Securing Major League Baseball: On & Off the Field

Three strikes and you’re out – it is one of the more well-known sayings in baseball. However, it only takes one devastating cyber-attack to inflict huge damage on Major League Baseball or any of its 30 teams.

At ISACA’s 2019 North America CACS conference in Anaheim, California, USA, in May 2019, Neil Boland, the CISO of Major League Baseball, and Albert Castro, director of information technology with the Los Angeles Angels, led a breakout learning session that provided perspective on the scope of the security challenge for an organization with such high visibility as MLB.

“Baseball has a lot going on,” Boland said. “We have a lot of fans, a lot of games, a lot of activities throughout the course of the year, and a lot of exposures around the globe in many, many countries. The sport continues to grow, and the consumption of the sport continues to grow.”

The conference session recounted the evolution of security activities in baseball from when security was an afterthought to today’s state, in which the bottom line is: “This is critical. Don’t mess it up.”

The most challenging security considerations for MLB often involve its extensive network of partners. Boland said MLB is taking steps to strengthen partner onboarding and provide further guidance on mitigating risks.

“There's just a vast amount of partners we work with to pull this off – 162 games a year, not even counting spring training and the postseason for a club, and [multiply] that by 30 teams,” Boland said. “There's a lot of data, a lot of tools and a lot of systems, and some of them are really important, like industrial control systems to keep people safe.”

To address the scope of the challenge, in 2017, Boland helped to implement a program to better protect the league and its clubs from cyber-attacks, standardizing the security stack and integrations. Furthermore, increased usage of mobile platforms, IoT and cloud services means the traditional perimeter is gone, putting the onus on MLB to provide simple and reliable tools that prevent attacks.

“We wanted to raise the bar a lot higher,” Boland said. “We wanted to be faster than the next guy running from the bear.”

Boland encouraged security practitioners to move quickly to upgrade their organizations’ security posture rather than delay in search of the ideal solution.

“Any layer that you can add that just makes life harder for your adversary is a good thing, even if it's not perfect,” Boland said.

Boland emphasized that, unlike baseball’s signature rivals such as the Red Sox and Yankees or Cubs and Cardinals, everyone needs to be on the same team when it comes to cybersecurity, and said it is important to share information on cyber-threats.

“I ring the bell, and I think that's really important to do, because we're all in this together,” Boland said.

Beyond the security realm, Castro highlighted the way that teams leverage technology in areas such as ticketing, sponsorship activation, fan engagement and scouting and developing players.

“The access to information has just grown exponentially and with that has come the ability to do all kinds of really sophisticated analysis that just makes technology critical to running a baseball team,” Castro said.

To help enterprises and security professionals better leverage data analytics to enhance cybersecurity, the Infosecurity ISACA North America Expo and Conference 2019 offers a diverse lineup of learning sessions for building your security knowledge from 20-21 November 2019 – register now!
