
Lessons on Proactive Incident Management From… the Packers?

October 10, 2018

Leaving it to chance isn’t a best practice

Information security and professional football don’t appear to have much in common. Fantasy football and information security probably have more in common but still, it’s not a lot. 

We are weeks into the NFL season and so far, my fantasy team is very average. I am not complaining, because I took some risks this year. The biggest was opting to deal with the auto-assigned picks of players that made up my team after missing the live draft. One of the greatest challenges this season is determining which players I need to replace and who to start each week. Right off the bat, I was set back, as three picks turned out to be suspended or injured. The other challenge is adjusting for week 8, when half of my team is on their bye week.

Long story short, my fantasy team is kind of a mess. 

I started working on this blog while watching my beloved Green Bay Packers take a hard loss to Washington in week three. During the game, I started to think how everything regarding my fantasy team was left to chance. Soon enough, I began making comparisons between football and incident management, including the work that should go into preparation for an incident.   

Incident Management Strategy – In many organizations, this is the most overlooked step. We tend to see less mature organizations skip it completely or simply neglect to document the long-term strategy for incident management. That is unfortunate, because a documented strategy provides an opportunity to track and highlight progress over the years. It also gives the incident management function a way to engage other business units before an incident forces the conversation. Some of the items to consider in the strategy are:

  • How do other business units within an organization interface with the incident management team?  
  • What is the maturity level for the tools deployed? 
  • What types of KPIs are being tracked and how often is the data compiled? 
  • What are the incident management program drivers and business requirements? 

You will not find any professional football team without a strategy. They typically have it planned out three to five years ahead and are continuously adjusting it to meet the improvements needed for next season.

Incident Management Plan – This is where most organizations begin their Incident Response (IR) efforts, hopefully well before an incident. The typical first-level effort is to search online for an IR plan template and quickly modify it to suit their specific needs. At first, this sounds like a quick and easy win. However, customizing the plan properly often means hours and resources spent meeting with other departments, documenting decisions, and potentially navigating internal political obstacles. The plan is going to be your key resource when responding to an incident, and a hastily developed plan can have disastrous consequences. Some considerations for your plan:

  • Who are your subject matter experts in the organization? 
  • Who is part of the call tree and how do you contact them? 
  • At what point do you engage a third-party organization, and who is authorized to make that decision? 
  • Where will the plan be stored, how often is it updated, and who is the ultimate owner? 

Incident Management Tabletop Exercise – This is exactly what it sounds like. The participants in a tabletop include your technical resources and often executive leadership, legal, human resources and other business partners. You want the right mix of individuals to respond to the scenario your team is being tested on. For example, if the scenario includes an insider threat, you will definitely want human resources to be involved. It is recommended that teams conduct a tabletop at least twice per year to keep improving their response efforts. It is just as important to have at least one of those tabletops facilitated by an external party with IR experience, which can help uncover blind spots the team is not aware of.

In football terms, I believe preseason games most closely align with tabletops. The team is there to test its players, the playbooks it has developed, and to fine-tune its plan for the season. In football, we know when the season is going to kick off, whereas in incident management we never know when the incident is going to happen. But we know it will happen at some point.

My middling fantasy football team will adjust. I’ll take stock each week of the options I have with my players, craft a game plan based on my opponent, and execute my strategy using the tools at my disposal. But just like in security, preparation can only get one so far. 

Chance is always a factor. But ask any winning organization what their secret to success is and they won’t tell you “we just got lucky.” Preparation, planning, execution, and knowing what your team can do matters as much in football as it does in security as it does in life. 


By: Jeff Wichman

Managing Security Consultant, Enterprise Incident Management
