Simply Solving Cyber

Simply Solving Cyber - Jack Thompson

Aaron Pritz
What happens when military intelligence meets professional sports? Our guest, Jack Thompson, Director of InfoSec, Risk, and Compliance at the Indianapolis Colts, brings a unique perspective to cybersecurity in the high-stakes world of professional football. With a career that transitioned from military operations to safeguarding invaluable sports data, Jack's journey underscores the critical importance of Business Continuity Planning (BCP) and Disaster Recovery (DR). We unpack the constant threats to sensitive information like playbooks and scouting reports, and how advanced data analytics are changing the competitive landscape. Jack's experience offers a compelling lens through which we explore historical incidents like Spygate and the ongoing efforts to protect strategic assets.

Ever wondered how cybersecurity fits into the dynamic environment of a sports organization? Tune in as we discuss the pivotal role of leadership support in driving cybersecurity initiatives, particularly from general managers and COOs. Jack sheds light on the unique challenges posed by the ever-changing sports rosters and the necessity of securing transient player accounts and critical playbooks. We also explore the different levels of tech receptiveness among coaching staff and players, emphasizing the art of effective communication to ensure everyone understands the significance of cybersecurity measures.

Disaster recovery isn't just about tech—it's about being prepared for the unexpected. Jack shares practical insights on handling scenarios like facility damage, emphasizing the need for alternative logistical solutions to keep the team functioning smoothly. From ensuring access to essential services like food and medical care to maintaining thorough documentation, Jack highlights the comprehensive nature of disaster planning. We wrap up this insightful episode with some lighthearted personal stories and nostalgic sports memories, bringing warmth and camaraderie to the serious business of cybersecurity. Join us for a captivating discussion that blends professional wisdom with the passion for sports.
Speaker 1:

Thanks for tuning in to Simply Solving Cyber. I'm Aaron Pritz and I'm Cody Rivers, and today we're here with Jack Thompson, director of InfoSec, risk and Compliance at the Indianapolis Colts. Big hand of applause, man.

Speaker 2:

Excellent, go horse. Yeah Well, man, this has been exciting to get you on this podcast man, and we've been chatting for a little bit of time now and been colleagues and friends now for a little over a year when we first met, but it's been a fun journey, so I'm excited to hear this today. We've had some conversation before just chat about it, but I think the big thing today is talking about like BCP and DR and kind of the preparation for incident response, and so I know this is kind of a passion thing for you and a challenge that you've taken on, but really want to hear your thoughts on it and I would say, probably a pretty big obstacle for a lot of companies to see how much do we do, how detailed do we get? What's a good start?

Speaker 1:

Yeah, and maybe before we dive in, I'm personally curious and I know a little bit, but I think our audience would be curious how do you wander through cyber into a professional sports league position with the Colts? So maybe let's start with your journey. And then obviously, BCP is critical for resiliency of a sports organization, but let's start with you.

Speaker 3:

Yeah, absolutely, I think, similar to most of the journey throughout my life, I kind of just stumbled into it. And so I started my career within the military doing military intelligence, transitioning more into the niche cyber threat intelligence, and after I separated from active duty, I saw a job opening for the Indianapolis Colts. Born and raised in Indianapolis, I was like, absolutely, I'm going to throw my name in the hat, see how things go. Turned out to be a good fit. It came from something that happened at another club. That kind of was the catalyst that drove ownership, realizing we need to do something about this. It's a bigger problem. It's going to grow and evolve and we need to try and get ahead of it if we can. So, luckily for me, it worked out.

Speaker 2:

That's excellent.

Speaker 3:

Yeah, yeah. So thank you for having me. I'm excited to talk about business continuity, disaster recovery and everything that that entails, whether it's a professional sports team or a small to medium-sized business, or even a global enterprise. Right, everybody needs to think about, you know, when something hits the fan, what are we going to do, how do we maintain operations, and then how do we recover from it?

Speaker 1:

Yeah well, Lucas Oil has some pretty big fans, if I remember right, like the biggest fans I've seen in my life in the stadium. Like they're pretty impressive. So, you don't want stuff to hit those.

Speaker 3:

Yeah, exactly, it might get all over the rest of the fans. There you go.

