Scroll

Hard Knocks: Tomás Maldonado, CISO of the NFL

Imagine you’re walking past the sports book in Las Vegas. People are betting on baseball, horses, and the usual fare. Something catches your eye, you look more closely and you can’t believe your eyes. People are betting on whether or not you're going to fail at doing your job this week! 

While this may sound far-fetched, this exact scenario played out for Tomas Maldonado, the then freshly minted CISO of the National Football League when the 2020 NFL Draft shifted to a virtual format unexpectedly due to the pandemic. Across Las Vegas, people were betting on the probability of a cybersecurity event disrupting the draft– the exact type of incident Tomás was hired to prevent. 

Our hour-long conversation with Tomás goes deep into the unique nature of “defending the shield” at the NFL, from concerns about drones at the games themselves to the elaborate planning that goes on before keystone events like the Superbowl. He gives us a window into the extent of information sharing across sports leagues that all face a combination of physical and cyber threats unseen in most areas of the security industry. 

Tomás explains how his pedigree at Goldman Sachs and 17 years in cybersecurity in financial services and beyond prepared him for his position at the NFL where he’s responsible for protecting all 32 teams who are equally customers and partners to his team. Beyond his current work, Tomás and Dave discuss not only what makes a great career but how to leave a legacy that outlives your time in the field so that your fingerprints remain long after you’ve hung up your cleats.

About this episode

Imagine you’re walking past the sports book in Las Vegas. People are betting on baseball, horses, and the usual fare. Something catches your eye, you look more closely and you can’t believe your eyes. People are betting on whether or not you're going to fail at doing your job this week! 

While this may sound far-fetched, this exact scenario played out for Tomas Maldonado, the then freshly minted CISO of the National Football League when the 2020 NFL Draft shifted to a virtual format unexpectedly due to the pandemic. Across Las Vegas, people were betting on the probability of a cybersecurity event disrupting the draft– the exact type of incident Tomás was hired to prevent. 

Our hour-long conversation with Tomás goes deep into the unique nature of “defending the shield” at the NFL, from concerns about drones at the games themselves to the elaborate planning that goes on before keystone events like the Superbowl. He gives us a window into the extent of information sharing across sports leagues that all face a combination of physical and cyber threats unseen in most areas of the security industry. 

Tomás explains how his pedigree at Goldman Sachs and 17 years in cybersecurity in financial services and beyond prepared him for his position at the NFL where he’s responsible for protecting all 32 teams who are equally customers and partners to his team. Beyond his current work, Tomás and Dave discuss not only what makes a great career but how to leave a legacy that outlives your time in the field so that your fingerprints remain long after you’ve hung up your cleats.

Meet our guest

Tomás Maldonado

Chief Information Security Officer at the National Football League

Tomás Maldonado is the Chief Information Security Officer (CISO) at the National Football League (NFL). He is globally responsible for leading the information security program for the League and its entities. Maldonado has over 23 years of experience in this area, having led global information security teams and programs at several large international organizations. 

Prior to Joining the NFL, Maldonado was the CISO at International Flavors & Fragrances where he was globally responsible for establishing and leading the Cybersecurity & Technology Risk Management program. Maldonado was an executive director and CISO for the corporate sector of JPMorgan Chase, where he established and shaped the future direction of the security program and focus for the line of business. He was also a VP of technology risk management at Goldman Sachs where he worked on several key initiatives namely creating and leading the data loss protection program. He had additional opportunities at Schroders where he was the network security officer, Ernst & Young and Bloomberg LP. 

Maldonado holds several industry recognized certifications: he is a CISSP, a CISM, a CDPSE, and a CRISC, while holding a Bachelor of Science in computer science from Fordham University.

Transcript

[00:00:00] Tomas: Since there's still a human touch on everything that we do. There's always gonna be flaws.

If security is not enabling the business, what are we doing?

Do I really need this stress right now in my life?

Who's gonna tell your story. Once you leave this earth. And that really sticks with me along the lines of have I done enough? Have I done enough to touch people and impact people's lives? Have I done enough to leave a legacy? If you will.

Imagine if you will, you are a security executive walking past the sports book in Las Vegas. People are betting on baseball horses and the usual fair something catches your eye. You look more closely and you can't believe it. People are betting on whether or not you are going to fail at doing your job.

This is not a scene from the Twilight zone. It is a scene from the life of our guest for this episode, Toma Malto. This happened to the then freshly minted, C I S O of the national football league. When the 2020 NFL draft shifted to a virtual format unexpectedly due to the. Across Las Vegas, people were betting on the probability of a cybersecurity event, disrupting the draft.

