Tom Brady, Deflategate, and Information Security

By Eric Noonan • September 4, 2015

That’s an ambitious title so please, stay with me. Yesterday Tom Brady won his court case and effectively had his four-game suspension lifted, at least while the appeals process takes place. Good for him; I’m a Patriots fan so I’m biased, but the whole sordid affair got me thinking about how hard it is to deliver information security when security is usually treated like a practice squad player and not a starting quarterback. And I do mean deliver because almost every company treats it as a service that is to be delivered to the business rather than the team sport that it is.

Tom Brady is an elite athlete who tinkers with mechanics and variables that ultimately make him the elite, once-in-a-lifetime player that he is. In contrast, most security organizations are underfunded, misunderstood, struggling to get the basics right and organizationally buried in the “IT Department.” They aren’t tweaking widely accepted best practices; instead, they are distracted by the CIO’s pet projects and hoping they address fundamentals like Privileged Account Management, Vulnerability Management, and merging compliance with operations. Deflategate was a reminder of just how bad things are and how much better they could be. Security needs to be elevated to a place in every business where it is treated like the mission-critical function and business enabler that it is.

I’ve changed my mind on this over the years: security should not report to the CIO. When I was a global CISO reporting to the CIO, I had the benefit of an amazing board that acted aggressively, and visibility at the board level that I now realize is uncommon. Years later, having shifted to delivering services for CISOs, I recognize the luxury I enjoyed. Most CISOs fight corporate politics and bureaucracy every single day just to try to get the basics done. Their bosses, usually CIOs, are under immense pressure to deliver availability and affordability, and those pressures always trump decisions around security. Their bonuses are rarely anchored in delivering security initiatives, improvements, or anything that doesn’t reduce cost and increase availability. It’s a conflict that makes “achieving” security highly unlikely. Security needs to report wherever it can deliver an unvarnished view of what it needs to do and avoid the political and bureaucratic obstacles in the way of the mission.

Don’t believe me? Read the Verizon Data Breach report, which highlights year over year the fundamental missing security practices that lead to a breach. It’s largely a re-read every year, but instead of tinkering with mechanics and variables to deliver “championship” security, most organizations are chasing new technologies and investing in products rather than people and processes. CyberSheath works with security organizations to establish an effective and formal process to conduct strategic planning. Our operational strategy and budgeting plans aggressively drive security organizations toward higher levels of performance, focused on the areas that matter most to meeting and exceeding your business requirements.
