Donald Elliott, CIO at Cricket Australia, shared his strategies for navigating the complex cyber security landscape in a highly visible and globally connected organisation.  

In an interview with ADAPT’s Principal Research Analyst Peter Hind, he touched on key issues such as managing risk, educating stakeholders, and the importance of flexibility in a federated environment. 

Donald will join 150 leading CISOs & CSOs from enterprise and government organisations in to debate strategies on how to navigate the vulnerability minefield & enable the age of AI at Security Edge on 10 October. 

 

Expanding attack surfaces and managing risk 

One of the unique challenges Cricket Australia faces is the wide attack surface created by its global operations.  

Donald pointed out that the risks extend beyond national borders, following teams, athletes, and their families wherever they travel.

This introduces additional complexities, as securing not only Cricket Australia’s digital assets but also the personal identities of players and their companions is crucial.  

Donald stressed that protecting personal privacy while ensuring security requires a delicate balance, especially when working with high-profile athletes. 

 

Federation and the power of consensus 

Cricket Australia operates in a federated structure, with multiple boards and management teams across states and territories.  

Donald highlighted the challenges of gaining consensus in such a setup, where not all stakeholders have the same knowledge or priorities around cyber security.  

The key, he explained, is education and consensus-building rather than dictating from the top.  

 

Tailoring risk appetite and educating the board 

Donald discussed the importance of tailoring risk management to different areas of the organisation.  

For instance, systems containing sensitive information like athlete medical records have a very low appetite for risk, whereas other systems may have more flexibility.  

He emphasised that ongoing conversations with the board about the organisation’s evolving risk appetite are critical, especially in light of major data breaches in the broader market.  

By drawing on these external incidents, Donald has been able to educate stakeholders on the need for continuous improvement in cyber protections. 

 

Benchmarks, budgeting, and real-world comparisons 

Donald also touched on the challenge of benchmarking cyber security spending in the sporting industry, which doesn’t fit neatly into traditional sectors like telco or media.  

He explained that while other industries can use standard benchmarks, sports organisations need tailored comparisons that consider the unique demands of the field. 

Cricket Australia’s approach, he explained, is fit-for-purpose, focusing on what’s essential rather than gold-plating every solution.

This flexibility allows the organisation to optimise its cyber security budget without overextending resources. 

 

Key Takeaways: 

  • Global attack surface: Securing both organisational and personal identities across borders introduces unique challenges for risk management.
  • Collaboration over control: In federated organisations, building consensus through education is key to implementing effective cyber security measures.
  • Tailored risk management: Risk appetites should be flexible and based on the sensitivity of the data involved, with frequent communication with the board.
  • Benchmarking for sports: Standard industry comparisons aren’t enough—sports organisations must create their own tailored benchmarks. 
  • Practical cyber security: Focusing on essential protections and optimising budgets is more effective than aiming for overly complex, gold-plated solutions. 

 

Contributors
Donald Elliott CIO at Cricket Australia
Don has built a reputation as a versatile leader who delivers results by building high performing and resilient teams. He is passionate about developing people and organisational culture to improve customer satisfaction. His experience in large and complex environments demonstrates an ability to sell and implement company-wide strategic programs often within a framework of competing divisions and agendas.

Don has strong commercial acumen and the ability to simplify complex business and technical problems to build understanding and consensus. He relishes the opportunity to deliver technology solutions to address business opportunities through strong collaboration and partnering.

Don has worked across all aspects of IT Strategy, Planning, Delivery and Operations in both startups and multi-nationals and has gained a deep understanding of many industries including Retail, Manufacturing, Supply Chain, Finance, Utilities and Telecommunications.
