As a security professional, I regularly get asked questions that may seem simplistic, but can be difficult to answer in a brief, kind, informative way.
Questions like: Why are there so many big data breaches lately?
Sometimes the questions come with a cynical twist, like: With millions of dollars in resources, why can’t companies or governments just stop those hackers? What’s the “real” problem?
These cyberqueries can pop up anywhere, from panel sessions at conferences to extended family gatherings during the holidays — and even at church potluck events.
Usually, the part-question, part-comment, part editorial (outlining what they’ve heard) is directed in such a way that the asker wants a quick elevator-pitch kind of answer. (Note: Oftentimes, facial expressions implore you not to offer long speeches on the complexities of Russian foreign hackers nor personal appeals for them to buy identity theft protection.)
Frequently, I use (American) football analogies to help explain what’s happening in our cyberworld and encourage an engaging, two-way conversation that’s not overly technical.
One reason to compare cybersecurity to football (college or NFL) is that sometimes we are watching or talking about football when the question is asked. Whether on Thanksgiving watching the Detroit Lions or on New Year’s Day watching a college bowl game or during a Super Bowl Sunday party in February, security and technology pros get these questions as part of the normal small talk about work.
So what can be said? How would you answer? Here’s why I think football analogies can help us understand cybersecurity.
What Football Can Teach Us About Cybersecurity, Data Breaches and Hacking
At a basic level, the football-cybersecurity analogy is fairly straightforward. There is an offense and a defense in football, and cyberpros in companies and governments (usually) play defense to stop the hackers who are on offense trying to access protected data. (Side note: There are certainly people who encourage hacking back — where the "good guys" go on the offensive, and you can read more about that legal trend here.)
Just as offensive coaches in football scout the other team, watch film, look for defensive weaknesses, diagram options, practice plays and more to be successful and score touchdowns, so hackers gather data on companies and governments, look for holes, and find weak links and vulnerabilities in the people, processes and technologies deployed. If the defense takes away one thing in football (like stacking the line against the run), the offense will adjust and try something else (like passing).
In the same way, hackers constantly adjust their methods and techniques to get around cyberdefenses. There are even attack/defend cybercompetitions all over the country with young (and old) people learning different roles in red teams and blue teams. The main point is that both hacking strategies and online defenses are moving targets, not one-and-done challenges.
But this initial analysis is just the beginning of the similarities. Here are some other helpful football analogies:
Just as coaches and teams prepare for upcoming games, chief information security officers (CISOs) and other security leaders prepare for online confrontations. — I like this quote from Kevin Davis in Nextgov: “Coach Coughlin was a demanding coach, but he was also fair. What he asked from each player was simple — that you worked hard to be as prepared as possible and that you strived to continuously improve. Thinking about this now, these are the same standards we should be applying to government when it comes to cybersecurity. In some ways, the “Monday morning quarterback” responses we often see in football are similar to the reactions we see in the wake of security breaches, with lots of questions surrounding what went wrong and how to improve before the next game (i.e., next attack).
However, when it comes to cybersecurity preparation, there is one question asked continually across government and the private sector — what is the right “playbook” for cybersecurity?”
Recruiting football players is similar to acquiring (and keeping) cybertalent on your team — from free agency in the NFL to college coaches recruiting 3-, 4- and 5-star high school football players, the challenges of attracting and retaining the best and brightest to your team are similar between football and tech talent. Equally intriguing in this analogy is the need to develop the players (or staff) on your team. Some college football coaches, like Mark Dantonio of Michigan State University, are known for “over-achieving” by taking 2-, 3- and 4-star recruits and building teams that can beat teams that attract 4- and 5-star recruits. Nevertheless, it is hard to maintain the needed level of excellence if a program (or company or government) cannot compete with the offers being made to others — especially in the NFL.
Huge upsets in football can be compared to major data breaches at well-known companies such as Yahoo and Equifax. I am writing this blog right after the Pitt Panthers upset the No. 2 Miami Hurricanes. Other major upsets this year include the Iowa Hawkeyes upsetting the Ohio State Buckeyes. The age-old adage “pride comes before a fall” applies to sports and cybersecurity — as I explain in more detail in this blog on how overconfidence can lead to data breaches.
