The suspense for the 2024 Formula One (F1) season is palpable. As we move from a weekly to daily countdown to the start of the action, fans are already deep in speculation about which teams will come out on top. Those who follow the sport know that success requires much more than just a talented driver.
Just like businesses, today’s F1 teams rely on fast and effective data analytics to help them gain a competitive edge, with data engineers monitoring for risks and opportunities in real time. C-suite leaders – especially those looking after cyber security – are tasked with the responsibility of assessing and managing risks across their organisations. The potential for a security incident to derail success sits heavily on a CISO’s shoulders, just like a wrong decision can derail an F1 team’s performance.
The many variables of ‘optimal’
Managing risk and performance in a constantly changing set of conditions is an environment many cybersecurity leaders recognise. In F1, teams arrive at each track during the season with tailored plans, built with the track layout, race length and climate in mind. But these plans are then adjusted throughout the weekend for changing weather, tyre selection, track condition, car condition, fuel, and weight. Every practice, qualifying and race session throughout each weekend is different because of these variables and so the team continuously measures each of them using precision sensors, and adjusts the tuning of the car through micro changes, tweaking things such as downforce to ensure they can hit optimal performance. In addition to their own and environmental variables, the team also makes strategy decisions based on the actions of other teams and drivers, with the ultimate goal of completing the race distance in the shortest time. F1 is without doubt the best example of a data-driven sport.
Cybersecurity practitioners face a very similar challenge with a constant series of variables impacting our security posture. Consider the simple transaction of an employee connecting to a cloud application. This single action has at least seven variables that need to be considered before the request can be deemed secure, and access reasonably granted. These variables include identity, device, location, activity, application or service, instance of application or service and data type. The challenge in designing policy for risk management becomes evident when you recognise that every ‘user connecting to cloud app’ transaction potentially requires very different security and performance decisions based on these variables. There are strong parallels to F1 (and not just in our terminology: session, speed, risk factors, threats) as we look to ensure our employees can access essential services in the shortest time possible without completely cutting the brake lines.
Ensuring the right amount of friction
Much like a team principal in F1, the CISO will make the important decisions to ensure the correct amount of friction is applied to enable employees to work securely. Too much friction and the employee will struggle to keep up with their daily tasks and complain of a poor or frustrating experience. Their eyes will be diverted to watch other teams who can perform faster with less friction. Not enough friction and it’s likely they will encounter an incident (/tyre wall) that ultimately ruins everyone’s weekend. So how do you manage this?
The answer is through continuous assessment of these variables. For example, tools like a modern SASE (Secure Access Service Edge) platform combine analytics telemetry, much like that on an F1 team’s pit wall. This information can not only be presented to the employee but also to the network and security operations team and CISO. Outlier variables impacting performance or security can be discovered early and mitigated before they become a bigger problem, and policies and routing can be adjusted to maintain optimal performance. This is done through dynamic policies that determine the composite score of these risk variables and set actions (Allow, Block, Alert, Coach/Educate, Redirect).
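As an added illustration (not from the article or from any vendor's product), the Python below scores one 'user connecting to cloud app' transaction across the seven variables and maps the composite score to one of the five actions. The variable values, weights and thresholds are constructed assumptions chosen only to show how the same transaction type can end in different decisions.

```python
from dataclasses import dataclass

# Constructed risk weights per variable value (0 = trusted, higher = riskier).
# A real platform derives these from telemetry; these numbers are assumptions.
RISK = {
    "identity":  {"mfa_verified": 0, "password_only": 15, "unknown": 40},
    "device":    {"managed": 0, "unmanaged": 20},
    "location":  {"office": 0, "home": 5, "unusual_country": 25},
    "activity":  {"view": 0, "download": 10, "upload": 15, "share_external": 25},
    "app":       {"sanctioned": 0, "unsanctioned": 20},
    "instance":  {"corporate": 0, "personal": 15},
    "data_type": {"public": 0, "internal": 10, "confidential": 30},
}
UNKNOWN_VALUE_RISK = 40  # a value missing from the tables fails closed

@dataclass(frozen=True)
class Transaction:
    identity: str
    device: str
    location: str
    activity: str
    app: str
    instance: str
    data_type: str

def composite_score(tx: Transaction) -> int:
    """Sum the risk contribution of all seven variables."""
    return sum(table.get(getattr(tx, variable), UNKNOWN_VALUE_RISK)
               for variable, table in RISK.items())

def decide(tx: Transaction) -> str:
    """Map one transaction to one of the five actions named in the article."""
    score = composite_score(tx)
    if score >= 70:
        return "Block"
    # Sanctioned app but personal instance: steer the user to the corporate one.
    if tx.app == "sanctioned" and tx.instance == "personal":
        return "Redirect"
    if score >= 40:
        return "Coach"
    if score >= 20:
        return "Alert"
    return "Allow"

if __name__ == "__main__":
    tx = Transaction("mfa_verified", "unmanaged", "home", "download",
                     "sanctioned", "corporate", "internal")
    print(composite_score(tx), decide(tx))
```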
Fastest lap
The goal in F1 is of course to win races that lead to a championship trophy (and pay day), which means not only achieving the fastest lap of a single race but performing consistently throughout the race, and throughout the season. The same can be said in cybersecurity. Just ensuring a single employee, or app, or office gets a good experience is not the same as the whole organisation consistently receiving a good experience… and doing so without taking unacceptable risks.
In cybersecurity, we have the luxury of being able to tweak the race circuit as well as the car; for example removing chicanes or ‘hairpin bends’ from the network (often found in legacy technology architectures where data is sent via illogical routes through VPNs, back hauling or split tunnelling). With the average organisation still using multiple policy enforcement points for security, it’s similar to creating multiple chicanes slowing traffic down. A SASE architecture provides a single point of policy enforcement, removing unnecessary pit stops and slow sections from the track. We also have the opportunity to steal the concept of the F1 Drag Reduction Systems (DRS), allowing employees to get extra speed by using cloud peering (optimised network connections direct from the security architecture to important apps like Microsoft 365) to enable fast access to services through the same SASE platform.
As one F1 team CISO said to me the other day: “Everything I do has to contribute to the team goal of winning the championship. Whether that means making sure I just don’t slow employees down in their important work, or protecting our IP from the competition… our work is inseparable from the championship effort”. CISOs in other types of business might be operating in a less single-minded environment but it serves us all to keep in mind the contribution we make to the wider organisation goals through our work. When you see the lights go out on the 3rd March, remember you’re watching an expert demonstration in continuous adaptation to risk – there are lessons here for us all!
Neil Thacker is Chief Information Security Officer EMEA at Netskope
Neil holds over 25 years of experience within the information security industry, currently serving as EMEA CISO for Netskope. He has been recognised by his peers as a leader in the industry including being selected in the CSO30 for 2022, shortlisted for an unsung hero award (CISO Supremo category) and awarded MVP in consecutive years (2021 & 2022) by his Netskope peers.
Neil is advisory board member to the Cloud Security Alliance (CSA) and former advisor to ENISA EU agency for Cybersecurity. Neil is also co-founder and board member to the Security Advisor Alliance (SAA), a non-profit organization focused on promoting the industry to the next generation and ensuring that students, teachers, and schools have the resources and mentorship necessary to foster the cybersecurity professionals of the future.
Neil is CISSP, CIPP/E and CEH certified and is a frequent speaker and author on cyber security, data protection and privacy-related topics.