Lumifi Cyber CTO Talks Heading The Security Efforts At The WM Phoenix Open
Fundamentally, securing the golf event is the same as securing any customer’s infrastructure, but practically, ‘it’s a different endeavor,’ said Lumifi Cyber CTO David Norlin.
(David Norlin, chief technology officer, Lumifi Cyber)
Cybersecurity firm Lumifi Cyber is aiding in the security efforts at the Waste Management Phoenix Open golf event, being held in Phoenix on Feb. 2-8, 2026.
David Norlin is the chief technology officer at Lumifi Cyber and is at the helm of securing the upcoming WM Phoenix Open.
Though traditionally slower to adopt new technologies than other industries, according to a report by Morgan Stanley, the professional sports sector is making significant investments in technology, much of that investment sparked by AI.
By accelerating its adoption of tech, including AI, the global sports industry can increase its annual revenue by 25 percent, or $130 billion, Morgan Stanley predicts in its report.
It seems the sports world is taking heed.
Tech vendors are increasingly partnering with professional sports organizations to help them modernize the event experience by leveraging the latest technology, as Cisco did with the NFL, Microsoft with the Big 12 Conference, and Hewlett Packard Enterprise recently did with the team at the 2025 Ryder Cup.
Norlin spoke with MES Computing on what it takes to secure such an event and how securing one follows the same guidelines as securing other organizations.
Talk a bit about your role at Lumifi Cyber and how the company ended up securing the WM Phoenix Open.
I’ve been [at Lumifi Cyber] for nine years. I started as an analyst, helped manage the SOC as the director, was our CISO for three years, and now the CTO.
My role right now is very focused on making sure that our technology path is marching in the right direction, that it’s staying in line with how the industry is evolving. I work a lot with outside partners and potential acquisitions, and then also customers.
As far as Waste Management and the Thunderbirds [the organization behind the WM Phoenix Open], that was a deal that we really thought made a lot of sense, because they’re here locally.
They are kind of a tent pole event or venue, if you will, in Phoenix Valley, and they were in the market for someone to help mature their security platform.
We met with them and designed a maturity roadmap for them and helped attune what we were doing to the nature of their business, which is really the tournament and in supporting all those endeavors.
When you say ‘tent pole,’ is it like with the Ryder Cup, where they had to put some infrastructure or technology in place temporarily and then dismantle quickly?
The Waste Management event is really a huge physical effort, right? They bring in all this equipment. We have a local ISP as well that supports that, and they come in to carry all that information out of the tournament for vendors to sell things, to support billboards and all the other IT infrastructure that they need to support that event.
They have a lot of temporary network infrastructure — closets and trailers and all these other things — cabling and what not, to really make the event happen.
In addition to that, and maybe even more critical to a degree, are all the support staff that then have to take part in that event and facilitate and be available for vendors and help coordinate just the goings on of the event from a people perspective. There was kind of this dual mode of focus and concentration for us to support that.
What does it take to secure an event like this?
Securing a physical event, in principle, it’s not terribly different from something in the cloud or something in a normal office park or physical building.
It’s really about data, and that’s what you’re concerned with. And you want to know where is the data going, who has access to it? What types of data should be a part of those transmissions and/or communications, and what could potentially read that data or tamper with it or get access to it?
On a fundamental level, not much is changing. Now, from a practical standpoint, it is quite a different endeavor. A lot of it’s temporary, for one.
There’s a lot of different ways that people can get access to the physical equipment, maybe unlike a cloud environment or even a normal office building, where a lot of those closets are locked away. Certain people have access.
[At the golf tournament] you got thousands and thousands of people in this venue.
Various wireless [networks] could be used [for] short range Bluetooth or Wi-Fi to get in touch with devices and then tamper with them.
Then, of course, you got the classic point-of-sale vulnerabilities where physical tampering, or that same kind of short distance Wi-Fi hacking or just broadcasting of false point-of-sale devices, broadcasting false Wi-Fi, all of those things are in this live, local, temporary environment where you’ve got, again, thousands of people just milling around. You don’t really know who’s doing what.
Can you share some of the Lumifi Cyber products or platforms or services that were deployed for the event?
Without getting into too many specifics, the key thing that we help monitor is on the endpoint on the network, and then the logs themselves.
Primarily, all devices are going to generate logs. User activity generates logs. We send those logs to a tool that’s specially designed to parse important bits of information out of those logs, and then we do some additional, what we call threat hunting, and threat detection on top of that data to see if there’s anything malicious or anomalous in that, and that’s often called SIEM [security information and event management] security. That’s a tool ... that’s one of them.
And then we use another one, we typically call it endpoint detection and response or sometimes called extended detection and response. But that usually lives on the actual devices themselves, your laptop, your servers, other types of cloud containers are sometimes lumped into that, and that gives us a really good view of the kinds of activity that’s going on in real time on those devices. So, in a similar fashion, that also generates logs that we can then use to say, ‘Hey, there’s something unusual happening on this endpoint or this server, and let’s go respond to that,’ or ‘let’s dig deeper into it.’
And then ... the network detection component. A lot of customers find value for that by seeing what’s actually going over the wire, what’s actually being sent from one endpoint to another. And our customers have usually some mix of that, or in many cases, all three.
What sorts of threats do events like this face most often?
It really could be anything, anytime, especially in this day and age where you have some kind of high-profile event, where you have a name of a company really out there, and the social media sphere, and a lot of people are tuning in to look at something, there’s all kinds of different ways you could get at an organization.
Someone might want to try to deface a billboard, or take over a website, or hijack that moment, that event, for some kind of activism, social or geopolitical, or otherwise.
We’re really just looking for anything that’s out of the ordinary. And those attacks could be also directed via social engineering. That’s very common when you have someone that’s very busy, under a lot of pressure, and that’s where protection of the staff comes in ... they may be sent an email that it looks like it’s from a legitimate vendor, and they are dealing with hundreds of vendors for a huge event like this, and they may not quite recognize that person, perhaps, or click on an incorrect link. It’s a completely normal human thing, right?
We want to have measures in place to protect against that and help prevent those emails from affecting them at all in the first place, and if they do, then we’ve got multiple layers of defense through the endpoint, and then the other log management capabilities that we have.
Were there any specific challenges that were unique to this type of event that maybe a midsize customer wouldn’t face? Or is it pretty much the same type of deployment with either one?
It’s the same type of deployment. The difference, I would say, is the degree to which this kind of organization would have to surge up to meet the event. They may have to be in a different location than normal, out of the office, they may be moving around. You may have internet, intermittent connectivity in some cases.
It’s just kind of the typical challenges associated with folks who are normally in an office 38 weeks out of the year, and then a couple weeks they’re on site, doing a huge amount of work and moving around and being very mobile and involved and just busy for longer than they ordinarily would be.
You’re on the go for those two critical weeks of the year and you’re just susceptible to fatigue and all the other things, maybe lower your guard slightly. So that’s why we come in. We were available, really on guard, and we ourselves kind of surged up to meet the need to be extra vigilant and be really in touch with the Thunderbirds and that team. I think we sent them daily activity reports just so they could have assurances that we were on the lookout ... aware of what’s going on.
How does AI factor into the solution that Lumifi Cyber provided?
There’s a lot of heuristics in the tools that we make use of, including some AI capabilities, and that’s really to surface the important stuff from the noise as quickly as possible.
The quicker we can respond if [it’s] an AI-enabled response, so much the better in helping us get the information in front of an analyst as quickly as we can.