The New England Patriots just won their sixth Super Bowl. It was the lowest-scoring Super Bowl in history: the fewest combined points, the lowest-scoring first half in 44 years (3 points), the longest stretch without a touchdown, and certainly not a very exciting one. Defenses prevailed in this historic matchup. The Patriots' defense was outstanding from start to finish, never allowing the Rams' high-powered offense to even enter the red zone.
Just like in football, a company's security posture is best managed with a strong defense. Good coaching, studying the opponent's offensive strategies and understanding their attack patterns will result in a winning game plan. In security terms, you build that game plan by knowing your critical assets, threat modeling early in design, and understanding who your likely attackers are and what motivates them. Once you have your game plan, you need to execute. In football that means fundamentals: blocking and tackling on every play. In software it means static analysis on every code commit and build, composition analysis of every third-party dependency you ship, and dynamic testing of the components you actually deploy. Football is a team sport, and security is everybody's business, from developers and engineers to security, audit and risk teams, all the way to the C-Suite. Scrimmage with penetration tests and red-team exercises, and never let go of good practices and fundamentals. Play like a winning Super Bowl team every day.
As Coach Belichick would surely say, “Do Your Job.”
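To make the "execute on every play" point above concrete, here is a small Python build gate written for this post as an added example; it is not the author's tooling or any vendor's product. It merges findings from the static (SAST), composition (SCA) and dynamic (DAST) stages of a pipeline and fails the build against a per-stage policy. The report schema, severity labels, thresholds, waiver format, dates and sample findings are all assumptions constructed for illustration.

```python
"""Security gate for a CI/CD pipeline: one policy over SAST, SCA and DAST findings.

Added example for this post, not the author's tooling. Scanner report schema,
severity labels, per-stage thresholds, waivers and sample findings are all
assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed policy: the lowest severity that blocks the build, per stage.
# SAST and SCA run on every commit/build; DAST runs against the deployed
# component, so a higher bar keeps a staging scan from stalling delivery.
POLICY = {"sast": "high", "sca": "high", "dast": "critical"}


@dataclass(frozen=True)
class Finding:
    stage: str      # "sast", "sca" or "dast"
    rule: str       # scanner rule id or advisory id
    severity: str   # normalised to a key of SEVERITY_RANK
    location: str   # file:line, package@version or URL


@dataclass(frozen=True)
class Waiver:
    """Accepted-risk exception; it stops suppressing the finding after `expires`."""
    stage: str
    rule: str
    location: str
    expires: date


def parse_report(stage: str, report: dict) -> list[Finding]:
    """Normalise one scanner's report (assumed shape: {"results": [...]}) into Findings.

    Severity labels are lower-cased; an unknown label is treated as "high" so a
    new or misspelled label from a scanner never slips past the gate silently.
    """
    findings = []
    for item in report.get("results", []):
        severity = str(item.get("severity", "")).lower()
        if severity not in SEVERITY_RANK:
            severity = "high"
        findings.append(Finding(stage, item["rule"], severity, item.get("location", "")))
    return findings


def is_waived(finding: Finding, waivers: list[Waiver], today: date) -> bool:
    return any(
        w.stage == finding.stage and w.rule == finding.rule
        and w.location == finding.location and today <= w.expires
        for w in waivers
    )


def evaluate(findings, policy=POLICY, waivers=(), today=None):
    """Return (passed, blocking) for the merged findings of one build."""
    today = today or date.today()
    blocking = []
    for f in findings:
        # A stage the policy does not know about blocks on any finding at all.
        threshold = SEVERITY_RANK[policy.get(f.stage, "low")]
        if SEVERITY_RANK[f.severity] >= threshold and not is_waived(f, list(waivers), today):
            blocking.append(f)
    return (not blocking, blocking)


# Constructed sample reports, as three scanners might emit them for one build.
SAST_REPORT = {"results": [
    {"rule": "sql-injection", "severity": "high", "location": "app/orders.py:88"},
    {"rule": "weak-hash", "severity": "medium", "location": "app/auth.py:12"},
]}
SCA_REPORT = {"results": [
    {"rule": "vulnerable-dependency", "severity": "critical", "location": "examplelib@1.2.3"},
]}
DAST_REPORT = {"results": [
    {"rule": "missing-security-headers", "severity": "medium", "location": "https://staging.example.test/"},
    {"rule": "reflected-xss", "severity": "HIGH", "location": "https://staging.example.test/search"},
]}

# Constructed waiver: the vulnerable dependency is accepted until the patch ships.
SAMPLE_WAIVERS = [Waiver("sca", "vulnerable-dependency", "examplelib@1.2.3", date(2019, 3, 1))]


def run_gate(today_iso: str, policy=POLICY):
    """Merge the sample reports and evaluate them as of the given ISO date."""
    findings = (parse_report("sast", SAST_REPORT)
                + parse_report("sca", SCA_REPORT)
                + parse_report("dast", DAST_REPORT))
    return evaluate(findings, policy, SAMPLE_WAIVERS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for day in ("2019-02-04", "2019-03-02"):
        passed, blocking = run_gate(day)
        print(day, "PASS" if passed else "FAIL",
              [f"{f.stage}:{f.rule}@{f.location}" for f in blocking])
```

Three design choices carry the "never let go of fundamentals" idea: a severity label the gate does not recognise is escalated rather than ignored, a stage the policy does not know about blocks on everything, and every waiver carries an expiry date so an accepted risk cannot quietly become permanent.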
PS: If you haven't seen it yet, be sure to watch my latest webinar “Getting Started with DevSecOps.” In it I outline how to seamlessly automate and orchestrate security across the entire SDLC; the foundation of DevSecOps, and the application development and deployment processes; and how to remove the cultural differences between DevOps and SecOps teams to make way for collaboration.