So what does constructing a fantasy football roster--and managing it through football injury and uncertainty to fantasy fame and glory--actually have to do with cybersecurity? Let’s start at zero and look at the draft results of 11 world-class CISOs participating in the CISO Phish Bowl, cybersecurity’s first CISO Fantasy Football League, presented by Hoxhunt. Here we’ll see beyond who won or stumbled in the draft to find the philosophical parallels between fantasy football and cybersecurity.
The NFL season kicks off on Thursday, September 8 in epic fashion. This might be the best Thursday night game of all time, as last year’s Super Bowl champs, the Los Angeles Rams, take on this year’s pre-season darlings, the Buffalo Bills. But on Monday, September 5 something just as epic went down in the cybersecurity community: the first draft in the CISO Phish Bowl thought leadership series. Participating CISOs include: Katie Arrington, CISO of the US Department of Defense | Gary Hayslip, CISO of Softbank | Christina Shannon, CISO of SPS Commerce | Jerich Beason, CISO Capital One Commercial | Shawn Bowen, CISO of World Fuel Services | Dutch Schwartz, Principal Security Specialist at AWS | Dan Lohrmann, CISO at Presidio and author of Cyber Mayday | Lisa Kubicki, Director of Trust & Security Awareness & Training at DocuSign | Larry Whiteside, Jr., CSO of Women’s Care and co-Founder – President of Cyversity | George Finney, CISO of SMU and author of Well Aware | Bill Bonney, co-Founder and President of CISO DRG Publishing.
Fantasy football lets ordinary people feel like real team owners. They draft and manage a roster of real players online with a group of friends, forming a fantasy league. The statistics of each manager's individual players and team defense from each football game are tracked and turned into points for the manager's fantasy team. Running backs, wide receivers, and tight ends receive a point for every yard and reception they gain, and six points for every touchdown they score. Quarterbacks get a certain amount of points for every 100 yards they throw, one point for every yard they run (historically, QBs ran less than in today's game), and six points for every touchdown they score. Kickers get points for making field goals and extra points. Players also lose points for bad plays, like interceptions thrown and fumbles lost.
It's great fun, even for those who are more into the math and strategy of fantasy than the athleticism of real football. Fantasy sports are hugely popular around the world, but in North America fantasy football has surpassed baseball as the most popular fantasy sport. Over 40 million people play fantasy football in the US alone, in an industry pegged at over $22 billion in 2022, and projected to grow over the next five years to $34.66 billion by 2027.
Cybersecurity tie-in: Understand your technical environment and the business goals
Just as you must understand the rules and scoring system of your specific fantasy league--a 2-QB super-flex league is a completely different animal, for instance, than a traditional 1 QB league--the CISO must have a firm grasp of the environment they must protect and the business goals they are helping advance.
In the Phish Bowl, football and cybersecurity collide every week with expert insights into cybersecurity leadership, strategy, awareness, and more. Let’s look at lessons from this draft, round by round:
Fantasy takeaway: In round one, it’s all about risk and reward. Do you go for the big play with ultra-talented but injury-prone running backs like Christian McCaffrey or Derrick Henry? Or do you opt for less risk and perhaps lower reward, as Larry did with running back Austin Ekeler at pick 2? What is your risk tolerance as a manager? How does that play out in your draft strategy?
Cybersecurity tie-in: Risk
How do you establish a business risk threshold as a CISO? When deciding whether to do something new and risky--as many businesses did during the great migration to the cloud during the pandemic--the CISO is tasked with understanding the business goals and the security risks. They must then determine whether a proposed action is too risky to move forward with. Look at round one, above. If risk were thrown out the window, then McCaffrey and Henry would go in the top three picks every time. Their upside is MVP-level. But risk IS an integral part of the equation in roster construction, as in business. At pick 6, Gary saw the upside of having Derrick Henry as outweighing his injury risk. So, pick six signified the Derrick Henry risk threshold.
Fantasy takeaway: In round two, one will either solidify a position group or diversify. Do you take two running backs or wide receivers? Or, alternatively, opt for positional dominance with a pick of Josh Allen at quarterback, as Jerich did, or with the pick of Travis Kelce at tight end, as Lisa did?