The exact type of incident tomos was hired to prevent this hour long conversation between Dave and tomos goes deep into the unique nature of defending the shield at the NFL from concerns about drones at the games themselves, to the elaborate planning that goes on before Keystone events like the super bowl.

He gives a window into the extent of information sharing across sports leagues that all face a combination of physical and cyber threats unseen in most areas of the cyber security industry. Tomas explains how his pedigree at Goldman Sachs and 17 years in cyber security and financial services, and beyond prepared him for his position at the NFL, where he's responsible for protecting all 32 teams who are equally customers and partners to his team.

Beyond his current work Toma and Dave discuss not only what makes a great career, but how to leave a legacy that outlives your time in the field so that your fingerprints remain long after you've hung up your cleats. Hello, and welcome to security voices. This is Jack. One of the lessons we all learned sooner or later when dealing with technology is the importance of backups.

And then we learned the lesson that it's better to not have to go to the backups. Well, this episode has some audio that's not great because we had to go to our backup systems to recover what otherwise would've in a lost episode. It would've been a shame as this is a fantastic conversation that Dave has with Thomas Malto.

So please bear with the less than ideal audio quality because the content is absolutely worth the listen 

[00:03:42] Dave: Toma. Malto welcome to security voices. 

[00:03:45] Tomas: Thanks, Dave. It's great to, uh, great to be it. Thanks for the opportunity. 

[00:03:48] Dave: All right. So you run your own show of sorts. I think with a few other people, I wanna say it's every Wednesday, I see it come through on Twitter and it's a whole bunch of people.

It's security leaders, it's vendors. It's got a, it's got a good, a good combination of people that come through yet. You have a big job. You're Seeso at the NFL. If I'm not mistaken, you've got a family and family obligations and a bunch of other things to do. Why did you agree to take on this additional responsibility of hosting that and doing it?

[00:04:23] Tomas: Man? I would say, I think about that weekly, uh, because we do this show very every week, every Wednesday, uh, between, uh, 8:00 PM. So for about, for about an hour and a half, right. And to be honest, Dave, it really started off as a conversation during the pandemic with me and somebody at a CSO, friends, friends, and colleagues of mine, just trying to stay connected.

Right. We found this application online called, uh, clubhouse and, and not sort of trying to plug the app. I don't get any revenue from that, but you know, it was a drop in audio app, if you will. And if you think about the time period, at least for where I'm gonna sort of frame it, you know, it was around Superbowl, around Superbowl and Tampa, where we had very strict COVID protocols to keep NFL staff healthy and safe and not get sick.

Because if any, one of us got sick, you'd be sort of knocking out the other and you can't work the actual game. And so we found this drop in audio app around that time period, where I had these very strict COVID protocols and, and the strictness of the protocols were, you couldn't necessarily take a Uber car ride with your colleague to the stadium or to wherever you were going.

You had to. Eat specifically, if you were eating breakfast, lunch or dinner, you know, the goal was to try to separate and not be together to minimize people getting infected. So I found myself eating a lot breakfast, lunch, and dinner in my ho in my hotel room. Luckily I had a little bargainy. I was able to look outside in, in, uh, Tampa, Florida.

And while I was there, you know, I was, I was, I was very conscious of the fact of being isolated. So even though I'm at this location where everybody would be like, wow, this is a great time. You're having a, you know, a great event that you're gonna put on. There was a lot of isolation and that feeling of like, wow, I'm really just by myself.

And all I really had was like a phone, right? To call my, to call my wife, to call my kid, to call my. And so we found this application and we started chatting online, chatting through the application and we F and what we found is since it's a social media type app, where anybody can join in and listening to any conversations, I remember listening to like Tiffany Haddish, you know, talking comedy and, and I'm like, wow, this is so awesome.

I could listen to celebrities. But what we found was that as we were creating rooms to just talk amongst ourselves around, like, what's going on from a cybersecurity standpoint, and from a security standpoint, people would also join into these rooms and they would ask us questions around like, well, what is it like to be a CSO?

What is it like to go through that? What's that journey look like. And that sort of an issue, Hey, let's use this to, to stay mentally healthy, if you will, and, and have a conversation and, and get us through the, the pandemic that very difficult periods of the pandemic and deal with that isolation turn into a weekly conversation with security leaders, with CEOs of companies with, uh, as you mentioned, privacy leaders and others, and, and looking forward to having you, uh, on the show, uh, you know, I'm gonna hold you to that at some point, because you're a CEO and we wanna hear about your journey.

We wanna hear about your origin story, if you will. And that was a way for us to give back to the community. And so why do I do it every Wednesday is because it's very fulfilling. We don't get any revenue from it. It's not like I'm getting sponsorship or anything like that. But what I do get is fulfillment and emails and LinkedIn messages from people saying, Hey, Tomas, I was on your show.