Speaker 1:

Well, let's start with what is a disaster. What are the top scenarios? Obviously cyber's in the mix, but what are sports teams most worried about these days?

Speaker 3:

I mean, the ultimate goal within sports is to win right. So when you compete at the highest level and you get to the championship of whatever league, it may be for us, obviously the Super Bowl if something happens and we can't communicate properly, if we can't scout our opponents, if we can't access our playbooks right, we're immediately the underdog. And when you're in the business of winning, that is not a good position to be in. So what are our crown jewels? How do we protect those crown jewels and what do we do if something happens and we can't access them?

Speaker 1:

Well, and speaking of crown jewels, let's talk about Moneyball. Moneyball, obviously, baseball, and my wife always tells me that movie, you know.

Speaker 2:

Brad Pitt.

Speaker 1:

Brad Pitt is always eating like in every shot. But let's not dwell on that. I got a hoagie off to my left here you can't see me because I'm only on a mic. But what is data and how competitive is it beyond maybe the stuff we all know about, like with video recording of plays?

Speaker 3:

Yeah, we've seen an emergence of data analytics within sports, right, and, like you had mentioned, Moneyball, MLB and baseball kind of being one of the pioneers in that space and you know, with that comes the evolution of technology and the evolution of securing that data. And, as they're using it and the NFL is trending that way as well we're looking at what key metrics or indicators can we identify that can give us a leg up right? How can we tell if somebody might get injured? How can we tell that they might be a career player in terms of prospecting? What are some of the nuances around? If a team calls an audible and shifts left or right, you know what is the likelihood of them running this play versus that play.

Speaker 1:

And if you yell Omaha, is that left or right?

Speaker 3:

Oh okay, six on the board, basically, but I think that when we talk about our crown jewels and things like that, there's no such thing as new plays being invented, but how we kind of obfuscate, how we're calling plays right or how we're looking at, what we focus on when we're scouting right those sorts of things that really differentiate us from our opponents.

Speaker 1:

So thinking of like Spygate let's not bring up Deflategate too soon. But then you think about some of the collegiate. I think it was Michigan with the scout that was going around and recording plays, play stealing not only this sport, but definitely in professional and collegiate football it's been prominent. How much do you worry about or get concerned about the cyber side of intelligence when it comes to protecting those secret plays and tactics and recruiting decisions?

Speaker 3:

Yeah, at the end of the day, some are more worrisome than others. I would say part of it boils down to the level, the number of systems accessing the data, the number of users accessing the data, how much we can lock it down. Some of it is what can we try to do in terms of making it so that people don't necessarily realize that that's even what we're talking about, or that's what we're working with. Like a disguised play in baseball, where you've got signals, signals may change.

Speaker 1:

Trigger sign follows.

Speaker 3:

Yeah, I guess more prominently kind of sometimes known as security through obscurity and just hiding things a little bit. But when we talk about how worried we are about other clubs finding that, I mean, that would be the difference in terms of us winning or losing a game. If we talk about them learning, you know, our play sheet or play calls and stuff like that, versus them potentially drafting a prospect, jumping us in the draft and picking somebody who we see that could be a franchise player, right. So when we look at things like that, it is very much a focus on principle of least privilege. Only the people who absolutely need access have access, only the people who are securing it. We can't see the data. We can see the configurations, right, we know how we're securing it, but at the end of the day it's a category of data to us. Well, and if you're willing to video record plays and cheat and deflate balls and cheat and then be on the Patriots...

Speaker 1:

There's probably other forms of this over time. I don't want to signal any logic out, but at what point do you think that somebody could use a cyber intrusion to get the data directly?

Speaker 3:

Yeah, I think that when you talk about intrusions, security incidents, breaches, things like that, it's not if, it's when, right, but at the end of the day, it's also what are they going to do with the data that they steal, right? Yeah, is there a market for that data? Do they have...

Speaker 2:

an Anthony Richardson.

Speaker 3:

Right. I mean, at the end of the day, the X factor. When you have something like him, it doesn't really matter.

Speaker 2:

Yeah, try it.

