Basketball season is just ramping up at the collegiate level. After watching a game last night, I realized that there are at least 5 reasons why information security is like basketball.
Focusing on the small business, here goes…
- Success requires more than just one person.
We’ve all seen teams that tried to rely solely on one star player. They may have wins and that star player will have some tremendous stats, but often the team falters in the critical times, or in the playoffs.
Similarly, there may be an InfoSec star at your business. But, everyone needs to be involved. The owners or top executives set direction and provide support. The technical staff should be cross-trained and understand how they work together. Users should be made aware of the role they play in safeguarding the company assets.
- Everyone needs to work together.
Have you ever watched a basketball team where a few players “haven’t seen a shot they won’t take”? That causes frustration, and soon more players start playing the same way.
Protecting the assets of the company requires that each person understand their role and responsibilities, and how they work together. One person may be the server guru, another the network dude, and yet another the workstation expert. But when an incident arises, they need to be able to work together with a practiced response. There is no time for egos to get in the way.
- Fundamentals are important.
There is a reason why teams practice shooting, dribbling and running plays. Fundamentals can be the difference between winning and losing.
Likewise, the fundamentals of information security should be practiced. Layer the defenses. Train the users and tech staff. Encrypt data. Lock the doors. De-activate accounts when people leave. Review logs. Follow good practices.
- Someone needs to make the hard decisions.
In basketball, the coach is the one who makes the hard decisions of who plays and who doesn’t. He sets the strategy and the game plan.
InfoSec also needs someone to make the hard decisions. I’m talking policy here. We can help develop the policy, but support for development and following the policy must come from the very top of the command structure. They also must be willing to support policy enforcement. Otherwise, you’ll end up with multiple individuals trying to convince you to make policy exceptions just for them.
- Rules are there for a reason.
Rules allow each basketball team to know exactly what is allowable and what is not. Did that player travel? Was that a foul? Oh, and the referees are there to make sure that the rules are followed.
Businesses are often required to follow a set of information security rules. Do you accept credit cards? Then you need to follow the PCI DSS rules. Are you a publicly traded company? You’ve got regulations to follow. Are you a financial institution? Regulations, again, are a major player. These rules are set in place to protect the company and those it interacts with. InfoSec rules are there for a reason. Be sure to follow them. And, get to know your auditors. They can be very helpful in resolving deficiencies.
Basketball and information security… Who knew they had so much in common?
- Dan