Cathy Lanier: Why Red Teaming Your Security Standards Matters

Key Takeaways

• Complexity doesn't just scale; it diversifies and often exceeds initial expectations.
• Active 'red teaming' is not just testing, but a quality assurance process to validate your core standards.
• For truly diverse challenges, fixed plans are disposable; expect to "throw it away" and start over repeatedly.
• Leading in dynamic environments demands constant adaptation over established procedures.

The Method

Cathy Lanier, former DC Police Chief and now the NFL's Chief Security Officer, details a stark shift in how she approaches security. What she thought would be simpler – managing security for a single league instead of a whole city – turned out to be far more complex. “The diversity here is the complexity here is so much more,”▶ 1:15:39 Lanier said, comparing her NFL role to her previous one. She sets security standards across 30 US stadiums and international locations, covering everything from physical security to cyber threats and executive protection.

The core of her updated approach isn't just setting standards, but actively trying to break them. Lanier calls this 'red teaming' – a critical quality assurance process. “What a red team operation does is it's quality assurance. Are those standards working? Did I tell you to do something that didn't necessarily work?”▶ 1:14:00 This ensures that prescribed security measures are effective, not just theoretically sound.

Her experience highlights that for truly varied and dynamic events, static plans are ineffective. “This is every time it's like you just take the old plan and throw it away. Start all over,”▶ 1:17:01 Lanier explained. The diversity of venues, events, and international contexts means that each challenge demands fresh thinking and bespoke solutions, rather than iterative adjustments to a master plan.

Where This Breaks Down

Lanier's method of constant re-planning and aggressive red teaming works when the cost of failure is high and the variables are endless. For a small startup with limited resources, or a business focused on highly repeatable, low-stakes processes, full-scale red teaming might be overkill. Building foundational systems often requires a period of stable iteration, not constant demolition and rebuild.

This approach also demands significant leadership buy-in and a culture comfortable with actively seeking out flaws. If your team is resource-constrained or risk-averse, the emotional and financial cost of finding problems could outweigh the perceived benefits, at least in the short term. It fails when the pace of change or the criticality of tasks doesn't warrant such a high degree of proactive disruption.

What to Do With This

Choose one core process in your business – customer onboarding, your sales pitch, or your product's daily user flow. Instead of optimizing it for efficiency, dedicate an hour this week to actively trying to break it. Intentionally find the weakest link, the point of highest friction, or the step most likely to fail under unexpected external conditions. The immediate goal isn't to fix it, but to rigorously map its vulnerabilities. Understand where your 'standards' might not be working in practice.