Sunday, September 28, 2008

What can the Minnesota Vikings teach us about Information Security?

Since I grew up in Minnesota, I am honor bound to love and root for the Minnesota Vikings. Anyone that grew up here and doesn't root for the Vikings is a traitor. I know some of them, and even though I love them, I believe they should turn themselves in and accept their punishment.

We Vikings fans are used to disappointment, and I was certainly disappointed after today's game with the Tennessee Titans. However, it got me to thinking about football and what the Minnesota Vikings can teach us about information security.

Now anyone that has read this blog with any regularity knows that I enjoy comparing information security with other disciplines. I also have a few good sports metaphors and I think this is a good place to unveil them. In information security, I view passwords, patching, and policies as the building blocks of any good program. You could compare these skills to blocking, running, and passing in football. What makes these building blocks important is that no matter what kind of awesome plays you put together, they will fail if you don't have these building blocks in place. One of the lessons that we can learn from the Minnesota Vikings is that even if your running and blocking are in good shape, you will fail to win games without a passing game.

Another lesson that we can learn from the Vikings comes from play calling. Our enemies are constantly changing tactics. So even if you've got your fundamentals down, you will fail to win games if you keep calling the same three plays over and over again. You have to keep studying the tactics used by your enemies and figure out how you're going to defend against new threats.

Another lesson we can learn from the Vikings is from the fan response. Sure, we all love the Vikes, and we want them to do well. But if they start to play poorly, we'll trash them and call for the firing of the coach and the benching of the quarterback. Not everyone will agree that these are good moves, but the fans want to see some heads roll.

This leads to another observation. In the end your fans want good things for you. If you can give them even a glimmer of hope that you're getting the job done then they will cheer for you up on the mountaintops.

Football has a million statistics to help measure the performance of teams relative to each other. Information security needs to do that also. Just sayin'...

All this has led me to believe that we should have something similar to an offensive and defensive coordinator. The offensive coordinator would try to develop new ways to attack threats before they can affect the organization, and the defensive coordinator would develop the plans for responding to the bad things that still manage to happen.
