Tom Brady, Deflategate, and Information Security

That’s an ambitious title so please, stay with me. Yesterday Tom Brady won his court case and effectively had his four-game suspension lifted, at least while the appeals process takes place. Good for him; I’m a Patriots fan so I’m biased, but the whole sordid affair got me thinking about how hard it is to deliver information security when security is usually treated like a practice squad player and not a starting quarterback. And I do mean deliver because almost every company treats it as a service that is to be delivered to the business rather than the team sport that it is.

Tom Brady is an elite athlete who tinkers with mechanics and variables that ultimately make him the elite, once in a lifetime player that he is. In contrast, most security organizations are underfunded, misunderstood, struggling to get the basics right and organizationally buried in the “IT Department.” They aren’t tweaking widely accepted best practices, instead, they are distracted by the CIO’s pet projects and hoping they address fundamentals like Privileged Account Management, Vulnerability Management, and merging compliance with operations. Deflategate was a reminder of just how bad things are and how much better they could be. Security needs to be elevated to a place in every business where they are treated like the mission-critical function and business enabler that they are.

I’ve changed my mind on this over the years, security should not report to the CIO. When I was a global CISO reporting to the CIO I had the benefit of an amazing board that acted aggressively and had visibility at the board level that I now realize is uncommon. Years later having shifted to delivering services for CISO’s, I recognize the luxury I enjoyed. Most CISO’s fight corporate politics and bureaucracy every single day just to try and get the basics done. Their bosses, usually CIO’s, have immense pressure to deliver availability and affordability that always trump decisions around security. Their bonuses are rarely anchored in delivering security initiatives, improvements, or anything that doesn’t reduce cost and increase availability. It’s a conflict that makes “achieving” security highly unlikely. Security needs to report wherever they can deliver an unvarnished view of what they need to do and avoid the political and bureaucratic obstacles in the way of the mission.

Don’t believe me? Read the Verizon Data Breach report which highlights year over year the fundamental missing security practices that lead to a breach. It’s largely a re-read every year, but instead of tinkering with mechanics and variables to deliver “championship” security most organizations are chasing new technologies and investing in products rather that people and processes.  CyberSheath works with security organizations to establish an effective and formal process to conduct strategic planning. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance, focused on areas that are most important to meet and exceed your business requirements.