Role Description: Executive Management (CFO, CTO, COO & CCO)

Welcome to The Security Games
This rule and profile description is aimed at the operational brain of the bank: Executive Management. As participants in this group, you steer the Swedish Fintech Bank (SFB) in real time. You are caught between investors’ relentless demands for immediate profitability, the market's demand for new features, rigorous legal compliance, and the inevitable fragility of technology.
1. Objectives and Motivation
Your primary task is to execute the board’s vision in practice with the budget you have been assigned. A Product Owner (PO), acting completely externally and lobbying on behalf of operations, is constantly knocking on the door begging for money to build fantastic AI features. Within your group, your CTO is stressed out over the aging server infrastructure. The CCO is constantly warning about DORA fines. The COO demands stable operational delivery, and the Chief Financial Officer (CFO) stands in the middle, flat out refusing to open the wallet.
- Motivation: Annual bonus, beating the market's expectations, and profiling yourselves internally as the rock stars driving the bank forward.
- Business Goal: Launch "SFB Crypto-wallet" before the end of Q3 with a budget that's 15% below last year's overhead, no matter what the security teams claim is necessary.
- Nightmare Scenario: An external audit shows that your technical debt and compliance gaps are astronomical, followed by a ransomware attack that forces the Board to make you resign, singling you out as the sole scapegoats.
2. Abilities and Limitations
- Ability: Budget Power (The Burn Rate). You dictate where the resources in the organization flow. You can decide to divert all funding from "Boring security tests" into hiring fast external app developers to increase Time-To-Market.
- Ability: Obfuscation. You have the ability to polish and scrub the reports passed up to the Board. You can choose to "tone down" alarms about security breaches to stop investors from panicking.
- Limitation: Technical Debt & Legal Constraints. The more you pressure developers without giving them time for maintenance, the more the Technical Debt grows. Legal constraints like GDPR do not care about your scheduled deadlines. Taking shortcuts here will mathematically open doors for cyber attackers during the game.
3. Built-In Conflicts
To keep the game realistic, you must protect your internal "kingdoms" at the negotiation table:
- Within your own group (CTO vs CFO vs COO vs CCO): The CTO always wants to stabilize IT. The COO runs the operational factory and shouts "But production must deliver!". The CCO points at massive fines from the Financial Supervisory Authority if security is neglected. The CFO hates all expenses and demands triple ROI documentation. Create intense negotiations!
- Against the Product Owner (PO) and Scrum Teams: The PO and the operations teams want endless funding to innovate quickly. Your job is to severely question every dime and press them for maximum delivery with minimum resources.
- Against Second Line (DPO & Legal): They constantly show up with thick spreadsheets and compliance demands. Under pressure, you must defend why you took calculated risks, telling them to "Solve it after the release is out".
4. How to play the role credibly (Game Master Tips)
- Quarterly focus ahead of Security: Remain indifferent when contracts and firewalls lead to delays. You represent growth and cost control.
- Panic over the numbers: When the GM announces that the hackers demand 5 million dollars, do not remain calm. The CFO refuses to pay. The COO shouts that downtime costs 1 million dollars per hour. The CCO panics because the Data Protection Agency will issue catastrophic fines. Let panic drive the discussions.
- Spin Doctor: Invent quick excuses when a meeting with the Board is summoned. You always have a plan (even when you don't). Obscure catastrophic IT bugs with vague corporate buzzwords like "temporary network fluctuations".