Speaker 3:

So when we look at what is the probability of something happening, what is the likelihood Right, we also look at what the impact would be, and the impact is, I mean, depending on what it is also depends in this instance on would there be a buyer? I think in some instances there might be, but I think when you look at trying to uphold the integrity of the game, a lot of clubs focus on that. I mean you might have some bad apples over time, holes over time, but on average I think we're doing pretty well in terms of, as far as what we know, people not buying secrets that have been parts of breaches from other clubs.

Speaker 2:

You said something earlier that I want to come back to, and it was getting buy-in or raising the priority with people. And I think you guys are very busy, right? You got summer camp and you got OTAs and everything. And then you got the games and it's like how do you, as a small team for a very reputable brand, get the focus and get the buy-in from other non-Infosec functions at the Colts to say, hey, this is important. And then, beyond that, like how do you say, hey, let's work on these scenarios, talk to us how you get that buy-in.

Speaker 3:

So one of my favorite quotes I'm sure you guys have heard is never let a good crisis go to waste. Right when it doesn't have to happen to you for you to show, basically be able to provide an example of what could be. Jump all over it, because at the end of the day, if they can't see what might happen to us that just happened to our neighbor you got to open your eyes a little bit. But when you talk about how do you get buy-in with everybody else, part of it is timing right. Obviously, like you said, we're really busy.

Speaker 3:

The season is very cyclical, so trying to posture ourselves to have those conversations, to have tabletops, to do the business impact assessments with the various stakeholders, right? Trying to make sure that they have the time on their calendar not just to do that but to actually digest it, to be able to think about it, because if you just find the only available slot in their calendar, they won't have time to do the other things that kind of go along with it for it to be meaningful. And on top of that, when we talk about the other business stakeholders, it's I don't know your data like you know your data. You own it, you know how you use it, you know its value. Great point. So it's really getting them to understand that piece in terms of if it's me and I'm making all the decisions as an InfoSec or IT professional, you're probably not going to like the outcome because I don't have all the contextual awareness that I need that you would be able to provide.

Speaker 1:

One follow-up question on this and it's time to get real and transparent. I'm 6'5", 230, not a laser rocket arm. There's a reason I wasn't in football. I might have been a dork growing up. Cody was pretty cool, he was a running back. Here's a question as a tech professional and not on the athlete side. When you talk about engagement, what's the typical vibe? I'm having flashbacks now to not being good in high school and like, get out of here, dork. So do you get stuffed into lockers? And how is the engagement when you're trying to get hearts and minds in the right lane to help you with this mission?

Speaker 3:

What I will say is there are far fewer lockers openly accessible to be shoved into, so that helps.

Speaker 1:

Yeah, I might have been, but I was six foot five and 180, you know 150 in high school, so I wasn't going in.

Speaker 3:

You know, they see things happening on the news, right, and, for instance, our general manager, he's reached out to our VP and like, hey, this happened, that's pretty cool. What does that mean? Kind of just has his interest piqued and then we use that as an opportunity. We're good here because of this, because of the efforts that we made, because of our relationship with you and you allowing us to meet with the coaches or the players or the athletic training staff. We have this locked down. Or, no, we need to do this because it could be very bad for us. So I say that and the Colts are what I would say the weirdest organization that I've worked for from a leadership hierarchy perspective, with a general manager basically having just as much authority as, say, the COO of the company. Ultimately we have owners who are effectively CEO or sit in those roles, and then you have the general manager and the COO. So having buy-in at the GM level is very much a blessing for us because even if it's just curiosity, asking questions, that's the first step. I mean, if they're just completely disengaged and uninterested, it makes it that much harder. So when they come to you asking questions about, I saw this on the news, that's very reassuring.

Speaker 3:

But I think there's a lot of unique personalities, especially when you have people who play football for a living or coach football for a living. Some of them are, what I'll say, more old school. They don't want to leverage data and the analytics, they want to go with the gut feeling and things like that. So they don't necessarily see the value in technology as much. But then you have others who are like what is, what's the probability of this? And they've kind of learned through exposure that technology can be a boon for them, right. And it's not just this thing, this laptop that they have to turn on, the emails that they have to check, right. So it depends person to person how they receive it, and part of it is understanding and knowing those personalities and just how you engage with them.