I was able to connect with, with one of the guests, or I was able to connect and network and. I ended up with my next job or, Hey Toma. It was really great to hear XYZ. Person's sort of story because it resonated with me and it's helping me with imposter syndrome. Right. We're talking about these topics that are not your, what do you do in your day job?

It's Hey, how do you get through your day and how did you get to where you are? So that's what I find really interesting, especially at this stage in my career, when you know, we've got great hairs and we've been doing this for such a long time, that it's, it's one of those things where let's get back, let's get back to that next generation of talent, right?

If we're not doing that, and we're not talking about the hard topics around diversity and what's ethnic diversity or gender diversity, or, you know, mental health and, and things like that, then we're not really doing a, a good service to the, to the security community and to the community at large of, of being able to tackle those conversations, if you will.

[00:08:28] Dave: Yeah. So many thoughts on that. I think one. At this stage of your career, like it's easy to complain about cyber security and I've been in it for 20 plus years. And so have you, and it's easy to complain because it's such a grind and it changes all the time. It can be disconcerting and painful, but the reality is it's been good to us.

It's been awesome to grow with an industry. And part of the reason Jack and I decided to do security voices is very similar. We wanted to make the industry feel smaller and more approachable for anyone, for anyone who could listen to a podcast. And in your case for anyone, you know, who is brave enough to install clubhouse and so forth.

And I think the pandemic driving a further sense of community and pushing us in that direction and saying, no, we have to solve this sense of isolation too, that we all had makes perfect sense. Um, the thing that I like about it is that you bring in not only CSOs and practitioners, but also vendors too, which I think is one of the things that's really missing.

Is looking at it and saying, look, we're all people in the same industry. There's nothing adversarial here. Like we're all partners trying to move the ball forward. The fact that you guys don't discriminate and have just a candid conversation with no advertising or bullshit in it. I think it's spectacular.

I really appreciate the format you guys have for that reason. It's far it's become far too adversarial. 

[00:09:52] Tomas: Yeah. No, absolutely. And, and look, we have a, a great list of moderators that assist me. So it's not only me asking the questions and, and ho pulling together the show, but you're right. It's we invite people with different perspectives and different points in time of their career and in different roles.

Because if you think about what we do for security, for us to be successful, we have to have vendors selling us products, right. We have to have vendors listening to the customer, figuring out, well, what are the needs of the customer so that they can work with startups and others to create products, right?

You have been on that vendor side for a while, and now you have your own company and it's the same sort of deal. Right? You saw a problem because you listen to your customers and you're like, wow, I'm gonna solve that problem by creating founding my own company. So there's two sort of sides to the coin.

And the important thing is it's really not so much what you do. It's how did you actually arrive to doing what you're doing? Why do you do it? What drives you? What motivates you? You know, and, and, you know, I would jokingly say, I don't know if you've ever seen the show Hamilton, uh, you know, the Broadway show Hamilton mm-hmm

So I don't know if I wanna put this on record, but I've seen that show. So I've seen it live. I saw it, my wife took me to see it. I wanna say January of 20, 20, just before, you know, everything sort of the world sort of changed yeah. Pandemic wise. And it was great for my birthday, so I loved it. And I've seen it ever since they've put it on, like on demand streaming services.

Uh, so I've seen it a lot, seen it like maybe a hundred times . Now, the point that I'm trying to make is the reason why, like, I enjoy that, that show not only because it's Lynn Mount Welland and it's a sort of great theme and storyline, it's a really great show. And obviously it's around sort of politics, right?

Alexander Hamilton, but there's a storyline in there along the lines of, who's gonna tell your story. Who's gonna tell your story once you leave this earth. And that really sticks with me along the lines of, have I done enough? Have I done enough to touch people and impact people's lives? Have I done enough to leave a legacy?

If you will, most people don't think about that and I'm not thinking about it. Like, Ooh, I need to do these things to try to build my legacy, but I'm just being very in the moment and very conscious of the fact that like, I do have a voice, I do have some experience cause I've been in this industry for a long time and I can actually impact a lot of, uh, people that are trying to get into a position maybe like mine or even just figuring out their way in the industry.

And so I wanna be able to sort of leave those bread crumbs if you will, for others to 

[00:12:20] Dave: follow. Yeah, anybody can have a job and just about anybody can have a career, but not so many people leave a legacy. And in order to leave a legacy, you've gotta record what you're doing. You've gotta pass it along and you, that doesn't happen accidentally.

That's fantastic. So, given what you've learned, let's say that someone was 10 years year junior, or let's say we fast forward to the future and younger Tama. Malto the new CISO of the NBA says, say Tama, what did you learn from doing the fireside chats? I'm thinking of doing something similar in the metaverse, which I'm pretty sure is how everything will be done at that point.

