Welcome to the latest edition of “When Experts Meet Experts,” where we’ve transformed our ArmourTalks podcast into this informative article. In this debut episode, we feature Tony Smith, the Regional Vice President for Southeast Asia at WithSecure.

Tony is a cybersecurity evangelist, having extensive years of experience in this industry. He’s been in the United Kingdom and is now based in Singapore. In this discussion, he collaborates with our Head of Business, Janica, to explore the fascinating link between cybersecurity principles and the world of sports. 

So, let’s jump right into this intriguing conversation!

Sports and Cybersecurity

Could you share with us what has sports taught you about the industry you’re specialised in? In this case, Cybersecurity. 

To underline the synergy between these seemingly distinct worlds, I delivered a conference talk in Australia at the beginning of the year, titled “Cybersecurity Principles Translated into Sport.” The key takeaway from this talk was the remarkable relatability between the two domains.

One of the most compelling parallels that I drew is the concept of incident response. In the realm of cybersecurity, when facing a cyberattack or incident, a robust incident response is imperative. Surprisingly, many organisations fall short in this aspect, failing to rehearse their processes and procedures for major cyber incidents. This lack of practice is akin to neglecting a “cyber fire drill.” The lesson here is that, just as in any sphere of life, practice makes perfect.

Regularly practising these procedures is vital to ensure efficient and effective handling of significant cyber incidents. This principle resonates profoundly in the world of sports. An illustrative example comes from the legendary South African golfer, Gary Player, who was known for his relentless practice. He once recounted an incident where, while practising from a bunker, a passerby commented on his luck in sinking shots. The player’s response, “The more I practise, the luckier I get,” vividly captures the importance of consistent practice and continual improvement.

Another area of convergence between cybersecurity and sports lies in Managed Detection and Response. In cybersecurity, assembling a team with the right skills is paramount. Teams often employ layered structures where experienced members, typically level three analysts, handle the most complex cases, leaving junior resources to address high-volume, lower-level incidents. This strategy ensures that the most senior resources are involved in only a few high-impact cases each year.

Drawing a parallel to the world of sports, it becomes evident that star athletes like Lionel Messi, Cristiano Ronaldo, or LeBron James are never benched for an entire season, only to be brought out for a championship game. These athletes are continually engaged in matches to stay match-fit, sharp, and prepared for high-pressure situations. In cybersecurity, similarly, it’s essential to have the entire team ready to perform at their best during a “Cyber event,” which is when an organisation faces the most significant pressure and requires the entire team to be operating at its peak.

In conclusion, the connection between sports and cybersecurity, although unconventional, yields valuable lessons and insights. The intersection of these two worlds underscores the importance of practice, preparation, and consistent performance in both domains. These lessons serve as a reminder that valuable insights can be found in unexpected places, enriching our understanding and approach in our respective fields.

“Putting” it Together

Just as a golfer needs precision when putting, how does attention to detail play a role in your cybersecurity approach? Could you share an example of how a small security measure would make a significant impact?

In both sports and cybersecurity, the concept of “controlling the controllable” has taught me valuable lessons. This phrase, frequently heard in the world of sports, emphasises the need to focus on the aspects that are within our control to minimise risks. The same principle applies to cybersecurity, where concentrating on the factors that are manageable has shown me how to reduce the risks faced by an organisation.

In the context of sports, I’ve learned that every team can only control certain facets of the game, such as the position of the ball in ball sports like rugby, football, or basketball. Possessing the ball equates to having control over the game, and determining the direction of play. Similarly, in cybersecurity, an example of a controllable factor is the configuration of systems and organisational setups.

When I examine cloud security, I find that a significant number of security breaches result from misconfigurations. Depending on the source, misconfigurations can contribute to a substantial percentage of all cloud security incidents, ranging from 40% to 70%. This range, although varying, underscores the importance of addressing misconfigurations as they are factors within our control.

The crucial aspect of “controlling the controllable” has shown me the preventable nature of misconfigurations. Just as one would not send a goalkeeper up the field in a soccer game, leaving the goal unattended, organisations should focus on addressing and preventing misconfigurations. While it’s true that there are instances in sports where a team may go all out in the last minutes of a game to secure a goal, it’s a risky move, akin to exposing vulnerabilities resulting from misconfigurations.

In cybersecurity, these misconfigurations are within our reach, and we have the capability to rectify and prevent them. Therefore, it’s imperative not to give potential adversaries an opportunity to exploit vulnerabilities, making configuration a vital component of any robust security strategy.