Speaker 1:

So we've got to drill on that, personalities. And do you have any stories of like initiatives or challenges that you face that won't get you fired if you share them? Think about all the cyber professionals that listen to this. Do you have any shareable stories that cross sector, if you think about other cyber practitioners in other fields, would kind of relate to or be like, oh, he's dealing with some of the same stuff, or that's an interesting, funny story?

Speaker 3:

Yeah, well, I think, when one of our biggest challenges is, if you think about volatility of rosters, right, sports and just onboarding, offboarding and things like that. Training camp starts in a week or two, right, so we will have up to 90-something people on a roster or something at any given time, and then we have to cut down to 53. So we can have people who are on the roster for a couple hours and then they're off right, so we're looking at what is the best, most efficient way for us to keep these people secure, keep the playbooks secure, create accounts for them and license them. If they're only going to be on for a couple hours, right. That's an administrative nightmare when you start talking about allocating licenses and stuff, but at the end of the day, we're saying that this is some of our crown jewels, right, so we still need to ensure that it's protected.

Speaker 1:

So when the players don't want to hear like Jack is accepting the risk for your lack of training. That's not a good sign from upstairs.

Speaker 2:

No, no, jack has the burner phone.

Speaker 3:

Right, and luckily we're seeing a shift in especially newer players, right, younger ones, and we're seeing colleges adopting SSO and things like that. They come in like, oh yeah, I've already had to do this, so it makes that side easier. But it's some of, you know, the coaching staff or more veteran players who are like, why? And they question why should I care? Why does this matter to me? And it really allows myself, as an InfoSec professional, to showcase why they should care, why it's important, and bring it home for them, and I use a lot of football analogies and I think they like it. I don't know, I'm not going to stop. But you should do women's lacrosse, see how that plays.

Speaker 3:

Yeah, I wish I knew just some references to throw in there as a joke, but I don't.

Speaker 3:

It's cool having some of the conversations, especially growing up where I grew up and being a fan of the club and talking to these people, but also getting to share with them the things that I care about. Making sure everybody understands, hey, security is important. It's not just for me, it's not just for IT, it's for everybody. And not only will it impact you here, but it will impact you in your day-to-day life, right, and this is how. Yeah.

Speaker 2:

So, taking all of that and going back to the BCP and incident response, I think that you've got limited bandwidth, right? Like to your point about being busy, how do you down select? Hey, we're going to prepare for these scenarios. And one thing we see with a lot of clients is like, well, we're good, you know, we got IT, we got DR. But it's like, how do you operate in manual process? And you had the recent healthcare scare they had, you know, or real breach, and there was paper charting going back to it and some of those folks who had not done it before are now trying to figure out paper charting. So how, on the sports side, do you say, hey, look, I've got to pick these one or two scenarios to prepare for and prepare manual processes for an incident response? So talk to us about how you think about that and how you pull those threads and then execute on that.

Speaker 3:

Yeah, exactly, I think you know, when you say pulling the threads, it's spot on, because you have to be able to foster the relationships and be able to communicate with the business stakeholders. You have to have at least a general understanding of how they operate and what's important to them so that you can ask those questions. You can ask the revealing questions on if this data was gone, if you didn't have access to it, how would you operate? If this system was gone, how would you operate and really ask the questions to try and get the gears turning in their mind of I don't know, you haven't had to do that. Would that happen? Can that happen?

Speaker 2:

Yeah.

Speaker 3:

Yeah, and here's an example, right, and that's part of it too, is doing some research yourself to be able to provide relevant examples of, yes, this can absolutely happen to us, because until you can showcase that, people are thinking that, oh, this is just something the IT or the security guy wants to do, when, in actuality, it's not. Not that I don't want to do it. I love BIAs and BCP/DR, but yeah, I mean, it's riveting, sounds like.

Speaker 1:

Stockholm syndrome.

Speaker 3:

As the...

Speaker 1:

Captive falls in love with the captor. Here, we always... a lot of our tabletops

Speaker 2:

sometimes we'll begin with, the first is like, all right, you know, SharePoint's gone, lost that, and they're like, well, all I had was one digital copy of my incident response plan, so now I can't even look at the plan that I was going to look at. So I think some of those things. So then, like, you get it developed and now you're going to do a tabletop, who are you pulling in? Are you pulling in players? Are you pulling in executives?

