This past weekend was the Superbowl (yeah suck it NFL, I am using the word), and of course you get all the people who are not into sports with their meme’s and complaints about so much talk on sportsball. Hold on a moment though, there are similarities between our world of infosec and the world of sports, and I do not mean poker, chess or any of the other things along those lines. I mean the big name sports.
Back in the 90’s I was a coach for youth football. It was a volunteer position, and I enjoyed it. In fact, I have always enjoyed sports, but recently I started to wonder if there were lessons I could learn from understanding sports, that could be applied to the world of infosec. The answer is yes. Lets take a look at the “Big 4”, football, baseball, basketball and hockey, and how they can relate to the world of infosec.
The big 4 sports are all strategy based. Some, like baseball, are more individual compared to team based. I am not saying there is not a team aspect to baseball, but it is not as important in the overall strategy. The thing with all of them is you watch, you record stats, you analyze, you make a plan and then you adjust on the fly(if your coaching staff is any good). Baseball is a slower paced game, hockey and basketball are constant motion, and football is in between. Hockey and Basketball really can represent a full on attack with an active defense. The constant motion means everything is constantly changing. No break. Thin of this like dealing with an ongoing incident. Baseball, with its much slower pace is more along the lines of setting up new policies, procedures and technology. You have time, you can look at things and make a long term decision. Football I see as more the day to day type activities, but does encompass both the speed at times of baseball and of Hockey/basketball. I think it also has the most to teach us.
Football, at least at the college and pro levels, works like this. You have an opponent that you are facing. Over the past week you have watched film on them, devised a plan to stop them when they are on offense, and break through their defense, or in our terms blue and red team. When on defense you have to get everything right to stop them. The smallest mistake and they advance (or score). When on offense you only need to find the one weakness in the defense. When the play is actually going, it is fast paced, decisions have to be made split second. Take a wrong angle, you miss stopping them. Slip and they get past you. In between plays you get a chance to set up for the next attack. this setup is usually based on tendencies discovered between watching film of prior games the opponent has played, and statistics available, or in our world going through logs and stats and doing research. Conversely, when on offense the use the same research or OSINT to find the holes on defense and exploit them. During the course of the game it has to be agile and fast responses. Without that agility they get pwned er scored on.
So what can we learn from all of this? First, our world is not much different than the world of sports. Our ball (or puck) is data, our goal (basket, base) are locations (servers, folders, shares). Studying how the coaches come up with their plans in sports may give us better ideas on how to plan out our world, red and blue team. How they have learned to make fast adjustments is a skill we can learn. How they innovate can give us insight in how we can do that better.
This is just a small look, a quick overview of the similarities. Just a thought I had while watching the Superbowl this weekend, and something I am continuing to look at. Our world gets stagnant and we need to find other ways and angles to look at it otherwise we are sunk. This is just one idea.