In the previous chapter of our bold comparison between Golf and Cybersecurity, we briefly explored five major themes: fundamentals, tools, strategy, cross-functional collaboration, and continuous self-improvement.
In this second chapter, we will focus on five key topics:
Golf & Cybersecurity: two worlds, shared principles
To say that golf is a game of precision would be an understatement. Physics reminds us of this with every shot: club angle, swing path, clubface alignment at impact, clubhead speed, follow-through, and so on. To give just one example, if the head of a driver sending a ball 250 metres down the fairway arrives at impact with just a 2° deviation from a square position, the ball can end up at least 9 metres off target by the end of its flight (without even considering carry distance, spin, and other factors).
In Cybersecurity, the complexity of infrastructures, applications, and the integration of all these components leads to the same conclusion: every detail matters. The smallest mistake can become a wide-open door for cybercriminals, allowing them to gain access and potentially bring an entire organisation to a standstill.
The devil is in the detail, both in Cybersecurity and in Golf.
All athletes train to improve their performance… well, not exactly. Their first objective is to avoid a decline in performance, and only then to improve it. In Golf, this principle is taken to the extreme. Even an average golfer must practise regularly if they want to maintain their current level of play.
Cybersecurity follows the same pattern. An expert who no longer practises will see their ability to perform tasks deteriorate exponentially over time.
Take a simple example. Someone attends a training course on configuring and administering a cybersecurity solution, such as a firewall. At the end of the course, they have acquired all the necessary knowledge to manage the tool. However, if they only work with it occasionally, within a few months they may struggle to perform tasks they were previously capable of handling with ease.
Regular practice is therefore essential, just as it is in Golf.
To achieve a good score in a golf competition, one prerequisite is essential: you must know the course exceptionally well. If you play a course for the first time without guidance, you are likely to fall into the usual traps, bunkers included.
Every golfer has different strengths and capabilities, such as driving distance or a particular affinity for certain clubs. Since the objective is to get a small ball into a small hole in as few strokes as possible, defining a strategy is critical. How many shots will be required? Which clubs should be used? How can obstacles such as trees and bunkers be avoided while still achieving the desired outcome?
In Cybersecurity, concepts such as Zero Trust, Defence in Depth, and Security by Design are commonplace. However, organisations often overlook the importance of clearly defining objectives, intermediate milestones, and the factors required to achieve them.
This is where a strategic approach to Cybersecurity comes into play. It goes beyond tools and processes. It is truly about adopting an overarching approach, or more accurately, a Cybersecurity Strategy.
Artificial Intelligence is a term, and a technology, that is on everyone's lips in 2026.
In Golf, AI has been used for many years in the design of equipment such as clubs and balls, as well as in technologies that analyse player performance and provide virtual caddie recommendations for club selection.
However, AI cannot account for a player's mindset, intuition, confidence, or feel for the game. Ultimately, the golfer remains solely responsible for their decisions and their outcomes, whether good or bad.
In Cybersecurity, AI has also been used for many years, particularly within detection tools designed to identify previously unknown threats, such as zero-day attacks.
Even today, AI is primarily viewed as an aid to managing cybersecurity tools and automating certain responses, such as playbooks. Yet the cybersecurity analyst or security manager remains fully responsible for the decisions taken and the results achieved.
As in Golf, AI can be a valuable assistant in Cybersecurity, but it should never be allowed to make every decision.
Golf is a sport where reflexes are essential. Professional golfers can generate swing speeds of around 185 km/h with a driver. With an optimal smash factor, this can produce ball speeds exceeding 240 km/h.
It quickly becomes clear that trying to consciously think about every movement during a swing almost inevitably leads to a poor shot. A good golf swing is a reflex developed through repetition and practice drills.
The same principle applies to Cybersecurity. Incident management and disaster recovery procedures (DRP) must become second nature.
The only way to build these reflexes is through repetition. Attempting to execute a Disaster Recovery Plan in a real-life situation without having rehearsed and validated it beforehand is a losing battle. Just as in Golf, it is likely to lead to serious problems when it matters most.
After this methodical analysis, I better understand why, at MCG, elements of our profession share so much DNA with a sport such as Golf.
Both disciplines require precision, discipline, strategy, continuous learning, and the ability to make the right decisions under pressure.
And in both cases, success rarely comes down to luck. It comes from preparation.
