August 1, 2024 • 28 mins
What happens when military intelligence meets professional sports? Our guest, Jack Thompson, Director of InfoSec, Risk, and Compliance at the Indianapolis Colts, brings a unique perspective to cybersecurity in the high-stakes world of professional football. With a career that transitioned from military operations to safeguarding invaluable sports data, Jack's journey underscores the critical importance of Business Continuity Planning (BCP) and Disaster Recovery (DR). We unpack the constant threats to sensitive information like playbooks and scouting reports, and how advanced data analytics are changing the competitive landscape. Jack's experience offers a compelling lens through which we explore historical incidents like Spygate and the ongoing efforts to protect strategic assets.
Ever wondered how cybersecurity fits into the dynamic environment of a sports organization? Tune in as we discuss the pivotal role of leadership support in driving cybersecurity initiatives, particularly from general managers and COOs. Jack sheds light on the unique challenges posed by the ever-changing sports rosters and the necessity of securing transient player accounts and critical playbooks. We also explore the different levels of tech receptiveness among coaching staff and players, emphasizing the art of effective communication to ensure everyone understands the significance of cybersecurity measures.
Disaster recovery isn't just about tech—it's about being prepared for the unexpected. Jack shares practical insights on handling scenarios like facility damage, emphasizing the need for alternative logistical solutions to keep the team functioning smoothly. From ensuring access to essential services like food and medical care to maintaining thorough documentation, Jack highlights the comprehensive nature of disaster planning. We wrap up this insightful episode with some lighthearted personal stories and nostalgic sports memories, bringing warmth and camaraderie to the serious business of cybersecurity. Join us for a captivating discussion that blends professional wisdom with the passion for sports.
Ever wondered how cybersecurity fits into the dynamic environment of a sports organization? Tune in as we discuss the pivotal role of leadership support in driving cybersecurity initiatives, particularly from general managers and COOs. Jack sheds light on the unique challenges posed by the ever-changing sports rosters and the necessity of securing transient player accounts and critical playbooks. We also explore the different levels of tech receptiveness among coaching staff and players, emphasizing the art of effective communication to ensure everyone understands the significance of cybersecurity measures.
Disaster recovery isn't just about tech—it's about being prepared for the unexpected. Jack shares practical insights on handling scenarios like facility damage, emphasizing the need for alternative logistical solutions to keep the team functioning smoothly. From ensuring access to essential services like food and medical care to maintaining thorough documentation, Jack highlights the comprehensive nature of disaster planning. We wrap up this insightful episode with some lighthearted personal stories and nostalgic sports memories, bringing warmth and camaraderie to the serious business of cybersecurity. Join us for a captivating discussion that blends professional wisdom with the passion for sports.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:07):
Thanks for tuning in to Simply Solving Cyber.
I'm Aaron Pritz and I'm CodyRivers, and today we're here
with Jack Thompson, director ofInfoSec, risk and Compliance at
the Indianapolis Colts.
Big hand of applause, man.
Speaker 2 (00:18):
Excellent, go horse.
Yeah Well, man, this has beenexciting to get you on this
podcast man, and we've beenchatting for a little bit of
time now and been colleagues andfriends now for a little over a
year when we first met, butit's been a fun journey, so I'm
excited to hear this today.
We've had some conversationbefore just chat about it, but I
think the big thing today istalking about like BCP and DR
(00:39):
and kind of the preparation forincident response, and so I know
this is kind of a passion thingfor you and a challenge that
you've taken on, but really wantto hear your thoughts on it and
I would say, probably a prettybig obstacle for a lot of
companies to see how much do wedo, how detailed do we get?
What's a good start?
Speaker 1 (00:57):
Yeah, and maybe before we dive in, I'm
personally curious and I know alittle bit, but I think our
audience would be curious how doyou wander through cyber into a
professional sports leagueposition with the Colts?
So maybe let's start with yourjourney.
And then obviously, bcp iscritical for resiliency of a
sports organization, but let'sstart with you.
Speaker 3 (01:18):
Yeah, absolutely, I think, similar to most of the
journey throughout my life.
I kind of just stumbled into it.
Similar to most of the journeythroughout my life.
I kind of just stumbled into it.
And so I started my careerwithin the military doing
military intelligence,transitioning more into the
niche cyber threat intelligence,and after I separated from
active duty, I saw a job openingfor the Indianapolis Colts.
Born and raised in Indianapolis, I was like, absolutely, I'm
(01:42):
going to throw my name in thehat, see how things go.
Turned out to be a good fit.
It came from something thathappened at another club.
That kind of was the catalystthat drove ownership, realizing
we need to do something aboutthis.
It's a bigger problem.
It's going to grow and evolveand we need to try and get ahead
of it if we can.
So, luckily for me, it workedout.
Speaker 2 (02:03):
That's excellent.
Speaker 3 (02:06):
Yeah, yeah.
So thank you for having me.
I'm excited to talk aboutbusiness continuity, disaster
recovery and everything thatthat entails, whether it's a
professional sports team or asmall to medium-sized business,
or even a global enterprise.
Right, everybody needs to thinkabout, you know, when something
hits the fan, what are we goingto do, how do we maintain
operations, and then how do werecover from?
Speaker 1 (02:26):
it.
Yeah well, Lucas Oil has somepretty big fans, if I remember
right, Like the biggest fansI've seen in my life in the
stadium.
Like they're pretty impressive.
So, you don't want stuff to hitthose.
Speaker 3 (02:36):
Yeah, exactly, it might get all over the rest of
the fans.
There you go.
Speaker 1 (02:40):
Well, let's start with what is a disaster.
Well, let's start with what isa disaster.
What are the top scenarios?
Obviously cyber's in the mix,but what are sports teams most
worried about these days?
Speaker 3 (02:51):
I mean, the ultimate goal within sports is to win
right.
So when you compete at thehighest level and you get to the
championship of whatever league, it may be for us, obviously
the Super Bowl if somethinghappens and we can't communicate
properly, if we can't scout ouropponents, if we can't access
our playbooks right, we'reimmediately the underdog.
And when you're in the businessof winning, that is not a good
(03:16):
position to be in.
So what are our crown jewels?
How do we protect those crownjewels and what do we do if
something happens and we can'taccess them?
Speaker 1 (03:25):
Well, and speaking of crown jewels, let's talk about
Moneyball, moneyball, obviously,baseball, and my wife always
tells me that movie, you know.
Speaker 2 (03:33):
Brad Pitt.
Speaker 1 (03:34):
Brad Pitt is always eating like in every shot.
But let's not dwell on that.
I got a hoagie off to my lefthere you can't see me because
I'm only on a mic.
But what is data and howcompetitive is it beyond maybe
the stuff we all know about,like with video recording of
plays?
Speaker 3 (03:50):
Yeah, we've seen an emergence of data analytics
within sports, right, and, likeyou had mentioned, Moneyball,
MLB and baseball kind of beingone of the pioneers in that
space and you know, with thatcomes the evolution of
technology and the evolution ofsecuring that data.
And, as they're using it andthe NFL is trending that way as
(04:13):
well we're looking at what keymetrics or indicators can we
identify that can give us a legup right?