What did you learn from it? And what would you tell me about it? 

[00:13:04] Tomas: So what I will learn, what I would say is I've learned that you need to definitely find something that you're passionate about so that you can immerse yourself in that experience. And that could be, you know, if it's. Technology, if it's security, privacy, whatever that is, what is it that you're passionate about?

So for me, you know, if I were to look forward into that, metaverse, I would say, Hey, make sure that what you're doing, you're very, very passionate about doing. And then the other thing I would say is humans created technology. And I notice there's a lot around artificial intelligence, but we're not there where the machines are actually starting to take over like the movies just yet, but they can be.

And then maybe that will be happen in the middle verse. Hopefully, hopefully not. But the point I'm trying to make is that since there's still a human touch on everything that we do, there's always gonna be flaws. And so focusing in on fundamentals of what we do from a security standpoint will always help us in any new venture or any new, innovative way that we.

Uh, that we embark upon the metaverse is an interesting place. Uh, I can tell you that's an area that I've spent a lot of time, and I don't know if you wanna call it the metaverse, but just thinking about like the, the concept of digital constructs, right? Digital assets, digital, digital way of, of, you know, getting into games or seeing games and things like that, uh, in the ticketing world, uh, digital art, I think there's a lot of opportunity for good.

And with that opportunity for good, there's a ton of opportunity for people to do bad things. And there's a lot of people doing bad things in that space 

[00:14:30] Dave: today. Yeah. And I've noticed you've made a number of comments on web three and NFTs and so forth. I don't have strong opinions on the space. I'm more of a curious bystander.

My crypto portfolio, my like my small foray into it. Has taught me that I don't know anything about it and I should probably stay the hell away from it. So I'm the last person to ask you, probing insightful questions about it. Although I'm, I'm kind of intrigued. I can see the use of NFT, obviously as tickets in the future.

I mean, there are tokens at the end of the day. Are there a lot of crossovers of NFT into your day job? Is CISO of the NFL and kind of web three in general? Or is it still at this point? More of a curiosity and something as a technologist that you're interested in, how tightly bound are those today and where do you see the collision?

[00:15:22] Tomas: Well, it's definitely something I've been interested in for the past three, seven or so years now. Uh, just thinking about blockchain in general, right? So in different specific use cases around like, you know, supply chain risk, reducing supply chain risk, and being able to handle things on that side, thinking about the current role, you know, we, we do have, obviously we do have NFTs, uh, so digital collections that are out there and it's very public, right?

So NFL all day and things like that, which are out there. And, you know, there's an internal working group, uh, where I'm a part of, and we do work with the business and it, and, and our different lines of business within the organization to, to find a sort of value add. Right. And, you know, I think what we're, what we are really focused on is how can we.

Not only enter into that environment, but also how, how can we add value back to the customer at the end of the day? So I, I think just broadly speaking, we, you know, not sort of speaking for the NFL, but I think just broadly speaking, I think you'll see a lot more use of NFTs as tickets, as you said, I, you know, they are collectables, right?

People collect tickets. If you went to the world series in like, uh, 86, you know, and you watch the Mets beat the red Sox, uh, you probably still have that ticket, you know, and that is collectible. And it could probably, if you've reserved it a certain way, it could be very, very expensive collectible. So I think that concept of collecting ticket stubs and, and collecting memorabilia by way of NFTs, I think that'll continue to continue to evolve.

I think what we'll see also is that we're definitely seeing the boundaries of what a currency looks like and what a currency is. Yeah. And what it will be in the, in the future. Right. I'd argue that most of us already live in the metaverse today. We just. Don't really call it the metaverse. We call it the, uh, you know, web two, if you will.

If, if you think about it from that construct, but the argument that I'll make is when was the last time you actually used a dollar to buy something and you might say Toma actually used a dollar yesterday. I bought a, you know, I bought a, a Pepsi as, I don't know soda, but I can tell you that my son, right.

Who's in who's who's about to be 20 years old. Later this year, you know, is in college. And it might be in the form of like, Hey dad, can you send me some, some money? And, and I'll text him a few dollars and he'll get it in his bank account. And then he'll go make a purchase with a credit card. And then once he purchases that with a credit card that he's probably not used in physical form, he's used it online.

Yeah. He's making the payment to that credit card by logging into his bank account or his car payment. And just saying, pay this. So he is not, there's no exchange of a dollar bill of a paper currency. So I'd argue that we are already in that sort of intermediate stage of a web three, because we don't really deal with paper today or at least the majority of us.

And I think the pandemic really accelerated that. Right. You, you started to see going to restaurants, looking at QR codes to see a menu, go to restaurants, paying with, uh, your latest phone, right. Doing, uh, sort of smart pay that way. So yeah, I think it's an interesting space, Dave. I, I definitely catch up on.

