By Mike Krupka, formerly a goalkeeper, now a project manager with a CISSP and a wealth of experience
Goalkeeper: The player whose special job it is to stop the ball from entering the goal.
CISO: The senior-level whose special job is to help the organization achieve its objectives in a secure way.
Last line of defense, first line of offense
As a goalkeeper, you stand on your own and in many ways, you are isolated from the rest of the team. You are the only player who is permitted to use his hands. You constantly analyze your own position; your defensive “shape”; and communicate to your team about the risks and weaknesses you see during the match and as the last line of defence it’s your job to stop everything and be ready for anything. Your sole purpose is to protect the goal at all costs.
As a CISO, you can relate to this in many ways. You are a part of the IT team but often seen differently within the organization. Every day you are monitoring your position, directing your assets, and using tools to provide you with data on potential attacks, ensuring your team is aware of those risks and adjust accordingly. Protecting your organization’s crown jewels from the bad guys at all costs.
‘it’s your job to stop everything and be ready for anything’
When in possession of the ball a goalkeeper becomes the team’s first line of offense. Delivering it precisely to their forwards turning defence into offence. As CISO your job is to build your defence and position to out-manoeuvre attackers and respond (go on the attack) as effectively as possible, turning your defence into a continuous ability for the business and operations to advance towards its’ goals and objectives.
They only remember your mistakes
Being a goalkeeper can be a thankless, lonely position. You can make 4 or 5 world class saves in the game and dominate in the air, but the headlines and the fans will always focus on are the goals you let in even if it was just one and it was world class. To the outside world, you are remembered for your mistakes.
Being a CISO is a lot like this. You can bring up great ideas, solve problems all while keeping the business safe, efficient, and profitable, but if you’re breached once, it can be the only thing the outside world remembers about you. But like being a goalkeeper, the reality of being a CISO is one of not if you will be breached, but more likely when.
‘if you’re breached once, it can be the only thing the outside world remembers’
Having proper alignment, support and buy-in from the C-Suite is critical to ensuring you can control that narrative when a breach does occur. Like a great goalkeeper when they concede a goal, you may feel accountable and frustrated, but it is not always your fault. As long as your team values the other contributions you’ve made and continue to make, it allows you to ignore the outside noise and stay focused on the next attack.
React and commit to critical decisions
Within the flow of the game, the positioning of a goalkeeper is critical. Being positioned properly cuts down the “angle” of the attackers, also called “making yourself big” which makes their target appear smaller while also making your goal easier to protect. This allows you to be able to sprint to a ball played behind your defence before the attacker gets there so you can clear the ball out of bounds and reset yourself and defence. As a CISO, how you position both your office, and the organization is vital to your success. And in order to respond quickly and confidently when incidents or “attacks” arise you have to have “cut down the angle” of attackers by ensuring your organization is in position via your Incident Response and business continuity plans.
Building walls isn’t easy
If an opposition freekick is awarded near your goal the keeper will line up a few players together to form a wall protecting the goal and minimizing the amount of area or space the attacker has to aim at. The closer to the goal or the centre of the field, the greater the threat a good attacker could thread the ball over or around your wall with enough pace to beat the keeper. Bottom line is that the best attackers can thread those needles. And in the heat of the moment, there is a lot of movement and synchronization required in a short amount of time.
‘the best attackers can still thread a needle through any gap that’s left open’
As a CISO, there is often so much going on within both IT and the business that getting everyone on the same page isn’t always easy. However, you can make protecting all your crown jewels look easy by ensuring you take the time to build your own “walls” around them.
You do this by identifying high risk assets, data and resources and developing the appropriate enforceable standards, policies, and controls around them. Ensuring you have well-tuned monitoring and logging; trustworthy alerting and correlation; proper firewall rules and that your endpoint protection meets today’s mobile workforce demands. Ensuring you have a process for measuring the risks you want (or are forced) to take as well as a practiced response plan for when your defence breaks down and you are briefly exposed or breached.
Like goalkeeping, motivating your IT team and the business owners to do things with security in mind is not always easy. It takes constant communication and alignment. And while you are doing that, the best attackers can still thread a needle through any gap that’s left open. So, if a nation state or well-funded cyber group is targeting your organization, there is not much you are going to do to stop them. They have unlimited time, resources, and their only goal is to steal your stuff because they don’t get paid unless they succeed, and they don’t answer to business objectives or corporate ideologies.
As a CISO, you have very real budgetary constraints, managers, and stakeholders to account to and unless you work for a bank or classified government agency, being able to compete with those elite attackers is not sustainably possible. You may thwart one or two attempts, but they will get to the crown jewels eventually. So, you focus on the threats that you know you can block or control and mitigate with your “walls”, and practice shutting down and responding to any attacks as quickly as possible, thereby protecting your organization against the most immediate threats and mounting a rapid and effective response to those that might get through.