What Poker Taught One Expert About Cybersecurity

By Megan Gates

01 December 2019

Print Issue: December 2019

It’s not every day that you meet a cybersecurity expert who also has $3,640 in lifetime cashes in the World Series of Poker.

But then again, Tarah Wheeler is not your typical cybersecurity professional. She got her start in the field later in life. She led projects at Microsoft Game Studios, served as senior director of data trust and threat and vulnerability management for Splunk, and was the senior director of engineering and principal security advocate at Symantec Website Security.

Now, she’s a cybersecurity policy fellow at New America, a bestselling author, and an active member of the cybersecurity community—sharing her thoughts on Twitter and through appearances at security conferences, including Global Security Exchange (GSX) in Chicago in September.

In her keynote address, Wheeler focused on convergence and response to security incidents. After her remarks, Security Management had a chance to speak with Wheeler directly. Below is a lightly edited version of their conversation.

SM: Today, more than ever, cyber and physical teams must work together to solve security challenges. What skill sets do physical security professionals need to make that transition to effectively partner with cybersecurity in the next five years?

Wheeler: They’re going to transition whether they want to or not. It’s already happening. And they’re already getting those skills. Video surveillance is cybersecurity now. Where do you store the footage?

There’s not a separation. And maybe the best way to put it is to ask any physical security expert or consultant: Where do you store the identification for people allowed in the building? If it’s not on a physical sheaf of paper at the front desk, you’re already in cybersecurity.

You play poker. I’m curious how that has helped you and what you’ve learned from cards that you’ve been able to bring to your cybersecurity skill set?

Wheeler: When I talk about incident response, I say that there’s not a magic bullet—that you can only make this better a little bit at a time over time.

And sometimes in the moment, everything seems completely terrible, but you have to make the right decision. And it’s going to suck, and it’s going to be awful, and it’s going to hurt. But over time, you start to fine-tune your sense of decision making.

That’s what poker is like—folding what you know isn’t the best hand, even if you’re perfectly short. Being sure enough that you need to make a good decision and following through on that good decision and gradually tuning your game so you’re better over time is what poker brought me when it comes to my decision-making process in cybersecurity.

Sometimes it’s awful when you have to make that decision.

You talked in your speech about your mom meeting an Iron Man competitor and how he told her that no matter how good the shape he’s in, it always hurts to get to the top of the mountain. When getting to the top of the mountain in incident response—the point where you’ve worked with stakeholders to respond and mitigate the problem—you said that it always hurts, but eventually you will get there faster. What are some moments or experiences in your own career that have helped you get better at getting to the top of the mountain?

Wheeler: It’s closely related, as so many things in my professional life are, to poker again. The ability to recognize that the absolutely wonderful situation you find yourself in—or the absolutely terrible situation you find yourself in—is just of this moment, and that making the right decision now is going to hurt. But it pays off in an unseen, slight increase over time, multiplying over time to a better feature, a better product, a better career, a better person.

I’ve seen that happen when we’ve had to cut the use of products a lot of people were using and use something new. It’s very common for there to be something that works well enough in security.... For a while the solution is going to be worse than the previous thrown-together Frankenstein solution.

Knowing that there comes a point where you have to pull the plug on a solution that works kind of good enough, and take the hit that comes in defending that new solution. Taking the responsibility for that and knowing that people are going to be mad at you for a while is what I took away from Mom’s story about that cyclist and the Iron Man.

After a while, I’ve gotten used to that—that there will be conflict and problems and politics around implementing better solutions. But sometimes, you just have to deliver the mercy blow to a terrible old solution that was put together 10 years ago when the company started. And it’s time to grow, and it’s time to make things better, and there’s going to be a dent in service reliability provision for a while. People aren’t going to like it. They’re going to yell at you. You get used to that part.

Once you get used to it, you know it’s going to be done quicker.