Security Strategy · September 27, 2023 · 7 min read

The '53-Man' Roster for Security (Part 3 of 3)

The series concludes with offensive security strategies. Building in-house offensive capabilities enables organizations to be proactive rather than reactive.

Welcome back for the conclusion of our three-part series on building a security organization using the NFL roster as our framework. We've covered special teams (risk and program management) and defense (detection, response, and prevention). Now let's talk offense.

Offense Strategy

Building in-house offensive security capabilities—rather than purely outsourcing—enables organizations to be proactive. This reduces long-term costs and supports the broader mission of risk reduction. While defense is about responding to threats, offense is about finding vulnerabilities before attackers do.

The Passing Game (Outward-Facing)

This covers penetration testing, application security testing, and red teaming. Having internal resources dedicated to testing turns it into a continuous improvement activity rather than a point-in-time engagement. Internal application security tooling can dramatically improve platform security when it is integrated into the development cycle, so findings reach developers while the code is still being written.

Penetration testing should be ongoing, not annual. Red team exercises should simulate real-world attack scenarios. Application security testing should be embedded in your CI/CD pipeline. These aren't one-time activities—they're continuous processes that improve your security posture over time.

The Running Game (Inward-Facing)

This addresses systems hardening, standards development, network segmentation, and vulnerability mitigation. Gate-within-gate approaches, where layered controls sit inside the perimeter so that a single breached boundary does not expose everything behind it, provide better protection than perimeter-only defenses.

Your internal offensive team should be constantly testing your own defenses, trying to break your systems before external attackers do. This includes testing access controls, network segmentation, and authentication mechanisms, and feeding the results back to the hardening and standards work so that each finding becomes a durable fix rather than a one-off patch.

Conclusion

Building a comprehensive security program requires combining risk assessment (special teams), defense (detection, response, prevention), and proactive offense (testing and hardening). Each sub-organization has its own strategy, but they must all align with the larger organizational mission.

The key is articulating clear business value propositions to stakeholders. Security isn't a cost center—it's a business enabler. When you can demonstrate how your security program reduces risk, protects revenue, and enables growth, you'll find it much easier to get the resources you need.

Just like a football team, your security organization needs all three phases working together. Special teams set you up for success, defense keeps you in the game, and offense wins championships.

Written by Endré Jarraux Walls

Executive. Innovator. Strategist. Speaker. Technologist.