I always snicker when an angry businessperson admonishes their audience with the phrase “We’re not playing game here!” I know the phrase is meant to convey that the audience should be taking their current situation more seriously. I get the sentiment, but I can’t take the phrase seriously. Work is a game … partially, anyway. Understanding that is a critical first step towards becoming an effective leader.
To be fair, I’m biased; I’ve been big into games from an early age. One of the few strong memories I have of my preschool years was playing Monopoly with my parents on the floor of their apartment at Western Michigan University. I got my first Dungeons & Dragons Basic Set in 1983 and learned how to play with my cousin. I spent my profits from mowing lawns in the summer to purchase new and interesting games like Car Wars, Twilight: 2000, and Paranoia. All this is to say, when InfoSec Twitter goddess @Infosec_Taylor  tweeted this on Saturday:
“You can’t be in cybersecurity without being super technical and knowing at least 2 programming language.”
ST*U. You have a very narrow definition of cybersecurity of you believe that and should broaden your skillset.
… I concurred with a joke:
If we’re going to make up *#&$ gatekeeping rules, let’s declare that “You can’t be in cybersecurity unless you’ve GM’d at least 2 TTRPGs that aren’t a D&D edition.” 
This quip was aimed mostly at other game enthusiasts. There’s a lot of us in the security and tech worlds, so I figured the joke would resonate on a couple of levels. I wasn’t disappointed.
There’s been some controversy in the gaming community about the success of Dungeons & Dragons 5th Edition. Most people are thrilled that the new edition has made TTRPGs accessible to much wider community of players. The more, the merrier! That said, some people are upset that 5E’s success seems to have pushed other TTRPGs out of the limelight. For those folks, the only way to “prove” you’re a “real” role-player is to demonstrate your experience with lesser-known games that aren’t based on D&D rules. Hence, my gatekeeping crack.
I say all this for two reasons: first, I believe that @Infosec_Taylor is absolutely right about counterproductive gatekeeping practices in the cybersecurity and IT communities. I’ve noticed a disturbing trend of mocking, ignoring, and blocking people who appear to be trying to break into our world. We have far too much to do to turn our back on potential reinforcements. We need to encourage people to join us and then mentor them when they do.
Second – and this is going to sound a bit daft – we need to remember that a great deal of corporate life resembles a game. That is to say, functioning in a collective corporate setting is as much performance art as it is work. It’s not enough to employ one’s qualifications and experience to solve problems and generate results. Every employee must constantly demonstrate their compliance with social expectations by convincingly “performing” a “character” such that their “audience” approves. It’s more of a stage play with PowerPoint than a simple “job.”
If you think this is a barmy notion – and I will take no offense if you feel that way – consider the norms of your office environment: every office establishes, maintains, and enforces rules of workplace behaviour. These rules might not be formally defined, like in a dress code policy, but they always exist. There are rules – some common to the larger society outside the office, and some unique to the inside of the office – about what people may and may not do in the office and while representing the organization. An example might involve the wearing of underwear:
- It’s an individual choice as to whether a worker wears underwear or not, however;
- Workers’ underwear must not be visible whilst in the office
- Workers must not discuss underwear – their own, or others’ – in the office
- Underwear is not an appropriate gift for office parties
- No matter what, underwear should not be worn on one’s head
It’s a deliberately silly example. Still, it makes sense when you think about it. Even though these prohibited actions rarely have any meaningful impact on day-to-day operations, society at large has established protocols governing proper and improper clothing wear. That said, clothing rules for the home are less restrictive than for the street, which are in turn far less restrictive than in the office. Why? Because of the rather arbitrary notion of “professionalism” which supposedly affects customer relations, brand reputation, and individual credibility. We have rules regarding what clothing wear is acceptable and what isn’t; wilfully defying those rules may have consequences.
Think about it: if you go out to dine at a fine restaurant and the chef comes to your table wearing a traditional toque blanche, you’re likely to feel reassured. You’ll believe that the chef knows what she’s doing. If, however, the chef comes to your table wearing a pair of boxer shorts on her head you’re likely to stammer an apology and bolt for the exit because the chef seems like a nutter. Why, though? The two “hats” are nearly identical from a strictly mechanical perspective … some bleached white cotton sewn into a standard shape and augmented with elastic to keep the wearer’s hair from falling into the food. What’s the big deal? One “hat” is considered “correct” and the other is irredeemably “wrong” even though someone from a different culture might not be able to tell the difference between the two.
It’s all about coding meaning in both objects’ design and how those objects are used; wearing the right clothing signals to the audience that you know what’s expected of you and are both willing and able to conform to those expectations. Violating those rules signals that you’re either ignorant or else challenging the culture.
If you’re willing to humour my argument that work requires some performance art, then I ask you to consider my opening Twitter joke from a new perspective. One of the major downsides to knowing only one TTRPG system is that you game experiences can be constrained by the inherent limitations of the rules. All TTRPGs are crude simulations of reality; the designers’ decisions on how to handle basic mechanical issues like “how far can I move in a turn?” artificially limit what the characters can do. That, in turn, limits the players’ choices which reduces what sort of stories can be told.
That’s why seasoned gamers encourage new players to branch out and learn multiple – and wildly different! – games even if they’re not going to ever play them. The more one learns how different designers tackled game mechanics problems, the more tools you have for addressing your main game’s inherent shortcomings. D&D 5E is played on a grid map, and your token or miniature must always fit into a clearly marked square. The original Car Wars was played on a grid map, however the car counters could cross multiple squares diagonally. Champions and BattleTech were played on hex map. Paranoia didn’t use a map at all, and so on.
That in mind, I argue that one of the best things a new cybersecurity professional can do is to branch out and learn multiple – and wildly different – office cultures even if they’re not going to accept a job there. Take advantage of every opportunity to visit other companies to study how the people working there act. What rules do they conform to and why? How do they address deviance and wilful noncompliance? What sort of pressure or influence does it take to establish, reinforce, or revoke a collective expectation? Just like the act of learning new games, you’re learning new rules systems, mechanics, and customs. This will help you revaluate your own culture’s rules, assumptions, blind spots, and weaknesses.
Also, I feel it’s important that all cybersecurity professionals should accept that a great deal of workplace behaviour is performative rather than purely functional. People act to satisfy their bosses and co-workers’ behavioural expectations. What you perceive in the office isn’t necessarily an accurate picture of who people really are, what they really believe, or what they secretly feel is right for them. The people you’re observing are conforming to pressures and expectations to ensure they keep their jobs. I attribute this to the insidious influence of the Hawthorne Effect: people change their behaviour when they know they’re being watched.
Why does this matter? Because this disconnect between who people really are and who they pretend to be for work directly affects how effective your policies, communications, and processes will be in curtailing counterproductive behaviour. If you want to be effective as a cybersecurity professional, you need to meet people where they really are, not where you think they should be according to some academic policy model.
 If you work in security and you’re not following @Infosec_Taylor on Twitter, you’re doing security wrong. She’s brilliant.
 TTRPGs = Table Top Role Playing Games