Security Strategy · September 13, 2023 · 12 min read

The '53-Man' Roster for Security (Part 1 of 3)

Those who know me know this is my favorite time of the year - American football season has begun. Without question I'm a football enthusiast, most people (including my wife) would describe me as a fanatic. I love the sport, and I have since I was 6. I love its complexity, its variety, and its ability to be different and entertaining from week to week without fail.

This first week was no exception: last season's Super Bowl champs lost to a Detroit Lions team that looks like it's ready to run the table, the Giants got blown out (like REALLY blown out), the Browns seem to have found their "dog pound" roots, my Eagles squeaked out a win, New England looks like they might actually have a solid defense this year, and the Bills might not be who we thought they were after all. 2023 will be epic!

The sport has taught me lessons that I've applied to my leadership journey. Unlike every other sport on the planet, American Football requires a really large group of people to be on the same page and work with purpose to win a single game. And there are now 17 games in a season, not including the playoffs. Everyone works together in a concerted effort to win for themselves, their organization, and the city they represent.

Running a security organization is no different from coaching a football team, in my experience. You essentially have 3 organizations within your organization, each with a different purpose, but each needing to own their individual strategies and an ability to link them to the larger organizational strategy for consistent success.

So, let's talk about what a good security organization's roster would look like. And before we start - no, I'm not suggesting security organizations need 53 people to be successful; quite the opposite, actually. There are roles that you need to have in place, and you staff them according to the size and scale of your organization's risk profile and appetite.

I'd break these roles down into 3 sub-organizations: special teams, offense, and defense. This week we'll focus on special teams.

Special Teams

I'm starting with special teams for a reason - in football they start the game. Special teams help determine how both the offense and the defense will start. Done right, special teams can set either the offense or the defense up for success in achieving the long-range goal.

For a security organization, Special Teams would involve technology risk management and security program management resources. One individual could theoretically handle both roles in a smaller organization, but these roles would be too cumbersome in a larger organization for a single person to handle.

Technology Risk Management

Technology Risk Management resources are aligned with the business units to ensure cyber risk is articulated, quantified, measured, and appropriately analyzed. In some organizations these resources might exist within a separate enterprise risk management department. If this is the case in your organization, your alignment with a CRO or other independent risk leader is critical.

Tech Risk Management, as an organizational discipline, should be focused on both internal and third-party assessments of risk, maturity, readiness, and mitigation. This discipline also covers tabletop exercises, risk register management, and access reviews for the organization.

In football terms, Tech Risk Management is the kickoff team: their job is to place the organization in the best position possible to reduce risk and make it more difficult for identified risks to succeed.

Security Program Management

Security Program Management is essential to a security organization. Program managers help to focus and align the security organization's policies and practices with the operating processes of the business relative to both assessed risks and operational realities.

The program management function handles policy development, alignment of the program to a particular standard or regulatory framework, development of playbooks/process/procedures, and project management for security-aligned implementations and projects within the organization.

The Security Program Management function is similar to the kicker: their job is to execute the plan, and in doing so, prevent the adversary from succeeding without the rest of the team having to work twice as hard to do so.

Is Outsourcing Realistic?

For smaller organizations, outsourcing is realistic, but likely more costly than having an internal resource. The reason? Risk management resources have to be very closely aligned with the business. That alignment requires deep relationships that can be tough to build through interviews alone.

The other teams we'll discuss, offense and defense, can be outsourced if necessary, but special teams represent an internal investment all security leaders should make for their organizations.

See you next week!

Written by Endré Jarraux Walls

Executive. Innovator. Strategist. Speaker. Technologist.