What can sports teach us about Information Security
Unlike traditional team sports, however, Information Security is looked at differently. As InfoSec professionals, we are expected to be more trustworthy, more in tune with our customer service side, more engaged, and more service-oriented due to the nature of our beast. We live life under a microscope since one mistake can potentially cause untold amounts of damage. We expect to lead since we are often the first to respond to an incident. We usually play all sides to stay ahead of current trends. We also expect to be approachable by anyone and be trusted by more. We do all of this and more because of the trust that is often placed in our hands. With all these responsibilities on us, we have to protect those around us by guiding them through issues such as identity theft, data breaches, and compromises. Like the old adage says: “it isn’t easy, but it is worth it.” That worth is something to be respected by all professionals at any level. Once we can look at Information Security as a sport, we can take away some key lessons that affect both worlds. Just like sports, information security can be an interest, and interests can quickly burn out without proper precautions. From here, we can learn:
Lesson One: Change isn’t always wanted, but sometimes it’s what is best
Just like sports, the grind can get tiring, it can be tedious, and that can wear on anybody, no matter the stature or tenacity of said person. As a leader, you have to know when to fold your cards and let someone walk away, lest they do more harm than good. Someone might leave for a variety of reasons: they are not a good team fit, their heart isn’t in it, or they simply want to leave. Removing someone isn’t an issue that should be looked down on; instead, this should be celebrated. It alerts us as leaders that something is wrong, and that something should be addressed. Being able to accept change is the most respectful thing you can do for a person. If we demonize this action, it can be the beginning of fear and disengagement, team erosion from within, and it can cause rippling effects that are felt long after departure.
Lesson two follows the same vein as one: Build a great support team
When somebody isn’t in the game mentally, it can bring the entire team down. When you build a supporting team whose members are appropriately managed, able to contribute, and, most importantly, understand the role they are given, you can structure them so that they protect each other, not just complete checklists. When a team protects each other, any guiding statement given has far more impact, more understanding, and can support the entire organization, not just a particular group. This is an issue that senior leadership often runs into since their decisions often include improving the overall organization and furthering the mission and values. Having a great supporting team will help you make those decisions more appropriately.
Lesson three builds off lesson two: A great supporting team helps avoid burnout and developing them breeds success
Athletes are often held to ridiculous standards. They often have to be able to run a 4.2 forty, or bench 225 lbs umpteen number of times, or jump higher than X meters, just to be validated. This mentality transfers over to the information security world in more ways than one. Often, information security workers are expected to know cloud security, hardware security, secure coding practices, GDPR, PCI DSS security standards, how to communicate to anyone, reverse engineering, threat hunting, and a myriad of other topics. Knowing all of this (or a fraction thereof) and being pulled in many directions can wear on anybody. To combat this, you must be a leader that can set realistic expectations, talk with both your team and stakeholders, and manage to reality. If you lose sight of this focus, you lose your team’s heart and support. By developing your team, you help them achieve their goals and avoid the stress of not being skilled in one area. This method is not a one-size-fits-all approach, nor can you send your team to a class and call it development. Improving your team means talking with your team, giving them experiences that help them grow, listening, and making sure that your team has support, not that they “feel” supported. Support leads to engagement, engagement leads to growth, and success follows growth.
The final lesson we can gather from this world: Unnecessary sacrifice is precisely that, unnecessary
The workplace can be brutal by design. Countless stressors exist to throw us off our game. We must do our very best to avoid them or handle them appropriately. We have many competing priorities. There is an overabundance of issues, and limited resources to combat them, and frequently we introduce these ourselves. These stressors will not work themselves out, and the sooner we understand that, the sooner we can begin to work through them as a team. Not addressing these stressors allows disengagement to manifest. Disengagement can do far more harm than good. When we introduce a deadline that seems hard to reach, we effectively enable our team to hurt themselves in pursuit of unrealistic expectations. Be the leader that shows them that there is a better way; i.e., set manageable expectations, lead from behind, and go to bat for them when the time calls for it. You will end up with a more engaged team that is willing to do more work and get more done.