We are huge football fans at Ostendio! Even though we spend our days helping customers with their cybersecurity challenges, many of us also moonlight as fantasy football professionals, or at least we think we do. With the Super Bowl this coming weekend, we started talking about how football and security planning have more in common than you might think. Of course, both require teamwork, planning, and often a little outside help, but the similarities don’t stop there.
During the Super Bowl, two teams will showcase their incredible dedication to hard work during a grueling regular season and playoff run. Compare that to a CISO carefully managing another year without a security breach and getting through a SOC 2 report and HITRUST certification. The key to being successful in both football and security is having the ability to build and operate your gameplan (be it football or security program) and if you’re really good, you’ll be asked to showcase it on the biggest stage. Let’s look at how that’s done.
STEP 1 - Invest in and build a football team or a security program
Both the Kansas City Chiefs and the San Francisco 49ers have come a long way on their road to the Super Bowl this season. Their success has come from investment in their team in the same way that a CISO needs to invest in the right people and tools to run a successful security strategy.
For the Chiefs, Andy Reid is equivalent to a CISO who had an impressive career at an established company and got fired after a big security breach. He took the opportunity to go to a slumping company to try and build their security program. The Chiefs, after a 2-14 season, gave Reid the flexibility to build and operate his gameplan.
On the other hand, you have Kyle Shanahan, the head coach of the San Francisco 49ers. He’s sort of like the young kid in your IT department that knows it all. Many teams didn’t want to give him a shot due to his “lack of experience.” Shanahan bounced around various teams as a coordinator and was extremely successful in building a new offensive program at each. In cybersecurity terms, he’s similar to a VP of IT who is able to revamp a security program to make it more streamlined and efficient. He also took over a team that had previously gone 2-14 and had to build a new program.
STEP 2 - Operate your vision for your team or security program
When Andy Reid took over that 2-14 Chiefs team, he was able to implement his vision and turn the team around immediately with the current players. That is very similar to a CISO who starts a new job but is locked into the same tools the previous CISO bought. Over the past 7 years, he has moved on from players and coordinators to finally find the right mix to take him to the Super Bowl, just as a CISO would want to hire the right people and get the right tools to operationalize a security program, but hopefully without taking 7 years!
From a security perspective, knowing what you want to build but not having the tools or resources to do it is what Kyle Shanahan was facing as the new head coach of the 49ers. He had to find the right players to operationalize his offensive vision and the right coordinators to lead them. That is just like a new CISO at a promising start-up, waiting for the funding from a Series B to close so they can get the right tools in place and hire the right people.
STEP 3 - Showcase your vision by winning football games, business, and security certifications!
It has taken Andy Reid 7 years of hard work building and operating his new program to get to the Super Bowl. That parallels a CISO who, after years of trying, finally finds an easy way to get through their security audits and vendor audits, manage security internally, and even win that deal with Apple or Google by showing evidence of their security and compliance program.
Kyle Shanahan’s first two seasons in San Francisco were rough, to say the least. He knew what he wanted to build, but didn’t have the players to operationalize his vision. It took some strategic player acquisitions to fully realize the benefit of what he wanted to build. That is congruous with the CISO at a start-up company that just didn’t have the budget to operationalize their security program. But now, that CISO is able to easily get through their security audits and vendor audits, and manage security internally.
The Winner - my prediction for the big game!
The real winner is the CISO who builds a comprehensive security program and places importance on adherence to security standards like SOC 2, HITRUST, and HIPAA: a leader who understands the benefits of a great security strategy and how it can bring a competitive advantage to their company. There’s a lot we can learn from football and from the perseverance and preparation of the coaches and teams as they get ready for the Super Bowl. If you are looking to simply begin building your security program, looking to prepare for an audit, or want to be able to map your evidence to over 100 standards and regulations, then check out our Integrated Risk Management Platform. We are happy to give you a demo and talk shop about football!
And finally, my prediction for the Super Bowl winner: my heart says Chiefs but my head says 49ers. LET’S GO CHIEFS!
Super Bowl LIV (Super Bowl 54) will be played on Sunday, Feb. 2, 2020. Kickoff is set for 6:30 p.m. ET.