Nothing Supports Winning Like Continuity: What Security Can Learn from the NFL

Building Security Teams

Building a Winning Security Program is a Process and It Takes Time to Implement All The Pieces.

We’ve kicked off the 2014 NFL season. In the United States, opening day nearly qualifies for national holiday status as the country’s most popular game grabs hold of more than half the population for the next several months. As a New Englander, I’m one of the lucky ones who has experienced the type of winning streaks most other cities can only dream of. Sure, we didn’t beat the Dolphins on Sunday, but I’m not worried. We’ve reached double digit victories for the past dozen years.

How are they able to consistently succeed while others may grapple with up and down years? The most obvious answer is talent. Every team and every organization, whether in professional sports or the business world, needs exceptional talent in order to beat the competition. But in the NFL, you need even more than that. Every team has good players. In fact, the league is designed to ensure the teams with the worst records get the top picks in the annual draft. I would argue that in professional football, consistency is the critical differentiator.

According to a report on NFL.com, the average time in job for the current 32 head coaches in the NFL is slightly less than four years. Remove the mainstays such as Bill Belichick and Mike Tomlin and that number drops even lower. The point being, it’s hard to build continuity under inconsistent leadership. I’m sure by this point you are wondering what the heck this has to do with security. According to the Ponemon Institute, the average employment duration for a chief information security officer (CISO) is 2.1 years. It’s also really hard to beat the hackers when the person responsible for keeping them at bay has less job security than an NFL coach with a losing record.

Building a winning security program is a process and it takes time to implement all the pieces. There are no magic bullets that can be installed to eliminate all of your problems at once. Hackers are becoming more sophisticated and better funded and, in order to compete, you need to build a team with the talent to get the job done. Imagine how difficult it would be on the players if the system were changing every couple of years. New priorities, new terminology and a new boss are not a quick fix. The same is true when it comes to enterprise security. Every time there is a new CISO, there may be a step back, an evaluation of systems and protocols and the likelihood of additional turnover. This gap also creates opportunities for hackers to make headway in their efforts to gain access to your critical data.

We need to remember that in security, incidents happen. It’s often how we respond to them that separates the true professionals from the rest. We must resist the urge to scapegoat the CISO whenever something goes wrong. This has become our version of firing the coach after a .500 season even though half the starters were out with injuries. By staying the course we build stronger security teams that are familiar with the layout of the organization, have the experience to make the tough calls and the ability to identify the critical assets of the enterprise. Upheavals in a security organization create confusion and the likelihood of a critical error increases exponentially. An experienced team with a familiar game plan is able to diagnose issues and execute solutions more quickly than a team or coach just learning the system.

The CISO is an important part of the organization and the most critical asset in your fight to safeguard the enterprise’s critical data. This role should be valued and utilized more, not less, in order to meet the increasing demands of security programs. Keeping the leader of the security team in place increases both the confidence and the competence of the security team when things are running normally and allows them to react more quickly when things go wrong.

And while I can’t guarantee that the Patriots will be the last team standing this season, I will assure you that they aren’t going 2 – 14 either. Continuity is a winning formula.
