People think that cyber risk and cybersecurity are all about technology. But during my more than two decades in the cybersecurity arena—first as a cyber engineer and later as the chief information security officer at a public company and in executive management—I have found that cyber risk and cybersecurity have more to do with people, personalities, and psychology.
Whether you are preparing for the Super Bowl or another live event and/or delivering your product online or via TV, it’s critical to take an end-to-end approach to security. That starts with understanding what experiences people want and need from the content you are offering.
Expectations will vary depending on what you are offering and how people are experiencing it. Some people may be entering your arena. Others may be streaming or watching your event on TV. Certain individuals may be betting on the sporting event for which you are responsible.
Step back and think through all those scenarios, because the people experiencing your product through each of those lenses will be different. The attack vectors in these situations will also vary, as will regulatory requirements and people’s privacy expectations.
Enterprise vs. Stadium Security
It’s critical to understand that you can't take blanket cybersecurity rules and programs from the enterprise world and shift them to sports or broadcast. There are distinct differences between sports and enterprise environments. One of the biggest differences is on the people side.
In enterprise cybersecurity, you generally can control who enters and exits your environments. You can limit what devices from what locations can access your website and VPN. And for physical security, you can issue badges to help ensure only current employees can enter your facilities and/or leverage geofencing to create virtual boundaries, so you can monitor access to sensitive areas and receive alerts if unauthorized parties breach those physical perimeters.
But you don’t have that level of control with stadium security if you want to open your league and arena experiences to the world. You will need to implement an elevated level of both physical security and cybersecurity beyond what you would need in an enterprise environment.
Enterprise users are also more tolerant of the impacts of cybersecurity solutions. If an employee on a corporate laptop inside an enterprise facility has to wait an extra three seconds for a website to render, they are not going to file a complaint with the company’s chief information officer, chief information security officer, or IT team. If they did, it would probably elicit laughter. Public users have a different expectation regarding website load times when they are at home compared to being at work, so it is critical that the controls you put in place do not degrade their experience.
[NDI 6.1: New Features, Enhanced Tools, and More]
However, in sports, if your online experience is even a fraction of a second slower than what appears on the air, you may face a legal problem if you run afoul of sports betting rules. Cybersecurity controls, if implemented incorrectly, can easily add latency and delays to an online experience. Because there is less tolerance in sports for the impacts that cybersecurity controls can create, it is critical to work with consultative partners who are not only cybersecurity experts, but also understand your business and take an end-to-end approach to secure you and your customers and deliver top-notch experiences.
Be Transparent
Many organizations today believe that security by obscurity is a good thing. The thought that if you don’t talk about or expose capabilities within your environment that something bad cannot happen is simply a wild fallacy.
People tend to inherently distrust security, technology, and cameras. If you are not clear about what you’re doing and why, it just takes a few people to post something that puts you on your heels.
By making cybersecurity an integral part of your operations from the very beginning, you can turn it into a competitive advantage.
It’s best to be transparent about what you’re doing. I’m not suggesting that you give away all your secrets or share your security protocols. But be forthright about your efforts to protect their physical security, credit card transactions, and other aspects of their experience.
Explain in your literature, website, and stadium signs what controls you have in place. For example, you may want to post signs about whether or not you offer free Wi-Fi and how people can connect. That lets people know what is available and discourages them from connecting to unauthorized access points, protecting them in the process.
If you use cameras to allow faster entry into your facility or a more secure environment, let people know that. Calm people’s fears by communicating your policies around their images or information. If you will never use their face for anything other than a particular use case, share those details.
Some visitors may be unwilling to allow you to use their face or their fingerprint, so let people opt into the experience. But remember that many of those same people already use their biometrics to log into their phones. If you offer something that makes opting in worth their while—and put the right information in front of them to make them comfortable—more people will opt in, which will improve their overall experience with your services.
Baked-In Security
My team and I have had the opportunity to work with incredible organizations and venues such as Madison Square Garden, the NFL, the San Francisco Giants, the University of Texas Moody Center, and many others. Given my role, I have visited most of the stadiums across the United States.
Nobody likes to talk about security, but many sports organizations want to use facial recognition or fingerprint identification or encourage fans to install an app on their phones. I believe fans are willing to do all that if you demonstrate that you take cybersecurity—and your role as the custodian of their personally identifiable information—seriously.
No organization is immune to threats, but by making cybersecurity an integral part of your operations from the very beginning, you can turn it into a competitive advantage. Start by assessing the full spectrum of your audience’s interactions—whether in the stadium, online, or at home—and design solutions that balance security with seamless user experiences. Engage with trusted partners that have the expertise to help you implement robust, transparent, and scalable security measures tailored to your unique environment and budget.
[Executive Q&A: Time for Transformation]
Cybersecurity isn’t just a checkbox, it’s a responsibility that impacts every touchpoint of your brand. When you prioritize it, you protect your business and enhance the trust and loyalty of your fans and customers.
Don’t wait for a breach to rethink your approach. The time to act is now. Evaluate your risks, build a strategy, and lead with a commitment to security that sets your organization apart.
