Securing Major League Baseball - On and Off the Field

Securing Major League Baseball - On and Off the Field
Author: ISACA Now
Date Published: 15 May 2019

Three strikes and you're out is one of the more well-known sayings in baseball, but it only takes one devastating cyberattack to inflict huge damage on Major League Baseball or any of its 30 teams.

At Wednesday's session, "It's Only Baseball: Technology and our National Pastime - A Security Perspective," at ISACA’s 2019 North America CACS conference in Anaheim, California, USA, Neil Boland, the CISO of Major League Baseball, and Albert Castro, director of information technology with the Los Angeles Angels, provided perspective on the scope of the security challenge for an organization with such high visibility as MLB.

“Baseball has a lot going on,” Boland said. “We have a lot of fans, a lot of games, a lot of activities throughout the course of the year, and a lot of exposures around the globe in many, many countries. The sport continues to grow, and the consumption of the sport continues to grow.”

The session traced the rise of prominence of security in baseball from when security was an afterthought to today’s state, in which the bottom line is: “This is critical. Don’t mess it up.”

Securing Major League Baseball - On and Off the Field

MLB works with numerous partners, which is often where the most challenging security considerations come into play. Boland said MLB is taking steps to strengthen partner onboarding and provide further guidance on mitigating risks.

"There's just a vast amount of partners we work with to pull this off - 162 games a year, not even counting spring training and the postseason for a club, and [multiply] that by 30 teams," Boland said. "There's a lot of data, a lot of tools and a lot of systems, and some of them are really important, like industrial control systems to keep people safe."

Recognizing the scope of the challenge, in 2017, Boland helped to implement a program to better protect the league and its clubs from cyberattacks, standardizing the security stack and integrations. A vastly increased use of mobile platforms, IoT and cloud services means the traditional perimeter is gone, putting the onus on MLB to provide simple and reliable tools that prevent attacks.

"We wanted to raise the bar a lot higher," Boland said. "We wanted to be faster than the next guy running from the bear."

Boland encouraged session attendees to move quickly to upgrade their organizations’ security posture rather than delay in search of the ideal solution.

"Any layer that you can add that just makes life harder for your adversary is a good thing, even if it's not perfect," Boland said.

Unlike the sport’s signature rivals such as the Red Sox and Yankees or Cubs and Cardinals, Boland emphasized that everyone needs to be on the same team when it comes to cybersecurity, and said it is important to share information on cyber threats.

"I ring the bell, and I think that's really important to do, because we're all in this together," Boland said.

Beyond the security realm, Castro highlighted the way that teams leverage technology in areas such as ticketing, sponsorship activation, fan engagement and scouting and developing players.

“The access to information has just grown exponentially and with that has come the ability to do all kinds of really sophisticated analysis that just makes technology critical to running a baseball team,” Castro said.