One thing is for certain in football: surprises do happen. Whether it is Saudi Arabia beating Argentina or Germany losing to Japan in the World Cup 2022, football is a sport full of excitement. But have you ever thought that football can teach us many great lessons about cybersecurity?
Football can be a great teachable moment for cybersecurity
Football is a great sport to watch, and it's also a great teachable moment for cybersecurity. Football teaches us that resilience is about making good decisions under pressure, staying calm under stress, planning for failure and always being aware of what needs to be done. Cybersecurity professionals should use these same strategies when defending their organization from cyberattacks:
- Make good decisions under pressure - Any football player will tell you that there are moments when they need to make split-second decisions on the field, without hesitation or doubt about how to proceed, for their team to win the game. Similarly, cybersecurity professionals must make quick decisions not only to protect themselves but also to safeguard the corporate systems they are responsible for.
- Stay calm under stress - You know those moments when things just don't go your way? A lot of times those moments come during intense competitions like football games. In such situations, players have learned how important it is not only to stay focused but also to remain calm, so as not to get caught up in whatever emotion could cause them to make bad choices. The same applies to cybersecurity: when faced with stressful situations, such as during a data breach incident, it is important to remember the ultimate goal and stay focused on limiting the impact on your company and the local society.
Prepare for the unexpected
One lesson that is especially relevant to the current cybercrime landscape is that you never know what might happen next. We must always be prepared for the unexpected, whether it is a hacktivist or organized crime group attacking your network from the outside, or an employee bringing malware into the office on their smartphone. The best way to prepare for such a scenario? Know what your opponent looks like, and know how they play the game of cybersecurity football so that you can predict their next move with confidence.
The same goes for having a playbook: everyone needs one! A playbook is simply an outline of every possible scenario that could arise from a security breach, with a contingency plan for each. As we have witnessed with the ransomware attacks sweeping organizations across the world, affecting hospitals, schools, energy businesses and more, the stakes are higher now than ever before.
Backup plans are important
Backup plans are important. Football teams keep players on the bench as a backup solution because you never know what might happen on the field, and you can't be caught unprepared. Backup plans aren't only for the worst-case scenario. Your team needs to be prepared for all types of situations, even ones that seem less dire than others but still need to be covered in case something goes wrong (like when your staff cannot make it to the office because of extreme weather conditions).
Test your backups before an emergency happens so everyone knows how to make them work. If you don't test these emergency procedures ahead of time, the people on your team who aren't familiar with what should happen during a cyberattack are most likely to freeze rather than act quickly enough, before the damage spreads through your network assets and compromises customers' personal data.
More lessons learnt from “the biggest sporting shocks”
But there are more lessons we can learn from football. Let us examine two cases that were heralded as “the biggest sporting shock of my lifetime” and “the triumph of the dour over the delightful.” I am talking about Leicester City winning the Premier League in 2016 and Greece becoming the European Champions in Euro 2004. The first quote is attributed to England’s captain Gary Lineker and the latter appeared in the Telegraph newspaper.
Let’s examine these lessons:
- Strategy is the cornerstone – When examining the Greek miracle, it was noted that “it was a triumph of tactical tinkering, a victory for a team tweaked to nullify each differing opponent, and a team drilled to make the most of the limited opportunities that came their way.” Having a well-defined strategy is the alpha and the omega everywhere – including cybersecurity.
- Leadership does matter – Otto Rehhagel and Claudio Ranieri, head coaches of Greece and Leicester, led by example to get the job done and transmitted confidence and self-assurance to their players.
- Communication is important – The German coach and the Greek players were cultures apart. Assistant coach Topalidis, a Greek born and raised in Germany, made sure that “players and manager understood one another.” Communication between all stakeholders is important for the success of any project and policy.
- Learn from the mistakes and don’t be disappointed – Both teams lost some games on the way to their respective championships. However, the important lesson was that some battles might be lost, but you can still win the war and improve the security of your company.
- Cybersecurity is everyone’s responsibility – In the words of Nikos Dabizas, Greek footballer and member of the National Team, “that kind of collective spirit, nurtured painstakingly by Rehhagel, helped see Greece through.”
- Cybersecurity is about people – Leicester taught us how important it is to retain your winning team. Staff retention plays a pivotal role in robust cybersecurity management, and any staff change adds complexity to cybersecurity management. In addition, Rehhagel noted several times to his team that “I believe we can do this.” Believing in your team’s skills and capabilities is a great boost for better performance even during dire and stressful times.
- It's not about being 100% secure (this is impossible), it's about being effective (and resilient) – Reflecting on the two games that Greece played against the host, Portugal, assistant coach Topalidis said that “In the end we beat them twice and it was a clear indication we were a better team: not the most talented team, but the most effective team.”
- Be realistic – Rehhagel was described as “unapologetic pragmatist” saying “we had to be realistic, relying on defense, taking advantage of set pieces and being very effective on the counter.” Be realistic about your threat environment; lack of perception can and will create security gaps.
Football and cybersecurity have an awful lot in common, especially when it comes to resilience. Football is all about adapting to your opponents and their tactics, and the same principle applies to cybersecurity. Organizations have a lot to learn just by watching how teams build up their strategies on every football field.