11/14/2017
What the NFL Teaches Us about Fostering a Champion Security Team

Cybersecurity experts can learn how to do a better job by keeping a close eye on the gridiron.

Now that it's NFL season, there's a lot of wisdom to be gleaned from the football field for cybersecurity experts. How do all of the different positions on and off the field relate to your cybersecurity efforts? How can you correlate the value each position plays in your own squad and in building great policies and practices?

Here are the four ways that security pros can improve their play:

It All Starts with the Coach
The coach is arguably the most pivotal position on the team. Coaches dictate strategy, lead their players, work on trades and salary caps, and pore over new plays and rules. This is, of course, the CISO or CSO. The CISO must develop an overall strategy for your organization's security, manage and lead the security staff, recruit talent, and budget for products and services, as well as understand the legal, regulatory, and compliance frameworks he or she must adhere to. And just like the coach, the CISO must be able to understand both offense and defense. As we look to a future in which companies may have the ability to "hack back," offensive play may become a bigger priority for security teams.

The Quarterback Makes It All Happen
The CISO's direct reports are your quarterbacks. Sure, in the NFL, it's almost always a star QB and a couple of backups, and you may have a "star" manager in your organization who outshines your other quarterbacks. But just as in the NFL, the quarterbacks need to work tightly together to coordinate strategy and cover each other just in case. Quarterbacks have spent many sleepless nights in fear of a particularly potent pass rusher or blitz play they know they'll see in their next game.

The security quarterbacks spend just as many sleepless nights thinking about a "hacker blitz" or a pass rusher swooping in past your organization's line and getting the sack. Both the pass rusher and the sufficiently skilled attacker are unblockable forces in the "game" without the right visibility. The football quarterback must be able to see the rush coming and instantly figure out a way to get out of the rush. Your security quarterbacks need to be able to see into every corner of your infrastructure, every endpoint, every asset… all giving some sort of tell-tale sign that the blitz is coming.

Don't Forget the Defensive Line
Flipping it the other way, and thinking of the offense as the attacker, we can't forget the incredible value and critical role the defensive line plays in both the NFL and inside your security team. In football, those on the defensive line have one singular goal: to prevent the attacking side from scoring points.

Just as in football, your defensive line of analysts and security operations center (SOC) staffers is the first line protecting your network from being scored against. The defense in football must be ready at all times for deceptive tactics such as naked bootlegs, lateral passes, and other trick plays. Your SOC staff, too, must always be ready for trick plays: ransomware attacks designed as a diversion from another attack that is built to steal your valuable data; hundreds of false-positive alerts that draw skilled resources away from looking for that breach needle in the haystack; overloading one part of your security infrastructure in the hope of overwhelming your defense staff so that something gets through undetected.

A recent Ponemon survey showed that the average organization spends 425 hours chasing down false positives. The same survey found that the average enterprise spends almost $1.4 million annually dealing with those false positives. That's a lot of defense time and money that could be better spent training, studying new plays, and practicing techniques.

What About the Fans?
Fans can make or break a team. A raucous home crowd in the NFL can add an unquantifiable positive to the home team. Remember Kansas City's legendary noise levels or Seattle's 12th man campaign? Much like the 12th man, an organization needs "fans" of its security efforts, including the rank-and-file employees you protect, your executive leadership team, and your shareholders, to buy in to your vision and strategy. If the organization's employees feel as if they're part of the solution, are not treated like second-class users, and believe they can come forward and report issues or incidents immediately without getting stomped on by your security staff, they'll feel like they're part of the team.

Your executive leadership team and shareholders must also buy in to your overall security vision. They're the part of the team that approves operational and capital investments in security, or pushes back on rapidly expanding and increasing security spend. If they don't see the value, it can be difficult to get what you need from them when you need it.

At the end of the day, it's important to remember that no team, NFL or security, wins with a single star. You could have the world's greatest quarterback/manager, or an All-Star defensive line/analyst, or a wizard of a coach/CISO. But they can't do it alone. No team wins on Sunday on the back of one single position. And just as in the NFL, it takes a well-oiled security machine to win games on the security gridiron. You need to see the whole field, read plays, work together, and stop the attacking side before they find their way into the end zone.


Richard Henderson is global security strategist at Absolute, where he is responsible for spotting trends, watching industries and creating ideas. He has nearly two decades of experience and involvement in the global hacker community and discovering new trends and activities ...
Comments

sojjon, User Rank: Apprentice, 5/14/2018 4:31:34 AM
Re: Why use the NFL as an example?
Yes, I agree with jenshadus.

jenshadus, User Rank: Strategist, 11/15/2017 9:12:25 AM
Why use the NFL as an example?
How embarrassing. I would have used another structured game like Baseball.