At first sight it may seem that the world of soccer and IT security services are light years away. The former loves full tribunes, soccer fans’ hymns, colorful scarves of favored clubs and enthusiasts who adore the sport above anything else. The latter should operate unnoticed; it is fond of well-ordered and optimized processes, it values silence and lack of incidents; on the other hand, it is a costly and often least favored area of managing a company. At least this is how things were until recently. However, if we delve into IT security, we will discover with amazement that it has more in common with soccer than would have been initially expected.
First of all, for a number of years companies neglected the issues of security and left them at the dugout – like players waiting for their turn. Until now! The increasing number of notorious cases of violation of IT security, causing serious losses for organizations both financial and image-related, has resulted in the fact that the interest in the issue is growing, along with awareness of its critical importance.
Recently, numerous private companies and public organizations have sustained adverse consequences of the absence of relevant protection from malicious external attacks, as well as effects of hardware failures. It is commonly known that in Poland, when the whistle of a referee announces the start of a soccer match, everybody becomes a soccer expert. Starting from specialists who reproach the players for even the tiniest mistakes, up to seasoned professionals in the area of transfers and team management. Many believe that they have more extensive knowledge than the coach who receives a lot of money for nothing. The case is similar with security. The issue of IT security has recently been on everybody’s lips. Additionally, companies do not want to confirm publicly that they have not implemented and do not maintain any comprehensive IT security solutions. Therefore, they build an illusion of a safe world where the company’s key data and the customers’ data is ‘safe’ – but is it really true?
What can companies learn from the best soccer teams? Apart from the obvious elements which include teamwork, talent management, recruitment process or selection, the necessity of implementing a relevant strategy seems to be of vital importance. The case is similar with respect to IT security. Implementation and maintenance of a relevant strategy allows for long-term performance of objectives, as well as undertaking important decisions and activities that are related to the calculation of financial costs and organizational changes, in order to limit the risk to the minimum. This is a long and costly process, but it is also profitable. For a company, it may offer profits comparable to hiring one of the best players in the world: Lionel Messi, Cristiano Ronaldo or Robert Lewandowski [for example]. It will allow a company to accomplish long-term benefits. The increasing complexity and sophistication of cyber-attacks calls for more and more complex security measures, which may exceed the organizational capacity of many companies. However, even if we cannot hire the best of the best, a good solution can always be found. In such a situation, it is rational to use cost-optimum and easy-to-use cloud services provided by specialist companies.
When thinking of IT security, for many people the only association is protection from malicious attacks from the outside, such as hacking, DDoS or the recently ‘popular’ ransomware. Meanwhile, IT security should be understood in a much broader manner: as availability, integrity and confidentiality of data. Not only may a cyber-attack may deprive an organization of the possibility of providing services to its clients it can expose it to adverse consequences (legal, financial and image-related). Therefore, it is very important to implement Managed IT Security Services as a comprehensive set of tools and processes that are aimed at protecting the operation of a client’s organization by ensuring data security. For a company, they are as important as a proper talent management program for a soccer team: they are its heart that allows for accomplishing high efficiency on the soccer pitch and in the realm of business.
Implementation of best monitoring systems and best security incident detection systems is pointless if no relevant reaction follows in due time
Implementation of best monitoring systems and best security incident detection systems is pointless if no relevant reaction follows in due time. Even though the implemented technical measures may level or block security incidents by preventing them, it is not possible to eliminate and block all events of this type, for example due to the fact that there is a human factor at play. The response to this problem is implementation of Security Incident Management; its major task is to detect such situations and to react as quickly as possible to them. Correct implementation of the process is like a good coach for a soccer team – the most important element that is capable of identifying all types of risks and potential threats and reacting to the ones that have already happened.
Efficient process of security incident management requires implementation of relevant incident management procedures and shows all the key tasks that should be performed by competent personnel. A coach is never successful on his own: he needs a number of highly-qualified people to win (goalkeeper coach, physical therapist, doctor, masseur, information bank expert, etc.) and, obviously, relevant tools. The situation is similar in the case of implementing the Security Incident Management process. The tasks implemented in this process by the security team are supported by properly configured technical tools enhancing its operation (security systems, monitoring systems, systems for collecting, correlating and managing events and incidents, automatic notification mechanisms and notification and incident processing systems). A security incident requires analysis and drawing of conclusions, leading to a better organization of security and processes (lessons learned) in order to eliminate similar events and their effects in the future.
