Operations

11/14/2017
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What the NFL Teaches Us about Fostering a Champion Security Team

Cybersecurity experts can learn how to do a better job by keeping a close eye on the gridiron.

Now that it's NFL season, there's a lot of wisdom to be gleaned from the football field for cybersecurity experts. How do all of the different positions on and off the field relate to your cybersecurity efforts? How can you correlate the value each position plays in your own squad and in building great policies and practices?

Here are the four ways that security pros can improve their play:

It All Starts with the Coach
The coach is arguably the most pivotal position on the team. Coaches dictate strategy, lead their players, work on trades and salary caps, and pore over new plays and rules. This is, of course, the CISO or CSO. The CISO must develop an overall strategy for your organization's security, manage and lead the security staff, recruit talent, and budget for products and services, as well as understand the legal, regulatory, and compliance frameworks he or she must adhere to. And just like the coach, the CISO must be able to understand both offense and defense. As we look to  a future  in which companies  may have the ability to "hack back," offensive play may become a bigger priority for security teams.  

The Quarterback Makes It All Happen
The CISO's direct reports are your quarterbacks. Sure, in the NFL, it's almost always a star QB and a couple of backups, and you may have a "star" manager in your organization who outshines your other quarterbacks. But just as in the NFL, the quarterbacks need to work tightly together to coordinate strategy and cover each other just in case. Quarterbacks have spent many sleepless nights in fear of a particularly potent pass rusher or blitz play they know they'll see in their next game.

The security quarterbacks spend just as many sleepless nights thinking about a "hacker blitz" or a pass rusher swooping in past your organization's line and getting the sack. Both the pass rusher and the sufficiently skilled attacker are unblockable forces in the "game" without the right visibility. The football quarterback must be able to see the rush coming and instantly figure out a way to get out of the rush. Your security quarterbacks need to be able to see into every corner of your infrastructure, every endpoint, every asset… all giving some sort of tell-tale sign that the blitz is coming.

Don't Forget the Defensive Line
Flipping it the other way, and thinking of the offense as the attacker, we can't forget the incredible value and critical role the defensive line plays in both the NFL and inside your security team. In football, those on the defensive line have one singular goal: to prevent the attacking side from scoring points.

Just as in football, your defensive line of analysts and security operations center (SOC) staffers are the first line to protect your network from being scored against. The defense in football must be ready at all times for deceptive tactics such as naked bootlegs, lateral passes, and other trick plays. For your SOC staff, they too must always be ready for trick plays: ransomware attacks that are designed to be a diversion against another attack that is designed to steal your valuable data; hundreds of false-positive alerts that draw skilled resources away from looking for that breach needle in the haystack; overloading one part of your security infrastructure in the hopes of overwhelming your defense staff so that something will get through undetected.

A recent Ponemon survey showed that the average organization spends 425 hours chasing down false positives. That same survey showed that same enterprise is spending almost $1.4 million annually dealing with those false positives. That's a lot of defense time and money that could be better spent training, studying new plays, and practicing techniques.

What About the Fans?
Fans can make or break a team. A raucous home crowd in the NFL can add an unquantifiable positive to the home team. Remember Kansas City's legendary noise levels or Seattle's 12th man campaign? Much like the 12th man, an organization needs "fans" of its security efforts, including the rank-and-file employees you protect, your executive leadership team, and your shareholders, to buy in to your vision and strategy. If the organization's employees feel as if they're part of the solution, are not treated like second-class users, and believe they can come forward and report issues or incidents immediately without getting stomped on by your security staff, they'll feel like they're part of the team.

Your executive leadership team and shareholders must also buy in to your overall security vision. They're the part of the team that approves operational and capital investments in security, or pushes back on rapidly expanding and increasing security spend. If they don't see the value, it can be difficult to get what you need from them when you need it.

At the end of the day, it's important to remember that no team, NFL or security, wins with a single star. You could have the world's greatest quarterback/manager, or an All Star defensive line/analyst, or a wizard of a coach/CISO. But they can't do it alone. No team wins on Sunday on the back of one single position. And just as in the NFL, it takes a well-oiled security machine to win games in the security gridiron. You need to see the whole field, read plays, work together, and stop the attacking side before they find their way into the end zone.

Related Content:
10 Mistakes End Users Make That Drive Security Managers Crazy
Why Common Sense Is Not so Common in Security: 20 Answers
How Law Firms Can Make Information Security a Higher Priority

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Richard Henderson is global security strategist at Absolute, where he is responsible for spotting trends, watching industries and creating ideas. He has nearly two decades of experience and involvement in the global hacker community and discovering new trends and activities ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sojjon
50%
50%
sojjon,
User Rank: Apprentice
5/14/2018 | 4:31:34 AM
Re: Why use the NFL as an example?
yes, appreciate with jenshadus
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
11/15/2017 | 9:12:25 AM
Why use the NFL as an example?
How embarrassing.  I would have used another structured game like Baseball.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.