Information Security Lessons Learned from Disney World Vacation Planning

As a parent of twins, one item that was evident since my wife was pregnant was that we would take them to Disney World.  A Disney vacation forms lasting memories for children.  It is one of the few items that they will remember when they grow older.  It is also one of the most expensive and extensively planned trips that families will take.  When you go there, you see families all dressed in custom-printed shirts to identify themselves.  There are numerous Facebook pages and web sites dedicated to mapping out trips for families based on age, gender of kids, amount of available cashflow, and numerous other criteria.  This is also one of the trips where you will speak with all your friends and family who have previously made the trip.  You also make plans for what happens if families get separated, or other disasters strike.  Having those matching shirts is an excellent plan to address a major potential issue of losing a child in the world’s largest theme park.

If we can extensively plan and research for our families to go to Disney, including for when something goes wrong, why can’t we do the same for our own organizations?  Thousands of families can plan for Disney every year.  What can we learn from them?  How can we improve?

To put this in perspective, if we planned our Disney vacations like we do our cyber defenses, we’d be spending outrageously on items we would not need and would have bad experiences. For example, we wouldn’t spend hundreds of thousands of dollars on consultants that have never lived through leading incident response to tell us how to protect ourselves.  Much like the conversations we have with other Disney vacation-goers, we’d have a web conferencing meeting with organizations that have either experienced an attack or have effectively defended themselves.  This is a tactic that I have used at work, where we will speak with organizations that have been attacked to better understand how to build more effective defenses.  We have learned more from 30-minute conversations with affected organizations than months of Big 4 firms throwing twentysomething MBAs on projects to make pretty charts.

We also wouldn’t spend money on tools and services that don’t provide value.  There is nothing like watching a spouse or friend plan out meals and snacks for a family vacation at Disney.  It’s not cheap.  The places your kids want to go to require reservations days in advance.  You need to understand menu options available, especially if you have picky eaters in your family.  You also have to plan out snacks for long line waits, including the Dumbo and Frozen rides.  Meal planning for Disney eliminates waste.

Yet we still have tool vendors who push products claiming to eliminate ransomware and cyber attacks using fear to override rational thought.  The number of times I have heard “That next cyber attack could be right around the corner, and we have a technology to stop these new attacks that your current vendor doesn’t.  You could be left exposed, unless you buy our product, and we have a special deal for you….” is in the thousands over the past twelve years.  However, it works because there are enough CIOs and CISOs that fall for this hook, line, and sinker repeatedly.  We create waste.  We need to think like parents planning out when the kids get snacks and what extra snacks go into the backpack in case they get hungry when we’re in line.

We need to rationally assess our needs and plan out our purchases based on reality, not on some hypothetical scenario.  Most ransomware attacks use old techniques because they work.  When you haven’t patched your VPN in years and you have left Remote Desktop Protocol open on the firewall for a vendor that wouldn’t take no for an answer, the likelihood of someone using a new type of attack on your organization to spread ransomware, and potentially burning an exploit, is zero.  Ransomware gangs are professionals.  They understand risk and reward, and that the shiny new protection you blew your budget on goes away when you leave unlocked doors open.

Your kids will have to pee when you are in line for rides.  When we were in line for Pirates of the Caribbean in 2019, my son, right before we got into the ride, announced he had to pee.  I learned that day that Disney World has the best bathroom placement of any entertainment experience I have ever been to.  You are never more than 2-3 minutes from a clean bathroom.  However, you need to plan for the unexpected.

When you think of cyber attack playbooks, you need to think the same way.  Plan for the unexpected.  Don’t have playbooks for certain attack types.  Plan for the technical equivalent of your son announcing his full bladder right when you’re about to get into a ride.  Make sure your plans for unexpected events include bringing in the right resources to address issues in the plan at the right time, rather than going to the same plan all of the time or building a bunch of plans you won’t maintain.  You need to always be within 2-3 minutes of a bathroom, or you’re going to have a mess on your hands and clothes.

Before COVID, you only got three FastPass reservations a day at Disney World.  This meant that you had to prioritize and rank the experiences that you wanted for your children’s lasting memories, including rides and character encounters.  You had to wait a long time for the rest of them.  We need to do the same with cyber defense.  We only get a limited number of FastPasses with our senior leadership to put in what we need.  Prioritizing risk and addressing the top items using a credible assessment goes a lot farther.  Trying to address everything at once means that you will end up using FastPasses where they are not needed or important, like “It’s a Small World” instead of Dumbo or Space Mountain.

Planning the time of day to be at Disney is also very important, especially given the wildly divergent sleep patterns of smaller children.  You don’t want to be the one pushing the stroller around the park with a sleeping child while the other is having a great time.  It ends up being a great time for one, but not the other.  You have to think of staffing the same way.  You can’t have everyone on at the same time.  You’re going to have burnout.  Plan schedules and work around the ability and effectiveness of team members.  Take them into consideration.  If you don’t, they’re going to be burned out, and your team will have the effectiveness of a sleeping toddler in a stroller, with additional resources stressed and burned out from carrying the additional load.  With COVID and working from home encroaching more on our lives, this becomes paramount.

Thousands of families can flawlessly plan for Disney trips every year and have a great experience.  They can self-organize and have a great time.  They don’t need to spend thousands on trip advisors.  They speak with friends and family who have been there to learn their experiences.  They plan what they need based on their needs and desires far in advance.  They plan for the unexpected, including when kids have to pee.  They use the FastPasses for limited wait times judiciously.  Finally, they plan when to be there so that everyone enjoys the experience.  We can learn a lot from them, and I have paralleled the experience to some security tips that organizations can use to improve their cyber incident and ransomware response.

Here’s hoping we get back there sooner than later!

About the author

Mitch Parker, CISO

Mitchell Parker, MBA, CISSP, is the CISO at IU Health. Mitch has eleven years’ experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health’s patients and team members.