Nothing Supports Winning Like Continuity: What Security Can Learn from the NFL

Building Security Teams

Building a Winning Security Program is a Process and It Takes Time to Implement All The Pieces.

We’ve kicked off the 2014 NFL season. In the United States, opening day nearly qualifies for national holiday status as the country’s most popular game grabs hold of more than half the population for the next several months. As a New Englander, I’m one of the lucky ones who has experienced the type of winning streaks most other cities can only dream of. Sure, we didn’t beat the Dolphins on Sunday, but I’m not worried. We’ve reached double-digit victories in each of the past dozen years.

How is the team able to succeed so consistently while others grapple with up-and-down years? The most obvious answer is talent. Every team and every organization, whether in professional sports or the business world, needs exceptional talent in order to beat the competition. But in the NFL, you need even more than that. Every team has good players. In fact, the league is designed to ensure that the teams with the worst records get the top picks in the annual draft. I would argue that in professional football, consistency is the critical differentiator.

According to a report on, the average time in the job for the current 32 head coaches in the NFL is slightly less than four years. Remove the mainstays such as Bill Belichick and Mike Tomlin and that number drops even lower. The point is that it’s hard to build continuity under inconsistent leadership. I’m sure by this point you are wondering what the heck this has to do with security. According to the Ponemon Institute, the average employment duration for a chief information security officer (CISO) is 2.1 years. It’s also really hard to beat the hackers when the person responsible for keeping them at bay has less job security than an NFL coach with a losing record.

Building a winning security program is a process, and it takes time to implement all the pieces. There are no magic bullets that can be installed to eliminate all of your problems at once. Hackers are becoming more sophisticated and better funded, and in order to compete you need to build a team with the talent to get the job done. Imagine how difficult it would be for the players if the system changed every couple of years. New priorities, new terminology and a new boss are not a quick fix. The same is true when it comes to enterprise security. Every time there is a new CISO, there may be a step back, a re-evaluation of systems and protocols, and the likelihood of additional turnover. This gap also creates opportunities for hackers to make headway in their efforts to gain access to your critical data.

We need to remember that in security, incidents happen. It’s often how we respond to them that separates the true professionals from the rest. We must resist the urge to scapegoat the CISO whenever something goes wrong. This has become our version of firing the coach after a .500 season even though half the starters were out with injuries. By staying the course we build a stronger security team that is familiar with the layout of the organization, has the experience to make the tough calls and has the ability to identify the critical assets of the enterprise. Upheavals in a security organization create confusion, and the likelihood of a critical error increases exponentially. An experienced team with a familiar game plan is able to diagnose issues and execute solutions more quickly than a team or coach just learning the system.

The CISO is an important part of the organization and the most critical asset in your fight to safeguard the enterprise’s critical data. This role should be valued and utilized more, not less, in order to meet the increasing demands of security programs. Keeping the leader of the security team in place increases both the confidence and the competence of the security team when things are running normally and allows them to react more quickly when things go wrong.

And while I can’t guarantee that the Patriots will be the last team standing this season, I will assure you that they aren’t going 2-14 either. Continuity is a winning formula.
