Winning or Losing: Red Zone and Cybersecurity Reporting

College football’s wild weekend inspired some reflection on the red zone and a comparison to reporting and communication in cybersecurity.

The high of watching #1 Ohio State fall to #2 Indiana (now ranked #1) was offset by the low of Notre Dame being snubbed from the college playoffs. Football is filled with upsets and losses due to a few key plays (and decisions) going against your team. I think there are rich insights to be gained by thinking through how the same game is played out in reporting and communication … especially cybersecurity.

Teams win or lose in the red zone (and reporting)

Football teams win games based on successfully traversing through the red zone and crossing the goal line by running on the ground, passing in the air, or kicking the ball through the golden uprights. Football teams lose games when they are unable to successfully traverse the red zone due to fumbling, turning over on downs (or an interception), and stopping forward progress.

Similarly, cybersecurity teams “win games” when they can report and communicate in a way that crosses the threshold of understanding of their intended audience (i.e. the end zone). Cybersecurity teams lose when they cannot communicate or report effectively (this applies to both horizontal and vertical communication).

I think the football version of the 80/20 rule is so powerful – it might merit its own mental model and special name.

Why care about the red zone

The red zone (20-yard line to the end zone) is a pivotal battleground on the football field. In this tense, high-pressure zone, a battle of brains and brawn occurs between the strategic decisions of coaches and the tactical execution of the players on the field. Here, the stakes are high because the game that takes place over 100 yards and four fifteen-minute quarters can be condensed to a game of inches and seconds.

This area is filled with game-deciding moments. The conversion rate, a team’s ability to successfully translate an entry into the red zone into points via a touchdown or a field goal, is a key indicator of success. Fans know this zone well. Game-deciding moments can ignite the feeling of pure ecstasy or utter misery depending on whether the team makes it across the goal line into the end zone (and whether you are rooting for the offense or the defense). It hurts when your team “drops the ball” and forward progress is stopped.

Now think about how reporting and communication are the equivalent of the “red zone” in football. If you were to think about the conversion rate of your own and your team’s reporting, what would it look like? If you were to think about all your current security initiatives, are they converting to something that matters at the end of the day? Or are teams “dropping the ball” when it comes to converting (communicating effectively) when it matters?

Strategy and execution are needed for the “red zone” to avoid turnovers and losses

To help give some contextual framing, I am going to take the 4-phase risk analysis process and show how it conceptually overlays with the football field. It’s easy to swap any other process because no matter how many steps there are in a process or how long it takes, at the end of the day, it needs to be reported and communicated to some person or team to matter (a.k.a. “score”).

The 80/20 (“Glory Be”) rule.

In football:


So. Much. Practice. So. Many. Decisions. So. Many. Plays. So. Much. Energy. All work toward gaining and maintaining forward progress across the 80 yards (or less depending on where the team receives the ball at the change of possession). While momentum is huge, momentum truly materializes into something that matters when teams make it through the red zone, across the goal line, and score.

In cybersecurity:

So. Much. Time. So. Many. People. So. Many. Steps. So. Much. Money... Goes into moving any given person, team, and/or process to a certain point. Milestones, small wins (insights included) and momentum are wonderful. But none of them matter if forward progress stops when it comes to reporting and communication.

One non-cybersecurity example:

To make sure the takeaway from this article lands, the story of the Challenger serves as a tragic example of failed reporting resulting in a devastating loss. So many resources were spent in preparing for the launch of the space shuttle, but the failure of the engineers to effectively report risk upward (i.e. get through the red zone and across the goal line) resulted in a fatal explosion shortly after takeoff.

Obviously, not all reporting mishaps result in life-or-death circumstances. But effective or ineffective reporting and communication can determine if your hard work successfully launches (and lands) or implodes (and scatters).

Reflection on the red zone

Remember, games are won and lost by traversing the red zone and crossing the goal line (or golden uprights). Reporting and communication are akin to the red zone and end zone in security. You communicate and collaborate effectively - or not. You can win people over - or lose them. You can win budgets based on your ability to report (communicate) effectively - or lose. You can negotiate to get the proper protection - or not.

What does your current reporting red zone conversion rate look like? You don’t want to be the person or team that fumbles and “drops the ball”! Be sure to prioritize time and resources on the reporting red zone to secure the victory.

Closing thoughts

I would like to propose a new mental model along with its name: the “Glory Be” 80/20 Rule. This name draws on two stories. First, the “Hail Mary” play, which received its name from Roger Staubach’s remark about his game-winning touchdown pass. Second, the emotional 12/06/2025 interview that Indiana college football quarterback Fernando Mendoza gave after his #2 team upset the #1 team. He said, “We were never supposed to be in this position. But by the glory of God, the great coaches, the great teammates, everyone we have around us, we were able to pull this off.”

I think glory goes all around when security teams can progress through the red zone and into the end zone, make their work count, and collectively pull off a “win.”

At SUSA, we specialize in coaching teams on how to get to the end zone and in boosting team performance through the red zone. Check out our storytelling and communication services to learn more.
