The myth of the solo hacker and cybersecurity professional has been thoroughly debunked. So why do organizations still manage the people side of cybersecurity as if it’s a collection of individuals? Cybersecurity runs as a team sport and we have much to learn from the people who do that best.
With Super Bowl LVII coming up this Sunday, we can learn many lessons about how teams work together to succeed. It’s not always the team with the fastest and strongest individual athletes that wins the championship: it’s the team where every member works together and moves in the same direction. The dynamics at play in a winning football team are not too dissimilar from the dynamics required for effective cybersecurity across cyber teams and the rest of the workforce.
Winning teams repeatedly practice various scenarios called “situational football.” They measure performance and track results over time to identify and fill performance gaps. Everyone plays a crucial role, from the players on the field to the coaches and management, and they use the performance data they generate to continually improve for the next game day. The same is true for cyber leaders seeking to build organization-wide cyber resilience to new and emerging threats.
Here are four ways cybersecurity leaders can model their organization’s cyber strategy after some of this season’s most successful football teams:
- Continuously exercise: Professional football teams prepare year-round. The regular practices, scrimmages, exercises, off-season training, and team building ultimately prepare them for the big game. The end result of this consistency: increased poise, efficiency, skill sets, and ultimately, success during high-pressure scenarios. The same goes for organizational preparedness for cyberattacks – it’s not enough to upskill the organization quarterly or even monthly. Exercising and benchmarking should happen year-round. Mitigating a cyberattack can be stressful, so the goal is that when it’s “game time” and an organization faces a cyberattack, the workforce is well-equipped with the necessary defensive knowledge and skills.
- Don’t just train the starting lineup: The past few weeks have taught us that a football team’s first-string players aren’t always going to jump on the field when needed because of injuries or other unforeseen circumstances. Football teams have a wide range of players with various capabilities and supporting staff who are ready for action at the drop of a hat. Because the entire team has been training year-round, any player is ready to activate at any moment. Just like football, think of cybersecurity as a team sport with shared responsibility for success across the entire team – on and off the field. Cyber leaders must ensure that the full workforce is capable of navigating a cyber threat, not just the security team members. The capabilities of every individual are vital for success.
- A one-size-fits-all approach doesn’t work: Professional football teams have specialized positions and coaches that accentuate their capabilities individually and collectively. From the defensive line to special teams, each player gets trained and mentored specifically to their abilities and goals. Organizations need to take the same approach to build cyber champions. Cyber leaders must treat each internal team and employee as individual tools for strengthening the overarching cybersecurity posture. It’s mission-critical to identify where the skills gaps lie and how best to fill them. And security teams can’t get too comfortable. Leaders must always think about tomorrow. With the cybercrime industry more than tripling in value over the 10 years to 2025, we can expect more complex and costly threats in the future.
- Vision and culture come from the top: General managers, head coaches and owners at professional football teams are aligned to ensure the entire team’s vision has been made crystal clear to foster a winning culture – it isn’t just coming from the team captain. That way, the entire organization from the owner to the organizational staff is aligned to take the team to the Super Bowl. Organizational leaders, including CEOs and board members, must also commit to making cybersecurity a core part of the culture of their business. Starting at the very top, leaders must empower their CISOs to invest in programs that identify the workforce’s skill gaps and in strategic remediation tools. Aside from security staff, all department heads and employees must share the common goal to protect the organization from cyber threats.
Football reminds us of the important elements that drive effective people-centric cybersecurity. With an increased threat landscape, organizations must stay proactive: they must continuously upskill teams and individuals across the entire organization.
James Hadley, founder and CEO, Immersive Labs