April 21, 2020 By Bill Bonney

I grew up watching professional football back in the 70s, when defenses were so good they had their own nicknames. The Pittsburgh Steelers had the “Steel Curtain,” the Miami Dolphins had the “No-Name Defense” and the Dallas Cowboys had the “Doomsday Defense.” The Cowboys’ defense was based on a newfangled concept called the flex defense, which their coach, Tom Landry, introduced in 1964 and the team perfected over the next decade.

The flex defense used gap assignments to define players’ roles and relied on reading “keys” to determine what the offense was likely going to do. Players trusted each other to mind their gap, and each learned to read and react to the keys that would predict what was to come. They were also trained to continually read changes and alter the plan of attack as the play unfolded.

The Role of Security in Business Flexibility

Flexibility in business, like business continuity planning, is a core competency. Much like the Cowboys’ flex defense, information security teams can amplify this competency by creating a trusted foundation that generates goodwill and engenders confidence, and by continually sharpening their risk management skills so the business can experiment, adapt to customers’ evolving needs and remain secure.

The cumulative effect of the data breaches that became commonplace at the beginning of the last decade has taken a toll both on the cybersecurity community’s confidence in our own ability to detect and prevent breaches and data loss, and on consumers’ overall belief that their private data will remain private. At the same time, because trust matters greatly to consumers, it can also yield extremely positive results.

To leverage the value of trust as a source of goodwill, companies need to adopt a digital trust mindset, invest in system hygiene and commit to a high-performing security function that can provide flexibility in business and protect the products and services that their customers rely on.

Engender Digital Trust in Your Organization

Digital trust can be defined as a measure of confidence in an organization’s ability to protect and secure data, as well as safeguard the privacy of individuals. By aligning privacy controls and privileges around the customer’s data experience, you can leverage your investment in system hygiene to go beyond business continuity and create customer goodwill and peace of mind for the organization. Your customers will have confidence that their data is secure and their privacy is protected, and you will have confidence in your ability to protect their data and minimize the impact of cyber intrusions.

Achieving this requires diligence around system hygiene and an emphasis on identity, authentication, and the granularity of privileges for your workforce and customers. This, in turn, can give you confidence about the activity on your network and make it easier to provide the privacy controls required by regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

In addition to developing trust by emphasizing data security at the systems level, the flexible security organization needs to have a high-caliber team that is continually investing in skills development. To return to the flex defense analogy, Dallas was known for drafting fast, strong and smart players, and for training constantly on the flex. So too should the security function place a high value on learning agility and keeping team members in constant learning mode. While there is no getting around the time investment required for always being in learning mode, the resulting combination of trustworthy systems and finely honed security skills is worth the investment.

Work Backward to Manage Cyber Risk

Finally, as I discussed in an article about diversity of thought in security, we often don’t have enough security personnel to meet all of our security requirements and, therefore, may not be able to promise the needed flexibility in business for our internal customers. We can’t just embed personnel; we need to teach security thinking.

I like an effective and straightforward risk management technique that can be taught through example and used in a wide variety of scenarios. The idea is to visualize the ideal state of control, or “security,” for a product, service, function or process that we’re implementing: the state in which security is fully implemented, representing the fully risk-mitigated state.

While we’re getting to that ideal state, our task is to design and implement compensating and detective controls. Depending on the background of the members of the team, rather than talking about compensating controls, we might ask how we can protect this process in the meantime. Likewise, instead of discussing detective controls, we might challenge the team to come up with ways of determining whether there is a problem we need to respond to.

This technique fosters brainstorming and teamwork by acknowledging an ideal state in the future while keeping the focus on the here and now. It can be applied anywhere, and it can be employed repeatedly as circumstances change.

Foster Innovation and Adaptability Throughout Your Business

By establishing digital trust, we are buying goodwill. By investing in a well-trained security team, we are creating a legion of teachers that can take a simple risk management technique and deliver flexibility in business, so we can innovate and give customers the products they need and want.

So how good was the flex defense? If the New England Patriots, the football team that has dominated the whole 21st century, and possibly the last true American sports dynasty, have one more winning season before experiencing a tie or losing season, it’ll be their 20th in a row and will just tie the Dallas record from 1966 to 1985. The flex defense and its offshoots and imitations were so effective at allowing defenses to dominate football that the only real solution was to alter the playbook to open up the game. Flexibility matters.