How can we tell if somebodymight get injured?
How can we tell that they mightbe a career player in terms of
prospecting?
What are some of the nuancesaround?
If a team calls an audible andshifts left or right, you know
(04:34):
what is the likelihood of themrunning this play versus that
play.
Speaker 1 (04:38):
And if you yell Omaha , is that left or right?
Speaker 3 (04:41):
Oh okay, six on the board, basically, but I think
that when we talk about ourcrown jewels and things like
that, there's no such thing asnew plays being invented, but
how we kind of obfuscate, howwe're calling plays right or how
we're looking at, what we focuson when we're scouting right
(05:05):
those sorts of things thatreally differentiate us from our
opponents.
Speaker 1 (05:10):
So thinking of like Spygate let's not bring up
Deflategate too soon.
But then you think about someof the collegiate.
I think it was Michigan withthe scout that was going around
and recording plays, playstealing not only this sport,
but definitely in professionaland collegiate football it's
been prominent.
How much do you worry about orget concerned about the cyber
(05:34):
side of intelligence when itcomes to protecting those secret
plays and tactics andrecruiting decisions?
Speaker 3 (05:43):
Yeah, at the end of the day, some are more worrisome
than others.
I would say part of it boilsdown to the level, the number of
systems accessing the data, thenumber of users accessing the
data, how much we can lock itdown.
Some of it is what can we tryto do in terms of making it so
(06:04):
that people don't necessarilyrealize that that's even what
we're talking about, or that'swhat we're working with Like a
disguise play in baseball, whereyou've got signals, signals may
change.
Speaker 1 (06:15):
Trigger sign follows.
Speaker 3 (06:17):
Yeah, I guess more prominently kind of sometimes
knows security through obscurityand just hiding things a little
bit.
But when we talk about howworried we are about other clubs
finding that, I mean, thatwould be the difference in terms
of us winning or losing a gameIf we talk about them learning
you know our play sheet or playcalls and stuff like that,
versus them potentially draftinga prospect, jumping us in the
(06:38):
draft and picking somebody whowe see that could be a franchise
player right.
So when we look at things likethat, it is very much a focus on
principle of least privilege.
Only the people who absolutelyneed access have access, only
the people who are securing it.
We can't see the data.
We can see the configurationsright, we know how we're
(06:59):
securing it, but at the end ofthe day it's a category of data
to us Well, and if you'rewilling to video record plays
and cheat and deflate balls andcheat and then be on the
Patriots.
Speaker 1 (07:10):
There's probably other forms of this over time.
I don't want to signal anylogic out, but at what point do
you think that somebody coulduse a cyber intrusion to get the
data directly?
Speaker 3 (07:21):
Yeah, I think that when you talk about intrusions,
security incidents, breaches,things like that, it's not if
it's when, right, but at the endof the day, it's also what are
they going to do with the datathat they steal, right?
Yeah, is there a market forthat data?
Do they have?
Speaker 2 (07:39):
an Anthony Richardson .
Speaker 3 (07:41):
Right.
I mean, at the end of the day,the X factor.
When you have something likehim, it doesn't really matter.
Speaker 2 (07:46):
Yeah, try it.
Speaker 3 (07:47):
So when we look at what is the probability of
something happening, what is thelikelihood Right, we also look
at what the impact would be, andthe impact is, I mean,
depending on what it is alsodepends in this instance on
would there be a buyer?
I think in some instances theremight be, but I think when you
(08:07):
look at trying to uphold theintegrity of the game, a lot of
clubs focus on that.
I mean you might have some badapples over time, holes over
time, but on average I thinkwe're doing pretty well in terms
of, as far as what we know,people not buying secrets that
have been parts of breaches fromother clubs.
Speaker 2 (08:25):
You said something earlier that I want to come back
to, and it was getting buy-inor raising the priority with
people.
And I think you guys are verybusy, right?
You got summer camp and you gotOTAs and everything.
And then you got the games andit's like how do you, as a small
team for a very reputable brand, get the focus and get the
buy-in from other non-Infosecfunctions at the Colts to say,
(08:46):
hey, this is important.
And then, beyond that, like howdo you say, hey, let's work on
these scenarios, talk to us howyou get that buy-in.
Speaker 3 (08:53):
So one of my favorite quotes I'm sure you guys have
heard is never let a good crisisgo to waste.
Right when it doesn't have tohappen to you for you to show,
basically be able to provide anexample of what could be.
Jump all over it, because atthe end of the day, if they
can't see what might happen tous that just happened to our
neighbor you got to open youreyes a little bit.
(09:15):
But when you talk about how doyou get buy-in with everybody
else, part of it is timing right.
Obviously, like you said, we'rereally busy.
The season is very cyclical, sotrying to posture ourselves to
have those conversations, tohave tabletops, to do the
(09:35):
business impact assessments withthe various stakeholders right.
Do the business impactassessments with the various
stakeholders right?
Trying to make sure that theyhave the time on their calendar
not just to do that but toactually digest it, to be able
to think about it, because ifyou just find the only available
slot in their calendar, theywon't have time to do the other
things that kind of go alongwith it.
For it to be meaningful, and ontop of that, when we talk about
(09:58):
the other business stakeholdersis I don't know your data like.
You know your data, you own it,you know how you use it, you
know its value Great point.
So it's really getting them tounderstand that piece in terms
of if it's me and I'm making allthe decisions as an InfoSec or
IT professional you're probablynot going to like the outcome
(10:19):
because I don't have all thecontextual awareness that I need
that you would be able toprovide.
Speaker 1 (10:24):
One follow-up question on this and it's time
to get real and transparent.
I'm 6'5", 230, not a laserrocket arm.
There's a reason.
I wasn't in football.
I might have been a dorkgrowing up.
Cody was pretty cool, he was arunning back.
Here in football, I might'vebeen a dork growing up.
Cody was pretty cool, he was arunning back.
Here's a question as a techprofessional and not on the
(10:45):
athlete side.
When you talk about engagement,what's the typical vibe?
I'm having flashbacks now tonot being good in high school
and like get out of here, dork.
So do you get stuffed intolockers?
And how is the engagement whenyou're trying to get hearts and
minds in the right lane to helpyou with this mission?
Speaker 3 (10:58):
What I will say is there's far less lockers openly
accessible to be shoved into, sothat helps.
Speaker 1 (11:04):
Yeah, I might have been, but I was six foot five
and 180, you know 150 in highschool, so I wasn't going in.
Speaker 3 (11:11):
You know, they see things happening on the news,
right, and, for instance, ourgeneral manager he's reached out
to our VP and like, hey, thishappened, that's pretty cool.
What does that mean?
Kind of just has his interestpiqued and then we use that as
an opportunity.
We're good here because of this, because of the efforts that we
made, because of ourrelationship with you and you
(11:34):
allowing us to meet with thecoaches or the players or the
athletic training staff.
We have this lockdown or no, weneed to do this because it
could be very bad for us.
So I say that and the Colts arewhat I would say the weirdest
organization that I've workedfor from a leadership like
(11:55):
hierarchy perspective, with ageneral manager basically having
just as much authority as, say,the COO of the company.
