Nothing Supports Winning Like Continuity: What Security Can Learn from the NFL

Building Security Teams

Building a Winning Security Program is a Process and It Takes Time to Implement All The Pieces.

We’ve kicked off the 2014 NFL season. In the United States, opening day nearly qualifies for national holiday status as the country’s most popular game grabs hold of more than half the population for the next several months. As a New Englander, I’m one of the lucky ones who has experienced the type of winning streaks most other cities can only dream of. Sure, we didn’t beat the Dolphins on Sunday, but I’m not worried. We’ve reached double-digit victories in each of the past dozen years.

How are they able to consistently succeed while others grapple with up-and-down years? The most obvious answer is talent. Every team and every organization, whether in professional sports or the business world, needs exceptional talent in order to beat the competition. But in the NFL, you need even more than that. Every team has good players. In fact, the league is designed to ensure that the teams with the worst records get the top picks in the annual draft. I would argue that in professional football, consistency is the critical differentiator.

According to a report on, the average time in job for the current 32 head coaches in the NFL is slightly less than four years. Remove the mainstays such as Bill Belichick and Mike Tomlin and that number drops even lower. The point being, it’s hard to build continuity under inconsistent leadership. I’m sure by this point you are wondering what the heck this has to do with security. According to the Ponemon Institute, the average employment duration for a chief information security officer (CISO) is 2.1 years. It’s also really hard to beat the hackers when the person responsible for keeping them at bay has less job security than an NFL coach with a losing record.

Building a winning security program is a process, and it takes time to implement all the pieces. There are no magic bullets that can be installed to eliminate all of your problems at once. Hackers are becoming more sophisticated and better funded, and in order to compete you need to build a team with the talent to get the job done. Imagine how difficult it would be on the players if the system were changing every couple of years. New priorities, new terminology and a new boss are not a quick fix. The same is true when it comes to enterprise security. Every time there is a new CISO, there may be a step back, an evaluation of systems and protocols, and the likelihood of additional turnover. This gap also creates opportunities for hackers to make headway in their efforts to gain access to your critical data.

We need to remember that in security, incidents happen. It’s often how we respond to them that separates the true professionals from the rest. We must resist the urge to scapegoat the CISO whenever something goes wrong. This has become our version of firing the coach after a .500 season even though half the starters were out with injuries. By staying the course we build stronger security teams who are familiar with the layout of the organization, have the experience to make the tough calls and have the ability to identify the critical assets of the enterprise. Upheavals in a security organization create confusion, and the likelihood of a critical error increases exponentially. An experienced team with a familiar game plan is able to diagnose issues and execute solutions more quickly than a team or coach just learning the system.

The CISO is an important part of the organization and the most critical asset in your fight to safeguard the enterprise’s critical data. This role should be valued and utilized more, not less, in order to meet the increasing demands of security programs. Keeping the leader of the security team in place increases both the confidence and the competence of the security team when things are running normally, and allows them to react more quickly when things go wrong.

And while I can’t guarantee that the Patriots will be the last team standing this season, I will assure you that they aren’t going 2-14 either. Continuity is a winning formula.

Mark Hatton is president and CEO of CORE Security. Prior to joining CORE, Hatton was president of North American operations for Sophos. He has held senior roles with companies ranging from venture capital-backed, early-stage software vendors to a Fortune 500 information technology services and distribution organization. Hatton holds an MBA from Boston University, Massachusetts and a BA Communication from Westfield State College, Massachusetts.