I have a confession: I’m hopeless at football.

I don’t really know the rules, I can’t explain offside without Googling it, and I’ve never been the kind of person who can watch a full match and genuinely track what’s happening.

And yet, years ago, I got unexpectedly fascinated by a football concept: “Total Football.” I first stumbled onto it through Ted Lasso (Season 3), where it’s presented as a way of playing that’s less about rigid positions and more about collective movement, shared responsibility, and coordinated intensity.

ted

I can’t judge whether the show got every detail right. But the idea itself hit me hard because if you remove the pitch and the ball, “Total Football” reads like an operating model.

And modern cybersecurity is, more than anything else, an operating‑model problem.

What “Total” means (outside the pitch)

In its classic description, Total Football is a tactical system in which any outfield player can take over the role of any other, and when one moves out of position another fills the space so the team maintains its overall structure. This idea is strongly associated with the Dutch school and with coach Rinus Michels, who is widely credited with developing and popularizing it.

A recurring theme in explanations of Total Football is coordinated pressure (often described as pressing), where the team works together to regain the ball quickly rather than defending passively.

That’s the piece I care about. Because attackers don’t beat organizations by being “better at hacking” in the abstract; they win by exploiting hesitation, fragmentation, and slow decisions.

So the real question becomes: how do you design a security organization that can move as one unit?

My translation into cyber strategy

If I had to compress the “Total Football mindset” into a cybersecurity strategy, it would be this:

  • Expand to see clearly.
  • Contract to act quickly.
  • Keep structure while roles shift.

To anchor this in a recognized strategic model, I like using the NIST Cybersecurity Framework (CSF) 2.0, which organizes cybersecurity outcomes into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. The fact that CSF 2.0 includes Govern as a first-class function matters, because it highlights that cybersecurity is not only technical execution, it’s also accountability, oversight, and risk direction.

From there, the analogy becomes practical:

  • “Playing wide” (expanding) maps to building visibility and coverage across Identify, Protect, and Detect outcomes: understanding assets, setting protections, and continuously monitoring for abnormal activity.
  • “Playing compact” (contracting) maps to fast, aligned execution across Respond and Recover outcomes: containing impact, restoring services, and keeping stakeholders aligned under pressure.

For incident response specifically, the NIST guide on Computer Security Incident Handling describes a lifecycle that includes preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. That lifecycle is essentially a sequence of transitions, and transitions are where organizations usually fall apart under pressure.

Three patterns I’d steal for a SOC

Below are three “Total Football” patterns I’d apply to a modern SOC and incident response capability (strategic in intent, but concrete enough to implement).

1) Build role fluidity, keep accountability

In Total Football, outfield players are not fixed in predetermined roles; anyone may successively play as attacker, midfielder, or defender while the overall structure is preserved. In cyber terms, the goal is not “everyone does everything.” The goal is: no critical capability is trapped inside one person, one shift, or one silo.

Practical example (SOC design):

  • Tier 1 escalates hypotheses (what might be happening, why it matters, what evidence is missing), not just alerts.
  • Tier 2 owns decisions (containment options, trade‑offs, urgency), not just ticket progression.
  • DFIR is a capability you can pull in early using lightweight checklists, not a distant escalation step that arrives after the damage spreads.

2) Pressing is a process, not adrenaline

In analyses of Total Football, pressing is framed as coordinated pressure intended to regain control quickly and limit the opponent’s options. In cybersecurity, “pressing” means shrinking the time between detect → decide → contain, while keeping actions aligned and auditable.

Practical example (pressing without chaos):

  • Define a short list of “must‑not‑miss” detection stories (identity abuse, privileged actions, lateral movement patterns).
  • Assign ownership for telemetry health (sources onboarded, parsing stable, retention adequate).
  • Run a monthly detection after‑action: every meaningful incident produces at least one detection improvement and one visibility improvement.

3) Win the transitions: normal mode → incident mode

NIST’s incident handling guidance explicitly treats preparation and post‑incident learning as essential parts of the lifecycle, not optional extras. This aligns perfectly with the metaphor: teams don’t fail because they can’t “play”; they fail because they can’t transition shape under stress.

Practical example (pre‑authorize containment): Write down (in advance) who can authorize containment actions that affect operations:

  • isolating endpoints,
  • disabling accounts or revoking sessions,
  • blocking integrations,
  • segmenting networks,
  • shutting down a service.

Then rehearse the decision path with IT, Legal, and Comms, so speed doesn’t turn into self‑inflicted damage.

A short closing on maturity (and why this metaphor works)

A SOC doesn’t become mature because it buys better tools or generates more alerts. It becomes mature when it can change tempo and shape reliably: expand visibility, contract decision‑making, contain impact, recover cleanly, and learn systematically.

This is exactly why CSF 2.0 putting Govern up front matters: without governance (clear roles, decision rights, and risk ownership), every incident becomes improvisation. Total Football, at least as I interpret it, is the opposite of improvisation: it’s freedom built on structure.

And yes: it’s still funny that I got here while remaining unable to explain the offside rule.

But cybersecurity has always been like that. The best ideas often come from outside the room; then the real work is turning them into an operating model that holds when the pressure starts.