Ultimately we have owners whoare effectively CEO or sit in
those roles, and then you havethe general manager and the COO.
So having buy-in at the GMlevel is very much a blessing
(12:17):
for us because even if it's justcuriosity, asking questions,
that's the first step.
I mean, if they're justcompletely disengaged and
uninterested, it makes it thatmuch harder.
So when they come to you askingquestions about I saw this on
the news that's very reassuring.
But I think there's a lot ofunique personalities, especially
when you have people who playfootball for a living or coach
(12:40):
football for a living.
Some of them are, what I'll say, more old school.
They don't want to leveragedata and the analytics, they
want to go with the gut feelingand things like that.
So they don't necessarily seethe value in technology as much.
But then you have others whoare like what is, what's the
probability of this?
And they've kind of learnedthrough exposure that technology
(13:00):
can be a boon for them, right.
And it's not just this thing,this laptop that they have to
turn on, the emails that theyhave to check, right.
So it depends person to personhow they receive it, and part of
it is understanding and knowingthose personalities and just
how you engage with them.
Speaker 1 (13:20):
Uh, so we've got to drill on that.
Personalities and do you haveany stories of like initiatives
or challenges that you face thatwon't get you fired if you
share them?
Think about all the cyberprofessionals that listen to
this.
Do you have any shareablestories that cross sector if you
think about other cyberpractitioners and other fields
would kind of relate to or belike oh, he's dealing with some
(13:40):
of the same stuff or that's aninteresting, funny story.
Speaker 3 (13:43):
Yeah, well, I think, when one of our biggest
challenges is, if you thinkabout volatility of rosters,
right, sports and justonboarding, offboarding and
things like that.
Training camp starts in a weekor two, right, so we will have
up to 90-something people on aroster or something at any given
(14:04):
time, and then we have to cutdown to 53.
So we can have people who areon the roster for a couple hours
and then they're off right, sowe're looking at what is the
best, most efficient way for usto keep these people secure,
keep the playbooks secure,create accounts for them and
license them.
If they're only going to be onfor a couple hours, right.
(14:24):
That's an administrativenightmare when you start talking
about allocating licenses andstuff, but at the end of the day
, we're saying that this is someof our crown jewels, right, so
we still need to ensure thatit's protected.
Speaker 1 (14:36):
So when the players don't want to hear like Jack is
accepting the risk for your lackof training.
That's not a good sign fromupstairs.
Speaker 2 (14:43):
No, no, jack has the burner phone.
Speaker 3 (14:45):
Right, and luckily we're seeing a shift in
especially newer players, right,younger ones, and we're seeing
colleges adopting SSO and thingslike that.
That.
They come in like oh yeah, I'vealready had to do this, so it
makes that side easier.
But it's some of you know thecoaching staff or more veteran
players who are like why?
And they question why should Icare?
(15:06):
Why does this matter to me?
And it really allows myself, asan InfoSec professional, to
showcase why they should care,why it's important, and bring it
home for them, and I use a lotof football analogies and I
think they like it.
I don't know, I'm not going tostop, but you should do women's
(15:27):
lacrosse, see how that plays.
Yeah, I wish I knew just somereferences to throw in there as
a joke, but I don't.
It's cool having some of theconversations, especially
growing up where I grew up andbeing a fan of the club and
talking to these people, butalso getting to share with them
the things that I care aboutMaking sure everybody
understands hey, security isimportant.
(15:49):
It's not just for me, it's notjust for IT, it's for everybody.
And not only will it impact youhere, but it will impact you in
your day-to-day life, right,and this is how yeah.
Speaker 2 (16:01):
So, taking all of that and going back to the BCP
and incident response, I thinkthat you've got limited
bandwidth right.
Like to your point about beingbusy, how do you down select?
Hey, we're going to prepare forthese scenarios.
And one thing we see with a lotof clients is like, well, we're
good, you know, we got IT, wegot DR.
But it's like, how do youoperate in manual process?
And you had the recenthealthcare scare they had, you
know, or real breach, and therewas paper charting going back to
(16:23):
it and some of those folks whohad not done it before are now
trying to figure out papercharting.
So how, from the on the sportsside, do you say, hey, look,
I've got to pick these one ortwo scenarios to prepare for and
prepare manual processes for anincident response.
So talk to us about, like, howyou think that and how you pull
those threads and then executeon that.
Speaker 3 (16:40):
Yeah, exactly, I think you know, when you say
pulling the threads, it's spoton, because you have to be able
to foster the relationships andbe able to communicate with the
business stakeholders.
You have to have at least ageneral understanding of how
they operate and what'simportant to them so that you
can ask those questions.
You can ask the revealingquestions on if this data was
(17:04):
gone, if you didn't have accessto it, how would you operate?
If this system was gone, howwould you operate and really ask
the questions to try and getthe gears turning in their mind
of I don't know, you haven't hadto do that.
Would that happen?
Can that happen?
Speaker 2 (17:19):
Yeah.
Speaker 3 (17:20):
Yeah, and here's an example.
Right, and that's part of ittoo is doing some research
yourself to be able to providerelevant examples of?
Yes, this can absolutely happento us, because until you can
showcase that, people arethinking that, oh, this is just
something the IT or the securityguy wants to do, and when, in
actuality, it's not.
(17:41):
Not that I don't want to do itI love BIAs and BCPDR, but yeah,
I mean, it's riveting, soundslike.
Speaker 1 (17:49):
Stockholm syndrome.
Speaker 3 (17:50):
As the.
Speaker 1 (17:50):
CAPT fall in love with the CAPTOR.
Here we always a lot of ourtabletops.
Speaker 2 (17:54):
sometimes we'll begin with.
The first is like all right,you know SharePoint's gone, lost
, that, and they're like.
Well, all I had was one digitalcopy of my incident response
plan, so now I can't even lookat the plan that I was going to
look at.
So I think some of those things.
So then, like, you get itdeveloped and now you're going
to do a tabletop, who are youpulling in?
Are you pulling in players?
Are you pulling in executives?
Speaker 3 (18:22):
Are you getting Jimmy out of bed recently done?
Pull in, you know, the variousdepartment heads, vp levels,
c-suite and then direct reports.
Right, because what we'venoticed is the direct reports
they're in the weeds a littlemore than the VPs.
Right?
So they'll have no more of thenuances of the systems and what
kind of teams cover exactly what.
So bring in all those keyplayers and then walk through.
Hey, if this happened, whatwould we do?
Speaker 2 (18:43):
Yeah.
Speaker 3 (18:44):
And some people don't even know where to start.
They don't know what an SLA is,they don't know what agreements
they've necessarily signed,they don't know what systems
talk to what.
So if something goes down, howthat could impact them.
And I say that because I dobelieve that while business
continuity is not an IT problem,it is very much so an entire
(19:07):
organization or an entirebusiness problem.
Speaker 2 (19:10):
That needs to be addressed.
Say it one more time.
Yeah, say it louder for thepeople in the back.
There's some facts right there.
