theNet by CLOUDFLARE

A CISO’s guide to building a proactive cyber security culture

Like half of other Americans, I played competitive sports in high school and college. Basketball, softball, soccer, golf — you name it, I tried it. I never tried going pro, but my love of the game eventually brought me to the digital sports company, Fanatics.

Fanatics is in a period of expansion and hyper-growth. While we’re best known for selling licensed sports fan gear, our mission is broader: To become the leading global digital sports platform. For example, we offer a marketplace for trading cards and memorabilia and are building the largest network of in-person fan events. We are also expanding our online sports betting and real-money wagering (for which I oversee infosecurity programs).

Constant innovation means staying ready to respond to new threats. Sports fans are increasingly targeted by cybercriminals, and 70% of sporting organizations are hit by at least one attack annually.

However, technology alone won’t safeguard the business. Everyone from manufacturing to app development must practice good cyber hygiene and help keep the organization safe.

In other words, strong cyber security is a team sport. Here are three key ways I work to successfully get buy-in across the organization.


Start with a “yes” mindset

Hall of Fame baseball manager Tommy Lasorda once said, “In baseball and in business, there are three types of people. Those who make it happen, those who watch it happen, and those who wonder what happened.” As a leader, I’m here to make my organization’s success and security happen.

I won’t sit on the sidelines, responding reactively to threats while Fanatics proactively expands our business.

Proactively contributing to the company’s success starts with having a “yes” mindset. Security professionals are often viewed as secretive friction points — we’re the people who say “no” with minimal explanation. When juggling multiple projects, it’s easier to tell others, “No, use what you already have. We don’t have enough resources to do what you’re asking.” Unfortunately, getting told “no” is a big reason why shadow IT — and increasingly shadow APIs and shadow AI — are rampant across many organizations. Being told “no” is also why other teams can be less inclined to collaborate proactively with security.

A “yes” mindset, however, helps move cyber security from being seen as a cost center to a growth enabler.

Here are a few ways my team puts this into practice:

1) We assume positive intent. When someone wants to try something different, it’s important to assume good intentions and to meet them where they are. For instance, imagine a scenario where an app development team repeatedly delays fixing security vulnerabilities, citing tight deadlines and resource constraints:

  • Without assuming positive intent, an infosec team believes that the developers are careless about security. They elect to escalate to leadership right away — without first attempting to resolve the issue collaboratively.

  • When assuming positive intent instead, the infosec team believes that the developers are genuinely prioritizing business needs and want to balance security with their deliverables. We approach the development team with a conversation like, “We understand it’s critical you meet your deadlines. Let’s collaborate to address the security vulnerabilities in ways that won’t compromise your timelines.”

The second approach fosters collaboration and trust — while leading to a solution that meets both security and business objectives.

At the end of the day, it comes down to understanding people: What is it they can and cannot do with their current technologies? Can cyber security accelerate their work? Will we count all the ways something new could go wrong, or will we jump in excitedly to make a first-of-its-kind immersive sports fan festival secure?

2) We welcome feedback and criticism. If Simone Biles thinks her coaches are key to reaching her full potential, the rest of us can use some feedback, too! This includes listening with an open mind to others’ complaints. If you want cyber security initiatives to be acknowledged by more people, then acknowledge their feedback. You’ll learn something useful about others’ areas of expertise — and maybe even about yourself.

3) We work to deeply understand the business’ strategy. If you want the overall organization to take security seriously, show how seriously you take the company’s financial priorities. I stay alert to what’s on the horizon for product, sales, engineering, development, and other divisions. When Fanatics began planning to launch sports betting services following the acquisition of PointsBet’s US business, I quickly became familiar with the business and compliance implications, and pivoted my team’s focus accordingly.


Fuel trust through transparency

To instill the importance of cyber safe practices, it’s important to be transparent about cyber vulnerabilities and strengths. The concept of “security through obscurity” — relying on keeping vulnerabilities and the details of security mechanisms secret — is not new. However, I believe many security leaders tend to take this too far, especially when it comes to internal communication.

Let’s take the threat of DDoS attacks, which are ever-present but might peak during major promotions or sporting events. I don’t expect other teams to know the difference between an HTTP POST flood and an HTTP GET flood attack, but I find it important to educate them on major trends: Do attacks tend to happen at certain times of the year? Where do they originate? Are they coming from competitors or criminals? Which services are being targeted? How many attacks did we stop?

Data and transparency help foster cross-functional support for our cyber security investments (which include Cloudflare’s advanced DDoS protection, bot management, load balancing, and other application services). Regular metrics-backed communication also reinforces how security fuels the company’s growth.
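One way to produce that kind of metrics-backed update is to aggregate raw mitigation events into the questions listed above (when, where from, what was hit, how many were stopped) and collapse technical vectors into plain-language categories before sharing them. The script below is an added example and is not code from the article, Fanatics or Cloudflare; the event schema, the field names, the vector labels and the sample events are all constructed for illustration, and a real feed (for instance a DDoS vendor’s event export) would first have to be mapped onto these fields.

```python
"""Turn raw DDoS mitigation events into plain-language trend metrics that a
security team can share with non-technical stakeholders.

Added illustration, not code from the article or from Fanatics/Cloudflare.
The Event schema, the vector names and SAMPLE_EVENTS are constructed for the
example; map a real event export onto these fields before using it.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    started: datetime       # when mitigation began (UTC)
    vector: str             # technical vector, e.g. "http_get_flood" (assumed labels)
    source_country: str     # dominant source country (ISO code)
    target: str             # hostname or service under attack
    peak_rps: int           # peak requests (or packets) per second observed
    mitigated: bool         # absorbed without customer-visible impact


# Plain-language grouping: a GET flood and a POST flood both become
# "web traffic flood" so the audience does not need the distinction.
PLAIN_LABEL = {
    "http_get_flood": "web traffic flood",
    "http_post_flood": "web traffic flood",
    "syn_flood": "network flood",
    "udp_amplification": "network flood",
    "dns_query_flood": "DNS flood",
}


def quarter(ts: datetime) -> str:
    """Bucket a timestamp into a calendar quarter label such as 2024-Q4."""
    return f"{ts.year}-Q{(ts.month - 1) // 3 + 1}"


def summarize(events: list[Event]) -> dict:
    """Aggregate events into: when, where from, what was hit, how many stopped."""
    by_quarter = Counter(quarter(e.started) for e in events)
    by_country = Counter(e.source_country for e in events)
    by_target = Counter(e.target for e in events)
    by_kind = Counter(PLAIN_LABEL.get(e.vector, "other") for e in events)
    peak_by_target: dict[str, int] = defaultdict(int)
    for e in events:
        peak_by_target[e.target] = max(peak_by_target[e.target], e.peak_rps)
    stopped = sum(1 for e in events if e.mitigated)
    return {
        "total": len(events),
        "stopped": stopped,
        "stop_rate": round(stopped / len(events), 3) if events else 0.0,
        "by_quarter": dict(by_quarter),
        "by_country": by_country.most_common(3),   # top 3 source countries
        "by_target": by_target.most_common(3),     # top 3 targeted services
        "by_kind": dict(by_kind),
        "peak_rps_by_target": dict(peak_by_target),
    }


def briefing(summary: dict) -> str:
    """Render the summary as a few lines suitable for a leadership update."""
    lines = [
        f"{summary['stopped']} of {summary['total']} attacks absorbed "
        f"({summary['stop_rate']:.0%})",
        "Busiest quarter: " + max(summary["by_quarter"], key=summary["by_quarter"].get),
        "Top sources: " + ", ".join(f"{c} ({n})" for c, n in summary["by_country"]),
        "Most targeted: " + ", ".join(f"{t} ({n})" for t, n in summary["by_target"]),
    ]
    return "\n".join(lines)


# Constructed sample events (not real data). The Q4 cluster around a sales
# promotion is the kind of seasonal pattern worth reporting.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 2, 14, 5), "http_get_flood", "US", "shop.example", 42_000, True),
    Event(datetime(2024, 6, 18, 9, 30), "syn_flood", "BR", "api.example", 310_000, True),
    Event(datetime(2024, 11, 29, 16, 10), "http_post_flood", "US", "shop.example", 88_000, True),
    Event(datetime(2024, 11, 29, 18, 45), "http_get_flood", "CN", "shop.example", 120_000, True),
    Event(datetime(2024, 12, 2, 1, 15), "udp_amplification", "RU", "shop.example", 500_000, False),
    Event(datetime(2024, 12, 2, 2, 0), "dns_query_flood", "CN", "api.example", 75_000, True),
]

if __name__ == "__main__":
    print(briefing(summarize(SAMPLE_EVENTS)))
```

The `PLAIN_LABEL` map is the deliberate design choice here: the technical vector stays in the data for the security team, but the briefing only ever shows the category, so the same pipeline serves both the engineers and the promotions team without two reports.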

It’s natural in work environments for people to care only about things directly related to their job. The team in charge of Cyber Monday promotions may not care about our security vendors, but they care deeply about website performance and sales. If they understand the link between my role (to defend our digital footprint) and theirs (to reach online customers), then they’re likely to embrace secure practices.


Commit to inclusion — and being yourself

The global cyber security talent shortage is so severe that Gartner predicts by 2025, “lack of talent or human failure will be responsible for over half of significant cyber incidents.”

While there are numerous reasons for the shortage, to attract more hires, we must do more to welcome diverse, non-traditional talent. As the ISC2 notes in the 2024 Cyber security Workforce Study, “With the growing talent gap, cyber teams must look to all backgrounds to fill gaps.”

I’m very vocal with our recruiters about maintaining a strong pipeline of diverse candidates. Everyone deserves a fair chance based on their skills, not their degree. For example, I am a big advocate for campus recruiting at a wide variety of colleges and universities.

Whenever I can, I also make myself available for external recruiting events, mentoring new grads, and encouraging other women to consider a career in sports technology. For example, attending the Grace Hopper Celebration was an inspiring experience, particularly due to the diverse talent represented. It was remarkable to hear so many stories from attendees who entered the tech field from non-technical backgrounds. A common thread in their journeys was the presence of an advocate — someone who saw their potential, encouraged them to explore technology and provided support. These advocates played a pivotal role in helping individuals transition into tech, often at various stages of their careers, proving that passion and determination can lead to success at any age.

Beyond diversifying the candidate pool, you must also retain talent once they’re hired. Several studies have shown that authenticity and authentic leadership are linked to greater job satisfaction and reduced turnover. Unfortunately, more than one-third (36%) of women in the cyber security industry still feel that they cannot be authentic at work.

I try to encourage others to show who they truly are by:

  • Genuinely sharing my whole personality

  • Staying curious and asking many, many questions

  • Making space to unpack our highs and lows

  • Asking for uncensored feedback

  • Consistently highlighting others’ accomplishments

No one should feel uncomfortable being themselves at work. That’s why it’s so important to bring my honest, whole self to work every day.


Proactive cyber security starts at the top

Staying authentic, keeping a “yes” mindset, and maintaining transparency have helped foster the strong relationships I have with our CFO, CTO, and other executives across Fanatics. Our organization is fortunate to have so many leaders who see the value of security.

This top-down culture of cyber security is more crucial than ever. For example, as all industries enter a new era of both AI-driven customer experiences and AI-generated threats, the key to getting it “right” will be tight policy and technology alignment.

Ultimately, when an organization operates securely with less internal friction, everyone is freer to focus on the core business. Who wouldn’t be a fan of that?

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Dive deeper into this topic.

Learn about managing the industry’s top cyber security risks in Cyber security best practices for online gaming and gaming companies.

Author

Ami Dave
CISO, Fanatics


Key takeaways

After reading this article, you will be able to understand:

  • Cyber security attack trends in digital sports apps and online betting

  • 3 recommendations for nurturing a culture of proactive cyber security

  • Positioning the security function as a business enabler


