Saturday, February 14, 2015

Five Reasons Digital Security Is Like American Football

Butler's Interception (left) Made Brady's Touchdowns (right) Count
In Kara Swisher's interview on cyber security with President Obama, he makes the following comment:

"As I mentioned in the CEO roundtable, a comment that was made by one of my national security team — this is more like basketball than football in the sense that there’s no clear line between offense and defense. Things are going back and forth all the time,” he said.

I understand why someone on the President's national security team would use a basketball analogy; we all know the President is a big hoops fan. In this post I will take exception with the President's view, although I am glad he is involved in this topic.

The following are five reasons why digital security is like American football, not basketball.

1. Different groups of athletes play offense, defense, and special teams in football. It is rare to see a single player appear on more than one squad. (It does happen, though. Julian Edelman is a punt returner and wide receiver. JJ Watt has caught touchdowns a few times. And so on...) In basketball, five players are on the court, and they play both offense and defense. In digital security, it is exceptionally rare to find professionals who routinely work offensive and defensive operations. I recommend that they do, but daily life is generally not a mix of these disciplines. Digital security pros are more like American football players due to these groupings of expertise.

2. Digital security is highly specialized. There are simply too many areas of expertise to expect any single person to master more than one aspect. This is true within American football. It is rare for a player to routinely fill multiple positions, whether on the offense or defense. A few athletes come to mind, like Kordell Stewart, but they are exceptions. Basketball has positions and specialties as well, but they are not as distinct as football.

3. Lines and direction of activity in digital security are more like American football than basketball. It is rare for defenders to "score points," compared to the points scored by the offense. This is true for digital security and American football. Basketball, like ice hockey, is much more fluid, with the flow of play going back and forth. Now, some players in basketball and hockey are more offensive-minded than defensive minded, and vice-versa, but the idea of the "defense" scoring points against the "offense" doesn't really make sense in those sports.

Sources: Business Insider, Arizona Cardinals
4. Digital security is really complicated. Similarly, American football is extremely complicated compared to basketball. There are 22 players on the field compared to 10, for starters. I found examples of real NFL plays from an old copy of the Arizona Cardinals playbook. It reminds me of the gyrations an intruder might have execute in order to accomplish his mission. Obviously basketball has plays, but they are not as intricate as those in football.

5. Digital security involves progression across territory, in a manner more like football than basketball. Most of the action in a basketball game occurs in either team's half-court. In football, teams spend time across most of the field. This reminds me more of the progression of actions that must take place for an intruder to accomplish his mission.

Now, those of you with long memories of this blog may remember my 2006 post Digital Security Lessons from Ice Hockey. In that story I emphasized the benefits of "being well-rounded..." having "knowledge and capability in offense and defense." I still advocate that position, but I recognize that it is really tough to achieve it.

Those with slightly longer memories may remember my 2005 post Soccer-Goal Security, showing a player kicking the ball into a goal, while the goalie looks elsewhere. The point of that post was to focus one's defense on actual attacks, not theoretical concerns.

Bejtlich's Mandiant Helmet
My hope with this post is to offer a counter-example to the views of the President and some of his staff. As with all analogies, they are open to interpretation, and some fail more quickly and spectacularly than others. Please try not to get too twisted out of shape or take offense. It's only a game, and this is only a blog post.

Given that we used to get football helmets at Mandiant, you might have predicted this post...


Giant M said...

Since you recommend that security professionals learn both offense and defense, would that by extension mean that you also recommend they learn multiple roles in security rather than stay in one?

Nunswipe said...

I don't like analogies when they turn into a fight over whose is most accurate. However, analogies can help deepen the discussion if approached right and I think yours achieves this nicely.