Speaker 3 (19:15):
Yeah, but I do believe there are some
departments that are bettersuited to lead the conversation
or own the process, because theymay speak the language that is
common throughout that process,or they understand the
intricacies of interconnectedsystems and secondary or
tertiary effects of certainthings, just because they have
(19:38):
to deal with it every day.
That's not to say that anydepartment couldn't run it.
I just think that right off thebat, some could run it a little
easier, step into that role alittle better, and I think
oftentimes that's why we seemore IT or InfoSec departments
running it.
What I would say is, when thepandemic happened, one of the
(20:00):
departments our athletictraining department did a
phenomenal job in terms of doingbusiness continuity around the
pandemic disaster recovery, interms of, okay, now that this is
over, how can we begin totransition back to our normal
operating model.
They did a fantastic job withthat.
Our physical security team,because when you think about, we
(20:20):
have retired police officersand law enforcement individuals
on our physical security staff.
They deal with that stuff a lotLike okay, if this, then what
type scenarios?
To try and be prepared foreverything.
So when we start communicatingwith them, they understand it a
little better.
And when you're having thoseconversations and I'm not going
(20:41):
to say you start using some morelayman's terms or some more
generalized terms instead ofspecifically technology, but
more around business continuityand disaster recovery, to
communicate with those peoplewho you know have done this Then
you start getting peoplechiming in from other
departments.
Oh, you mean like this or likethat.
(21:03):
And it's really from myexperience, just trying to
foster the conversation to beginwith, because if you go in
there with I like to havescenarios, I like to have
injects, I like to make peoplethink, but if you go in there
without allowing some freedom ofconversation, then you're
locking out all the other ideasor questions that people might
(21:26):
have and then they may feel likethey are not necessarily
included as much as you wantthem to feel included.
Because at the end of the day,it is an entire business program
that needs everybody'sparticipation to really become
as powerful or as effective asit can be.
Speaker 2 (21:43):
So what I'm thinking of, let's go to incident
response and I'll ask thequestion.
I'm going to ask Aaron firstand then I'll give you a second
to think about it.
But when you do these newtabletops and you run through an
incident response plan, what isthe most common thing you think
is left out, that kind of yousee the oh, oh, crap moment in
the eyes when you're rollingthrough a plan, because
obviously the goal of thetabletop is to run through your
(22:04):
plan, not what you think issupposed to happen, but the
actual plan written down.
So I would say, from yourexperience in running tabletops,
what's a couple of things orone thing that you think is, man
, this is very common thatpeople really don't think about.
Speaker 1 (22:21):
So I've not yet had the chance to do one in sports
entertainment.
Let's see if we can change that.
But I would say just thebusiness inclusion.
It's usually early maturity.
It's very typical to get all ofIT involved or the right leaders
from IT and then usually theCFO that maybe IT reports up to
usually legal privacy.
For many companies it stopsthere and they don't simulate an
actual line business areascenario.
(22:41):
So, like healthcare, maybe youpick on the EMR, but then two
surgery centers that we're goingto simulate that they got
completely bricked and they needto figure out if surgeries can
continue, if they're diverting,if they're canceling surgeries
and non-essentials.
So that's a healthcare example.
I could pick any example, butit's usually like keeping it too
(23:02):
close to the show and then whenthe crisis happens, inevitably
the CEO and everyone's going tobe at the table and those that
weren't at the table, thatdidn't practice, are probably
going to be making mistakes thatthey could have gotten better
through rehearsal or practice.
So I would say or guess andJack, I'm interested to turn it
to you is inclusion and breadthone of the biggest challenges.
Speaker 3 (23:27):
Yeah, I would agree, because people don't realize
what they can contribute to theconversation because, again,
they historically have thoughtof it as an IT problem.
Oh, it will fix it.
Or all of our systems are inthe cloud, wherever that is, or
something like that.
Speaker 1 (23:43):
I mean, look at Ascension Health Healthcare not
too far from here, midwest-basedI think, here in Indianapolis.
They still have some systemsthat are down.
Last I checked with a buddythat works in lower level in
finance.
There still has some systemsyou can't use.
So I think it's examples likethat to turn that right back to
say no, this exercise isassuming they're completely
(24:03):
incapacitated and they're goingto be busy focusing on
restoration.
You got the literal andproverbial ball.
Speaker 3 (24:10):
Yeah, and what we've tried to do is to not just focus
on a technology problem as well, because if you start with a
technology problem, thenoftentimes like, oh, once you
fix your stuff then we're good,Okay, but there's a water main
break and we can't access ourfacilities.
Either it does fry some of ourservers or it ruins some of the
(24:31):
football equipment.
How do we replace these things?
You know, if we can't practicethere, where do we go to
practice?
Do we need additional lodgingbecause it's too far away for
them to commute from their homes?
Do we need to prep getting food?
And you know our nutritionalstaff.
Where are we going to putathletic training to deal with
injuries if we're practicing?
(24:52):
Is that down?
Do they have a?
Speaker 1 (24:54):
backup.
So just a micro example of Idon't know if that person would
be at the table helping withthat.
You can't test every businessprocess at once, but what I've
seen is let's pick the mostcritical first and then rotate
through them and as you do it,every year or quarter or
(25:16):
whatever the cadence is everyonegets a turn at some point.
It's just not all at once.
Speaker 3 (25:27):
Yeah, and the other piece to that is you may know it
, but is it documented?
And nobody likes documentation.
I don't like documentation, butyou're not going to be there
forever.
And just because you know andthere's tribal knowledge of how
things operate doesn't mean thatsomebody new that's coming in
or somebody following behind youwill just know it, right, or?
Speaker 2 (25:43):
you're on vacation.
Speaker 3 (25:44):
Or you're on vacation , right, and you don't want to
be bothered on vacation.
Who wants to be bothered onvacation?
Not me.
So we look at is it documented?
Can we reference it?
And then, on top of that, ifthere is a technology problem,
we can't access our file sharesthe cloud.
Do we have a physical copy ofit?
Who has a physical copy of it?
(26:06):
So you start looking atconsiderations like that.
But I mean, that's a good point.
Do we have things like playerallergies documented somewhere
where, if we lost access to asystem, we would be able to
easily reference it, becausethat could become really bad
really fast.
Speaker 1 (26:22):
Right, or who needs an EpiPen or?
Like backup medical care thatplayers may not be taking care
of if they've got somebodynormally taking care of it for
them.
We got time for one lastquestion.
We usually try to keep it funand on a light note, so do you
have a interesting Jack story, afun fact or something that
(26:42):
listeners or even your friendsor your mom may not know about
you, that you could share?
Live for the first time withoutthinking of it?
Speaker 2 (26:48):
This is a safe space.
Speaker 3 (26:49):
Yes, so my mom definitely knows this because
she was there during many timeswhen it happened.
And continuing with thefootball theme, so when I used
to play football you know, whenI was in elementary school and
middle school I'm double jointedin both my arms, so when I
would get tackled I would jumpup and I would act like I broke
(27:09):
my arm and the rest would freakout because we're in youth
football and they're just like,oh, what's happening?
Speaker 1 (27:15):
Like somebody.