In conclusion, the principle of “controlling the controllable” has shown me how to apply it to both sports and cybersecurity. Focusing on manageable factors, such as addressing misconfigurations, is a pivotal element of a strong security strategy. By paying close attention to configuration, organisations can significantly enhance their security posture and reduce risks, as I’ve learned through my experiences.

“Caddy” of Guidance

Golfers rely on caddies for guidance. How do you view the role of expertise, advice, and collaboration in the cybersecurity environment? What would be your thoughts on collaboration with external expertise to enhance one’s defensive strategies?

When I consider the role of caddies in golf, it becomes apparent that they serve as both an assistant and a guide, offering invaluable data to the golfer. This dynamic is built on a foundation of trust, and it’s interesting to note that while caddies and golfers may change over time, many professional golfers opt to stick with the same caddy for extended periods due to the trust that develops between them.

In the cybersecurity industry, trust is a fundamental concept, and it’s crucial to address the industry’s somewhat tarnished reputation. The use of grand marketing slogans and unrealistic guarantees has contributed to this perception. Trust is at the heart of what we do in cybersecurity.

It’s important to acknowledge that no single organisation possesses a one-size-fits-all solution to every cybersecurity challenge. Instead, we encourage organisations to consider a mix of solutions, whether they be tools or services, to effectively defend against the ever-evolving threat landscape.

So, the question we should ask ourselves is, “Who is our cybersecurity ‘caddy’? Who can we trust and build a strong relationship with?”

In the cybersecurity industry, we operate in what’s often referred to as the “trust economy.” Trust from our customers is paramount to delivering the best outcomes for them. While we believe we have strong solutions and partnerships, it’s essential to recognise that building trust takes time and effort.

However, our business, much like yours, is built on research, and we are committed to offering our expertise to the industry to raise the bar and share valuable knowledge. Amidst the cacophony of marketing noise, reliable sources of information and trust are the keys to achieving the right outcomes.

Our focus is on outcomes and results, not just metrics and technical features. We aim to understand what we can effectively prevent, what the impacts of a breach may be, and how we can mitigate those risks. Ultimately, it all comes down to partnership, and as a side note, we have introduced a service at WithSecure called “co-monitoring.”

This service is grounded in the principle of partnership between our customers, ourselves, and partners like ArmourZero. It represents our commitment to fostering collaboration and trust to enhance industry standards and deliver the right cybersecurity outcomes.

“18-Hole” Security Strategy

Golf consists of 18 holes. How do you approach cyber security as a continuous journey rather than a one-time effort? Could you elaborate on how an organisation’s long-term security strategy aligns with the notion of an ’18-hole’ approach?

In professional golf, a tournament typically involves playing 72 holes over four rounds on a golf course filled with various obstacles. You encounter sand, water, trees, and tight fairways, all while navigating tricky greens with slopes and undulations. Many factors come into play when approaching a golf course, much like the multifaceted challenges in cybersecurity.

I once heard a golf professional say, “I can’t win this tournament on Day 1, but I sure could lose it.” What he meant is that winning a competition doesn’t hinge on scoring a hole-in-one, although it’s a great achievement. I’ve never had a hole-in-one myself, but it’s about being consistent throughout the tournament or, in cybersecurity, along the journey.

A poor start in either field can set you back and make you chase the game, struggling to catch up. That’s why there’s no single big fix for cybersecurity. It’s a continuous journey, not a silver bullet. Instead, it’s about doing many small things exceptionally well and making incremental improvements along the way.

There’s a sports principle called “marginal gains,” emphasising continuous improvement through small, 1-percent improvements. These little gains add up to something significant. It’s akin to the famous UK supermarket slogan, “Every little helps.” The same concept applies to cybersecurity.

Every small improvement contributes to better security. Doing the basics well lays a strong foundation, and there are plenty of free resources and advice available to help with these fundamentals. National cyber agencies, like those in Singapore, the UK, and the USA, offer valuable resources and guidance, and similar resources are available throughout Southeast Asia.

Tony’s Top Tip

It involves a series of little things, like the marginal gains we discussed earlier. Look around the market, seek views and opinions from peers in your industry, and learn from their challenges and solutions. Find out why they work with specific partners and trust particular solutions. Most importantly, ask about the outcomes they achieve.

Don’t be swayed by marketing hype – focus on results. Selecting the right cybersecurity partner is akin to forming a world-class sports team. You need a wide range of skills, and sometimes, it’s necessary to explore beyond the familiar options. Research is crucial.

However, it all boils down to putting partnership and trust first. When you prioritise these principles, you get the best out of your solutions and service providers. Trusting them allows them to deliver the best experience, just as you expect. So, my top tip is all about collaboration and focusing on the right partnerships in the world of cybersecurity.