The crypto space is a different story. cause, cause you know, no, I can, you know, aspirations of being able to retire with crypto that's yeah. That's not happening anytime. So no, no and the go, the us government is looking at, you know, there's gonna be a lot of, I think, tighter regulations around that they almost have to be right.

Thinking about just currencies in general. Cause a lot of bad actors 

[00:18:38] Dave: and I mean, this is, this kind of goes back to where I met you when you and I met you were early in your career. And I was early in my career. We both had, we had less gray hairs and more hair in general. Mm-hmm back. I was at Foundstone you were at Goldman Sachs and you spent no less than 17 years in financial services.

And then you went from there to IFF international. See if I can get this right. Fragrances and flavors, 

[00:19:04] Tomas: flavors. There we are. Okay. So you you're close. And so just international flavors and fragrances, which is a very fascinating company. I encourage everybody to go out there and, and sort of look@iff.com and, you know, they're a very fascinating company.

I can argue that you're using their products every day and you just don't know it. Yeah. 

[00:19:21] Dave: Yeah. They're one of those conglomerates where like, you'd never recognize the names, but you know, the brands, exactly. The brands are very visible. Yeah. And what are a few of the brands? Just so people know, 

[00:19:31] Tomas: you know, so, uh, if you've ever heard of Tang Tang that, uh, that powdered sort of powder, you put water in it, it tastes like orange or whatever.

They make the flavor that goes into, into Tang. They've, uh, Irish spring. They make the scent that goes into Irish spring, tons of Coke and Pepsi products proc and gamble uni lever does all their customers. So they'ing that sort of middle tier fuel. You'd never go into a store and buy an IFF branded product, but you'd buy your favorite sort of everyday product that you use for just about anything, whether to put in your mouth on your body on a daily basis.

So it's very, very fascinating company. When I was leaving financial services, trying to figure out what my next step is. I remember the recruiters calling me and say, Hey, Thomas, I know you're looking for a global CISO role. I've got this company, you know, that I want you to think about and consider. And you know, it gives me, it's like, it is a fortune 500 company.

These are all the specs, the details on the company. I'm like, oh great. Which bank is it? He's like, well, you know, it, you know, it starts to give me more information around the company. I'm like, okay. Uh, so, so which financial services company is it? Cause I spent 17 years at finance. They're like, well, it's not, it's a, it's a chemical manufacturing called international flavors and figures.

I was like, excuse me, bless you. What, what did you say? like, did you sneeze? Like, what is that? But as I started to find out and dig into that company and really start to meet their leadership team there, I found that it's not only a very fascinating company, but as a security person, it's very. I'd I'd say, do you know what you're protecting as a security person?

And you know, when I was a finance, nothing against finance services, but you're, you're protecting, you know, a lot of money movement. You're protecting privacy information. You're protecting people's assets, right. Not very tangible. You're not going in and saying I'm protecting Dave Cole's trillion dollars in his bank account.

Where's 

[00:21:11] Dave: that? You're, you're off only by a couple digits. Okay. Really important digits. I I'm. And maybe a com or two. 

[00:21:16] Tomas: Yeah. But, but you know, you, you, you get to like a chemical, my infection company, and I can know the perfume or the cologne or the, or the flavor or the scent that I'm protecting. I can feel it.

I can taste it. I can, I can look at it. I can hold it. So I knew exactly what I was protecting. I was there. So it was a very fulfilling, uh, opportunity. Just, just hang. I don't wanna say hanging out there, but, but, uh, spending four and a half years there building that security program from the ground up, 

[00:21:39] Dave: I mean, it's, Goldman is such a great.

Security has always had such a great security team. I think back to like all the really impressive people that were there, I would imagine to move to IFF was partly for you to go off and test yourself and go beyond that environment and be the person who is responsible at that point and not, I mean, I'm sure you learned a lot from Phil Venables and all of those guys there who are just, you know, legendary folks and, and good people.

As well, but at some point you wanna go off and do your own thing and you want to test yourself. And I imagine there's a piece of that in your move to IFF. No, 

[00:22:16] Tomas: yeah, absolutely. Look, I, I, I spent that 11 years at growing under on the field leadership, you know, working with him and his leaders and really growing and, and learning and I'll say fine tuning my security skillset and, and what I wanted to do from a program management standpoint.

And, you know, I left there and went to chase and spent four years there and, and, uh, had an opportunity to see. So for the business there, and I've been very fortunate to work with very smart people, very, you know, type a innovative sort of forward thinking industry, leading cyber and information, security professionals and risk professionals in general.

