I grew up watching professional football back in the 70s, when defenses were so good they had their own nicknames. The Pittsburgh Steelers had the “Steel Curtain,” the Miami Dolphins had the “No-Name Defense” and the Dallas Cowboys had the “Doomsday Defense.” The Cowboys’ defense was based on a newfangled concept called the flex defense, which their coach, Tom Landry, introduced in 1964 and the team perfected over the next decade.

The flex defense used gap assignments to define players’ roles and relied on reading “keys” to determine what the offense was likely to do. Players trusted each other to mind their gap. Each learned to read and react to the keys that would predict what was to come, and each was trained to continually read changes and alter the plan of attack as the play unfolded.

The Role of Security in Business Flexibility

Flexibility in business, like business continuity planning, is a core competency. Much like the Cowboys’ flex defense, information security teams can amplify this competency by creating a trusted foundation that generates goodwill and engenders confidence, and by continually sharpening their risk management skills so the business can experiment, adapt to customers’ evolving needs and remain secure.

The cumulative effect of the data breaches that started to become commonplace at the beginning of the last decade has taken a toll both on the cybersecurity community’s confidence in our own abilities to detect and prevent breaches and data loss and on consumers’ overall belief that their private data will remain private. At the same time, because trust matters greatly to consumers, it can also yield extremely positive results.

To leverage the value of trust as a source of goodwill, companies need to adopt a digital trust mindset, invest in system hygiene and commit to a high-performing security function that can provide flexibility in business and protect the products and services that their customers rely on.

Engender Digital Trust in Your Organization

Digital trust can be defined as a measure of confidence in an organization’s ability to protect and secure data, as well as safeguard the privacy of individuals. By aligning privacy controls and privileges around the customer’s data experience, you can leverage your investment in system hygiene to go beyond business continuity and create customer goodwill and peace of mind for the organization. Your customers will have confidence that their data is secure and their privacy is protected, and you will have confidence in your ability to protect their data and minimize the impact of cyber intrusions.

Achieving this requires diligence around system hygiene and an emphasis on identity, authentication, and the granularity of privileges for your workforce and customers. This, in turn, can give you confidence about the activity on your network and make it easier to provide the privacy controls required by regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

In addition to developing trust by emphasizing data security at the systems level, the flexible security organization needs to have a high-caliber team that is continually investing in skills development. To return to the flex defense analogy, Dallas was known for drafting fast, strong and smart players, and for training constantly on the flex. So too should the security function place a high value on learning agility and keeping team members in constant learning mode. While there is no getting around the time investment required for always being in learning mode, the resulting combination of trustworthy systems and finely honed security skills is worth the investment.

Work Backward to Manage Cyber Risk

Finally, as I discussed in an article about diversity of thought in security, we often don’t have enough security personnel to meet all of our security requirements and, therefore, may not be able to promise the needed flexibility in business for our internal customers. We can’t just embed personnel; we need to teach security thinking.

I like an effective and straightforward risk management technique that can be taught through example and used in a wide variety of scenarios. The idea is to visualize the ideal state of control or “security” for a product, service, function or process that we’re implementing. That ideal state would be when security is fully implemented and would represent the fully risk-mitigated state.

While we’re getting to that ideal state, our task is to design and implement compensating and detective controls. Depending on the background of the members of the team, rather than talking about compensating controls, we might ask how we can protect this process in the meantime. Likewise, instead of discussing detective controls, we might challenge the team to come up with ways of determining whether there is a problem we need to respond to.

This technique fosters brainstorming and teamwork by acknowledging an ideal state in the future while keeping the focus on the here and now. It can be applied anywhere, and it can be employed repeatedly as circumstances change.

Foster Innovation and Adaptability Throughout Your Business

By establishing digital trust, we are buying goodwill. By investing in a well-trained security team, we are creating a legion of teachers that can take a simple risk management technique and deliver flexibility in business, so we can innovate and give customers the products they need and want.

So how good was the flex defense? If the New England Patriots, the football team that has dominated the whole 21st century, and possibly the last true American sports dynasty, have one more winning season before experiencing a tie or losing season, it’ll be their 20th in a row and will just tie the Dallas record from 1966 to 1985. The flex defense and its offshoots and imitations were so effective at allowing defenses to dominate football that the only real solution was to alter the playbook to open up the game. Flexibility matters.