Nobody can see this, but I justhave to like play by play.
Jack just reached his arms upand both of his elbow joints
went inverted and I could onlyimagine those refs and parents
being like ah.
Speaker 2 (27:28):
It's almost like a free timeout.
Man.
You're like you guys needtimeout.
Hold on a second.
Speaker 3 (27:32):
Oh, my bad, I forgot.
Speaker 1 (27:33):
Somebody pop these back for me, yeah.
Speaker 3 (27:35):
So I mean you get up, you're in full pads, you get
tapped and you come up, you'rejust like oh my gosh.
And then you know everybodyfreaks out for a minute and then
you just laugh and run away.
Speaker 2 (27:43):
He's probably the most efficient person to put on
a sports coat, because I feellike if I could do that and put
a sports coat on, I couldprobably put it on with
lightning speed.
Speaker 1 (27:49):
There, you go.
Speaker 3 (27:51):
It was a lot of fun, Probably some of my earliest
sports and specifically footballmemories Nice memories.
Speaker 1 (27:57):
So well, thanks for sharing, thanks for stopping in
and recording an episode with us.
Speaker 2 (28:06):
Have a great rest of the day and go Colts, go Colts.
Yes, sir, thank you sir.
Thanks for tuning in to Simply Solving Cyber.
I'm Aaron Pritz and I'm CodyRivers, and today we're here
with Jack Thompson, director ofInfoSec, risk and Compliance at
the Indianapolis Colts.
Big hand of applause, man.
Speaker 2 (00:18):
Excellent, go horse.
Yeah Well, man, this has beenexciting to get you on this
podcast man, and we've beenchatting for a little bit of
time now and been colleagues andfriends now for a little over a
year when we first met, butit's been a fun journey, so I'm
excited to hear this today.
We've had some conversationbefore just chat about it, but I
think the big thing today istalking about like BCP and DR
(00:39):
and kind of the preparation forincident response, and so I know
this is kind of a passion thingfor you and a challenge that
you've taken on, but really wantto hear your thoughts on it and
I would say, probably a prettybig obstacle for a lot of
companies to see how much do wedo, how detailed do we get?
What's a good start?
Speaker 1 (00:57):
Yeah, and maybe before we dive in, I'm
personally curious and I know alittle bit, but I think our
audience would be curious how doyou wander through cyber into a
professional sports leagueposition with the Colts?
So maybe let's start with yourjourney.
And then obviously, bcp iscritical for resiliency of a
sports organization, but let'sstart with you.
Speaker 3 (01:18):
Yeah, absolutely, I think, similar to most of the
journey throughout my life.
I kind of just stumbled into it.
Similar to most of the journeythroughout my life.
I kind of just stumbled into it.
And so I started my careerwithin the military doing
military intelligence,transitioning more into the
niche cyber threat intelligence,and after I separated from
active duty, I saw a job openingfor the Indianapolis Colts.
Born and raised in Indianapolis, I was like, absolutely, I'm
(01:42):
going to throw my name in thehat, see how things go.
Turned out to be a good fit.
It came from something thathappened at another club.
That kind of was the catalystthat drove ownership, realizing
we need to do something aboutthis.
It's a bigger problem.
It's going to grow and evolveand we need to try and get ahead
of it if we can.
So, luckily for me, it workedout.
Speaker 2 (02:03):
That's excellent.
Speaker 3 (02:06):
Yeah, yeah.
So thank you for having me.
I'm excited to talk aboutbusiness continuity, disaster
recovery and everything thatthat entails, whether it's a
professional sports team or asmall to medium-sized business,
or even a global enterprise.
Right, everybody needs to thinkabout, you know, when something
hits the fan, what are we goingto do, how do we maintain
operations, and then how do werecover from?
Speaker 1 (02:26):
it.
Yeah well, Lucas Oil has somepretty big fans, if I remember
right, Like the biggest fansI've seen in my life in the
stadium.
Like they're pretty impressive.
So, you don't want stuff to hitthose.
Speaker 3 (02:36):
Yeah, exactly, it might get all over the rest of
the fans.
There you go.
Speaker 1 (02:40):
Well, let's start with what is a disaster.
Well, let's start with what isa disaster.
What are the top scenarios?
Obviously cyber's in the mix,but what are sports teams most
worried about these days?
Speaker 3 (02:51):
I mean, the ultimate goal within sports is to win
right.
So when you compete at thehighest level and you get to the
championship of whatever league, it may be for us, obviously
the Super Bowl if somethinghappens and we can't communicate
properly, if we can't scout ouropponents, if we can't access
our playbooks right, we'reimmediately the underdog.
And when you're in the businessof winning, that is not a good
(03:16):
position to be in.
So what are our crown jewels?
How do we protect those crownjewels and what do we do if
something happens and we can'taccess them?
Speaker 1 (03:25):
Well, and speaking of crown jewels, let's talk about
Moneyball, moneyball, obviously,baseball, and my wife always
tells me that movie, you know.
Speaker 2 (03:33):
Brad Pitt.
Speaker 1 (03:34):
Brad Pitt is always eating like in every shot.
But let's not dwell on that.
I got a hoagie off to my lefthere you can't see me because
I'm only on a mic.
But what is data and howcompetitive is it beyond maybe
the stuff we all know about,like with video recording of
plays?
Speaker 3 (03:50):
Yeah, we've seen an emergence of data analytics
within sports, right, and, likeyou had mentioned, Moneyball,
MLB and baseball kind of beingone of the pioneers in that
space and you know, with thatcomes the evolution of
technology and the evolution ofsecuring that data.
And, as they're using it andthe NFL is trending that way as
(04:13):
well we're looking at what keymetrics or indicators can we
identify that can give us a legup right?
How can we tell if somebodymight get injured?
How can we tell that they mightbe a career player in terms of
prospecting?
What are some of the nuancesaround?
If a team calls an audible andshifts left or right, you know
(04:34):
what is the likelihood of themrunning this play versus that
play.
Speaker 1 (04:38):
And if you yell Omaha , is that left or right?
Speaker 3 (04:41):
Oh okay, six on the board, basically, but I think
that when we talk about ourcrown jewels and things like
that, there's no such thing asnew plays being invented, but
how we kind of obfuscate, howwe're calling plays right or how
we're looking at, what we focuson when we're scouting right
(05:05):
those sorts of things thatreally differentiate us from our
opponents.
Speaker 1 (05:10):
So thinking of like Spygate let's not bring up
Deflategate too soon.
But then you think about someof the collegiate.
I think it was Michigan withthe scout that was going around
and recording plays, playstealing not only this sport,
but definitely in professionaland collegiate football it's
been prominent.
How much do you worry about orget concerned about the cyber
(05:34):
side of intelligence when itcomes to protecting those secret
plays and tactics andrecruiting decisions?
Speaker 3 (05:43):
Yeah, at the end of the day, some are more worrisome
than others.
I would say part of it boilsdown to the level, the number of
systems accessing the data, thenumber of users accessing the
data, how much we can lock itdown.
