When you really see the underbelly of something, it is rarely pretty. The NFL is no different. Grown men are paid millions of dollars a year to display unbridled aggression, toughness, and competitiveness. That sounds like a pretty Darwinian environment, where the strong prey on the weak. And it is, given what we have seen over the last few weeks as behavior in the Miami Dolphins locker room comes to light.

It is counterintuitive to think of a 320-pound offensive lineman being bullied by anyone. You hear about fights on the field and in the locker room as these alpha males all look to establish position within the pride. But how are the bullies in the Dolphins locker room any different than the petty mean girls and boys you had to deal with in high school? They aren’t. If you take a step back, a bully is always compensating for some kind of self-perceived inadequacy that forces him or her to act out. Small people (even if they weigh over 300 pounds) make themselves feel bigger by making others feel smaller.

So the first question is whether the behavior is acceptable. I think everyone can agree racial epithets have no place in today’s society. But what about the other tactics, such as mind games and intentionally excluding a fellow player from activities? I’m not sure that kind of hazing would normally be a huge deal, but combined with an environment of racial insensitivity, it is probably crossing the line as well. What’s more surprising is that no one stepped up and said that behavior was no bueno. Bullies prey on folks because the folks who aren’t directly targeted don’t stand up and make clear what is acceptable and what isn’t. But that has happened since the beginning of time. No one wants to stand up for what’s right, so folks just watch catastrophic events happen.

Maybe this will be a catalyst to change the culture. There is nothing the NFL hates more than bad publicity. So things will change. Every other team in the NFL made statements about how their work environments are not like that. No one wants to be singled out as a bully or a bigot. Not when they have potential endorsement deals riding on their public image. Like most other changes, some old timers will resist. Others will adapt because they need to. And with the real-time nature of today’s media, and rampant leaks within every organization, it is hard to see this kind of behavior happening again.

I guess I can’t understand why players who call themselves brothers would treat each other so badly. Of course you beat up your little brother(s) when you are 10. But if you are still treating your siblings shabbily as adults, you need some help. Maybe I am getting a bit judgmental, especially considering that I have never worked in an NFL locker room, so I can’t even pretend to understand the mindset.

But I do know a bit about dealing with people. One of the key tenets of a functional and successful organization is to manage people in an individual fashion. A guy may be 320 pounds, an athletic freak, and capable of serious violence when the ball is snapped, but that doesn’t mean he wants to get called names or fight a teammate to prove his worth.

I learned the importance of managing people individually early in my career, mostly because it worked. This management philosophy is masterfully explained in First, Break All the Rules, which shows how much corporate performance depends on happy employees who do what they love every day with people they care about. Clearly someone in Miami didn’t get the memo.

And you have to wonder what kind of player Jonathan Martin could be if he worked in a place where he didn’t feel singled out and persecuted, so he could focus on the task at hand: his blocking assignment for each play. Not whether he was going to get jumped in the parking lot. Maybe he’ll even get a chance to find out, but it’s hard to see that happening in Miami.


Photo credit: “Bully Advance Screening Hosted by First Lady Katie O’Malley” originally uploaded by Maryland GovPics

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

What CISOs Need to Know about Cloud Computing

Defending Against Application Denial of Service

Newly Published Papers

Incite 4 U

  1. What is it that you do? I have to admit that I really did not understand analysts or the entire analyst industry prior to joining Securosis. Analysts were the people on our briefing calendar who were more knowledgeable – and far more arrogant – than the press. But they did not seem to have a clear role, nor was their technical prowess close to what they thought it was. I was assured by our marketing team that they were important, but I could not see how. Now I do, but the explanation needs to be repeated every so often. The aneelism blog has a nice primer on technology analyst 101 for startups. Long story short, some analysts speak with customers as independent advisors, which means two things for small security vendors: we are told things customers will never tell you directly, and we see a breadth of industry issues & trends you won’t because you are focused on your own stuff and try to wedge whatever the customer says into a requirement for your product. In the end customers learn from us and we learn from customers. Our briefings with small vendors are exactly the same: bi-directional sharing of perspective and information. If the vendor is receptive, that is. – AL
  2. Three to four years: I am out at the Amazon Web Services conference this week, and just a bit after you read this (assuming you read the Incite with your Cheerios, as intended), Amazon will be announcing a couple major security enhancements. I recently discussed AWS with a former co-worker, and we agree that Amazon’s security capabilities are likely 3-4 years ahead of their peers across their range of cloud services. This includes both public and private clouds, and encompasses capabilities which are effectively impossible in traditional infrastructure. I know the Official Narrative states that the cloud is less secure than your own infrastructure, but that storyline is not evenly distributed. Keep an eye on the AWS security blog for details. – RM
  3. If you don’t know the difference between a CIO and a CISO, find something else to do… Yes, that’s long and ponderous, but I couldn’t find a shorter (or nicer) way to make my point. This article in CFO Magazine makes the case for companies to hire a CISO, and in the process compares the responsibilities of the CIO to what a CISO should be doing. Wait, what? The bigger question is where the CISO reports. We increasingly see the CISO (and associated resources) outside IT, providing critical security program management to keep everyone focused on the mission: protecting corporate data. Of course the CISO and CIO need to work in lockstep, but confusing their responsibilities seems downright silly. And their list of CISO responsibilities is a joke – focused mostly on communicating policy and compliance requirements. How about something a little more to the point: “Ensure secure business functions…” – MR
  4. Risk-y business: Risk-based authentication is a trend we see coming on like a freight train, so it’s time to start discussing it on the blog in the coming weeks. As personal mobile devices are used increasingly in corporate contexts, we will see increasing press coverage. Too bad some of it just misses the point. Network World’s How Security is using IAM to manage BYOD jumbles issues of BYOD, identity management, 2FA, eCommerce, and risk-based transactional analysis into one clumsy mess. Retailers and financial services are trying to address these issues, and mixing them up just makes things worse. We see separate fraud analytics, security analytics, and risk analysis tools simultaneously used to assess user activity on everything from shopping carts to access to corporate servers. Authentication and authorization are no longer strictly defined by an application or directory server, but derived from multiple sources, dynamically, through statistical and behavioral analysis. – AL
  5. What Is the Key Length of that Windmill? I suppose I still technically cover email encryption. Especially since neither Mike nor Adrian seem inclined to look at it any more. It isn’t something I have written about, but I used to answer some of Gartner’s inquiries on it. For businesses there are reasonable options, but it is still a pain in the ass to implement at scale. For consumers? Pfft. I have tried or used most of them, and they all suck. Matt Green has now penned a piece on email encryption and the new Dark Mail Alliance for the New Yorker. He blames crappy implementations, but I don’t think that’s really the issue. I just don’t think enough people care. Even with the NSA info that has been released, average people simply don’t worry about email encryption. Until it is built in, fully transparent, and always on, they won’t use it. Yup, you are probably more likely to see a snowball in hell. – RM
  6. When in doubt, crowdfund! Need $50k to test a very popular open source cryptography engine? No problem. Just crowdfund it. That’s what some guys did to raise the money to perform a real security test on TrueCrypt. That’s awesome because it is needed, and this kind of innovative funding makes it possible. We know attackers have already done at least one deep security inspection, looking for holes to exploit. It will be nice to learn what they already know. – MR