The world of professional sport holds unique cybersecurity challenges. Alongside dealing with general network threats like data breaches and ransomware attacks, sporting organizers are tasked with ensuring operational resiliency of live events across multiple jurisdictions and locations – these events face a growing range of disruptive cyber threats.

Kam Karaji, director of cybersecurity and risk management at the National Football League (NFL), is responsible for safeguarding the league’s international operations outside the US, ensuring the security of high-profile events and sensitive data across complex environments.

Infosecurity spoke to Karaji about how he manages this significant challenge, including the importance of planning and collaboration with external stakeholders.

Karaji also discussed his transition from working as a police officer in the UK to becoming a cybersecurity leader, and the significant value that individuals from other industries offer cyber teams.

Infosecurity Magazine: What are the main challenges for global organizations in operating an effective cybersecurity strategy across multiple jurisdictions and locations?

Kam Karaji: One of the things that we need to have more emphasis on is the variance in legal regulatory compliance obligations. We need to make sure that they are looked at in fragments. For example, with data, does it come under General Data Protection Regulation (GDPR), Digital Operational Resilience Act (DORA) or California Consumer Privacy Rights Act (CPRA)?

What we’ve tried to do is build a program and vary it with a cultural output, for example countries like Germany, China, Singapore, Australia will each have a risk associated from a jurisdiction perspective.

We create small fragment segments for us to work. This gives us an opportunity to consolidate the technology stack.

If we’ve a big Microsoft or AWS client then we need to use the same technology, rather than find another vendor. But we get those companies to support us. We create a project and say this is what the NFL wants to do.

The consolidation of technology helps our fragmentation and segmentation and does all that policing for us to an extent.

IM: What are your key recommendations to security teams for overcoming such challenges?

KK: Use standardized frameworks. We have a bunch of frameworks available from a cybersecurity perspective – the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Center for Internet Security (CIS) Controls, ISO 27001.

All those frameworks have a core set of controls and principles that we need to follow. If there’s a one pane of glass, we can ensure we abide by certain elements in these frameworks. This means we’ll still abide by a control that may be different in its terminology, but it’s the same thing.

This creates a federated security governance, so one pane of glass. This means if anyone asks us to put in proactive threat management intelligence, we can make sure that it covers NIST, CIS IG3 and 27001 requirements.

As well as looking at this from a governance perspective, we also have to look at it from a reactive basis.

Invest in playbooks and make sure the playbooks that you have cover all, if not most incident scenarios. Then back them up by ensuring they work using tabletop exercises.

Use tabletop exercises with injects all the way through to say we’re playing in X country now. These are the playbooks that are in our bank, and these are tabletops that we’re going to do to test those playbooks.

IM: What are the key approaches to ensuring operational resiliency and effective incident response during live matches?

KK: In the run up to a game, it’s very important to set key escalation protocols from the beginning. We also make sure we have a collaborative cohesive team that’s not just from the NFL, but from our vendors, law enforcement and local intelligence partners as well.

Image credit: Ringo Chiu / Shutterstock.com

We do something called a pregame intelligence, which starts from five to six days in advance of every game. All hands are on call and we look at things like dark web chatter, bot activity and venue spoofing.

We also make sure that there is an area where we can share intelligence with all common partners. What that does is not just bring intelligence from an NFL perspective, but from a government perspective as well.

For example, if the UK’s National Cyber Security Centre (NCSC) spots something, they can make us aware of it, and we can try and act upon that.

The second part of that is creating a cyber-physical fusion center. This looks after not only cyber but physical control issues and intelligence as well. We have an individual dedicated per game to passing over intelligence from a SOC perspective, and people from NFL’s physical security, law enforcement and the stadium security.

If anything were to happen, then we’ve got clear escalation channels.

IM: What transferable skills have you taken from serving as a Police Officer into your role as a cybersecurity professional and leader?

KK: In the police, we always were told about the threat assessment piece, the mindset of criminal activity. The modus operandi of any crime is a purpose. If someone steals something then that person has permanently deprived you of something that belongs to you. If we were to think about threats in that kind of mindset to say ‘this is what the threat looks like, what is the aim of that threat.’

The mindset is that they will permanently deprive you of something. It’s like spotting a pattern and pre-empting patterns and what the output may look like with the same lens.

