What Infosec Can Learn from Pro Sports

Have you ever given thought to how Information Security (Infosec) teams might benefit from a pro-sports mentality? No, not the mega-wages (though that would be nice), more along the lines of always trying to improve the team’s performance through improved strategy, processes and personnel.

Who can forget the 2002 Oakland Athletics? The A’s general manager, Billy Beane, changed his strategy, processes and personnel in an effort to make the A’s more competitive. Beane hired Peter Brand away from the Cleveland Indians, implemented Brand’s “sabermetric” (measuring in-game activity) means of scouting players, and began assembling players who collectively would give the team the best chance of success over the long term.

Fast forward a couple of years, and we see the Boston Red Sox win the World Series after implementing the Beane/Brand approach. 

The same can be said for other professional sports. The Golden State Warriors (coincidentally located in Oakland) won the NBA championship in 2014-15 and had the league’s MVP on their roster, Stephen Curry II. The team’s roster was deep and strong, yet in 2016 they made a move to become even more competitive and brought in Kevin Durant, a player who was a contender for MVP honors in his own right.

That move caused a member of the championship team to be deleted from the roster, but made the Golden State Warriors even more formidable, as evidenced by their 2017 NBA championship.

Putting the Best Player on the Field

These sports and others draft young talent and trade and haggle over existing talent all the time, all with the goal of putting the best available player on the field or in the game in order to be successful and win. Shouldn’t infosec teams be built with the same mentality?

Job growth continues in the major technological meccas (Seattle, Silicon Valley, Washington DC, New York City, Austin, Raleigh-Durham and Boston) and beyond. Every company has an infosec requirement. Where are they to find their talent?

The National Security Agency and Department of Homeland Security are awarding universities and colleges their National Centers of Academic Excellence in Cyber Defense awards for their work in producing graduates and conducting research in infosec. But talent doesn’t just reside in those institutes which the NSA and DHS recognize; it comes from outside the United States as well.

Some states permit employers to shackle their employees through the use of non-compete clauses; others don’t. In this writer’s humble opinion, non-competes are stifling for all concerned.

Perhaps free agency should be adopted instead of non-compete clauses, and if a company steals away prime talent which is encumbered by a non-compete, then compensation in the next infosec draft should be awarded or a check written to the company losing their talent.

Transparency would benefit the infosec actualizers - those who actually roll up their sleeves and get work accomplished. Their managers and supervisors are like the coaching staff, mentoring and directing – the CSO is the general manager.

The difference is, they too can roll up their sleeves and dig into effecting the solution in infosec, whereas in pro sports, they are relegated to the sidelines.

Absent a national draft for bringing new talent onto infosec teams, and without transparent free agency, we have social networks like LinkedIn, where talent quietly signals they are ready for a change and recruiters act in a sub rosa manner to get key talent into open reqs, resulting in a surprise for the current employer and a windfall for the receiving company.

The opposite is also true. Numerous companies reach out to the headhunters to quietly and confidentially bring forward a slate of candidates to replace executives who might not know they are on the way out the door.

Shifting Focus to Beyond the Goal

But what about the employer? Shouldn’t the employer be working to improve their infosec team every day? Not just waiting for the employees to signal they want a change?

Both need to be satisfied with the employee’s contributions, and if there is an individual who may provide a greater contribution to the infosec team’s success, should the employer be loyal to the employee or drive to enhance the team’s success? 

I posit the latter is where the employer’s focus should be, though emotionally, the former is where many find themselves making decisions.

A national infosec draft day may one day arrive, but the likelihood of free agency evolving to total transparency of infosec talent and their personal employment situation will remain clouded in secrecy.

Employees and employers can engage more transparently, and when employers act to improve their team by bringing in new talent, they can help their departing talent land softly by assisting them in finding a place within another’s team which can make good use of their services.

What is certain is that infosec is a growth sector. Employers can and should constantly be improving the caliber of their infosec teams. And there remains plenty of room in the employment pool for talented individuals to become infosec rock stars. Now who has the first pick in the 2018 infosec draft?