On Wednesday, November 15th, I participated in a roundtable on cybersecurity and sports. The event moderator, pictured with me above, was Matt Bigge. I’ve known Matt for many years; he was even featured in one of my books. Matt is also a Verodin investor and Partner at Crosslink Capital.
The roundtable discussion revolved around a new report titled: “The Cybersecurity of Olympic Sports.” This report was put together by the UC Berkeley Center for Long-Term Cybersecurity (CLTC).
It is axiomatic that cyber threats and sports intersect just like cyber threats and virtually any business intersect. But while cybersecurity is often discussed in relation to financial services, critical infrastructure, the federal government, healthcare and the like, sports doesn’t get nearly as much attention.
The CLTC report does an excellent job highlighting threats related to the prevalence of digital technologies in sports. From hacking scoring systems, video replay, and athlete care to panic-inducing hacks and hacks to facilitate terrorism or kidnapping, the risks are very real. This is especially true of cyberattacks that impact the physical world.
Many of the security controls used to protect systems associated with sports are the same as those used to protect banks, hospitals, and retailers. Because the protections are similar, they also share the same shortcomings.
Dollars invested in security, plus effort, don’t yield security effectiveness. Organizations are spending a huge amount of time and money on security solutions that they simply aren’t getting value from.
They are basing their security on assumptions. The assumption that the firewall or the endpoint security control is blocking attacks. The assumption that the intrusion prevention system is detecting attacks. And the assumption that events will be collected, correlated and alerted on and that the security team and processes will work effectively and efficiently. Security and assumptions don’t mix. Organizations need to know continuously what’s working and what’s not.
In sports, as in any business, security validation is essential. If you buy something, you want to be sure it does what it is supposed to do. You probably wouldn’t buy a car that only turns left.
You want to make sure that your security controls continue to deliver value over time and don’t fail because of defensive regression. You would probably return a car that started shutting off when it rains.
When it comes to complex security controls, if something isn’t working, you don’t just want to identify that it isn’t working. You want prescriptive details on tuning that security control so you can make the adjustment and re-validate that the tuning worked before an attacker takes advantage.
This is where solutions like the Verodin Security Instrumentation Platform (SIP) come in. SIP allows you to automatically and continuously measure, manage and prescriptively improve your security effectiveness across people, process, and technology with evidence-based results.
More simply, SIP helps you get the value you expected out of the security investments you’ve made or are looking to make.