The second part is command and coordination. I used to lead a firearms unit; it was a very hostile and rapidly evolving cycle, a very difficult place to be in. But you have to remain calm.

If you become the boy who cries wolf every time you see something, you might do yourself a disservice because you will never get the collaboration you want. I think remaining calm is a big thing.

To illustrate that situation awareness, I often put up a picture of ‘Where’s Wally’ to the team, and whenever I put that screen on, everyone stays silent looking for Wally. But as a former police officer, I’m not looking for Wally. There’s always a Wally in that picture, but I look at everything away from Wally. I look at things that are going on around like someone getting assaulted, a theft, a burglary. There are all these other things going on in that same picture, but we’re very focused on just finding Wally.

Having that situation awareness helps you broaden your horizons, broaden your view and allows you to gather a lot more intelligence.

IM: What advice do you have for people who are considering transitioning into cybersecurity from a different industry?

KK: I would say that there is always a skill in every walk of life that’s going to be relevant to cyber. If you’re a teacher, you’re good at communicating; if you’re in retail, you’re used to dealing with people and selling something to them. Cyber needs these types of skills.

I think the other part is we’re in a really weird place within cyber where everyone wants to get qualifications.

We have found ourselves in a difficult place because establishments are telling you that you need a CISSP, CISM, CompTIA etc. But without those required qualifications, individuals may not be able to push forward, and they need a chance to be mentored or shadowed.

Your soft skills will help complement whichever team you are part of. I think even CISOs these days still have imposter syndrome. By the same token we need to embrace the people that are coming into this industry from outside. They’ve got so many important soft skills and we don’t make use of them.

IM: How can organizations help integrate and upskill entry-level staff and career changers into cybersecurity teams?

KK: I think most organizations have a mentorship program. But what we don’t have enough of is an inclusive pipeline, which gives you a spidergram on where you can go to.

For example, if you’re a finance manager and are interested in cyber, there’s no cross-pollination of activity, skills and expertise that help do that.

At the NFL, I use a cross-skill rotation where we have individuals in other fields that come and let you be part of their activities for a bit.

We had a finance manager who wanted to shadow cyber and she really added value. We were holding a resiliency workshop and looking at how, if you had a ransomware incident in a particular area, you’ll stop the business. But she brought a financial spin on it – every minute the business stops it will cost X amount. All of a sudden, we gathered a person from a different background who added value to our business continuity plans, situational awareness and strategic resilience.

It’s about embracing the skills that we currently have and fostering a collaborative approach. It’s not just about defending systems, it’s about people and defending people.

IM: What are your biggest concerns in cybersecurity today?

KK: We’re seeing more and more deepfakes. Every time there’s an announcement of some sort, where we use our commissioner or a senior figure in the business to take part in a particular conversation or an output that we want to do, we’ve seen deepfakes come more and more into it.

Another thing is burnout. The amount of information we hold, looking at screens day in, day out, and working ridiculous hours when an incident happens, you can get burned out.

You can have all the tools in the world, but those tools still need someone to press the button or ask them to do something. You’re not software, you’re not a program, you’re not a service. You’re a person.

I think the last part is an erosion of trust. We find ourselves as “receptive advisors” – people come to us and ask, ‘can you help us, can you give us the right advice?’

But if your advice is not coming from good sources, individuals still feel pressurized to give that information out without having the right context. I think there is a real danger that there is misinformation in our world of cyber. We have to be clear about where we get our evidence from and how we apply that to businesses.

IM: What are your biggest successes in cybersecurity today?

KK: Collaborative ecosystems, being collaborative with our shareholders, the business and third-party vendors. Those third-party vendors play a big part in delivery and output, so it’s important to bring them into the fold and help them be part of that journey. Don’t work in silos.

Another thing is having a very purpose driven leadership, embracing what we want to do. We need to get the right message and make sure that people follow those steps. We need to create a security culture and that culture is only going to be started by you as a leader and people following what you tell them is the right thing to do.

IM: If you could give one piece of advice to fellow CISOs, what would it be?

KK: Lead with empathy, operate with clarity and never forget the job that we want to do is enable and not just to protect.

If we lead with empathy and clarity, then people understand that you’re a voice of reason and trust.

I also say that your heart plays a massive part in your decision making and don’t take that away to become a robot. It is there to help guide you.

Header image credit: Joseph Hendrickson / Shutterstock.com