Some of it is what can we tryto do in terms of making it so
(06:04):
that people don't necessarilyrealize that that's even what
we're talking about, or that'swhat we're working with Like a
disguise play in baseball, whereyou've got signals, signals may
change.
Speaker 1 (06:15):
Trigger sign follows.
Speaker 3 (06:17):
Yeah, I guess more prominently kind of sometimes
knows security through obscurityand just hiding things a little
bit.
But when we talk about howworried we are about other clubs
finding that, I mean, thatwould be the difference in terms
of us winning or losing a gameIf we talk about them learning
you know our play sheet or playcalls and stuff like that,
versus them potentially draftinga prospect, jumping us in the
(06:38):
draft and picking somebody whowe see that could be a franchise
player right.
So when we look at things likethat, it is very much a focus on
principle of least privilege.
Only the people who absolutelyneed access have access, only
the people who are securing it.
We can't see the data.
We can see the configurationsright, we know how we're
(06:59):
securing it, but at the end ofthe day it's a category of data
to us Well, and if you'rewilling to video record plays
and cheat and deflate balls andcheat and then be on the
Patriots.
Speaker 1 (07:10):
There's probably other forms of this over time.
I don't want to signal anylogic out, but at what point do
you think that somebody coulduse a cyber intrusion to get the
data directly?
Speaker 3 (07:21):
Yeah, I think that when you talk about intrusions,
security incidents, breaches,things like that, it's not if
it's when, right, but at the endof the day, it's also what are
they going to do with the datathat they steal, right?
Yeah, is there a market forthat data?
Do they have?
Speaker 2 (07:39):
an Anthony Richardson .
Speaker 3 (07:41):
Right.
I mean, at the end of the day,the X factor.
When you have something likehim, it doesn't really matter.
Speaker 2 (07:46):
Yeah, try it.
Speaker 3 (07:47):
So when we look at what is the probability of
something happening, what is thelikelihood Right, we also look
at what the impact would be, andthe impact is, I mean,
depending on what it is alsodepends in this instance on
would there be a buyer?
I think in some instances theremight be, but I think when you
(08:07):
look at trying to uphold theintegrity of the game, a lot of
clubs focus on that.
I mean you might have some badapples over time, holes over
time, but on average I thinkwe're doing pretty well in terms
of, as far as what we know,people not buying secrets that
have been parts of breaches fromother clubs.
Speaker 2 (08:25):
You said something earlier that I want to come back
to, and it was getting buy-inor raising the priority with
people.
And I think you guys are verybusy, right?
You got summer camp and you gotOTAs and everything.
And then you got the games andit's like how do you, as a small
team for a very reputable brand, get the focus and get the
buy-in from other non-Infosecfunctions at the Colts to say,
(08:46):
hey, this is important.
And then, beyond that, like howdo you say, hey, let's work on
these scenarios, talk to us howyou get that buy-in.
Speaker 3 (08:53):
So one of my favorite quotes I'm sure you guys have
heard is never let a good crisisgo to waste.
Right when it doesn't have tohappen to you for you to show,
basically be able to provide anexample of what could be.
Jump all over it, because atthe end of the day, if they
can't see what might happen tous that just happened to our
neighbor you got to open youreyes a little bit.
(09:15):
But when you talk about how doyou get buy-in with everybody
else, part of it is timing right.
Obviously, like you said, we'rereally busy.
The season is very cyclical, sotrying to posture ourselves to
have those conversations, tohave tabletops, to do the
(09:35):
business impact assessments withthe various stakeholders right.
Do the business impactassessments with the various
stakeholders right?
Trying to make sure that theyhave the time on their calendar
not just to do that but toactually digest it, to be able
to think about it, because ifyou just find the only available
slot in their calendar, theywon't have time to do the other
things that kind of go alongwith it.
For it to be meaningful, and ontop of that, when we talk about
(09:58):
the other business stakeholdersis I don't know your data like.
You know your data, you own it,you know how you use it, you
know its value Great point.
So it's really getting them tounderstand that piece in terms
of if it's me and I'm making allthe decisions as an InfoSec or
IT professional you're probablynot going to like the outcome
(10:19):
because I don't have all thecontextual awareness that I need
that you would be able toprovide.
Speaker 1 (10:24):
One follow-up question on this and it's time
to get real and transparent.
I'm 6'5", 230, not a laserrocket arm.
There's a reason.
I wasn't in football.
I might have been a dorkgrowing up.
Cody was pretty cool, he was arunning back.
Here in football, I might'vebeen a dork growing up.
Cody was pretty cool, he was arunning back.
Here's a question as a techprofessional and not on the
(10:45):
athlete side.
When you talk about engagement,what's the typical vibe?
I'm having flashbacks now tonot being good in high school
and like get out of here, dork.
So do you get stuffed intolockers?
And how is the engagement whenyou're trying to get hearts and
minds in the right lane to helpyou with this mission?
Speaker 3 (10:58):
What I will say is there's far less lockers openly
accessible to be shoved into, sothat helps.
Speaker 1 (11:04):
Yeah, I might have been, but I was six foot five
and 180, you know 150 in highschool, so I wasn't going in.
Speaker 3 (11:11):
You know, they see things happening on the news,
right, and, for instance, ourgeneral manager he's reached out
to our VP and like, hey, thishappened, that's pretty cool.
What does that mean?
Kind of just has his interestpiqued and then we use that as
an opportunity.
We're good here because of this, because of the efforts that we
made, because of ourrelationship with you and you
(11:34):
allowing us to meet with thecoaches or the players or the
athletic training staff.
We have this lockdown or no, weneed to do this because it
could be very bad for us.
So I say that and the Colts arewhat I would say the weirdest
organization that I've workedfor from a leadership like
(11:55):
hierarchy perspective, with ageneral manager basically having
just as much authority as, say,the COO of the company.
Ultimately we have owners whoare effectively CEO or sit in
those roles, and then you havethe general manager and the COO.
So having buy-in at the GMlevel is very much a blessing
(12:17):
for us because even if it's justcuriosity, asking questions,
that's the first step.
I mean, if they're justcompletely disengaged and
uninterested, it makes it thatmuch harder.
So when they come to you askingquestions about I saw this on
the news that's very reassuring.
But I think there's a lot ofunique personalities, especially
when you have people who playfootball for a living or coach
(12:40):
football for a living.
Some of them are, what I'll say, more old school.
They don't want to leveragedata and the analytics, they
want to go with the gut feelingand things like that.
So they don't necessarily seethe value in technology as much.
But then you have others whoare like what is, what's the
probability of this?
And they've kind of learnedthrough exposure that technology
(13:00):
can be a boon for them, right.
And it's not just this thing,this laptop that they have to
turn on, the emails that theyhave to check, right.
So it depends person to personhow they receive it, and part of
it is understanding and knowingthose personalities and just
how you engage with them.
Speaker 1 (13:20):
Uh, so we've got to drill on that.
Personalities and do you haveany stories of like initiatives
or challenges that you face thatwon't get you fired if you
share them?
Think about all the cyberprofessionals that listen to
this.
