This book was so good that I bought a physical copy. The Audible version wasn’t cutting it for all the bookmarks and notes I wanted to take while reading. I believe the book has a little bit of everything, from his struggles early on and how he built a team, to the burnout he felt at the end of his career. There are three topics I’ll discuss; if I didn’t leave it at that, I would probably end up writing a book myself about Walsh’s book.
“The score will take care of itself.” Much can be learned from this and applied to security. In football, there’s a heavy focus on the scoreboard; people want to know who won and who lost. This, to many, is the most critical aspect of a football game, but not for Walsh. For him, it was the execution of the play. Did the wide receiver run the proper pattern at the correct distance and speed? Did the linemen move and block the right way to give their quarterback the maximum amount of time? If the play was executed to perfection, this gave the highest probability of success. He said that there are always variables that can prevent a play from being successful, and that’s OK, as long as the team executed it to perfection and gave themselves the highest chance of success.
In security, I see people worry about the score; only it’s not a score but an audit. Security teams will not focus on making sure the execution of the process is done correctly but will execute in such a way as to satisfy the audit. For example, this could be the deployment of an EDR (Endpoint Detection & Response) platform. Yes, you might say it’s deployed and get the green check or audit approval, but is it deployed 100%? Is it configured to ensure maximum protection? Is it tuned to produce only high-fidelity alerts? All these questions are about the perfection of executing the deployment of EDR and, if done correctly, will give you the highest probability of detecting something malicious in the environment. If you do good security, the audit will take care of itself.
“The west coast offense” I knew Bill Walsh was the creator of this methodology. It focused on short passes, higher pass completion, and stretching out the defense horizontally instead of vertically. I didn’t know that this new type of offense was created out of necessity since his quarterback couldn’t throw a deep ball (a common characteristic of any good quarterback at the time) and he had a smaller physical team overall. Walsh knew if he tried to physically outplay and throw a deeper ball than the other team, he would never win. So, this methodology was created to maximize the current team’s skill set instead of making it into something it was not. Other teams at first mocked him, saying his methodology was not football, but in later years, many teams mimicked it, not because they had the same struggles, but because they wanted the same success.
Security departments, I feel, do something similar to what most football teams do: mimic one another instead of assessing the skills, people, and organization to maximize the potential. Tools and methodologies are just acquired, and there’s hope that they will make the organization more protected. I think it’s essential to assess your employees’ skills and abilities (this means you have a working knowledge of security). If the team members have a passion for EDR, have them focus on it. Make your organization’s EDR the best in your industry. Be proud and show all the things you accomplished with it. Maybe the other technologies don’t get as much attention; I think that’s OK. I also think it’s about working with what you have. Perhaps you don’t have a security budget for a fancy SIEM; you can still do deception where the cost is minimal. An organization that is heavily invested in maturing a deception program could be very problematic for even the most skilled attacker.
“Avoid the destructive temptation to define yourself as a person by the won-lost record” This quote and thought process is something I was struggling with at this very moment. The book talks about Cedrick Hardman, a talented defensive end who led the team with the most sacks for eight straight years. In the first two seasons of Bill Walsh’s coaching, the team had only won 4 games. Walsh recounted how this appeared to weigh on Hardman so much that his attitude and performance changed; Hardman could no longer see how things would get better. In essence, his value was tied to how the team was doing. The team was losing, he was losing. Walsh describes another player, Ronnie Lott. Lott was known for his hard-hitting tackles on the field, but he was somebody that strived to make the most out of himself, not the team. Walsh described him as somebody who “demanded maximum effort and effective execution from himself at all times and refused to quit until it was achieved. Since he never felt it was totally and completely achieved, he never quit.” Lott pushed himself, which encouraged others to do the same; he became a leader to others.
Hearing this story of Hardman and Lott made me realize how the successes and failures of the organization affect me directly. When incident response is botched or mishandled and causes more damage to the organization, I take it personally. My level of expectation of the team is on the same level as my expectations of myself, and it can be very demoralizing and frustrating when I don’t see similar effort. I realize I need to be more like Lott. Push myself to be better, grow, and develop even if maybe the team is “losing.” This is a new mindset for me because I want the organization to win. Still, maybe the best way for the organization to succeed is to set goals and expectations for myself, and if others follow in my footsteps, great, but how the organization does doesn’t define me as a person.
I don’t know if this book was ever on The New York Times’ best-seller list or if it’s a staple in leadership reading material, but reading this book was inspiring. This book helped me change how I perceived work, and when a book does that, it’s a good book. It’s nice to know that there are leaders like Walsh who lead by example, understanding the role they play and all functions of everybody on the football field. Every moment in Walsh’s life seemed to be dedicated to excellence, and it’s hard not to try to incorporate some of that into your own.
Editor: Emily Domedion