The analogy between sports and business is one often made; interestingly, the same comparison can be made between football (soccer) and IT Security.
In many ways the Chief Information Security Officer (CISO) in a business has a similar job to that of a football manager in preparing his team for whatever his adversary will throw at him.
The analogy holds further. Football, once an amateur game, has become a serious business with a level of professionalism that players from 20 years ago would not recognise. In turn, today's CISO faces professional hackers and cybercrime gangs that did not exist 10 years ago. In both cases it is no longer a game of amateurs; it is a game of well-trained, often highly resourced professionals with a clear goal and objective in mind.
Just as for a football manager, planning is critical for a CISO. A football manager puts himself in the shoes of his opponent, identifies his own side's strengths and weaknesses, and works out where he would attack if he were playing against his own team. Similarly, a CISO needs to think like an attacker: with a clear understanding of the methodical approach attackers use to execute their mission, the CISO can identify where the network's defences need strengthening.
The game plan
Planning like this, before the match or before a cyber incident, is the essential first step in dealing with the attacker and making sure your team is ready for the oncoming threat.
During the game itself a manager constantly needs to assess threats and opportunities and revise the plan accordingly. Visibility of what is happening on the pitch is critical, because that visibility is what enables the manager to make the tactical decisions that win the game.
In the same way, a CISO needs visibility and context during a cyber crime incident in order to identify indicators of compromise once a threat has entered the network. To get that visibility, the CISO needs a two-tiered approach: tools and processes that combine file trajectory capabilities with big data analytics and visualization.
After the match (and the undoubted victory), a football manager works just as hard as during the match itself to analyse the result and assess the abilities of his players, their strengths and their weaknesses. By carrying out this sort of 'investigation', the manager can identify ongoing weak links that he may need to replace or strengthen before the next game.
A CISO similarly needs the ability to look back at a security incident to determine what went wrong and what steps are needed to mitigate the risk. Retrospective security provides this through continuous recording: in essence, it lets a CISO travel back in time and identify which devices have been exposed to malware, regardless of when the file was finally identified as malicious. This requires tracking not just every file but the full lineage of every action that happens on every protected device, mapping how files travel through the organization and what they do on each system. With the scope of an outbreak and its root cause(s) established, a CISO can switch quickly into response mode and determine and implement the necessary controls and remediation steps.
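The retrospective analysis described above, as an added illustration that is not code from the article or from Sourcefire/Cisco products: a small file-trajectory query over constructed endpoint telemetry. The record fields (`ts`, `device`, `sha256`, `action`, `parent_sha256`) and the sample events are assumptions made for this example. A file is convicted as malware only on day three; the point-in-time view finds nothing after the verdict, while the retrospective view recovers every device that was exposed before it, the files it dropped, and the device where it first entered.

```python
"""Retrospective file trajectory over constructed endpoint telemetry.

Added example: constructed sample data, not real telemetry, and field names
(ts, device, sha256, action, parent_sha256) are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed telemetry: one record per file action observed on a device.
# parent_sha256 is the hash of the file (process) that created this one,
# or None when the file arrived from outside (download, copy from a share).
EVENTS = [
    {"ts": "2013-11-04T09:02:00", "device": "ws-finance-12", "sha256": "aaa111", "action": "download", "parent_sha256": None},
    {"ts": "2013-11-04T09:03:10", "device": "ws-finance-12", "sha256": "aaa111", "action": "execute", "parent_sha256": None},
    {"ts": "2013-11-04T09:03:12", "device": "ws-finance-12", "sha256": "bbb222", "action": "create", "parent_sha256": "aaa111"},
    {"ts": "2013-11-04T09:40:00", "device": "fs-hq-01", "sha256": "aaa111", "action": "copy", "parent_sha256": None},
    {"ts": "2013-11-05T08:15:00", "device": "ws-sales-03", "sha256": "aaa111", "action": "execute", "parent_sha256": None},
    {"ts": "2013-11-05T08:15:03", "device": "ws-sales-03", "sha256": "bbb222", "action": "create", "parent_sha256": "aaa111"},
    {"ts": "2013-11-05T08:16:00", "device": "ws-sales-03", "sha256": "ccc333", "action": "create", "parent_sha256": "bbb222"},
    {"ts": "2013-11-06T10:00:00", "device": "ws-hr-07", "sha256": "ddd444", "action": "download", "parent_sha256": None},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def lineage(events, root_sha256):
    """Every hash dropped, directly or transitively, by root_sha256 (root included)."""
    children = defaultdict(set)
    for e in events:
        if e["parent_sha256"]:
            children[e["parent_sha256"]].add(e["sha256"])
    seen, stack = set(), [root_sha256]
    while stack:
        h = stack.pop()
        if h in seen:
            continue
        seen.add(h)
        stack.extend(children[h])
    return seen


def trajectory(events, hashes):
    """Chronological path of the given file family across devices."""
    return sorted((e for e in events if e["sha256"] in hashes),
                  key=lambda e: parse_ts(e["ts"]))


def point_in_time_scope(events, convicted_sha256, verdict_ts):
    """What a detect-at-verdict-time tool sees: only activity after conviction."""
    verdict = parse_ts(verdict_ts)
    return sorted({e["device"] for e in events
                   if e["sha256"] == convicted_sha256 and parse_ts(e["ts"]) >= verdict})


def retrospective_scope(events, convicted_sha256, verdict_ts):
    """Replay the recorded history for a file convicted at verdict_ts.

    Returns the full dropped-file family, each device's first exposure,
    the devices exposed before anyone knew the file was malicious, and the
    entry point (first device and action in the trajectory).
    """
    family = lineage(events, convicted_sha256)
    first_seen = {}
    for e in trajectory(events, family):
        first_seen.setdefault(e["device"], e)   # keep earliest event per device
    verdict = parse_ts(verdict_ts)
    entry = min(first_seen.values(), key=lambda e: parse_ts(e["ts"]))
    return {
        "family": family,
        "exposed": {dev: e["ts"] for dev, e in first_seen.items()},
        "exposed_before_verdict": sorted(
            dev for dev, e in first_seen.items() if parse_ts(e["ts"]) < verdict),
        "entry_device": entry["device"],
        "entry_action": entry["action"],
    }


if __name__ == "__main__":
    # aaa111 is only convicted on 6 November, two days after it arrived.
    verdict_ts = "2013-11-06T12:00:00"
    print("point-in-time:", point_in_time_scope(EVENTS, "aaa111", verdict_ts))
    for key, value in retrospective_scope(EVENTS, "aaa111", verdict_ts).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints an empty point-in-time result (no activity after the verdict) against three exposed devices, a three-hash dropped-file family, and `ws-finance-12` as the entry point via a download; that gap between the two views is the "travel back in time" capability the article refers to. The unrelated file on `ws-hr-07` is correctly left out of scope.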
So the next time you watch your favourite team playing football, think of the IT security team at the company you work for, or at the bank that holds your savings. Relegation is bad enough for a football team and its fans, but failure in IT security can hit a business's share price and reputation, which makes it even more vital that companies get it right.
By using the Before, During and After model for planning and management, both the CISO and the football manager can be confident that they have done all they can to prepare for the attack that will inevitably come.
- Amitpal Dhillon is Senior Product Manager, Asia Pacific for Sourcefire, now a part of Cisco.