Do you have any shareablestories that cross sector if you
think about other cyberpractitioners and other fields
would kind of relate to or belike oh, he's dealing with some
(13:40):
of the same stuff or that's aninteresting, funny story.
Speaker 3 (13:43):
Yeah, well, I think, when one of our biggest
challenges is, if you thinkabout volatility of rosters,
right, sports and justonboarding, offboarding and
things like that.
Training camp starts in a weekor two, right, so we will have
up to 90-something people on aroster or something at any given
(14:04):
time, and then we have to cutdown to 53.
So we can have people who areon the roster for a couple hours
and then they're off right, sowe're looking at what is the
best, most efficient way for usto keep these people secure,
keep the playbooks secure,create accounts for them and
license them.
If they're only going to be onfor a couple hours, right.
(14:24):
That's an administrativenightmare when you start talking
about allocating licenses andstuff, but at the end of the day
, we're saying that this is someof our crown jewels, right, so
we still need to ensure thatit's protected.
Speaker 1 (14:36):
So when the players don't want to hear like Jack is
accepting the risk for your lackof training.
That's not a good sign fromupstairs.
Speaker 2 (14:43):
No, no, jack has the burner phone.
Speaker 3 (14:45):
Right, and luckily we're seeing a shift in
especially newer players, right,younger ones, and we're seeing
colleges adopting SSO and thingslike that.
That.
They come in like oh yeah, I'vealready had to do this, so it
makes that side easier.
But it's some of you know thecoaching staff or more veteran
players who are like why?
And they question why should Icare?
(15:06):
Why does this matter to me?
And it really allows myself, asan InfoSec professional, to
showcase why they should care,why it's important, and bring it
home for them, and I use a lotof football analogies and I
think they like it.
I don't know, I'm not going tostop, but you should do women's
(15:27):
lacrosse, see how that plays.
Yeah, I wish I knew just somereferences to throw in there as
a joke, but I don't.
It's cool having some of theconversations, especially
growing up where I grew up andbeing a fan of the club and
talking to these people, butalso getting to share with them
the things that I care aboutMaking sure everybody
understands hey, security isimportant.
(15:49):
It's not just for me, it's notjust for IT, it's for everybody.
And not only will it impact youhere, but it will impact you in
your day-to-day life, right,and this is how yeah.
Speaker 2 (16:01):
So, taking all of that and going back to the BCP
and incident response, I thinkthat you've got limited
bandwidth right.
Like to your point about beingbusy, how do you down select?
Hey, we're going to prepare forthese scenarios.
And one thing we see with a lotof clients is like, well, we're
good, you know, we got IT, wegot DR.
But it's like, how do youoperate in manual process?
And you had the recenthealthcare scare they had, you
know, or real breach, and therewas paper charting going back to
(16:23):
it and some of those folks whohad not done it before are now
trying to figure out papercharting.
So how, from the on the sportsside, do you say, hey, look,
I've got to pick these one ortwo scenarios to prepare for and
prepare manual processes for anincident response.
So talk to us about, like, howyou think that and how you pull
those threads and then executeon that.
Speaker 3 (16:40):
Yeah, exactly, I think you know, when you say
pulling the threads, it's spoton, because you have to be able
to foster the relationships andbe able to communicate with the
business stakeholders.
You have to have at least ageneral understanding of how
they operate and what'simportant to them so that you
can ask those questions.
You can ask the revealingquestions on if this data was
(17:04):
gone, if you didn't have accessto it, how would you operate?
If this system was gone, howwould you operate and really ask
the questions to try and getthe gears turning in their mind
of I don't know, you haven't hadto do that.
Would that happen?
Can that happen?
Speaker 2 (17:19):
Yeah.
Speaker 3 (17:20):
Yeah, and here's an example.
Right, and that's part of ittoo is doing some research
yourself to be able to providerelevant examples of?
Yes, this can absolutely happento us, because until you can
showcase that, people arethinking that, oh, this is just
something the IT or the securityguy wants to do, and when, in
actuality, it's not.
(17:41):
Not that I don't want to do itI love BIAs and BCPDR, but yeah,
I mean, it's riveting, soundslike.
Speaker 1 (17:49):
Stockholm syndrome.
Speaker 3 (17:50):
As the.
Speaker 1 (17:50):
CAPT fall in love with the CAPTOR.
Here we always a lot of ourtabletops.
Speaker 2 (17:54):
sometimes we'll begin with.
The first is like all right,you know SharePoint's gone, lost
, that, and they're like.
Well, all I had was one digitalcopy of my incident response
plan, so now I can't even lookat the plan that I was going to
look at.
So I think some of those things.
So then, like, you get itdeveloped and now you're going
to do a tabletop, who are youpulling in?
Are you pulling in players?
Are you pulling in executives?
Speaker 3 (18:22):
Are you getting Jimmy out of bed recently done?
Pull in, you know, the variousdepartment heads, vp levels,
c-suite and then direct reports.
Right, because what we'venoticed is the direct reports
they're in the weeds a littlemore than the VPs.
Right?
So they'll have no more of thenuances of the systems and what
kind of teams cover exactly what.
So bring in all those keyplayers and then walk through.
Hey, if this happened, whatwould we do?
Speaker 2 (18:43):
Yeah.
Speaker 3 (18:44):
And some people don't even know where to start.
They don't know what an SLA is,they don't know what agreements
they've necessarily signed,they don't know what systems
talk to what.
So if something goes down, howthat could impact them.
And I say that because I dobelieve that while business
continuity is not an IT problem,it is very much so an entire
(19:07):
organization or an entirebusiness problem.
Speaker 2 (19:10):
That needs to be addressed.
Say it one more time.
Yeah, say it louder for thepeople in the back.
There's some facts right there.
Speaker 3 (19:15):
Yeah, but I do believe there are some
departments that are bettersuited to lead the conversation
or own the process, because theymay speak the language that is
common throughout that process,or they understand the
intricacies of interconnectedsystems and secondary or
tertiary effects of certainthings, just because they have
(19:38):
to deal with it every day.
That's not to say that anydepartment couldn't run it.
I just think that right off thebat, some could run it a little
easier, step into that role alittle better, and I think
oftentimes that's why we seemore IT or InfoSec departments
running it.
What I would say is, when thepandemic happened, one of the
(20:00):
departments our athletictraining department did a
phenomenal job in terms of doingbusiness continuity around the
pandemic disaster recovery, interms of, okay, now that this is
over, how can we begin totransition back to our normal
operating model.
They did a fantastic job withthat.
Our physical security team,because when you think about, we
(20:20):
have retired police officersand law enforcement individuals
on our physical security staff.
They deal with that stuff a lotLike okay, if this, then what
type scenarios?
To try and be prepared foreverything.
So when we start communicatingwith them, they understand it a
little better.
And when you're having thoseconversations and I'm not going
(20:41):
to say you start using some morelayman's terms or some more
generalized terms instead ofspecifically technology, but
more around business continuityand disaster recovery, to
communicate with those peoplewho you know have done this Then
you start getting peoplechiming in from other
departments.
Oh, you mean like this or likethat.
