modifier to your roll. But at the end of the day, I find that this is really good at
(50:24):
simulating reality, because you roll the dice and, oh, I'm gonna go investigate this log for this particular thing, like, well, dice say, turns out you weren't logging what you thought you were, which is like Tuesday in incident response. Like, oh well, I thought I was logging those. Assumptions again.
(50:44):
And why having these things come out in a game is much better than having them come out in a real incident. Oh well, okay, we need to start logging these events that we weren't logging before and we didn't know we weren't logging before. That randomness is a good representation of reality in a lot of cases.
Sara (51:04):
That element of chance, I think, is also what keeps it interesting, like the chance that something could go right or could go wrong.
Glen Sorenson (51:11):
And sometimes the beauty of that too is you don't necessarily have to tell them the outcome. There can be ambiguity in that too, like they may know one more piece, but they don't necessarily know if they got the piece they wanted or not. Usually, if you're the one rolling the dice, you can probably assume that, you know, something did or did not go right, but you don't always know exactly how the
(51:34):
success or failure will play out in relation to what you're trying to do. So the way the game is structured is there's three rounds. There are things in the scenario that I want the players to identify and succeed at, and there may be six or seven things in each round, and some of them can bleed over between rounds too. But what we're really doing is, at the end of the round, we
(52:00):
have 10 D6, and we've experimented with numbers here too, and for everything that players find that we wanted them to and succeeded at, we remove one of those at the end of the round. That's rolled against, uh, the company health, and that is what comes off of the company health. If you're above zero at the end of the game, you're still in business. Oh no.
(52:22):
And if not, well okay, everybody needs to go get a new job.
Sara (52:34):
So, you know, not huge consequences in terms of the game, but it is another element that we like, even if the company health is below zero at the end of it. That doesn't mean that everybody should be fired. It just means that there was some learning and maybe a couple of things that could be done, and maybe some just like luck of
(52:55):
the rolls as well, right?
Glen Sorenson (52:57):
Yeah, and that comes out in the report too. So, really, what we like to do in the report is, and this can be, sometimes it's just a conversation, somebody doesn't necessarily want a written report, but in a lot of cases they do, but we want to talk about how the game went and, more importantly, what were the takeaways?
(53:18):
What did we really learn from this? It may be something like, well, okay, we need to go back and check what we're logging on the systems that we think we are, even if it's just a verification, because maybe we're not actually logging the things that we think we are. If we were in a situation where we needed to see which account
(53:39):
accessed what data, could we do that? Well, we don't know. So we need to go investigate that. You have things like that. Maybe we need to rework our communications plan because we didn't take into account what might happen if some rumor got out. Or maybe there was this partner that was actually pretty key
(53:59):
that we didn't think about, but in the course of the game, somebody thought about that and said that. Like okay, well now let's go make sure that they're baked in properly to the communication plan.
Sara (54:09):
How much prep is required to set up the scenario?
Glen Sorenson (54:13):
It depends a fair bit, but it can often take me eight or 10 hours to properly set everything up. What's maybe different than a typical RPG and, you know, your D&D type game is you get to know your players pretty good and you know your audience there. In cases like this, where you don't know your audience, you have to do some research and, you know, LinkedIn stalk them if nothing else, and see what you can learn about them.
(54:36):
You know, ask people that might know them about personalities, and that kind of helps with characters and roles and what the expectations are.
Sara (54:44):
One of the things that I read up on this was, it was the gamification and the Zoomification of the incident response planning.
Glen Sorenson (54:51):
I think a lot of this gamification of security incident response tabletops came out of a talk or a set of talks at DEF CON, circa like 2018. DEF CON being one of the, like, hacker security conferences that sparked a number of, I guess, those pathways again where a bunch of people started doing a bunch of different things, and the hackback was one of them, and, you know, I wasn't involved
(55:12):
with it then, but when they initially spun this up, it was right before the pandemic hit, and so there were some in-person events, there was a lot of fun had, and then, when suddenly everybody was remote, well, Zoom was the only way that this could be conducted, and so it was, and I mean, my
(55:33):
introduction to it was during that time. So I started from the Zoomified version, and it turns out you can have a lot of fun with it and do similar things without necessarily being in the same room. I think there are different dynamics, not necessarily just positives or just negatives. It just changes the nature of it a little bit, but it also
(55:54):
expands your player base.
Sara (55:56):
Where do you see things going from here?
Glen Sorenson (55:58):
I am hoping that this really expands the way that people think about having fun and learning and having a real professional experience too. I think there's a lot of room for that and I think there's a lot of appetite for that. I've seen some real energy and excitement about hackback gaming and the idea of gamification of some of these
(56:21):
things that were traditionally maybe a little bit less fun or higher pressure, and when you're not as pressured, learning happens a little bit better. A lot of things happen a little bit better. I mean, we have cybersecurity skills gaps and that's been pretty highly publicized. So if this can help interest people in cybersecurity that
(56:42):
maybe weren't before, that's a win. If it can influence business leadership to learn a little bit more about, hesitation for, you know, for paying for a game, in a way that a lot of times companies have no problem dropping $5,000, $10,000, $15,000 on a tabletop exercise,
(57:14):
it's like, well, how about you do that, or some portion of that, for a version of that that's just more fun and that gets everybody interested in coming back, and then that keeps shelter over our heads and food on the table while we continue to do this.
