Try demo

Hoxhunt fantasy football as a security metaphor: Week 1

Week one of the 2021 fantasy football season was a wild ride, as anyone who won on a last-minute Derek Carr TD pass in Las Vegas or lost on the resulting hit to Baltimore’s DST knows. Let’s run through something that stands out from the fantasy football week, and tie it all in to the security industry.

The unbreachable: Great scheme and great player execution

New Orleans Saints dismantle Aaron Rogers’ Green Bay Packers, 38-3. There was a lot of uncertainty going into Jameis Winston’s first start at QB in New Orleans’ post-Drew Brees era, and WOW did Jameis deliver. 5 TDs on only 14 completions and 148 yards! Did Sean Payton unlock a sleeping efficiency dragon in Jameis? He passed for as many interceptions as touchdowns before Tom Brady took his job in Tampa Bay. Meanwhile, the Saints defense stymied the vaunted Packers’ offense, intercepting Aaron Rogers twice.

Top waiver pickups:

Elijah Mitchell, RB, San Francisco

Latavius Murray, RB, Baltimore

Jameis Winston, QB, New Orleans

Tim Patrick, WR, Denver

Mark Ingram, RB, Houston

Raheem Mostert goes down in week 1, and the much-hyped rookie, Trey Sermon, doesn’t see the field. Meanwhile, the 6th round pick, Elija Mitchell goes off. Sermon is still worth rostering with Mostert out, but Mitchell looked great and that offense if built for fantasy RB goodness.

These waiver pickups will go as fast as good cybersecurity talent, so get your bids in now!

Football as a cybersecurity metaphor theme of the week: Leadership

Not all great coordinators are great coaches; not all great security engineers become top CISOs

Watching coach Sean McVay’s Rams dismantle coach Matt Nagy’s Bears on Sunday illustrated one core truth, and the enduring mystery shadowing it:

  1. Truth: Success is all about leadership.
  2. Mystery: What makes a successful leader?

In football, you can’t win without good play calling and sound strategy. That’s the technical side of the equation. But head coaches get embarrassed when they lose the locker room and their stars stop executing plays with precision. Understanding the playbook and motivating player performance are the soft skills side of the equation, and it’s essential.

Same goes for cybersecurity. Contrary to popular opinion, information security relies on people as much as it does on technical firewalls to fend off cyberattacks. Nearly all breaches contain a human element. Moreover, all security systems require buy-in from executive management for implementation. CISOs need to communicate effectively both vertically and horizontally. Their security systems won’t succeed if they don’t align with business goals and employees aren’t equipped to respond correctly to phishing attacks.

There’s a fine balance between drawing up Xs-and-Os, and enabling people with the skills and learning to do the right things. Behind every great quarterback is a great coach; behind every great football program is a great owner. It’s the not just the Xs and Os, it’s the Janes and Joes.

Chief Security Engineers = offensive/defensive coordinators

In football as in cybersecurity, success will be defined by how well leadership gets people to execute on a good strategy. Sean McVay came to the Rams as an offensive wunderkind and has sniffed the championship since day 1 as head coach. The complete package, he’s well-liked by management and players, and well-respected by football analysts.

Matt Nagy, on the other hand, rose up the offensive coaching ranks and stood out even under the long shadow cast by Kansas City’s future Hall of Fame coach Andy Reid, one of the most innovative offensive minds of all time. But Nagy has had mixed results in Chicago. His Bears have looked out-of-sync. His quarterback play has been atrocious. Though not abysmal, Chicago’s results have been disappointing (ironically, the defense has held it together while the offense has been bad).

As in cybersecurity, the traditional path to a head coaching gig emphasizes technical ability. Usually, someone coaches a position group like running backs or linebackers, is promoted to offensive or defensive coordinator (or assistant head coach), and then steps into a head coaching role. Their technical ability to create schemes and call plays has been on full display. Executive management can thus throw its support behind the coach’s vision and approach, from draft and player development to offensive and defensive strategy.

Sometimes it works. Sean McVay of the LA Rams and Sean Payton of the Saints are considered two of the best offensive minds in the game, and that skillset has translated to head coaching success. Perhaps the greatest coach of all time, Patriots head coach Bill Belichik, rose the ranks as a defensive genius under the legendary Bill Parcells regime in New York (ESPN’s 30 for 30 documentary, The Two Bills, is worth watching).

Oftentimes, it doesn’t. Josh McDaniels was considered a can’t-miss head coaching prospect as the offensive brainpower behind multiple Bill Belichik New England Patriots championships. But McDaniels’ tenure in Denver was a mess, as he made questionable personnel and strategic decisions (ahem… Tim Tebow… in the first round… with a trade-up). He’s back to doing what he does best as an offensive coordinator. Likewise, Adam Gase, the once-celebrated cerebral offensive whiz kid and “Quarterback whisperer” behind the Peyton Manning Broncos championship, endured brutal tenures as head coach in Miami and with the New York Jets. His defenses were routinely breached. His offenses seemed perpetually stalled. His top players were in open rebellion. Every time a player like Ryan Tannehill or Kenyan Drake left Miami, they’d find fantasy football stardom. The Jets arguably retained his services last year precisely because he gave them the best chance to lose their way into the first pick of the draft (he failed at that as well, gutting out a couple wins and dropping to second pick in the draft).

And then there are the coaches who seem to thrive on sheer charisma. Pete Carroll failed in his first stint as a head coach in the pre-Belichik Patriots; became a college coaching legend at USC with his positive, player-friendly methodology; and then returned to the NFL and coached the Seattle Seahawks to their first championship and a string of deep playoff trips. As he and Golden State Warriors NBA coach Steve Kerr constantly affirm on their podcast, Flying Coach, leadership is about understanding your players, opening lines of communication with them and ownership, and motivating them to perform at their best. While both coaches are decidedly capable tacticians, their real brilliance is in their people skills. They develop systems and cultures that equip players with the tools and motivation for success.

Performance enhancing CISOs

The path to a CISO is strikingly similar, from its milestones to its pitfalls. Traditionally, IT professionals have transitioned into security roles and risen to Chief Security Engineers before elevating to CISO. But technical know-how is no longer the chief attribute of a successful CISO.

The modern CISO needs to know how to communicate with the Board and with employees. As Jeffrey Brown, CISO of the state of Connecticut says, they must bridge the gap between the data center and the board room. Or as Barak Engel says, CISOs must stop thinking of themselves as guardians of the gate, and as keepers of the castle. That means understanding the business and supporting business growth. It means understanding people: selling cybersecurity to management as a business enabler, not a blocker. It means teaching cybersecurity to all sorts of people so that they don’t click a malicious link or leave the door open to a hacker.

Not all great security engineers become great CISOs. Some do but many don’t. In fact, many CISOs come from backgrounds in the liberal arts or physical security or communications. But the talented information security leaders get how all the technical pieces fit into the big picture of the business. And they understand how to communicate their complex and scary field to people in other business units.

As many infosec thought leaders like Secure Anchor’s Eric Cole states constantly on his blog, Chief Security Engineers should stay Chief Security Engineers if their chief interest is purely technical. Likewise, if an offensive coordinator is best at drawing up plays, then he should let someone else handle all of the team politics and personal motivation.

Interested in how to motivate behavior change in phishing awareness?