I grew up watching professional football back in the 70s, when defenses were so good they had their own nicknames. The Pittsburgh Steelers had the “Steel Curtain,” the Miami Dolphins had the “No-Name Defense” and the Dallas Cowboys had the “Doomsday Defense.” The Cowboys’ defense was based on a newfangled concept called the flex defense, which their coach, Tom Landry, introduced in 1964 and the team perfected over the next decade.

The flex defense used gap assignments to define players’ roles and relied on reading “keys” to determine what the offense was likely to do. Players trusted each other to mind their gap. Each learned to read and react to the keys that would predict what was to come, and each was trained to continually read changes and alter the plan of attack as the play unfolded.

The Role of Security in Business Flexibility

Flexibility in business, like business continuity planning, is a core competency. Much like the Cowboys’ flex defense, information security teams can amplify this competency by creating a trusted foundation that generates goodwill and engenders confidence, and by continually sharpening their risk management skills so the business can experiment, adapt to customers’ evolving needs and remain secure.

The cumulative effect of the data breaches that started to become commonplace at the beginning of the last decade has taken a toll both on the cybersecurity community’s confidence in our own abilities to detect and prevent breaches and data loss and on consumers’ overall belief that their private data will remain private. At the same time, because trust matters greatly to consumers, it can also yield extremely positive results.

To leverage the value of trust as a source of goodwill, companies need to adopt a digital trust mindset, invest in system hygiene and commit to a high-performing security function that can provide flexibility in business and protect the products and services that their customers rely on.

Engender Digital Trust in Your Organization

Digital trust can be defined as a measure of confidence in an organization’s ability to protect and secure data, as well as safeguard the privacy of individuals. By aligning privacy controls and privileges around the customer’s data experience, you can leverage your investment in system hygiene to go beyond business continuity and create customer goodwill and peace of mind for the organization. Your customers will have confidence that their data is secure and their privacy is protected, and you will have confidence in your ability to protect their data and minimize the impact of cyber intrusions.

Achieving this requires diligence around system hygiene and an emphasis on identity, authentication, and the granularity of privileges for your workforce and customers. This, in turn, can give you confidence about the activity on your network and make it easier to provide the privacy controls required by regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

In addition to developing trust by emphasizing data security at the systems level, the flexible security organization needs to have a high-caliber team that is continually investing in skills development. To return to the flex defense analogy, Dallas was known for drafting fast, strong and smart players, and for training constantly on the flex. So too should the security function place a high value on learning agility and keeping team members in constant learning mode. While there is no getting around the time investment required for always being in learning mode, the resulting combination of trustworthy systems and finely honed security skills is worth the investment.

Work Backward to Manage Cyber Risk

Finally, as I discussed in an article about diversity of thought in security, we often don’t have enough security personnel to meet all of our security requirements and, therefore, may not be able to promise the needed flexibility in business for our internal customers. We can’t just embed personnel; we need to teach security thinking.

I like an effective and straightforward risk management technique that can be taught through example and used in a wide variety of scenarios. The idea is to visualize the ideal state of control or “security” for a product, service, function or process that we’re implementing. That ideal state would be when security is fully implemented, and it would represent the fully risk-mitigated state.

While we’re getting to that ideal state, our task is to design and implement compensating and detective controls. Depending on the background of the members of the team, rather than talking about compensating controls, we might ask how we can protect this process in the meantime. Likewise, instead of discussing detective controls, we might challenge the team to come up with ways of determining whether there is a problem we need to respond to.

This technique fosters brainstorming and teamwork by acknowledging an ideal state in the future while keeping the focus on the here and now. It can be applied anywhere, and it can be employed repeatedly as circumstances change.

Foster Innovation and Adaptability Throughout Your Business

By establishing digital trust, we are buying goodwill. By investing in a well-trained security team, we are creating a legion of teachers that can take a simple risk management technique and deliver flexibility in business, so we can innovate and give customers the products they need and want.

So how good was the flex defense? If the New England Patriots, the football team that has dominated the whole 21st century, and possibly the last true American sports dynasty, have one more winning season before experiencing a tie or losing season, it’ll be their 20th in a row and will just tie the Dallas record from 1966 to 1985. The flex defense and its offshoots and imitations were so effective at allowing defenses to dominate football that the only real solution was to alter the playbook to open up the game. Flexibility matters.