Speaker 3:

Are you getting Jimmy out of bed? Recently done, pull in, you know, the various department heads, VP levels, C-suite and then direct reports, right, because what we've noticed is the direct reports, they're in the weeds a little more than the VPs, right? So they'll know more of the nuances of the systems and what kind of teams cover exactly what. So bring in all those key players and then walk through, hey, if this happened, what would we do?

Speaker 2:

Yeah.

Speaker 3:

And some people don't even know where to start. They don't know what an SLA is, they don't know what agreements they've necessarily signed, they don't know what systems talk to what. So if something goes down, how that could impact them. And I say that because I do believe that while business continuity is not an IT problem, it is very much so an entire organization or an entire business problem that needs to be addressed.

Speaker 2:

Say it one more time. Yeah, say it louder for the people in the back. There's some facts right there.

Speaker 3:

Yeah, but I do believe there are some departments that are better suited to lead the conversation or own the process, because they may speak the language that is common throughout that process, or they understand the intricacies of interconnected systems and secondary or tertiary effects of certain things, just because they have to deal with it every day. That's not to say that any department couldn't run it. I just think that right off the bat, some could run it a little easier, step into that role a little better, and I think oftentimes that's why we see more IT or InfoSec departments running it. What I would say is, when the pandemic happened, one of the departments our athletic training department did a phenomenal job in terms of doing business continuity around the pandemic disaster recovery, in terms of, okay, now that this is over, how can we begin to transition back to our normal operating model. They did a fantastic job with that.

Speaker 3:

Our physical security team, because when you think about, we have retired police officers and law enforcement individuals on our physical security staff. They deal with that stuff a lot. Like, okay, if this, then what type scenarios, to try and be prepared for everything. So when we start communicating with them, they understand it a little better. And when you're having those conversations, and I'm not going to say you start using some more layman's terms or some more generalized terms instead of specifically technology, but more around business continuity and disaster recovery, to communicate with those people who you know have done this. Then you start getting people chiming in from other departments.

Speaker 3:

Oh, you mean like this or like that. And it's really from my experience, just trying to foster the conversation to begin with, because if you go in there with I like to have scenarios, I like to have injects, I like to make people think, but if you go in there without allowing some freedom of conversation, then you're locking out all the other ideas or questions that people might have and then they may feel like they are not necessarily included as much as you want them to feel included.

Speaker 3:

Because at the end of the day, it is an entire business program that needs everybody's participation to really become as powerful or as effective as it can be.

Speaker 2:

So what I'm thinking of, let's go to incident response and I'll ask the question. I'm going to ask Aaron first and then I'll give you a second to think about it. But when you do these new tabletops and you run through an incident response plan, what is the most common thing you think is left out, that kind of, you see the "oh, crap" moment in the eyes when you're rolling through a plan, because obviously the goal of the tabletop is to run through your plan, not what you think is supposed to happen, but the actual plan written down. So I would say, from your experience in running tabletops, what's a couple of things or one thing that you think is, man, this is very common that people really don't think about?

Speaker 1:

So I've not yet had the chance to do one in sports entertainment. Let's see if we can change that. But I would say just the business inclusion. It's usually early maturity.

Speaker 1:

It's very typical to get all of IT involved or the right leaders from IT and then usually the CFO that maybe IT reports up to, usually legal, privacy. For many companies it stops there and they don't simulate an actual line-of-business area scenario. So, like healthcare, maybe you pick on the EMR, but then two surgery centers that we're going to simulate that they got completely bricked and they need to figure out if surgeries can continue, if they're diverting, if they're canceling surgeries and non-essentials. So that's a healthcare example. I could pick any example, but it's usually like keeping it too close to the show, and then when the crisis happens, inevitably the CEO and everyone's going to be at the table, and those that weren't at the table, that didn't practice, are probably going to be making mistakes that they could have gotten better through rehearsal or practice. So I would say, or guess, and Jack, I'm interested to turn it to you, is inclusion and breadth one of the biggest challenges?