Never-ending rivalries. When we think about hacking, it doesn’t take long for nation-state hackers to be brought up, with Russia, China and even North Korea entering into the conversation. This new “cyber cold war” between adversaries that sit around the table at United Nations (UN) meetings in New York while hacking each other behind the scenes reminds me of the Ohio State versus Michigan, Alabama versus Auburn, and USC versus UCLA football games that carry so much animosity. Watch the end of this video with Mark Dantonio describing the feelings between Michigan State and Michigan, which articulates the view that: “It’s not over; it will never be over here. It’s just starting. ...”
Trick plays, unexpected twists and unexpected results for both hackers and football teams. To pull off upsets in football, the underdogs often try to be unpredictable. Hackers also win by doing things in unconventional ways. The best and worst hackers often surprise top companies and governments with unexpected cyberattacks carried out in unique ways. The global Internet is a great leveling field that allows countries and groups from anywhere in the world to attack in new ways that were impossible a few decades ago.
Perseverance and determination are needed to succeed for both cyberdefenders and football teams. Anyone who plays or has played football for any length of time knows that injuries and other setbacks can be disheartening. It takes ongoing vigilance to be successful, and in cyberspace the online attacks never stop. Even if you have been successful for a long time, what worked last year may not work this year. The strategic and tactical battle is constantly evolving.
More Cybersecurity / Football Comparisons
There are many other articles and blogs on this cyber/football analogy topic. Here are a few that I have written in the past, as well as the thoughts from others:
Government Technology (GT) magazine - Blind Spots: How Cyberdefense Is Like Stopping Tim Tebow
SecurityInfoWatch.com — How Football Helps Explain Infrastructure Cybersecurity
GT magazine — Seven Career Lessons from Kirk Cousins
ThoughtCo.com — Five Life Lessons Learned from Football
GT magazine — Perspectives after the Nebraska Cybersecurity Conference
RSA Conference Website - What the Super Bowl Teaches About Cyber Security
What About Those Who Don’t Like Sports Analogies?
Some readers don’t like sports analogies at all — and don’t find them helpful. Why? Because they don’t particularly like certain sports, or they may feel that these analogies are severely flawed.
For example, I have described the need to build “your own farm team” as in baseball to develop cybertalent within your own organization. Some don’t like the concept of levels of baseball referring to different cybertalents, since everyone should be on the same team and work together. The sentiment is that, “there are no minor leagues in cybersecurity.”
I realize that this choice of cyberanalogies can be helpful but can also lead to erroneous conclusions and strategies. For example, Americans may have been playing baseball or softball while the Russians have been playing soccer or another sport for generations. For those who don’t like sports analogies, you can see some Game of Thrones cyber analogies here. I have also discussed Star Wars analogies on cyber ethics, and how the Mr. Robot TV show can help explain hacktivism and other related cybertopics.
One reader told me that the entire concept of free agents and the top cyberexperts moving around (as in sports) is horrible, and I should not encourage such talk. “I want everyone to know that their role is important and that we all need everyone to work together — not create tiers of pros or privilege.”
To be transparent, I am just glad that readers are willing to send me LinkedIn comments and emails to let me know their views at all. There is certainly no doubt that football and other sports analogies can only be taken so far.
So, back to the beginning and why I still believe that football analogies can help explain data breaches, cyberdefense and related hacker topics.
Put simply: It usually works for me. I know and love football, and so do many other people I talk with about security and technology. For better or worse, more people understand football or other sports than understand the intricacies of cybersecurity, data breaches or hacking. Football helps explain cyberconcepts in easily understood, fun, informative ways — without using political or religious connotations, which can sometimes lead to other concerns.
On a personal level, football has taught me about leadership, discipline, teamwork and the essential role of every player on the field. One weak offensive lineman or an exceptional pass rusher on defense can radically change the result of an entire game. The same is true for cybersecurity teams and hackers.
The University of Pittsburgh Panthers Head Football Coach Pat Narduzzi recently said, “We’re not just coaching football, we’re changing lives with these young men.”
That same passion and sense of mission comes out in many security teams with “white hat hackers” who defend systems, data, infrastructure, companies and even nations from cyberattacks.
And perhaps that is the greatest similarity of all.