So, you know, not everybody's had that opportunity and, and I, and I'm very fortunate that I've had, but you're right. Like part of leaving. Safe Haven, if you were of, of financial services where you kind of grow up in, it's kinda like the, the, the, the grown man leaving the house, right. , you know, little kid leaving the house.

It, it was a little bit of ego, right? Part of it was like, Hey, can I be successful in a non-financial services industry? Right. So can I do what I do in an industry that I'm not accustomed to? And the other part was just learning about a completely different industry. I'm never bored of the industry that I work in and I wasn't bored, and I'm still not bored of financial services.

I, I love what they do, but just being able to adapt to a completely different industry that I never grew up in, that was really what, what intrigued me with the opportunity there. And that's, you know, just leading up to, to where I am now. Right. I never would've thought I'd be in a sports and entertainment industry.

That was not in my, in my sort of foresight, if you will. I thought I would actually end up coming back into finance after spending four and a half years outside of finance I'd figure. Yeah. Maybe I'll go back to finance. But then the NFL came knocking down the door and 10 or so interviews later, I found the company being very fascinating as well, very similar in terms of, uh, importance and branding and the likes, just like, you know, the big financial services companies that I work for and the challenges, you know, I'd argue are the same, if not somewhat greater, because I, I have to worry about a lot more sort of health and safety, even though I'm not responsible for physical security, my.

Ultimately runs the, the physical security shop, but I do a line up to physical security and I do get that opportunity to work and collaborate with my, with my Boston and my peers. Uh, and so I do get engaged in a lot of the health and safety aspects of what we do from a cyber. Yeah. And, and physical stand because that convergence is, is just naturally happening.

So very, very fascinating. I mean, I look back at my career and I think, wow, I've had really good opportunities to work with really smart people and really different industries picked up a lot. And I've been able to adapt some of the good from these different industries in the programs that I've been able to, uh, drive and create, and I've have fascinating teams, uh, working for me and, and sort of been able to, to lead them.

And I've really, really smart leaders. I'll say, please don't steal my people but, but they are really, you know, they're they're most, some of them are on the path if not ready to be CSOs on the path to be CSOs in their own. Right. 

[00:25:12] Dave: So, yeah. Yeah. Which is just a sign of good leadership and good management. So, you know, it's always the tip of the hat when someone grows past.

You know, absolutely goes on, but let me, how did the NFL happen? So you were at the IFF. Were they out recruiting people or did you say all right, this was good. I have enough Irish spring. I have enough tan. I've kinda learned what I need to learn here. And let me go out and look for other things. So did the NFL tap you on the shoulder and, and say, we need a CSO.

How did it happen? And why did you make the move? 

[00:25:43] Tomas: Yeah, you know, the NFL had a CISO draft day, you know, just like they would do drafting a player and then they, they had a, and exactly one position. Exactly what for just one position. And they, you know, they put out a scouting report and they had a combine.

I, no, look, it, it happened, I'll say it happened. I'm not gonna say it happened by accident, cuz it was very purposeful, but you know, it happened by networking. Right. So I was networking within the sort of CISO organizations within new. I knew the incumbent CISO, Michael Palmer who's who was a friend who happened to be on his way out to his next opportunity.

And he said, Hey, Toma, you know, I'm, I'm leaving the NFL. And I, I was like, wow, you know, historic career of 20 something years, you decided to leave sounds, sounds, sounds like the right time for you. And he said, Hey, would you be interested in the NFL? And two, do you want me to leave your resume in with HR and a, and a hiring manager for them to potentially interview you?

I. Sure sounds good. So I, I sent him my resume. I didn't hear anything for, for a few months. You know, he left, went to his new row and I was like, oh, I wonder, I wonder what happened with that. I guess they didn't like me. They looked at my financial services and chemical manufacturing background say, Hey, we don't want this guy.

But they ended up calling me, you know, a few months AF he departed, uh, the NFL. And, uh, I went in and I met my boss at who? I didn't know. I mean, I knew she was gonna be my boss, Kathy lair. And I started to, uh, do my own research on who my leadership is and the people at the company. And I found that not only is the NFL a very interesting company from what we do, right.

It's, you know, it's, I'll say it's more than just football, even though what you might see is the game being played. There's so much more to the business than, than just football, but also the, the internal leadership team and working for my boss, just learning so much, you know, she was an awesome leader herself.

She was a former chief of police in metropolitan PD in Washington, DC did 20 something year historic career there. First female woman, chief of police in DC secured both for the last Obama inaugurations while she was wrapping up her tenure there. And now she's at the NFL. So I've, I've again, I've, I've been very lucky to work for really great leaders and learning so much from these great leaders.