Success in the world of soccer depends on multiple factors. Not only is inspiration necessary, so is strategy and business maturity, and also technological innovations and proper leadership. A goalkeeper plays a vital role in accomplishing success. His role in today’s soccer is not to be underestimated. A goalkeeper’s role for the team may be compared to Vulnerability Management in business.
Moving within the penalty area, the goalkeeper has the entire pitch in front of him. He is able to see the most. He can notice his friends’ errors and suggest the best positions. Vulnerability Management is an automated process, which is also aimed at discovering new susceptibilities in infrastructure. With the use of susceptibility scanners, resources are checked with respect to the potential occurrence of susceptibilities, which could contribute to the disintegration of security measures. The scanning engines allow for detecting susceptibilities on servers, working stations, in operating systems, apps, databases and other devices having IP addresses. Every identified susceptibility may be assigned with a new security threat. The discovered susceptibilities contain detailed information about it, as well as a description of remedies that should be undertaken in order to remove it. Even though susceptibility scanning is an automated process, penetration tests are performed manually according to the scenarios of strictly defined standards (including OWASP) and rely on broad experience of the pen tester. Susceptibilities discovered earlier by the scanner may also be tested – in such a case, we check whether they may be used to break the security.
Every organization, irrespective of the form of ownership and industry, functions in a specific legal order and has to comply with specific standards (e.g. PCI DSS, ISO/IEC 27001, ISAE 3402). This translates to specific requirements with respect to the level of security and the manner of managing IT services. Compliance Management ensures that all the required regulations have been complied with, e.g. regulations pertaining to personal data protection or required by certification institutions.
We have to be aware of the fact that in spite of excellent preparation, a sustainable strategy or best players, there is always uncertainty with respect to the result of the match. Such uncertainty may refer to underestimating the opponent, failing to make use of the opportunities, dynamically changing conditions on the soccer pitch or inability to adjust one’s manner of playing to the current situation.
Security is similar; the impact of uncertainty on the designated objectives is the definition of risk according to the ISO 31000 standard. No organization is capable of fully avoiding risk. Paradoxically, the risk of a certain degree has to be undertaken in order to allow the organization to accomplish its objectives. The majority of organizations perform activities related to risk, yet IT Risk Management is not always systematic, documented and repetitive. It may be a good idea to hand over this area to the professionals from external companies who, via identification, estimation and evaluation of risk, and, subsequently, via planning and implementation of relevant preventive measures, will be able to improve the level of safety of a given enterprise and control it.
Furthermore, thanks to the fact that they are exclusively dealing with events influencing the accomplishment of an organization’s objectives in the context in which it operates, they can understand the general level of threats to which it is exposed.
Every coach is aware of the fact that the team’s success depends not only on the optimum choice of players, but also on constant planning and strategy testing to minimize the risk factor to a maximum degree. This is what the IT Continuity Management process is responsible for in the realm of security; it focuses on planning, establishing and testing specific strategies or procedures aimed at minimizing the impact of unavailability of a specific IT service for the client. The strategy may consist in ensuring additional throughput of the connections, but also in developing a whole back-up center that is going to provide a given service in case the original one becomes unavailable. An important aspect in IT Continuity Management is maintenance of procedures in case of occurrence of emergency situations and communication maps. The case is similar in soccer; every coach always has a plan B in case any of his players sustains an injury. Such a plan, regularly tested, offers certainty that in case of a failure, everything will go according to plan and all the involved parties will receive adequate information, thereby minimizing the risk of unavailability of the provided service.
To conclude, just like a coach who has a vision of his team and of victory, we also have to think of relevant selection and adjustment of the level of security in our organization in order to make it effective, accurate and to bring us closer to one objective: to win the match, because this is a high-stake match.
This content is authored, and sponsored, by Comarch.
