Dungeons and Data Breaches

It is no mystery that I am a fan of most nerdy things, most of all table-top games like Dungeons and Dragons. Interestingly, the skills necessary to play such games intersect quite often with the skills necessary to build an effective privacy program. Whether it is teamwork, preparation, or knowledge of applicable rules, there is an advantage to be gained.

Privacy programs do not rest upon the shoulders of a single person. While the creation of policies may fall to an individual privacy officer (more on that later), the rest of the company will need to support that program and comply with it. As with any policy or procedure, the whole business and its goals should be considered.
Gamifying this a bit, you wouldn’t roll up a character for a new game without knowing what your teammates were doing, or at least considering them. When you work with your team, building on strengths to cover gaps makes a stronger team and sets you up for better outcomes.

Focusing on Your Change
A common issue for tabletop groups is strategizing. It is easy for one person with lots of knowledge to have a plan for the whole group, knowing what every person should do based on their understanding of a situation. However, individuals are imperfect and sometimes take actions others would call suboptimal. Here, you need to focus on what you can change and control, not what you cannot.
First, you can always provide suggestions or assist others in making a better decision, but where they will not listen or insist on their course of action, you want to focus on what you can do better. You have control over your situation, and by making optimal choices on your end, you better set up your team (and yourself) for success. More importantly, if you regularly perform well, those who were closed to other ideas may open up to your suggestions.

Prevention Over Perfection
We have all heard how much more effective it is to prevent problems than to handle them once they are full-blown. When it comes to a breach, this is truer than ever. Data breaches come in all shapes and sizes, from an unintended disclosure to your worst ransomware attack. So, if you cannot get a perfect outcome or have perfect control, what do you do?

In a tabletop situation, you do not focus on the best outcomes; you focus on the expected outcomes. Chances are no one is rolling perfect 20s on their dice every time, just as your security systems do not catch every issue. You need to plan on mitigating the expected outcomes and preventing the greatest possible amount of damage.
After you have a plan in place for what you expect, start covering gaps for those unexpected incidents. Have plans for something that has a lower chance of occurring but is still possible. Of course, keep your eyes open for what is happening around you and get an idea of what threats are present to improve your response to those threats.