We’re approaching Super Bowl Sunday and the lead up to the main event has been a helluva lot of fun. Stefon Diggs’ 61-yard walk-off touchdown that sent the Vikings to the NFC Championship game will go down as one of the most memorable moments in football history. Most of the games in this years’ playoffs have had some level of excitement, which is great for fans. In the world I inhabit, however, excitement is the last thing our customers want. In fact, the best day for cloud security teams is a day when nothing happens. It makes for a lousy highlight reel, but it’s good for business.
At the same time, football teams and cloud security teams are playing in fiercely competitive environments that require coordination of an endless number of moving parts. Coaches and CISOs alike draw up plans and schemes to win; they care about their teams and outcomes, and they are passionate about the work they do. Their idea of the touchdown dance, however, is quite different.
While it may give validity to our Monday-morning quarterbacking to analyze how Ben Roethlisberger could throw for 463 yards and lose to an arguably worse team, the realm of cloud security does not like surprises or come-from-behind wins, and the only efficiency rating we like is about how well we can identify and fix security vulnerabilities. Sports give us great metaphors for life, and especially in the business of security, we can point to platitudes about defense and use it to connect our work with something understandable like football. They work because they make sense in a shared context. But the truth is that winning a Super Bowl requires something far, far different from what success in cloud security looks like.
My hope all weekend had been to shrink the essence of cloud security into an analysis neatly wrapped in football platitudes and jargon. There are, indeed some aspects of the game that mirror the work done by security teams. There are unforeseeable gyrations and constantly changing scores. There are clearly defined good guys and bad guys (depending on who you root for), and there are specific goals behind every action on the playing field.
An NFL team builds its season around getting into the final game of the year. The Super Bowl looms large on the minds of all players because it ultimately defines why players take blows to the body in the first place. But while the Super Bowl winner finishes the season with a victory parade, those who form the defensive line in the trenches of the IT department never get to partake in the spoils of the victor. It’s not that they are never victorious, but their yardstick is measured less by out scoring the other guys, and more about just preventing them from getting into the end zone. Security teams consider a 0-0 score to be a victory, but you don’t pop champagne for that.
In the cloud security world, the playbook is really all about planning, executing, and doing it over and over again. That game plan involves assembling the right team, active preparation, continuous defense, and a commitment to regular fitness. But in the Safe Cloud Bowl, the effort simply never ends. Security never stops and so all of these different pieces have to be continually coordinated and managed. There is no victory parade, no off-season.
So, how do you become victorious in an environment that rarely high-fives and has no visible end zone? You protect customers. You configure servers correctly. You create policies that prevent sweeping changes to settings without oversight. You have a remediation plan. You ensure continuous, automated monitoring of your cloud environment. You create a culture of security and ensure it is a priority – for board members, employees, partners, and customers.
If you do this, if your team is able to avoid getting breached, then know there is a big bucket of Gatorade waiting to be dumped on your CIO in celebration of a job well done, and continuing to be well done.