Speaker 3:

Yeah, I would agree, because people don't realize what they can contribute to the conversation because, again, they historically have thought of it as an IT problem. Oh, IT will fix it. Or all of our systems are in the cloud, wherever that is, or something like that.

Speaker 1:

I mean, look at Ascension Health. Healthcare not too far from here, Midwest-based, I think, here in Indianapolis. They still have some systems that are down. Last I checked with a buddy that works in a lower level in finance, there are still some systems you can't use. So I think it's examples like that to turn that right back to say, no, this exercise is assuming they're completely incapacitated and they're going to be busy focusing on restoration. You got the literal and proverbial ball.

Speaker 3:

Yeah, and what we've tried to do is to not just focus on a technology problem as well, because if you start with a technology problem, then oftentimes like, oh, once you fix your stuff then we're good. Okay, but there's a water main break and we can't access our facilities. Either it does fry some of our servers or it ruins some of the football equipment. How do we replace these things? You know, if we can't practice there, where do we go to practice? Do we need additional lodging because it's too far away for them to commute from their homes? Do we need to prep getting food? And you know our nutritional staff. Where are we going to put athletic training to deal with injuries if we're practicing? Is that down? Do they have a backup?

Speaker 1:

So just a micro example of, I don't know if that person would be at the table helping with that. You can't test every business process at once, but what I've seen is let's pick the most critical first and then rotate through them, and as you do it, every year or quarter or whatever the cadence is, everyone gets a turn at some point. It's just not all at once.

Speaker 3:

Yeah, and the other piece to that is you may know it, but is it documented? And nobody likes documentation. I don't like documentation, but you're not going to be there forever. And just because you know and there's tribal knowledge of how things operate doesn't mean that somebody new that's coming in or somebody following behind you will just know it, right, or...

Speaker 2:

you're on vacation.

Speaker 3:

Or you're on vacation, right, and you don't want to be bothered on vacation. Who wants to be bothered on vacation? Not me. So we look at, is it documented? Can we reference it? And then, on top of that, if there is a technology problem, we can't access our file shares, the cloud. Do we have a physical copy of it? Who has a physical copy of it? So you start looking at considerations like that. But I mean, that's a good point. Do we have things like player allergies documented somewhere where, if we lost access to a system, we would be able to easily reference it? Because that could become really bad really fast.

Speaker 1:

Right, or who needs an EpiPen, or like backup medical care that players may not be taking care of if they've got somebody normally taking care of it for them. We got time for one last question. We usually try to keep it fun and on a light note, so do you have an interesting Jack story, a fun fact or something that listeners or even your friends or your mom may not know about you, that you could share? Live for the first time without thinking of it?

Speaker 2:

This is a safe space.

Speaker 3:

Yes, so my mom definitely knows this because she was there during many times when it happened. And continuing with the football theme, so when I used to play football, you know, when I was in elementary school and middle school, I'm double jointed in both my arms, so when I would get tackled I would jump up and I would act like I broke my arm and the refs would freak out because we're in youth football and they're just like, oh, what's happening?

Speaker 1:

Like, somebody... Nobody can see this, but I just have to, like, play by play. Jack just reached his arms up and both of his elbow joints went inverted, and I could only imagine those refs and parents being like, ah.

Speaker 2:

It's almost like a free timeout. Man. You're like you guys need timeout. Hold on a second.

Speaker 3:

Oh, my bad, I forgot.

Speaker 1:

Somebody pop these back for me, yeah.

Speaker 3:

So I mean you get up, you're in full pads, you get tapped and you come up, you're just like oh my gosh. And then you know everybody freaks out for a minute and then you just laugh and run away.

Speaker 2:

He's probably the most efficient person to put on a sports coat, because I feel like if I could do that and put a sports coat on, I could probably put it on with lightning speed.

Speaker 1:

There you go.

Speaker 3:

It was a lot of fun. Probably some of my earliest sports and specifically football memories. Nice memories.

Speaker 1:

So well, thanks for sharing, thanks for stopping in and recording an episode with us.

Speaker 2:

Have a great rest of the day and go Colts, go Colts. Yes, sir, thank you sir.