Cybersecurity tie-in: Protecting your crown jewels
When setting up your security system, what is most important to protect? What and where are your crown jewels? The first two rounds of the fantasy draft will establish the crown jewels of your fantasy roster. These are the players most likely to lead your team in fantasy points. From here, you build around your top picks--defending your crown jewels--by selecting the best player available, as Lisa and Jerich can, with needs at every position, or by selecting based on positional needs. And if your crown jewels are particularly risky, you select backup plans later on to prepare for injury.
Fantasy takeaway: Rounds 3 and 4 are where the identity--the culture--of your team crystallizes. By now, the most established fantasy talents in terms of projected value have been selected and your roster’s foundation is set. You can see whether you are thin at certain positions--or whether you have a great deal of risk that must be insured against with selections in later rounds to protect against injury or poor performance--and make picks accordingly. Picking first this year is an advantage with Jonathan Taylor being the clear-cut top choice. Christina has leveraged that advantage by establishing a killer core. Somehow Aaron Jones slipped to her all the way at the round 2/3 turn (I almost took him in early rd. 2), along with Tee Higgins from her hometown Bengals. With speedster Jaylen Waddle at WR, she has 2 awesome RBs and 2 very good WRs. Dan, meanwhile, has positional dominance at QB and TE with Pat Mahomes and Mark Andrews, along with low-risk-but-awesomely talented picks of Najee Harris at RB and AJ Brown at WR. He can take the best player available from here on out.
Cybersecurity tie-in: Culture
How do you approach security culture? In every CISO’s book I’ve read, culture is a central factor to an effective system. Some CISOs begin with reaching out to leadership. Others start with their own team. Most look at creating and managing an effective security awareness program. Still others create cross-functional security ad-hoc boards full of stakeholders from key departments.
You will notice that many quarterbacks and tight ends started coming off the board in rounds 5 through 8. From here on out is where most leagues are won or lost, either by hitting on a player who maximizes their potential or by avoiding total duds and injuries. Now teams must make decisions on how to fill out their roster around their stars, putting question marks next to the exclamation points. Other than the picks of Breece Hall and Dameon Pierce in the 5th round, the CISO Phish Bowl league took a more risk-averse style, as the rookies and second-year players with loads of talent didn’t start going off the board until George’s last pick of the round, second-year wide receiver Rashod Bateman, followed by his first pick in the 8th round: the number 8 pick in last year’s NFL draft, Drake London, an ultra-talented USC product.
Cybersecurity tie-in: Technical and human layer
A cybersecurity system is often put in two categories: the hard outer shell of the technical perimeter, and the human layer within. Just as you can count on your first four picks to perform to a certain level of predictability, you can count on technical solutions to filter out most threats. But some always get through! These middle rounds are where you find the less known or less reliable players who will find another level of performance and win your league; likewise, awareness training receives only 3% of the security budget and costs a lot less than technical solutions. But the emails that slip through the technical perimeter are where most (85-95%) breaches happen. And it’s here where awareness training can mean the difference between a ransomware breach and a well-trained employee reporting a suspicious email. All it takes is one bad click.
Fantasy takeaway: After round 9, you’re going to see how well prepared you are for your draft. This is where you make calculated risks on players who haven’t yet maximized their potential or are in new situations that work better for them. Or you go against standard draft strategy and take a defense or a kicker higher than is usually recommended, with the last two picks of the draft. And let’s be honest: most “normal” people, as in those who aren’t paid fantasy analysts, won’t know much about a lot of these players. We must rely on our trusted sources for good intelligence on players' talent, their team situation, their injury history and recovery, and so many other factors. Who do you trust when the internet is overflowing with so-called experts?
Cybersecurity tie-ins: Team building and Threat Intelligence
Building an information security team is challenging. There is a gap between the supply of talent and the demand for it. That’s why CISOs are figuring out new ways to find talent in new places to join their teams. Last year, longtime super-athlete wide receiver Cordarrelle Patterson had the best year of his career when he moved to running back for the Atlanta Falcons. Likewise, many innovative CISOs are looking for candidates who have untapped skills that would fit well in a cybersecurity role.
The other thing they must constantly evaluate is their threat intelligence. With so many sources claiming to know what threat is looming and what vendor or solution is the best way to defend against it, the CISO must figure out who to trust. There’s real skill involved in separating the signal from the noise in cybersecurity.