So interview with a bunch of people at the NFL figured out that it's very, it's not too dissimilar to financial services or even chemical manufacturing in terms of the, the mission and the objective, right with touching people's lives, impacting people's lives. And how do we protect all of. And then, uh, the globalness of the, of the row and, and the sort of more national nature of the row intrigued me.

And then, you know, they liked what I had to say in, in terms of how to deliver and execute on the program. And, you know, I've been, I'll be three years, this, uh, this December, and it's been a great ride so far. All right here, three super bowls 

[00:28:22] Dave: with at least on the outside, no big visible problems, other than JLo being pretty pissed off, off about having to come on with Sierra, but that's a whole, that's a whole nother conversation.

Tell me this. What were the biggest surprises? What about securing? The NFL is fundamentally different from IFF 17 years in fin services and so on. What's different. What were the surprises? 

[00:28:49] Tomas: I think one of the things that surprised me the most was. When I was thinking about how to secure the big tempo events.

I think one of the things that surprised me the most was that is not only the actual location or the stadium that I need to worry about to secure it's, it's everything that, that goes along, that sort of journey, if you will, with the big game and with the, uh, sort of lead up to the big game. I think that was one of the things that stood out to me as like, wow.

I, I didn't think about that as, as a, as a fan or somebody outside looking in. I didn't think about that. The other things that, that were not so much surprising, but was the level of engagement that we have with, with all of the respective clubs and the touch points that they have in the states, uh, that they operated in.

You know, again, things that you, you. If you're not inside the NFL, you don't usually, uh, it doesn't sort of pop out at you and you, and you think about that. I'll say those are probably the, the few things. The other thing that, that was probably absolutely surprising was the level of attention that, that they are with, uh, with the super bowl, right?

Again, outside person looking in, I would probably watch football, you know, I, I would watch football occasionally some depending upon, uh, which team I was, I was cheering on. And I'll say that now that I'm at the NFL, I like all 32 teams equally. oh, come on man. Now. No. Nope. I don't have a, I don't have a favorite.

I, my favorite is all 32, including the whole of fame. Uh, but you know, but before you join the league, you have your favorite. You kind of watch the game. And if they're in the super bowl, you're like, great. If they're not in the super bowl, you might watch the super bowl and you, you see who wins, but you focus on maybe the halftime show the commercials and you kind of look away and you go on with your, with your life.

But now that you're at the league or that I'm at the league, it's so intense. What we have to wor not only worry about insecure so that you, as a fan could have an ultimate experience, but it's, it's so much more than the game that's being played. All right. 

[00:30:38] Dave: Give me a favorite story. Give me a favorite moment.

Leading up to a super bowl or in a super bowl where it just spun your head around or was something that was like, you'll never forget. 

[00:30:49] Tomas: Well, I was in the elevator and I got trapped with JLo and Shakira. No, I'm just playing. that's that's a joke. My wife will kill me. No, like, look, there's been I'll. I've talked about this in a little bit in other forms around like the differences between like a super bowl event and like a, like a draft.

And the one thing that stood out to me was when we were doing the virtual draft, so pandemic had just started, we had just finished super bowl and we pivoted to a, to a virtual draft, as we were preparing to execute on that, there were Vegas odds, whether the draft was about to be cyber attack or hacked.

So, you know, I'm thinking to myself, wow. When I was a CSO chemical manufacturing, I didn't have to worry about my job being bet on in Vegas. When I was in finance, I, the most I have to worry about was regulators. You know what they were gonna find us. But now I have to worry about not only. Executing and delivering.

Yeah. But I have to worry about what a will I have a job on Monday because Vegas on 

[00:31:50] Dave: Joe, Joe, six pack is out there basically betting whether or not you can prevent a breach. Exactly. Like, and, and yeah, 

[00:31:58] Tomas: so, so that's probably one of the things that's just like really, like I do, I really need to stress right now in my life, you know?

So we can't bet obviously does game integrity is very important and, and we don't, uh, sort of bet on, on sports or anything like that. And, and we can't right by by policy, but I was just thinking like, wow, should I hypothetically race bet gonna have a job? I might have gonna have a job. Because we, we secured it.

Oh, maybe I'll be filthy rich because I got B and you can't lose, right? Yeah. Yeah. But yeah, obviously I didn't be. And, and, uh, we had a, a good draft and it was very, very secure. 

[00:32:35] Dave: So, and now we know what part of the podcast is never gonna see you 

[00:32:39] Tomas: right. A day. Yeah, absolutely. Absolutely. 

[00:32:42] Dave: Wow. That is a moment.

