What the NFL Teaches Us about Fostering a Champion Security Team

Now that it's NFL season, there's a lot of wisdom to be gleaned from the football field for cybersecurity experts. How do all of the different positions on and off the field relate to your cybersecurity efforts? How can you correlate the value each position plays in your own squad and in building great policies and practices?

Here are the four ways that security pros can improve their play:

It All Starts with the Coach
The coach is arguably the most pivotal position on the team. Coaches dictate strategy, lead their players, work on trades and salary caps, and pore over new plays and rules. This is, of course, the CISO or CSO. The CISO must develop an overall strategy for your organization's security, manage and lead the security staff, recruit talent, and budget for products and services, as well as understand the legal, regulatory, and compliance frameworks he or she must adhere to. And just like the coach, the CISO must be able to understand both offense and defense. As we look to  a future  in which companies  may have the ability to "hack back," offensive play may become a bigger priority for security teams.  

The Quarterback Makes It All Happen
The CISO's direct reports are your quarterbacks. Sure, in the NFL, it's almost always a star QB and a couple of backups, and you may have a "star" manager in your organization who outshines your other quarterbacks. But just as in the NFL, the quarterbacks need to work tightly together to coordinate strategy and cover each other just in case. Quarterbacks have spent many sleepless nights in fear of a particularly potent pass rusher or blitz play they know they'll see in their next game.

The security quarterbacks spend just as many sleepless nights thinking about a "hacker blitz" or a pass rusher swooping in past your organization's line and getting the sack. Both the pass rusher and the sufficiently skilled attacker are unblockable forces in the "game" without the right visibility. The football quarterback must be able to see the rush coming and instantly figure out a way to get out of the rush. Your security quarterbacks need to be able to see into every corner of your infrastructure, every endpoint, every asset… all giving some sort of tell-tale sign that the blitz is coming.

Don't Forget the Defensive Line
Flipping it the other way, and thinking of the offense as the attacker, we can't forget the incredible value and critical role the defensive line plays in both the NFL and inside your security team. In football, those on the defensive line have one singular goal: to prevent the attacking side from scoring points.

Just as in football, your defensive line of analysts and security operations center (SOC) staffers are the first line to protect your network from being scored against. The defense in football must be ready at all times for deceptive tactics such as naked bootlegs, lateral passes, and other trick plays. For your SOC staff, they too must always be ready for trick plays: ransomware attacks that are designed to be a diversion against another attack that is designed to steal your valuable data; hundreds of false-positive alerts that draw skilled resources away from looking for that breach needle in the haystack; overloading one part of your security infrastructure in the hopes of overwhelming your defense staff so that something will get through undetected.

A recent Ponemon survey showed that the average organization spends 425 hours chasing down false positives. That same survey showed that same enterprise is spending almost $1.4 million annually dealing with those false positives. That's a lot of defense time and money that could be better spent training, studying new plays, and practicing techniques.

What About the Fans?
Fans can make or break a team. A raucous home crowd in the NFL can add an unquantifiable positive to the home team. Remember Kansas City's legendary noise levels or Seattle's 12th man campaign? Much like the 12th man, an organization needs "fans" of its security efforts, including the rank-and-file employees you protect, your executive leadership team, and your shareholders, to buy in to your vision and strategy. If the organization's employees feel as if they're part of the solution, are not treated like second-class users, and believe they can come forward and report issues or incidents immediately without getting stomped on by your security staff, they'll feel like they're part of the team.

Your executive leadership team and shareholders must also buy in to your overall security vision. They're the part of the team that approves operational and capital investments in security, or pushes back on rapidly expanding and increasing security spend. If they don't see the value, it can be difficult to get what you need from them when you need it.

At the end of the day, it's important to remember that no team, NFL or security, wins with a single star. You could have the world's greatest quarterback/manager, or an All Star defensive line/analyst, or a wizard of a coach/CISO. But they can't do it alone. No team wins on Sunday on the back of one single position. And just as in the NFL, it takes a well-oiled security machine to win games in the security gridiron. You need to see the whole field, read plays, work together, and stop the attacking side before they find their way into the end zone.

Related Content:
10 Mistakes End Users Make That Drive Security Managers Crazy
Why Common Sense Is Not so Common in Security: 20 Answers
How Law Firms Can Make Information Security a Higher Priority

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.