
I recently had the pleasure of speaking with 'The Stack' about the growing need for industry-wide cyber security standards for venues and stadia, given the looming threat of attacks.


The article provides some insight into these challenges and the need for more collaboration between governing bodies and local government. If you fancy a read, I have shared the link below:



If you would like to dig further into these pressing issues, I have provided more in-depth insights below, along with my suggestions for levelling up cyber security at venues.



Growing Challenges for Venues


In my role at World Rugby, I discovered a number of reasons why venues are not keeping pace with advances in cyber security. The first is holding on to legacy technology. Venues have usually made large investments in technology that is now out of support or no longer fit for purpose, and with technology costing more each year it is difficult for them to justify the uplift. These legacy platforms cost more each year to maintain and make it harder to meet the growing demands placed on venues.


Another challenge is the lack of cyber expertise to call upon; cyber skills are expensive, and any recommendations to build better protections cost even more. Most venues outsource their technology support and receive very little cyber guidance as part of it.


Lastly, there is the motivation of threat actors and the advancement of attacks. It is much easier for cyber criminals to attack small to medium organisations, and recent research shows ransomware is still the most likely technique to be used.



Requirements for Frameworks and Standards


One of the biggest challenges currently facing venues is the lack of a framework to follow when looking to improve their protections. In each assessment I have undertaken the venue has been inconsistent, with gaps ranging from no network segmentation to a lack of endpoint security. This highlights the importance of a venue cyber framework with a step-by-step path, so venues can ensure their investments are high value.


This framework should include a list of standards and controls that depends on the size and complexity of the venue. I use a blend of NIST and the NCSC CAF to select those controls, then tier them into bronze, silver and gold:


  • Bronze controls are mandatory and every venue should have them; examples are patch management, endpoint security, network security and MFA. Usually these venues and stadiums are small/medium, with a seating capacity under 1000.

  • Silver controls are selected based on the complexity of the venue; examples include DDoS protection, an IdP, IDS/IPS for the network, and proper asset lifecycle management.

  • Gold controls are the most advanced and usually reserved for national/major venues; these could include UEBA, zero trust networking, or advanced user training.


Using this type of approach gives venues a baseline to follow, ensures they are not investing in inappropriate controls, and shows gradual maturity.



Consequences of Inaction


The usual response I get back from venues is "we're only a small venue, we won't be targeted?" and unfortunately, unbeknown to them, they are wrong: small to medium sized organisations are a prime target for cyber criminals, as they are likely to be easier to compromise due to a lack of protections and rigour around cyber security.


A successful cyber attack could result in major long-term disruption of any events at the venue, or an inability to operate proper access control, leading to potentially serious threats to the health and safety of fans.


The long-term impact on a venue of a cyber attack could be months of recovery and the associated loss of revenue; based on my own analysis this could result in bankruptcy for the operators.



Responsibility for the Sports Industry


Governing bodies have a responsibility, when running any event including major sporting spectacles such as World Cups or Series, to help venues with their cyber security. Often these venues have seen under-investment, specifically in technology and cyber, so guidance on the most appropriate controls to keep them protected is just as important as the successful running of an event. On top of guidance and support, governing bodies and sporting organisations need to consider investing in venues for the long term and not just for a short-term event.


Another responsibility is sharing best practice regularly with venues and stadiums; producing blueprints and policies to share with them ensures there is consistency in their deployments.


Lastly, venues should be integrated into any operational planning and exercises to better prepare for a potential attack. This will highlight gaps in process, technology and procedures.



Next Steps


With any industry challenge, the first step is acknowledgement of the growing threat and building a group of professionals to help coordinate activities and push out positive change. Through my role with the NCSC, I will be pioneering this initiative across a number of governing bodies.


The next step would be the publication of a venue cyber security framework and standards to guide venues and owners on how to tackle this new challenge. Venues currently have no best-practice standards to follow, which often leads to disjointed and messy implementations.


Following the creation of a framework and best-practice standards, there needs to be a centralised location where these are shared, distributed and updated for every venue to visit. The recommended place would be within the NCSC, leveraging their expertise and support network.


Once the heavy lifting of the first few steps is done, the framework needs to be integrated with other industry frameworks such as Health & Safety, Physical Security and Counter-Terrorism. The latest legislation, 'Martyn's Law', is a huge step up for venues, and embedding cyber security practices within it will help highlight to each venue the importance of taking it seriously.


Upon publication of the framework and standards, it is equally important to assess whether venues are following the guidance and whether it is uplifting their cyber security. I would suggest adding cyber security criteria to the venue audits currently conducted for physical security, which will capture their maturity. An additional benefit of these audits would be capturing factual data on the growing concern and establishing a baseline.


Lastly, there would be continued support for venues, as expertise is expensive and it is often difficult for a venue to justify hiring a cyber professional. This is where governing bodies can help: if they can centralise cyber expertise that is pooled out to venues, it can act as a touch point for any questions.


As part of my role at World Rugby and the NCSC I helped produce a venue cyber assessment; I will be releasing a few videos on how I have reviewed venues and my recommendations for improving their cyber security. If you are interested in this document, please feel free to reach out.




Saepio event hosted at the House of Commons

I recently attended an invite-only event hosted by Saepio at the House of Commons (UK) to discuss the evolving cyber security landscape and the new technology which is being developed to address these challenges.


Summary of the key areas of discussions from the day:


  • 3rd Party Risk Management

  • Automated IAM & Monitoring

  • Cloud Data Protection & Reducing TCO

  • Business Email Compromise

  • Recovering from Cyber Attack

  • Benchmarking Cyber Position & Planning


If you are interested in a more detailed write-up and some of the insights I will be digging into as a CISO, read more below.



1. Third-Party Risk Management

  • Increased Scrutiny of Supply Chains: With a rise in supply chain attacks, organisations are shifting from point-in-time assessments to continuous third-party monitoring.

  • Risk Scoring Models: Modern platforms now use dynamic scoring, enriched with threat intelligence, to help CISOs prioritise vendors based on real-time risk posture.

  • Zero Trust Extensions: Extending Zero Trust principles to third-party access and integrating them into Identity Governance & PAM (Privileged Access Management) frameworks is becoming best practice.


2. Automated IAM & Monitoring

  • Efficiency Through Automation: Automation in Identity & Access Management is reducing provisioning/deprovisioning delays and closing security gaps.

  • Identity as the New Perimeter: IAM solutions are integrating with SIEM/SOAR for continuous user behaviour analytics, allowing proactive response to identity anomalies.

  • Lifecycle Management: Integration across HRIS, AD, and SaaS applications is critical for seamless onboarding/off-boarding, especially in hybrid/remote environments.
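The lifecycle point above is where most identity gaps actually open: leavers whose accounts stay enabled, accounts with no HR owner, and privilege that was granted for one role and never removed. As an added example (not from the event or the original write-up), the following reconciles a constructed HR roster against a constructed set of directory accounts and produces the disable/review actions an automated joiner-mover-leaver job would raise. The attribute names (employee_id, department, groups) and the birthright/privileged group names are hypothetical; a real integration would pull these from the HRIS and the IdP or AD.

```python
"""Joiner / mover / leaver reconciliation between an HR roster and directory accounts.

Added example, not from the original post. All sample data is constructed and
the attribute and group names are hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str             # "active" or "leaver"
    end_date: date | None   # last working day for leavers
    department: str


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str | None  # None for service / break-glass accounts with no HR owner
    enabled: bool
    groups: frozenset[str]
    last_logon: date | None


# Role-based "birthright" groups per department, and the groups treated as
# privileged. Hypothetical names, constructed for the example.
BIRTHRIGHT = {
    "Finance": frozenset({"finance-ro", "vpn"}),
    "Operations": frozenset({"ops", "vpn"}),
}
PRIVILEGED = frozenset({"domain-admins", "finance-approvers"})


def reconcile(hr, accounts, today, grace_days=0, stale_days=90):
    """Return sorted (username, action, reason) tuples.

    action is "disable" (leaver past the grace period, or orphan with no HR
    record) or "review" (privilege outside the role baseline, stale logon, or
    an enabled privileged account with no HR owner).
    """
    by_id = {r.employee_id: r for r in hr}
    actions = []
    for acct in accounts:
        if acct.employee_id is None:
            if acct.enabled and PRIVILEGED & acct.groups:
                actions.append((acct.username, "review", "privileged account with no HR owner"))
            continue
        rec = by_id.get(acct.employee_id)
        if rec is None:
            if acct.enabled:
                actions.append((acct.username, "disable", "no matching HR record (orphan)"))
            continue
        if rec.status == "leaver" and rec.end_date is not None:
            if today >= rec.end_date + timedelta(days=grace_days):
                if acct.enabled:
                    actions.append((acct.username, "disable", f"leaver, last day {rec.end_date.isoformat()}"))
                continue
        # Active (or leaver still inside the grace period): check entitlements against the role.
        expected = BIRTHRIGHT.get(rec.department, frozenset())
        extra_priv = (acct.groups - expected) & PRIVILEGED
        if extra_priv:
            actions.append((acct.username, "review", f"privileged groups outside role: {sorted(extra_priv)}"))
        if acct.enabled and acct.last_logon is not None:
            idle = (today - acct.last_logon).days
            if idle > stale_days:
                actions.append((acct.username, "review", f"no logon in {idle} days"))
    return sorted(actions)


# Constructed sample data (hypothetical people, IDs and dates).
TODAY = date(2025, 6, 1)
HR_ROSTER = [
    HrRecord("E001", "active", None, "Finance"),
    HrRecord("E002", "leaver", date(2025, 5, 20), "Finance"),
    HrRecord("E003", "active", None, "Operations"),
]
DIRECTORY_ACCOUNTS = [
    Account("asmith", "E001", True, frozenset({"finance-ro", "vpn"}), date(2025, 5, 30)),
    Account("bjones", "E002", True, frozenset({"finance-ro", "vpn", "finance-approvers"}), date(2025, 5, 19)),
    Account("cwong", "E003", True, frozenset({"ops", "vpn", "domain-admins"}), date(2025, 1, 10)),
    Account("svc-backup", None, True, frozenset({"domain-admins"}), date(2025, 5, 31)),
    Account("dlee", "E009", True, frozenset({"vpn"}), date(2025, 5, 28)),
    Account("old-intern", "E010", False, frozenset({"vpn"}), None),
]

if __name__ == "__main__":
    for username, action, reason in reconcile(HR_ROSTER, DIRECTORY_ACCOUNTS, TODAY):
        print(f"{action:8} {username:12} {reason}")
```

Run as-is it lists two disables (the leaver and the orphan) and three reviews; passing grace_days=30 keeps the leaver enabled but still flags the approver group they hold outside their role. Already-disabled accounts are skipped, so the job is safe to run repeatedly, and service accounts are only surfaced when they carry privilege, which is the set worth a named owner.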


3. Cloud Data Protection & Reducing TCO

  • Unified Data Protection: Consolidation of CSPM, CWPP, and DLP under unified platforms is reducing tooling overlap and cutting operational costs.

  • Encryption & Tokenisation: There's a strong shift toward data-centric security, where encryption/tokenisation happens at the data layer, agnostic of cloud provider.

  • Cloud-Native Security: Adopting cloud-native solutions (vs. lifting legacy tools) is significantly lowering TCO while improving agility and compliance posture.


4. Business Email Compromise (BEC)

  • Beyond Email Gateways: AI-based anomaly detection is essential, as BEC often involves hijacked trusted accounts rather than spoofed ones.

  • User Awareness Still Critical: Despite technological advances, user training and simulated phishing exercises remain key components of layered defence.

  • DMARC Adoption Rising: Adoption of DMARC, SPF, and DKIM is improving but still inconsistent—critical for domain reputation protection.
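The DMARC point is easy to check but often misread: a record can exist and still enforce nothing. As an added example (not from the event or the original write-up), the following evaluates a domain's published SPF and DMARC records offline, comparing a common weak starting point with a hardened equivalent. The record strings and the example.invalid domain are constructed rather than fetched; a real check would look up the TXT records for the domain and for _dmarc.<domain>.

```python
"""Offline check of a domain's SPF and DMARC records as a spoofing control.

Added example, not from the original post. Records are constructed strings
for a hypothetical domain rather than DNS lookups.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import re


@dataclass
class AuthPosture:
    spf_present: bool
    spf_all: str | None        # terminating mechanism: "-all", "~all", "?all", "+all", or None
    dmarc_present: bool
    dmarc_policy: str | None   # p= tag: none, quarantine or reject
    dmarc_pct: int
    has_reporting: bool        # rua= present, so failures are actually visible
    findings: list[str] = field(default_factory=list)


def parse_spf(record: str | None) -> dict | None:
    """Split an SPF TXT record into its terms and find the 'all' qualifier."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return None
    terms = record.split()[1:]
    all_mech = None
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term.lower())
        if m:
            all_mech = (m.group(1) or "+") + "all"   # a bare 'all' means '+all'
    return {"terms": terms, "all": all_mech}


def parse_dmarc(record: str | None) -> dict | None:
    """Parse 'tag=value;' pairs from a DMARC TXT record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate(spf_record: str | None, dmarc_record: str | None) -> AuthPosture:
    """Rate how receivers will treat mail that fails authentication for this domain."""
    spf = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)
    findings = []

    spf_all = spf["all"] if spf else None
    if spf is None:
        findings.append("no SPF record: receivers cannot validate the envelope sender")
    elif spf_all in (None, "+all", "?all"):
        findings.append(f"SPF ends with {spf_all or 'no all mechanism'}: any host may send as the domain")
    elif spf_all == "~all":
        findings.append("SPF softfail (~all): spoofed mail is only marked unless DMARC enforces")

    policy = dmarc.get("p", "").lower() if dmarc else None
    try:
        pct = int(dmarc.get("pct", "100")) if dmarc else 0
    except ValueError:
        pct = 0
    reporting = bool(dmarc and "rua" in dmarc)
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are never enforced on the From: domain")
    else:
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC p={policy or 'missing'}: monitor only, spoofed mail is still delivered")
        if pct < 100:
            findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
        if not reporting:
            findings.append("DMARC has no rua= tag: no aggregate reports to see who is spoofing the domain")

    return AuthPosture(spf is not None, spf_all, dmarc is not None, policy or None, pct, reporting, findings)


def is_enforcing(p: AuthPosture) -> bool:
    """True when receivers are told to quarantine or reject all failing mail."""
    return p.dmarc_policy in ("quarantine", "reject") and p.dmarc_pct == 100


# Constructed records: a common weak starting point and a hardened equivalent.
WEAK_SPF = "v=spf1 include:_spf.mailer.example.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none"
HARD_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example.invalid -all"
HARD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.invalid; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARD_SPF, HARD_DMARC)):
        posture = evaluate(spf, dmarc)
        print(f"{label}: enforcing={is_enforcing(posture)}")
        for finding in posture.findings:
            print("  -", finding)
```

The weak pair is what many domains publish after a first DMARC rollout: softfail SPF plus p=none, which reports nothing and blocks nothing. Note the limit this check shares with the first bullet above: SPF, DKIM and DMARC only address mail that fails to authenticate as the domain, so BEC sent from a hijacked legitimate mailbox passes all three, which is why account monitoring and MFA sit alongside them rather than behind them.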


5. Recovering from a Cyber Attack

  • Resilience Over Recovery: Focus is shifting toward cyber resilience—ensuring business continuity through segmentation, rapid isolation, and immutable backups.

  • Tabletop Exercises: Mature organisations are running cross-functional tabletop exercises including Legal, Comms, and Execs—not just IT and Security.

  • Detection-in-Depth: Emphasis on post-breach forensics, XDR platforms, and response orchestration to reduce dwell time and limit blast radius.


6. Benchmarking Cyber Position & Planning

  • Framework Alignment: NIST CSF 2.0 and MITRE ATT&CK are increasingly used for benchmarking maturity and identifying coverage gaps.

  • Board Reporting Evolution: Metrics are becoming more business-aligned—focus on risk reduction, ROI of controls, and scenario-based impact.

  • Roadmapping with Context: Using benchmarking data to drive a prioritised, risk-based roadmap, often aligned to regulatory expectations and insurance requirements.


Stay tuned for more insights from other events I attend.



Welcome to our latest podcast from Fortify Security. Today we sit down with Things People Do to discuss the world of cyber security, its evolving threats, and tips to stay safe online.



Topics covered:


  • Cyber security basics.

  • Different threat actor groups.

  • The evolving world of cyber security.

  • Example of a targeted cyber attack.

  • How to keep your passwords secure.

  • What to do if your phone or account has been hacked.

  • What is a deepfake and how concerned should we be about AI.

  • What is the dark web.

  • How advanced cyber attacks can be and could you be monitored over your webcam.


I hope you found the podcast interesting and learnt more about cyber security.