(21:03):
And it's really from myexperience, just trying to
foster the conversation to beginwith, because if you go in
there with I like to havescenarios, I like to have
injects, I like to make peoplethink, but if you go in there
without allowing some freedom ofconversation, then you're
locking out all the other ideasor questions that people might
(21:26):
have and then they may feel likethey are not necessarily
included as much as you wantthem to feel included.
Because at the end of the day,it is an entire business program
that needs everybody'sparticipation to really become
as powerful or as effective asit can be.
Speaker 2 (21:43):
So what I'm thinking of, let's go to incident
response and I'll ask thequestion.
I'm going to ask Aaron firstand then I'll give you a second
to think about it.
But when you do these newtabletops and you run through an
incident response plan, what isthe most common thing you think
is left out, that kind of yousee the oh, oh, crap moment in
the eyes when you're rollingthrough a plan, because
obviously the goal of thetabletop is to run through your
(22:04):
plan, not what you think issupposed to happen, but the
actual plan written down.
So I would say, from yourexperience in running tabletops,
what's a couple of things orone thing that you think is, man
, this is very common thatpeople really don't think about.
Speaker 1 (22:21):
So I've not yet had the chance to do one in sports
entertainment.
Let's see if we can change that.
But I would say just thebusiness inclusion.
It's usually early maturity.
It's very typical to get all ofIT involved or the right leaders
from IT and then usually theCFO that maybe IT reports up to
usually legal privacy.
For many companies it stopsthere and they don't simulate an
actual line business areascenario.
(22:41):
So, like healthcare, maybe youpick on the EMR, but then two
surgery centers that we're goingto simulate that they got
completely bricked and they needto figure out if surgeries can
continue, if they're diverting,if they're canceling surgeries
and non-essentials.
So that's a healthcare example.
I could pick any example, butit's usually like keeping it too
(23:02):
close to the show and then whenthe crisis happens, inevitably
the CEO and everyone's going tobe at the table and those that
weren't at the table, thatdidn't practice, are probably
going to be making mistakes thatthey could have gotten better
through rehearsal or practice.
So I would say or guess andJack, I'm interested to turn it
to you is inclusion and breadthone of the biggest challenges.
Speaker 3 (23:27):
Yeah, I would agree, because people don't realize
what they can contribute to theconversation because, again,
they historically have thoughtof it as an IT problem.
Oh, it will fix it.
Or all of our systems are inthe cloud, wherever that is, or
something like that.
Speaker 1 (23:43):
I mean, look at Ascension Health Healthcare not
too far from here, midwest-basedI think, here in Indianapolis.
They still have some systemsthat are down.
Last I checked with a buddythat works in lower level in
finance.
There still has some systemsyou can't use.
So I think it's examples likethat to turn that right back to
say no, this exercise isassuming they're completely
(24:03):
incapacitated and they're goingto be busy focusing on
restoration.
You got the literal andproverbial ball.
Speaker 3 (24:10):
Yeah, and what we've tried to do is to not just focus
on a technology problem as well, because if you start with a
technology problem, thenoftentimes like, oh, once you
fix your stuff then we're good,Okay, but there's a water main
break and we can't access ourfacilities.
Either it does fry some of ourservers or it ruins some of the
(24:31):
football equipment.
How do we replace these things?
You know, if we can't practicethere, where do we go to
practice?
Do we need additional lodgingbecause it's too far away for
them to commute from their homes?
Do we need to prep getting food?
And you know our nutritionalstaff.
Where are we going to putathletic training to deal with
injuries if we're practicing?
(24:52):
Is that down?
Do they have a?
Speaker 1 (24:54):
backup.
So just a micro example of Idon't know if that person would
be at the table helping withthat.
You can't test every businessprocess at once, but what I've
seen is let's pick the mostcritical first and then rotate
through them and as you do it,every year or quarter or
(25:16):
whatever the cadence is everyonegets a turn at some point.
It's just not all at once.
Speaker 3 (25:27):
Yeah, and the other piece to that is you may know it
, but is it documented?
And nobody likes documentation.
I don't like documentation, butyou're not going to be there
forever.
And just because you know andthere's tribal knowledge of how
things operate doesn't mean thatsomebody new that's coming in
or somebody following behind youwill just know it, right, or?
Speaker 2 (25:43):
you're on vacation.
Speaker 3 (25:44):
Or you're on vacation , right, and you don't want to
be bothered on vacation.
Who wants to be bothered onvacation?
Not me.
So we look at is it documented?
Can we reference it?
And then, on top of that, ifthere is a technology problem,
we can't access our file sharesthe cloud.
Do we have a physical copy ofit?
Who has a physical copy of it?
(26:06):
So you start looking atconsiderations like that.
But I mean, that's a good point.
Do we have things like playerallergies documented somewhere
where, if we lost access to asystem, we would be able to
easily reference it, becausethat could become really bad
really fast.
Speaker 1 (26:22):
Right, or who needs an EpiPen or?
Like backup medical care thatplayers may not be taking care
of if they've got somebodynormally taking care of it for
them.
We got time for one lastquestion.
We usually try to keep it funand on a light note, so do you
have a interesting Jack story, afun fact or something that
(26:42):
listeners or even your friendsor your mom may not know about
you, that you could share?
Live for the first time withoutthinking of it?
Speaker 2 (26:48):
This is a safe space.
Speaker 3 (26:49):
Yes, so my mom definitely knows this because
she was there during many timeswhen it happened.
And continuing with thefootball theme, so when I used
to play football you know, whenI was in elementary school and
middle school I'm double jointedin both my arms, so when I
would get tackled I would jumpup and I would act like I broke
(27:09):
my arm and the rest would freakout because we're in youth
football and they're just like,oh, what's happening?
Speaker 1 (27:15):
Like somebody.
Nobody can see this, but I justhave to like play by play.
Jack just reached his arms upand both of his elbow joints
went inverted and I could onlyimagine those refs and parents
being like ah.
Speaker 2 (27:28):
It's almost like a free timeout.
Man.
You're like you guys needtimeout.
Hold on a second.
Speaker 3 (27:32):
Oh, my bad, I forgot.
Speaker 1 (27:33):
Somebody pop these back for me, yeah.
Speaker 3 (27:35):
So I mean you get up, you're in full pads, you get
tapped and you come up, you'rejust like oh my gosh.
And then you know everybodyfreaks out for a minute and then
you just laugh and run away.
Speaker 2 (27:43):
He's probably the most efficient person to put on
a sports coat, because I feellike if I could do that and put
a sports coat on, I couldprobably put it on with
lightning speed.
Speaker 1 (27:49):
There, you go.
Speaker 3 (27:51):
It was a lot of fun, Probably some of my earliest
sports and specifically footballmemories Nice memories.
Speaker 1 (27:57):
So well, thanks for sharing, thanks for stopping in
and recording an episode with us.
Speaker 2 (28:06):
Have a great rest of the day and go Colts, go Colts.
Yes, sir, thank you sir.
Popular Podcasts
United States of Kennedy
United States of Kennedy is a podcast about our cultural fascination with the Kennedy dynasty. Every week, hosts Lyra Smith and George Civeris go into one aspect of the Kennedy story.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com