Cybersecurity and football have many things in common, and football can teach us a lot about how to approach cybersecurity.
Football is a very adversarial sport. One side is trying to score, and the other side is trying to prevent that from happening. Cybersecurity is the same; hackers are always on the offensive, trying to get into your technology system and “score” data, access, or information, while information security teams are always playing defense to keep that from happening.
Football can teach several lessons about cybersecurity that we are calling “The Five Ps.”
Football is a sport that is based on planning. Instead of it being a free-flowing, fluid game like soccer or basketball, it is a series of orchestrated plays that are chosen based on game circumstances.
As anyone who has ever tried to pick which team will win on any given weekend can attest, the best team doesn’t always win. Experts believe that most of a team’s success is a result of the planning and strategizing that goes into every game, because when the game is being played, the winning team is usually the one that better executes its game plan.
For example, Team A knows that Team B has a young and inexperienced defensive secondary, so Team A’s game plan includes lots of long, downfield plays to exploit the defense’s weakness. In cybersecurity, Company A is continually updating its cybersecurity plan based on the tactic’s cybercriminals are using to gain access to companies, because unlike football, you never know which opponent you will be facing on any given day.
“Practice makes perfect.” Sure, it’s an unimaginative phrase, but it’s also time-tested and true.
Practicing plays over and over creates a pattern in the brain and the body where the actions and motions become instinctual. This “muscle memory” means that the play can be repeated over and over with the same results.
Practice is also crucial to good cybersecurity. Breaches and security incursions should be practiced with regularity and moderated by someone that understands security and can “grade” the participants after the exercise to improve their readiness skills. Regular practice with staged security issues also keeps security and IT team members sharp because they never know which type of incident will be practiced.
Practice is all about doing better today than yesterday, because much like football players, cybersecurity always need to improve because the cybercriminal competition is always improving.
It is also important to remember that practicing cybersecurity does not take-away from everyday work, it is a crucial part of the job, it is as important as new technology installations and integrations. Practicing security threats and simulating cyber-attacks should be part of every IT team’s responsibility.
Precision means putting focus on the right things. Practice is important, but it’s just as important to practice effectively. Reinforcing bad habits or practicing the wrong things doesn’t accomplish anything except waste time and effort. A football team that practices running plays all week long and then decides on a pass-first game plan will have wasted their entire week of practice and will most certainly be ineffective on game day.
For a cybersecurity team, practicing the wrong things wastes time and increases costs. Two critical aspects of cyber training are to:
- Align the right training for the right roles – in football, kickers spend their time practicing field goals and kickoffs and don’t participate in blocking drills. Your security team’s training should work the same; your Help Desk Analyst isn’t going to be your Cyber Forensics expert on game day. Both play a vital role in getting your organization back up and running and both should be prepared for their own individual role that day. One will help the company get back up and running, while the other determines the cause.
- Manage training effectively – this means that some team members might use self-guided online training modules, some might attend a seminar, and others might take classes to attain certifications.
Coaches coach and players play. In football, it’s important for coaches to understand their players and where they fit on the team based on the unique skills they possess.
A player that was a tight end in college might be better suited to be a wide receiver role in the NFL, based on his size and speed. A lineman might not play is his rookie year until he adds weight and muscle and learns the position from a more experienced teammate.
In cybersecurity, leaders must assess and evaluate their teams, understand the skill and knowledge they have (and which they lack), and provide training appropriate for the role that will improve proficiency to the skill level required for the role. It’s also important for team members to understand where they fit on the team by understanding their roles and how they contribute to the security of the organization.
It’s important to note that players aren’t always people. Cybersecurity relies on people, process, and technology, and all three must work together. It’s crucial that your processes and technology also be appropriate for your security needs and that their fit into your team and your security game plan.
Athletes and coaches understand that cross-training improves overall fitness and prevents injuries, while at the same time expanding their abilities. A lineman that only lifts weights might improve upper body strength but might have little stamina. A coach can vary the player’s training to provide more balanced conditioning, so adding running to the lineman’s workout routine can add stamina and improve overall cardiovascular performance.
Cross-training in cybersecurity makes team members perform better. Security team members that have a broader understanding of the organization’s security playbook increase the teams’ agility and ability to respond to a security incident. In some cases, it allows team members to step in and perform in other roles, adding flexibility to the team.
Focusing on continuous assessment and training can create a cybersecurity team that is trained in modern security methodologies and tools. Plus, the business can draft new talent with skills missing from the team or to augment existing strengths.
Cybersecurity preparation is a vital function for every organization. Proper Planning, effective Practices that focus on Precision, training your Players, and continually improving your Performance can help your players and organization be ready for game day.
Fortress Security Risk Management is a global data protection company that helps organizations dramatically minimize their risk of disruption from unforeseen events like cyber-attacks and data breaches by providing industry-best cybersecurity services. Our goal is to help every client secure their future with the highest degree of security and the least amount of risk.