One of my favorite Chief Information Officers (CIO) that I have the privilege to collaborate with is Dr. Alissa Johnson (known in the Industry as Dr J. - Twitter: @dralissajay), former Deputy CIO of the White House and now Chief Information Security Officer (CISO) at Stryker. Dr. J and I often discuss the latest technology trends in IT and cybersecurity, business leadership and most importantly, sports. Yes, Dr. J and I love to talk about sports, especially basketball. We both played and are now big fans of the game of basketball. In fact, Dr. J and I have written about business leadership lessons that we both apply based on playing basketball -- executing the basics, being team player, playing unselfishly, elevating our teammates, and playing with passion.
Dr. J and I were joined by Dr. David Bray, CIO of the FCC, on a technology panel for CIO Magazine, where we discussed the importance of servant leadership, cultivating a culture of innovation and developing high-performance organizations who can successfully adapt, serve and grow.
Given the epic battle in the 2015 NBA Finals between the Cleveland Cavaliers and the Golden State Warriors, I asked Dr. J to share her thoughts about basketball lessons as related to cybersecurity and her new CISO responsibilities. Here is what Dr. J had to say:
This is my season! I am pre-occupied with the effortless three point shots, distracted by the pace of the game, and in awe of the creativity displayed on the floor. I am talking about basketball season and the NBA Finals. Now that I have changed from a Chief Information Officer to a Chief Information Security Officer, what better time to compare basketball to information security.
1. The NBA has an Instant replay center: This is the first season where the NBA is using their finely tuned NBA Replay Center. It's state of the art with 94 HD monitors and enough bandwidth to download the entire digitized Library of Congress, but what does this really mean? It means that they are watching. They are watching the game from various points of view. I like to think of it as their Replay Operations Center with 17 replay operator stations and three replay manager stations. My eyes are glossing over as we speak!
How well is your Operations Center staffed or better yet, what is the depth and breadth experience? How is your enterprise security monitoring solution tuned and how often do you fine tune it? In a perfect world, security professionals would want to monitor everyone all of the time, but that paradigm is not realistic. Highly sensitive data may need a higher level of monitoring than a public facing website. No matter how much security monitoring you have, there needs to be clear assessment of what to monitor and how often, as well as the life-cycle of the data.
2. Flagrant fouls can be strategic: According to ESPN, The Houston Rockets' Dwight Howard is No. 1 in the league for flagrant fouls in the postseason. That stat brings me to question whether he is just a hard player or is he strategically being brazen in order to distract and draw attention to himself so other things can happen. Maybe that's what helps to consider him a play maker.
As we look into our networks and identify spam, common viruses, and crimeware we can't let it distract us from other things that we should be looking for. Spam, viruses, etc are flagrant fouls. Advanced Persistent Threats (APT) happens because we don't see it. We don't realize a nation state, for example, is in our network because we are so busy focusing on the flagrant fouls. We are distracted. Information security organizations can't afford to be distracted.
3. It's offense and defense: The top teams have a strong offense and defense. The Golden State Warriors are among the top five offensive and defensive teams this year. They have included a switch style defense, but the strength of the team also lies within their offense. They had more players put up three pointers than any other team in the NBA. Now sure, you can attempt shots and eventually something will fall, but with this team they have worked on executing on both ends of the court. Three years ago, Stephen Curry was only attempting 121 three pointers. This year he attempted 646 three pointers. That's well more than tripling his attempts. Additionally, he is successful all around that three point arc and many times a few feet further away. By the way, Stephen Curry made 286 of those three pointers this year. And then there is LeBron James, who perfectly exemplifies the complete player -- both on offense and defense -- scoring, rebounding and unselfishly involving his teammates with assists. Win or lose, you can count on LeBron to have a triple-double game.
How is your cybersecurity offense and defense? Technology organizations have to focus on both sides of the court, at the same time. The idea is that the focus is on prevention and preparedness. When you look at it that way, then the conversation changes from "if" to "when." It is no longer a conversation about if something happens. It is a conversation about when something happens and being prepared to execute based on a plan. It's the ability to play both ends of the court and play them well.
4. Everyone is learning the game: You can pick any player and he will tell you that one way that he learned was by watching other players or by watching the game. As a non-basketball player, but a lover of the game-I've learned by not just watching but listening to the commentators as well. I'm not saying they always get it right...I disagree with my TV all of the time! It really doesn't matter how you learned. What matters is that there's an educational aspect to this as well. In the same sense, organizations have to educate users and make them aware.
Just as hackers are always sharpening their toolbox, we must educate users on skills and tactics that may be used against them. Security education and awareness is a huge part of a great Cyber security practice. The audience doesn't want to just come and watch with very little information. They want to be educated on the calls, they want to hear the stats, because that helps them to enjoy the full experience. They -- in some way -- want to be educated. They want to know what's going on. I think users want to be aware of how to protect the assets and as cyber professionals it is our responsibility to teach them.
5. Muscle memory is key!: I've seen 2014-2015 MVP Stephen Curry make effortless three point shots. As I analyzed his shot, what I realized is that when he thinks about it and posts up... his percentage of misses is greater. But when he plays in the moment, turns around and shoots a three -- it's a money shot every time! It's all about muscle memory. He's taken those shots so many times it looks effortless.
Is your incident response running off of muscle memory? How many times have you ran a desktop exercise? How many of your key leadership have a Incident Response Playbook? How many people know what to do? I am not suggesting that incident response is cut and dry and follows the same playbook every time, but having press release templates, pre-drafted communications, and a predetermined process in place surely helps to know who's the point-guard and who's the small forward when game time comes.
I can go on and on relating different aspects of basketball to cyber-security, with lessons galore, but let me take you to legendary basketball great Dr. J. He was known to play very competitively against the legendary Larry Bird. I hate to do this, but let me bring to your memory to one of the greatest fights between the two. It was an all-out brawl. It's not one of professional basketball's proudest moments. It happened November 9, 1984. It wasn't a playoff game, but the two teams, Sixers and Celtics, were such rivals that it had all of the buzz that a playoff would bring. Both teams were undefeated and going head to head, but still very early in the season. It was late in the third quarter and tensions were high. Dr. J tries to hold Larry Bird with Bird retaliating with a forearm twist up. Bird is called for the foul, but the officials missed the initial hold from Dr. J, which precipitated Bird's reaction. Eventually a fight breaks out on the floor with both being ejected and fined for the exchange.
Organizations are in the middle of this same type of brawl. We are fighting our own war. Have you practiced security incident response regularly? Do you know what your weaknesses are? Have you fine-tuned your monitoring? We are in the middle of the fight of our lives and unfortunately, this fight isn't going to end. We will just become better skilled and sharper fighters. It's hackers vs organizations. It is a clash of the titans. It is Ali vs. Joe Frazier. It is Mayweather vs. Pacquiao. It is the Cowboys vs. the Redskins. It's LeBron James's Cleveland Cavaliers vs. Stephen Curry's Golden State Warriors.
It's game time baby and only the strong will survive.
This post was co-authored by Dr. Alissa Johnson (Dr. J.) - Twitter: @dralissajay.