Photo Credit: Simon Ashmore via Compfight cc
Whilst I appreciate that we are not all lovers of what is often described as the ‘beautiful game’, most of us understand the principles of football or any other team sport for that matter. Whilst watching a recent match in what is turning out to be a disappointing season for my team, it dawned on me that there are many parallels in what constitutes a successful football team and effective cyber security.
In essence, football combines numerous variables including players, money, match officials and even technology, all of which contribute to the outcome of a match. That said, you don’t have control over all these aspects of the game, which is why it is increasingly a matter of trying to defeat the opposition both on and off the pitch. The principles are, however, very simple: if you keep the opposition at bay for 90 minutes, you will come away with something. If you drop your guard at any point during a game, you will be exposed to the risk of conceding a goal. Even if you only score one goal and let in none, you win.
Whilst my team is pretty good at scoring goals, it has not been very good at keeping them out. The emphasis has been on attack rather than defence; indeed, in a recent game (and this is probably where I blow my cover), we cruised into a 3-0 lead only then to concede 3 late goals as a result of our desire to keep attacking.
It didn’t take a legion of pundits and journalists to identify where things were going awry. No, everyone could see this was simply a case of the team not working as a ‘unit’ when it came to defending. And so it is with cyber security: whilst businesses will have those who are specialists in keeping the bad guys at bay, all their efforts can be undermined by carelessness elsewhere in the business. The quest to ‘win’ more business can often obscure the need to maintain your guard when it comes to protecting your digital assets.
The thing about football is that it is perpetual, in so much as one game is closely followed by another, seasons come and go, the players, teams and managers in any given competition change, but the objectives and the associated risks and rewards remain the same.
The subtle difference with cyber security is that we are dealing with a paradigm shift from the physical to the digital. The ‘opposition’ have always existed and always will, but they are now playing on a ‘digital pitch’. The rules of the game will fundamentally remain the same, but the tactics that fraudsters employ will evolve depending on the tools, techniques and security awareness we employ, always looking to attack and avoid detection.
As businesses and individuals, we too will need to get smarter in defence, as we are constantly under attack. We also need to realise we are increasingly likely to suffer a bad result, as most businesses are now knowingly or unknowingly being breached. That said, no-one can afford a run of bad results. In football it is the manager who carries the can, a precarious position at the best of times. Whilst it is tempting to blame the players, in a results-based business the fans call the shots and it’s management who shoulder responsibility. And so it is with cyber security: a high-profile breach making front-page news may be the result of a careless employee or a lax third-party contractor, but from a shareholder perspective the PR hit and associated financial fall-out is now increasingly being laid at the door of senior management.
I am sure there are numerous other parallels to explore; however, one stark difference is that cyber security doesn’t work in seasons. There is no time to sit back, regroup and start afresh in August!