“The Witcher 3 – Wild Hunt” is a massive open world role playing game (RPG) by Polish game studio CD Projekt Red. Based on the books by Polish fantasy author Andrzej Sapkowski, the games center around the character of Geralt of Rivia, a famous monster slayer. The games series and books are so popular that Netflix has created a series about them, starring Henry Cavill in the role of Geralt. Not entirely relevant to the world of information security, you may say? Think again because here’s what “The Witcher” can teach us about information security.
Not a review
Very briefly for those who don’t know, a Witcher is a man who through magic, alchemy and training has mutated to have greater strength, speed and agility than normal men. They also have an enhanced immune system, heal much faster than regular people and live longer too. That is, if they aren’t killed by some monster in the line of their work. Witchers are created to be monster slayers.
While I enjoy “The Witcher 3 – Wild Hunt” and found the television series well made, this article is not a review of the game, nor does it have advice on how to play. Instead, I decided to take a look at what “The Witcher” can teach us about information security. Does that seem like a stretch? Well, perhaps but it allows me to look at one of my favorite games from a different perspective. So, let’s look at what “The Witcher” can teach us about information security (what follows applies mainly to higher difficulty levels of the game).
In the fantasy world of the Witcher, monsters are real and so are magic and alchemy. All Witchers undergo training to fight monsters, wield basic magic and brew potions. As the player explores the world and accepts contracts on monsters, he or she earns skill points. With these skill points, the player upgrades the abilities of Geralt or unlocks new ones. Improved sword fighting, magic signs and decoctions are necessary to survive as the game progresses. In effect, Geralt is constantly training and improving his impressive skill set.
If you want to be effective in information security, you need to do the same thing. The skill set that was cutting-edge 10 years ago, isn’t sufficient today. New threats, new techniques, new vulnerabilities and new adversaries pop up all the time. It’s imperative to stay on top of new developments. It’s also recommended to get a relevant certification and to keep it up to date.
Being a Witcher means being on your guard. Geralt travels the world mostly by himself, which means he has to take care of himself. He needs to know where to find contracts to earn a living, he needs to be aware where monsters may lurk or where bandits hide out. To help him, the special mutations Witchers possess give him improved eye sight, hearing and smell. It’s almost impossible to sneak up on a Witcher and not much gets by them without being noticed.
Information security is all about risk management but you can’t manage risks that you fail to recognize. So like Geralt, people in information security need to have a very keen awareness of where risks are and what forms they take. Where others don’t see an issue, you are able to point them out to people in such a way that they recognize them too.
Being aware of your surroundings is one thing. A Witcher needs more than that if he is to survive to fight monsters another day. The world of The Witcher is a dangerous place and death lurks everywhere, be it from monsters, bandits or simply the local wildlife. Geralt needs to identify and correctly assess risks as part of his job. Is that monster poisonous? Will that vampire be able to sneak up behind me? Can that archer hit me from over there? Making incorrect risk assessments can seriously mess up a Witcher’s day!
What “The Witcher” can teach us about information security extends to risk assessment as well. As someone tasked with information security, risk management and risk assessment are two of your most important roles. Failing to identify risks may open your organization to hacking, data leaks and damage to its reputation. Correctly identifying risks is your first step in protecting against them. Making incorrect assessments can seriously mess up your day too!
Once Geralt has identified his risks, he can take steps to mitigate or completely counter the risks he is about to face. If a monster is poisonous, he can drink a potion to protect against poison. Some monsters are vulnerable against certain magic so casting the right sign at the right time will protect Geralt. Repairing his armor before attacking bandits will keep him shielded from arrows. Countering enemy advantages with the appropriate countermeasures gives a Witcher an edge in battle.
This principle applies in information security as well. Once you know the risks your organization faces, you can take appropriate measures to protect against them. Insufficient awareness is countered with an awareness program, internet-facing systems are hardened and protected by firewalls and ransomware is thwarted by good anti-malware software.
In “The Witcher” at higher difficulty levels, preparing for an encounter becomes essential. You can’t run into a cave or bandit camp and hope for the best. That’s actually a good way for Geralt to get killed. Instead, you need to make sure your armor and swords are repaired and up to the job. You also want to apply the right oil to your blade for the monster you are facing. Having enough and the right bombs, potions or decoctions is also important so these need to be prepared. Only this way does a Witcher stand a fighting chance.
The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.The Art of War, Sun Tzu
Information security really is no different. Every organization will face a time when they have a serious cyber incident. When that happens, there will be no time to prepare. Your preparation must be done before any confrontation takes place. Have a cyber incident playbook ready, make sure people know what to do and who you need to reach out to before anything happens. Practice cyber incidents and have experts test your defenses before the bad guys do. It will not prevent the incidents from happening but at least you’ll be better prepared to deal with them.
Being a Witcher isn’t a life of glamor and luxury. Very often, Geralt finds himself in dirty, monster-infested environments. Or he goes up against a gang of bandits all by himself. While he knows how to handle himself in a fight, has superior strength and reflexes, it still helps to have the best equipment money can buy. When possible, Geralt should have a new sword made or invest in superior armor. He can also buy new alchemy formulas or other necessities. Especially later in the game, having the best gear you can afford becomes very important.
Again, this is no different in information security. Whether it’s training, services like awareness or pentesting or software to support your mission, you should get the best your budget will allow for. Getting the appropriate budget can prove a challenge especially if you need to get upper management on board. Having a good plan and strategy may help with that but remember to always spend your money wisely.
A side effect of the mutations, is that they tend to strip the Witcher of emotions. During dangerous encounters with monsters, having a clear head is a great advantage. The same goes for not being afraid. Geralt’s lack of emotion leads to some wonderfully understated reactions to things that would make normal people swear, curse or panic, both in the game and in the series.
Geralt likes to hide behind his mutations to avoid emotional topics. In the real world, we don’t have the help of Witcher mutations but in a crisis people still look to us to manage the situation. That’s where practice and planning come in, but also the ability to make difficult decisions based on limited information. There’s always the risk that you’ll make the wrong decision but doing nothing while a crisis unfolds is always a bad choice.
Often when Geralt defeats a particularly challenging monster, he’ll take a trophy to strap to his horse “Roach”. This shows everyone that he was victorious and proves to the one issuing the contract that the job is done so Geralt will get payed. The trophy is both proof and a way to celebrate a job well done. A Witcher with the head of a griffin strapped to his saddle is a Witcher who knows his stuff and gets the job done.
While we (fortunately) do not have to strap the heads of hackers or cyber criminals to the hood of our car to be taken seriously, it’s still important to celebrate our successes. Showing users, management and clients the good things we’ve accomplished, keeps them informed about what we’re doing and how information security adds value. Showing our success can also go a long way to secure next year’s budget!
Not such a stretch after all
There you have it, a list of what “The Witcher” can teach us about information security. Even though they are completely different in most respects, we can still learn a few things about how Geralt manages situations. What do you think? Is there anything else The Witcher can teach us about information security? Feel free to add your suggestion in the comments below and thanks for reading!