"Offense sells tickets; Defense wins championships"~ Coach Paul "Bear" Bryant Jr.
Not unlike most people this time of year, I try to make a point of taking in at least one football game on the weekend. And if you live in Boston like I do, that means watching the New England Patriots. If you will indulge my regional bias for one moment, I’d like to take the opportunity to explain how their last- minute victory over the New Orleans Saints this past weekend did more than add another game to the win column, but how it served as a blueprint for the way organizations should approach security.
Now they say football is often used as a metaphor for war based on the military terminology and strategy. You regularly hear players refer to their time on the turf as “doing battle” or “going to war” and if you’ve ever caught George Carlin’s famous riff on football, it’s easy to see why: “In football the object is for the quarterback, also known as the field general, to be on target with his aerial assault, riddling the defense by hitting his receivers with deadly accuracy in spite of the blitz, even if he has to use shotgun. With short bullet passes and long bombs, he marches his troops into enemy territory, balancing this aerial assault with a sustained ground attack that punches holes in the forward wall of the enemy's defensive line.”
I also see it as a model for network security and, more specifically, predictive security. While most people have been caught up in the last minute and ten seconds of that game when Brady marched the team down to score the go-ahead touchdown with only five seconds left, the reality is, this game was in part decided earlier in the week. That’s when the coaching staff decided to isolate and eliminate New Orleans’ biggest threat, tight end Jimmy Graham. By applying the principles of predictive defense or security, the team identified the biggest threat to the success of their organization and dedicated the resources necessary to neutralize it. The results were that one of the most dangerous offensive players in the entire league was completely shut out for the first time since his rookie season.
Looking through that same lens, apply these predictive security principles to your organization. Are you able to identify the data that is absolutely critical to the success or failure of your business? If not, that is your first assignment. Once you have accomplished this, you need to look at your security structure and determine whether you are applying the proper resources to protect the assets that determine your company’s ability to stay in business.
As an industry, we are often guilty of trying to do too much and lose sight of the big picture - winning the game. As any coach will tell you, there is no such thing as an easy win in the NFL. And as any CISO or security director will tell you, there is never an easy fix in security. It takes constant vigilance, assessment, and focus to ensure that your organizations most important assets are locked down. It also takes the realization that no matter how many dollars or resources you throw at security, you can’t solve every problem so prioritization becomes the key.
Back to our football example for a moment, during this game the Patriots allocated their best defensive back to “locking down” Graham and ensuring that while they may take a few hits and dings along the way, they weren’t going to be beaten by the biggest threat. Now think about your own organization, do you approach network security this way? Do you say to yourself that while we make take a hit here or there on occasion, we aren’t going to lose to the company’s biggest threat which is the inability to protect our most critical data? As the Patriots proved on the field on Sunday, it’s all about neutralizing the biggest threat first, no matter what that takes from an asset allocation stand point, and you can then prioritize the rest from there.
Just like football, security is a tough game and not for the faint of heart. There are threats lurking around every corner and it’s when you think you are in the clear that a blindside hit is most likely to happen. It’s important in security to have adequate defense at all levels of your infrastructure to protect against all different types of threats while concentrating the majority of your resources on shoring up and guarding the most important asset.
If you apply the principles of predictive security to your organization, you will find that the big victories will be in reach and the ultimate goal is achievable. It’s not easy, but as coach Belichick would say, “do your job,” and everything will work out.