Tom Brady, Deflategate, and Information Security

By Eric Noonan • September 4, 2015

That’s an ambitious title so please, stay with me. Yesterday Tom Brady won his court case and effectively had his four-game suspension lifted, at least while the appeals process takes place. Good for him; I’m a Patriots fan so I’m biased, but the whole sordid affair got me thinking about how hard it is to deliver information security when security is usually treated like a practice squad player and not a starting quarterback. And I do mean deliver because almost every company treats it as a service that is to be delivered to the business rather than the team sport that it is.

Tom Brady is an elite athlete who tinkers with mechanics and variables that ultimately make him the elite, once in a lifetime player that he is. In contrast, most security organizations are underfunded, misunderstood, struggling to get the basics right and organizationally buried in the “IT Department.” They aren’t tweaking widely accepted best practices, instead, they are distracted by the CIO’s pet projects and hoping they address fundamentals like Privileged Account Management, Vulnerability Management, and merging compliance with operations. Deflategate was a reminder of just how bad things are and how much better they could be. Security needs to be elevated to a place in every business where they are treated like the mission-critical function and business enabler that they are.

I’ve changed my mind on this over the years, security should not report to the CIO. When I was a global CISO reporting to the CIO I had the benefit of an amazing board that acted aggressively and had visibility at the board level that I now realize is uncommon. Years later having shifted to delivering services for CISO’s, I recognize the luxury I enjoyed. Most CISO’s fight corporate politics and bureaucracy every single day just to try and get the basics done. Their bosses, usually CIO’s, have immense pressure to deliver availability and affordability that always trump decisions around security. Their bonuses are rarely anchored in delivering security initiatives, improvements, or anything that doesn’t reduce cost and increase availability. It’s a conflict that makes “achieving” security highly unlikely. Security needs to report wherever they can deliver an unvarnished view of what they need to do and avoid the political and bureaucratic obstacles in the way of the mission.

Don’t believe me? Read the Verizon Data Breach report which highlights year over year the fundamental missing security practices that lead to a breach. It’s largely a re-read every year, but instead of tinkering with mechanics and variables to deliver “championship” security most organizations are chasing new technologies and investing in products rather that people and processes.  CyberSheath works with security organizations to establish an effective and formal process to conduct strategic planning. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance, focused on areas that are most important to meet and exceed your business requirements.

CyberSheath Blog

CyberSheath Opens Registration For CMMC CON 2022

RESTON, Va. — June 8, 2022 — Federal contractors have been searching for direction after seeing a flood of messaging about the future of Cybersecurity Maturity Model Certification (CMMC). The nation’s largest CMMC conference has returned to help contractors navigate their course through the evolving compliance landscape.   Hosted by…

5 Reasons to Partner with CyberSheath

The threat landscape is only becoming more complex. Offload the responsibility of navigating cybersecurity issues for your customers by taking advantage of CyberSheath’s new Partner Program.   As a pioneer and industry leader in the managed security service provider space, our new offering helps you achieve rapid results and deliver…

CMMC Compliance Training: How to Earn Your Black Belt

Contractors in the Defense Industrial Base (DIB) are looking for direction as Cybersecurity Maturity Model Certification (CMMC) 2.0 nears. Compliance with CMMC and Defense Federal Acquisition Regulation Supplement (DFARS) is your key to doing business with the Department of Defense (DoD) and we can help you navigate those requirements and…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO

CMMC CON 2022 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.