Sara (57:31):
You said a few things there. You said cybersecurity skills gaps, and by that I think you were referring to just a gap in general, that there aren't enough people that have those skill sets that are available to fill the roles that are required in order to ensure security, like across industries, right?
Glen Sorenson (57:50):
Yeah, and I think there's a couple of layers to that. There's, you know, not enough people that are qualified to fill the roles that are out there. So that's one, but I think some of the others are really just that the awareness of cybersecurity needs to expand into other areas. And there may be people that are systems administrators and, you know, IT directors, that are perfectly content in that role,
(58:11):
but an organization needs to have an awareness of cyber risk, and I mean it's a material business risk and it's something that they can't ignore. So I mean let's expand those skills too. There's room for the advancement of security awareness in culture at large, and I think that is one of those
(58:45):
skills gaps too.
Sara (58:48):
It doesn't have to be about the deliverable of the end report. It can be the deliverable of the experience, right. And it's a team building exercise and I think it could be a lot of fun.
Glen Sorenson (58:59):
Yep, and I, having been on incident response teams in organizations myself, like, you grow together as you live through real incidents. Maybe let's grow together before that in, you know, a more fun setting, before we have to. You know, before we're actually, like, worried about it and doing, you know, check-ins every two hours, including in the middle
(59:21):
of the night. Build that a little bit more deliberately, instead of having to do so organically in the midst of high-stress chaos.
Sara (59:28):
You mentioned earlier about how there's a lot of people in IT and in security who may have a background in playing the games. So I find that interesting. It almost seems like there might be some kind of a correlation or some benefit to having that exposure or transferable skills, at least from one to the other.
Glen Sorenson (59:47):
It might not seem like a straight line to make that correlation, yeah, but I think it is there, and I've seen that too, in that the people who have that experience, at least some of that experience, translate better into this game. But that same sort of personality can also do well in a traditional tabletop exercise setting too. It helps think outside the box a little bit and expand.
(01:00:11):
I mean open new pathways, for example. I mean that may not be available otherwise, and the more that that can imprint on people who've maybe not had that experience, the more those pathways open.
Sara (01:00:24):
Some people may not realize the gifts or the strengths that they have, and they might be really great thinkers or outside of the box thinkers, and maybe the only place they're really expressing that is in games, and not recognize that there's so much value in being creative and having that ability to think differently. Because if everyone is thinking the same and you're the one
(01:00:44):
person that's thinking something different, that thing that you're thinking might be the thing everybody needs.
Glen Sorenson (01:00:50):
Well, and I love using this example, but you've got your castle and you've built the walls and then somebody comes in, a drone strikes you. Well, that is one of those things, and you know so. Kip, the CEO of Cyber Risk Opportunities, wrote a book called Fire Doesn't Innovate, and the idea of that is fire
(01:01:12):
doesn't innovate, but cyber attackers do. So that's why you get drone strikes on your castle, because you weren't thinking about that in that context, you weren't thinking about the possibility of being attacked in a completely different way. I mean, we need more thinking like that, that is, preparing for the things that maybe they seem outlandish now, but they
(01:01:33):
might not in a few years. Quantum computing and artificial intelligence and attacks based on those things. We're not ready for those and we need more people thinking about those things and helping us get ready for those and the things that we don't see coming yet.
Sara (01:01:52):
I'm hearing like six years, thereabouts.
Glen Sorenson (01:01:53):
Yeah. Yeah, and I think a lot of people won't even know what that means, but solving very complex problems in very little time that traditional computing can't solve, like with, I don't know, 50 years, a hundred years. Yeah, exactly, and I mean in security, we're still wrestling with some of the same issues we have for 10, 15, 20 years in some cases, where, you know,
(01:02:16):
clicking on a bad link, and now that still leads to a data breach and it's like, well, how have we not solved this problem yet? Well, because it's a complex problem. It's a lot harder than we think. So now, if we have a whole different paradigm in another six years, what are we going to do with that?
Sara (01:02:35):
I don't know, but I'd like to hear what your suggestions are.
Glen Sorenson (01:02:38):
We need more thinkers that think differently.
Sara (01:02:41):
We need more thinkers that think differently. So this is a call to the role-playing game community to start thinking about getting into cyber, I think.
Glen Sorenson (01:02:49):
Explore different things, and I mean there's cybersecurity and there's privacy and there's so many different pathways that those things can go down, and maybe it's just doing things a little bit differently in your own life that you hadn't thought about before and that you translate into your work life too.
