Tom Brady, Deflategate, and Information Security

By Eric Noonan • September 4, 2015

That’s an ambitious title so please, stay with me. Yesterday Tom Brady won his court case and effectively had his four-game suspension lifted, at least while the appeals process takes place. Good for him; I’m a Patriots fan so I’m biased, but the whole sordid affair got me thinking about how hard it is to deliver information security when security is usually treated like a practice squad player and not a starting quarterback. And I do mean deliver because almost every company treats it as a service that is to be delivered to the business rather than the team sport that it is.

Tom Brady is an elite athlete who tinkers with mechanics and variables that ultimately make him the elite, once in a lifetime player that he is. In contrast, most security organizations are underfunded, misunderstood, struggling to get the basics right and organizationally buried in the “IT Department.” They aren’t tweaking widely accepted best practices, instead, they are distracted by the CIO’s pet projects and hoping they address fundamentals like Privileged Account Management, Vulnerability Management, and merging compliance with operations. Deflategate was a reminder of just how bad things are and how much better they could be. Security needs to be elevated to a place in every business where they are treated like the mission-critical function and business enabler that they are.

I’ve changed my mind on this over the years, security should not report to the CIO. When I was a global CISO reporting to the CIO I had the benefit of an amazing board that acted aggressively and had visibility at the board level that I now realize is uncommon. Years later having shifted to delivering services for CISO’s, I recognize the luxury I enjoyed. Most CISO’s fight corporate politics and bureaucracy every single day just to try and get the basics done. Their bosses, usually CIO’s, have immense pressure to deliver availability and affordability that always trump decisions around security. Their bonuses are rarely anchored in delivering security initiatives, improvements, or anything that doesn’t reduce cost and increase availability. It’s a conflict that makes “achieving” security highly unlikely. Security needs to report wherever they can deliver an unvarnished view of what they need to do and avoid the political and bureaucratic obstacles in the way of the mission.

Don’t believe me? Read the Verizon Data Breach report which highlights year over year the fundamental missing security practices that lead to a breach. It’s largely a re-read every year, but instead of tinkering with mechanics and variables to deliver “championship” security most organizations are chasing new technologies and investing in products rather that people and processes.  CyberSheath works with security organizations to establish an effective and formal process to conduct strategic planning. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance, focused on areas that are most important to meet and exceed your business requirements.

Cybersheath Blog

CMMC Compliance Dashboard: Gain New Visibility into Compliance

CMMC is not a compliance framework. It’s a maturity model. That has big implications for how you approach compliance, but also how you keep track of all the elements that make up compliance. And yet, visibility has been one of the most difficult challenges facing DIB contractors. It used to…

CMMCEnclave: Add Versatility with a More Flexible Approach

The enclave approach to CMMC compliance is one of the most cost effective and least disruptive ways to safeguard CUI. You can maintain high-value custodial security of CUI without upending your existing processes, procedures, and people. That way, you can maintain the proper level of CMMC compliance and remain eligible…

How to Offboard Your Managed Services Provider

For any of a variety of reasons including lack of communication, slow response times, or prolonged downtime, your organization has decided to change your managed service provider (MSP). Whether you have already signed an agreement with a new MSP or you are actively looking for a replacement, now is the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft