Do sports metaphors work for cybersecurity practices? Consider whether we can steal a best practice from hockey…
As a lifelong and avid Washington Capitals fan, I took great delight watching the final game of the Stanley Cup playoffs. The Caps opponent, the Vegas Golden Knights, were down 3-2 with two minutes left. Desperate to tie the score, the Knights employed a common but controversial strategy: they pulled their goalie in order to add an additional offensive player. With this new advantage, the Knights barraged the Caps with shots, instantly changing the momentum in their favor. They overwhelmingly controlled the puck, leaving the Caps unable to take advantage of the empty net on the other end of the ice. After a furious rally (which nearly gave me a heart attack), the Knights came up empty handed and the buzzer sounded as the Caps won. Although the bold strategy failed this time, the Knights were able to immediately change the tone of the game in their favor and improve their chances of winning.
Researchers pored over the data to determine whether pulling the goalie is a favorable strategy. The consensus of experts indicates that pulling the goalie is a statistically sound method of increasing a team’s chances of winning (see articles listed in appendix below). Most studies go a step further and suggest an optimal point at which to employ the strategy. Although articles on the subject disagree on the right time or scenario, all agree that goalies should be pulled earlier than is the usual practice, and some as early as 10 minutes left in the game (Asness and Brown, 2018). This begs the question, “Why aren’t hockey coaches pulling their goalies earlier in the game?” It seems reasonable to suggest most coaches in the NHL agree with the studies, yet they seem reluctant to apply the overwhelmingly consistent conclusions to maximize their chances of winning.
What does this have to do with cybersecurity? Cyber leaders, like hockey head coaches, are constantly trying to understand their assets and leverage advantages to maximize their chances of winning. Other similarities include having limited resources, playing in a dynamic environment, and the fact that strategy adjustments may be the difference between winning or losing. What if a cyber leader were able to redeploy resources to another more strategically important area of the business? Sounds compelling, but something is missing. Data.
If reliable data were available to a cybersecurity leader that proved cyber investments were more valuable in one area of the company versus another, it would enable them to make sound, justifiable decisions. They could use the data to communicate internally and build consensus. They could justify increased investment and create a plan for optimal investments best supporting the company’s risk appetite. If cyber leaders had access to this intelligence, they would be able to “pull the goalie” at the optimal time.
Circling back to hockey, we still haven’t answered the question, “why don’t hockey coaches pull the goalie earlier?” In sports, providing high levels of entertainment value and a general perception of being a strong leader may save a coach’s job, even if the coach chooses not to maximize the odds of his team winning the game (Asness and Brown, 2018). Fortunately, these competing dynamics do not exist in business. Business is all about the bottom line. Informing strategic decisions through data, not through emotion or entertainment, is all that matters. Cyber leaders can’t afford the same luxuries as hockey coaches. If they want to be successful, they put aside biases and rally the troops around the option that gives their team the best chance of winning.
In summary, cyber leaders can take two actions to improve their risk management programs:
- Get the data. By quantifying cyber risk in business terms (dollars and cents), cyber leaders are able to make strategic decisions with confidence. They gain a real time understanding of their risk posture and can create an optimal plan for success.
- Pull the goalie! Armed with the right plan and able to justify their strategic decisions to key stakeholders, they can build consensus and implement the plan. In other words, they can pull the goalie!
If you’d like to learn more about pulling the goalie and the empirical research behind this blog, check out the following resources:
Asness, Clifford and Brown, Aaron. “Pulling the Goalie: Hockey and Investment Implications.” https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3132563
Beaudoin, David and Swartz, Tim B. “Strategies for Pulling the Goalie in Hockey.” White paper.
Erkut, E. “Note: More on Morrison and Wheat’s ‘Pulling the Goalie Revisited’.” Interfaces, Vol. 17 No. 5, pp. 121-123, 1987.
Morrison, Donald G. and Wheat, Rita D. “Misapplications Reviews: Pulling the Goalie Revisited.” Interfaces, Vol. 16, No. 6, Nov-Dec 1986, pp. 28-34.
Nydick, Robert L. Jr. and Weiss, Howard J. “More on Erkut’s “More on Morrison and Wheat’s ‘Pulling the Goalie Revisited’.” Interfaces, Vol. 19 No. 5 Sept-Oct 1989, pp. 45-48.
Washburn, Alan. “Still More on Pulling the Goalie.” Interfaces, Vol. 21 No. 2 March-Apr 1991, pp. 59-64.
Zaman, Zia. “Coach Markov Pulls Goalie.” Chance, Vol. 14, No. 2, 2001, pp. 31-35.