We’re Talking About Practice? A Sports Psychology Lesson for Cybersecurity Leaders
Articles by: Richey May, Jul 14, 2025
Have you ever heard something that, when you first heard it, seemed completely off (even ludicrous) but later, when you experienced something in your personal or professional life, made perfect sense?
Consider some of the latest cybersecurity breach statistics:
- 2.9 billion compromised credentials leaked in 2024
- Ransomware attacks up 25%
- Data breaches shared on underground forums rose by 43%
- The number of ransomware group leak sites rose by 53%
Despite record cybersecurity spending, breaches continue to accelerate. Organizations are investing more in cybersecurity than ever before, buying sophisticated tools, hiring talented staff and following industry best practices … yet the breach numbers keep climbing. The technology isn’t failing. The people aren’t incompetent. So what’s wrong? Something becomes painfully clear: our checklist-driven approach to cybersecurity preparation is fundamentally flawed.
One compelling answer comes from an unlikely source: NBA legend Allen Iverson … specifically his infamous 2002 rant (starts at 7:21) that sports commentators mocked for years:
“We talking about practice … not the game, not the game when it matters … we talking about practice, man.”
On its face, Iverson’s frustration seemed absurd. Practice is fundamental to any sport, right? But Iverson understood something profound about human performance that applies directly to cybersecurity: practice and actual competition exist in completely different psychological universes.
When Practice Becomes Performance Theater
Here’s what sports psychology research reveals about the practice-versus-competition dynamic: athletes can dominate in practice but crumble when it matters most. Why? Because practice creates a safe, predictable environment with supportive teammates, while competition involves unknown opponents actively trying to defeat you.
In practice, your teammates want you to succeed. They’re predictable. You know their moves, their strengths, their weaknesses. There’s always another chance if you mess up.
In competition, your opponents are strangers who’ve studied your vulnerabilities and are actively working to exploit them. You get one shot. The stakes are real. The psychological pressure is entirely different.
Sound familiar?
The Cybersecurity Practice Problem
Most cybersecurity programs are stuck in “practice mode”: comfortable, predictable compliance activities that feel productive but leave organizations psychologically unprepared for real cyberattacks.
Compliance “practice” looks like this:
- Running through security checklists with friendly auditors who want you to pass
- Installing endpoint protection because regulators require it
- Conducting tabletop exercises with checked-out colleagues
- Implementing multi-factor authentication because it’s a “best practice”
It’s the cybersecurity equivalent of scrimmaging with your own team every day and calling yourself game-ready.
Meanwhile, real cyberattacks (the “game”) look like this:
- Unknown attackers who’ve studied your specific vulnerabilities for months
- Criminals who don’t follow compliance frameworks or honor business hours
- Social engineering that exploits the psychological pressure your employees have never experienced
- Zero-day exploits that your signature-based defenses have never seen
- Ransomware groups that view your multi-million-dollar security budget as a challenge, not a deterrent
The numbers tell the story. Professional, scientific, and technical services (organizations with sophisticated cybersecurity budgets) was the most targeted sector in 2024. These aren’t companies lacking security awareness or resources. They’re organizations that excel at compliance “practice” but struggle when facing opponents who aren’t following the playbook.
The Psychology of Defensive Failure
Here is what’s really happening: cybersecurity failures are predominantly psychological and cultural, not technical.
Organizations spend millions on technical controls but create cultures where employees:
- Share login credentials (usually to stretch scarce software licenses)
- Leave remote devices logged in
- Click suspicious links
- Ignore security protocols when deadlines loom
- Assume someone else will pick up the security slack
It’s the human equivalent of athletes who are physically conditioned but psychologically unprepared for competition pressure. When the real game starts, training falls apart.
Consider this: 7.7 million endpoint logs were listed for sale on underground markets in 2024: username/password combinations that cybercriminals purchase for around $10 each. These aren’t sophisticated zero-day exploits. They’re basic credential compromises that happen because employees make predictable human decisions under pressure.
Nearly 14.5 million compromised credit cards hit underground markets in 2024, with 80.7% being U.S. cards. Again, these breaches often start with human factors like phishing emails that succeed because employees aren’t psychologically prepared for sophisticated social engineering.
The bottom line: Your compliance checklist prepared your team for the audit, not the attack.
Getting Into the Game: Offensive Security
So how do you move from cybersecurity “practice” to game-day readiness? The same way elite athletes do: by practicing against opponents who are actively trying to defeat you.
This is where offensive security strategies become essential, particularly as organizations create their cybersecurity budgets for the coming year.
Instead of waiting for attackers to test your defenses, hire ethical hackers to find your vulnerabilities first. But unlike compliance testing, offensive security simulates the psychological and social pressures your team will face during real cyberattacks.
Truly effective penetration testing doesn’t just scan for technical vulnerabilities. It tests whether your employees will click malicious links when they’re stressed about deadlines. It evaluates whether your incident response procedures work when people are panicking. It identifies whether your security culture holds up under the psychological pressure that real attackers create.
We often find organizations paying premium prices for “penetration tests” that barely scratch the surface. In one case, a client was paying more than our comprehensive testing costs, but the vendor only tested 100 of their 10,000 available devices and still called it a complete penetration test. It’s like declaring your team the winner of the game after scoring a single basket.
Real offensive security testing includes:
- Red team exercises where ethical hackers actively exploit vulnerabilities without causing damage, while your security team tries to stop them in real time
- Social engineering simulations that test whether employees can identify and resist sophisticated manipulation under pressure
- Comprehensive penetration testing that evaluates your entire attack surface, not just a sampling
- Vulnerability assessments that prioritize risks based on how real attackers would exploit them
The Cultural Transformation
But here’s the crucial insight: offensive security isn’t just about finding technical vulnerabilities. It’s about preparing your organization psychologically for the reality of a cyberattack.
When your team has successfully defended against realistic attack simulations, they develop something that compliance training can never provide: confidence under pressure. They’ve experienced the stress, made decisions in real time, and proven their procedures work against committed adversaries.
This psychological preparation transforms organizational culture. Employees stop viewing security as bureaucratic overhead and start seeing it as competitive preparation. Leadership stops treating cybersecurity as a compliance cost and starts investing in it as a business advantage.
Invest now … or pay later
As organizations race to complete their annual cybersecurity assessments and meet year-end compliance deadlines, the question isn’t whether you can afford comprehensive offensive security testing; it’s whether you can afford to remain stuck in “practice mode” while attackers bring game-day intensity. The cost of inadequate preparation is becoming clearer every quarter. Beyond the immediate financial impact of breaches, organizations face:
- Regulatory penalties that increasingly target leadership personally
- Customer trust erosion that takes years to rebuild
- Competitive disadvantage as security becomes a market differentiator
- Insurance premium increases as carriers demand proof of realistic testing
The time for talking about compliance “practice” is over. Your attackers aren’t practicing: they’re competing to destroy your business and fleece your customers. The question you need to answer is: When they bring their game-day intensity to your organization, will your team be ready?
As Allen Iverson might say if he were a CISO: “We talking about compliance checklists … not the game, not the game that matters when bad actors are trying to steal everything you’ve built. We talking about practice, man.”
Stop talking about practice. Get in the game.
Ready to get your people and procedures into the real game? Contact Richey May’s cybersecurity experts to schedule a comprehensive penetration test that prepares your organization psychologically and technically for modern cyberattacks. Let us help you move from compliance theater to competitive advantage.