(01:03:10):
I mean, one of the simple examples I like to use is separating your work digital life from your personal digital life. So I mean, don't use your work email for personal things and don't use your personal email for work things. And just having some awareness like that, that, you know, if something happens on one side of those, it doesn't bleed into the other, it's limiting the blast radius and, uh, you know,
(01:03:33):
some cyber hygiene. Um, and I love and hate that term, both. You know, here we are. It's some of the good habits and some of the not good habits that we can eliminate, that go a long way. A lot of cyber attacks happen because of some of the foundational things that weren't practiced
(01:03:56):
well, and that can be as simple as, you know, updating your systems, patching your systems on a quick and regular basis. You know, just like you have a set of characters that can grow over the course of years, so too can you, and, you know, the things that you know right now. If you went and ran a hackback game yourselves, or, you know,
(01:04:18):
even with us, the things you know right now will grow. And after you've run it, then there's a whole other next level, and then there's a level after that, and it's training and iterations of it, and, you know, in the experience.
Sara (01:04:33):
So do you have like a feedback loop then, like with putting the information out there on the GitHub? Does this include some kind of, uh, like? Is there feedback from the community, and where this is going, where people are taking it?
Glen Sorenson (01:04:49):
We are in our, uh, infancy of that, I would say, but we have started a Discord server, um, and I'll get information for that if people are interested in joining that too. Um, ultimately, we want to start building a community around this and letting the community use their brain power
(01:05:11):
and motivation and drive to take things in, to advance things, and maybe in directions that we didn't see.
Sara (01:05:20):
I think that's pretty exciting and I think the role-playing game community, there's going to be, like you said, there'll be some great overlap between people who play games, people who understand cyber, people who would be able to look at this and say, hey, yeah, I could do something with this. I could take it broader. I could bring this to the city or the hospital or whatever
(01:05:42):
group it is that has experienced an attack and or is afraid that they're next.
Glen Sorenson (01:05:47):
Yeah, exactly so. I mean we've used it as security incident response, but I mean this could be, you know, attacks and penetration testing. It could be, you know, just crisis communications. It could be disaster recovery. You know, I think the applications for it are much broader than we've been using it so far.
Sara (01:06:05):
So, yeah, that's cool. Is there anywhere or any way to see it in action? Like I realize, companies are paying for this and that would be private information, but is there like sort of like a sample scenario or something that can be watched on a YouTube or something like that?
Glen Sorenson (01:06:21):
That is our hope and one of the other things that we intend to do and, granted, I've been restricted by the amount of time I've had available, but what we want to do is run a semi-regular game, monthly maybe, where people can join and see, and I think we have the interest there.
(01:06:45):
Now it's just a matter of doing the coordination and blocking off time on my calendar, for one, to make it happen, because I think that would be very interesting for a lot of people to see this, to hopefully even get to play. We've got, I think, to start this out. I've got to have people that know a little bit about
(01:07:08):
hackback and get started that way, but then once somebody's watched a game, maybe they're ready to play. How I'd have to do it on a, uh, on a regular basis. But, uh, um, you know, I think there's. I want to bring more people in ultimately, and I think that's a
(01:07:33):
good way to do it. Um, so, um, I think, watching the website, um, I think, you know, I probably need to start a newsletter for it too. And then, you know, advertise in our Discord channel and get more people involved in our Discord channel.
Sara (01:07:45):
So it's a really wonderful thing to make the tool set available and then grow this, create the community and have that expertise available through Hackback Gaming for the companies and the industries that want to get serious about actually running the exercise. I think that's wonderful.
Glen Sorenson (01:08:04):
Yeah, that's the hope, I mean. Cybersecurity has crossed over into literal life safety at this point, hospitals and critical systems that we use, manufacturing. If you disrupt those in the right way at the right time, people's lives are on the line, and I wish that were not the case, but that is the world that we live in these days.
Sara (01:08:27):
Yeah, and is there anything else that we haven't touched on that you'd like to bring up before we close?
Glen Sorenson (01:08:33):
If there's any interest in doing this yourselves, or you just want to know more, feel free to reach out to me and I'm happy to connect and see what kind of trouble we can cause together.
Sara (01:08:45):
You got a lovely website, hackbackgaming.com, and yeah, I'm excited to see where this is going to go.
Glen Sorenson (01:08:51):
Yeah, looking forward to it too.
Sara (01:08:54):
Yeah, all right, thanks so much.
Glen Sorenson (01:08:56):
Glen, thank you, been a pleasure.
Sara (01:09:01):
This concludes episode 10 of the A Role to Play podcast. Be sure to head over to hackbackgaming.com for more information. Fill out the contact form there or connect with Glen Sorensen on LinkedIn. A Role to Play is an Untamed Dandelion production. Thanks for listening. Until next time. Make a wish, Dream it true.