I mean, walking past the sports book, never in a million years, would I imagine anyone in there is betting on how I do my job? yeah. Mind you VCs do, but that feels entirely different.

so you mentioned this before and it, it struck me when you and I were talking at, um, at RSA where I think we both avoided COVID so high five we're like the two people who didn't get COVID. Yeah. So, you know, amazing. But there's an element of kind of, when I talk to people or in critical infrastructure where cyber security crosses over into physical security, And that's always fascinating.

You see it with things like the electrical grid mm-hmm and energy providers, but it's also very much the case with your job. And it sounds like you are involved in physical security, but not responsible for it, but your boss actually is the intersection of those two, how much different is what you have to worry about at the NFL than IFF or kind of a normal security job, if you will, how much does physical safety kind of wander over into your path?

[00:33:54] Tomas: No, it, it plays a lot into what we worry about from a security standpoint. And, and me specifically from a cyber standpoint, as we put on the big events, right? Whether it's, uh, tempo events or international series games, or even the regular season games, having to worry about health and safety is, is at the forefront of, of my mind.

My thought process is we should not have any cyber event that impacts health and safety. We need to do the best that we can to prevent cyber incidents or, or the impact of a cyber event. But us also, you know, you, you need to prevent it from stopping the game. You need to prevent it from yeah. Causing some level of chaos in, in a stadium.

So as. As we work through our incident response. And as we work through tabletop exercises and likes, we account for physical security type scenarios, if you will, that started as a cyber event and translated into a physical security, uh, health and safety matter and vice versa on the physical security side, where there's a lot more focus on physical security.

There is a, a focus in there on scenarios around things that might start cyber, right. Or, or that, or physical that might lead to cyber event. Right. So think about somebody getting into a location and, and taking assets or things like that. So. In my opinion, not only because I work for, for a really good chief security officer, but in my opinion, that convergence between cyber physical is very, very apparent and very real on a day to day basis for what, what I do.

And I'm just seeing that more and more. And we are seeing that just across the industry and the world with the sort of industrial control environments, right over those critical infrastructure environments. So that's a very real issue. And so the teams or the, or the organizations that still have those roles separate, whether, you know, the, the CSO reports to the CSO or the CSO reports to the CSO, it doesn't matter.

Reporting wise, there needs to be that mutual respect around the functions, but there also needs to be that collaboration and coordination between the two functional areas. Because if you're not doing that today, you're just setting yourself up a failure. Uh, I think that convergence between cyber physical is happiness becoming more and more apparent every day.

Yeah. I want 

[00:35:51] Dave: to talk about a little bit about wearables and 5g and where that's headed. Mm-hmm , let's take a quick, like two minute bio break. So give me one sec and get up, stretch your legs, whatever you need to do, I'll be right back. Okay. Sounds good. There's a couple of directions from here that are sort of interesting.

And one of them is you've got all these people with cell phones, wearables, 5g, and everything else. And you've got an event with tens of thousands of people where you need to protect it. So there's an element of the amount of telemetry and data that you can take in at an event like this, which is beneficial for security, and it might be cameras at the event itself.

And so on how much of that factors into your job. And there's another aspect of that we'll talk about afterwards, but like how much are you, like not worried about guard duty and you know, an IDs and a firewall and EDR and the rest of it. And are you thinking of like all the telemetry that comes in from just.

People and the safety oriented to it. Is that a factor of the job or is that pretty far a field at this point? 

[00:37:01] Tomas: Well, some of that is, is not some of that doesn't play a factor in, in the day to day role of the job. I mean, some of it plays a factor into, are we providing the right level of services for people while they're at the, at the venues, you know, watching and enjoying their, the sort of event that's that's occurring.

Right? Yeah. So just being able to sort of connect and be able to tweet and things like that. Yeah. There are areas that, that do play into along the lines of wearables and the technology, you know, as we think about the sort of gaming integrity pieces, you know, what can be in and around the, the, the sort of on the field and things like that.

And so there's the compliance aspects of, of what occurs from just, you know, football and, and the operational aspects of football that, that do that are concerning. So to certain rules and regulations, you know, as part of it's part of the game where you can't wear wearables or any type of, uh, recording device, and that's all specific to, to gaming integrity, which is, uh, very, very key and critical to the brand.

And then the other things, you know, just thinking about as like introductions, if you were of like risk, right. You know, are we worried about to where we I'll say more? So things like drones is probably the things that we sort of, uh, you know, if you're thinking about the things that could be somewhat disruptive would be drone technology.

Mm-hmm I think that has, that has more of a, of an area of concern, if you will, for us, the other things that are sort of in that world. Right. Because we worry about it. And so more operating technology and IOT devices, if, if it's ant type device, so not wearable or phone or, or things like that, but another type of IOT device that, that we don't know about, we, we would be concerned about that, but yeah.

But every day, like users going into watch a game. Yeah. That's not stuff that we are overly concerned. That's gonna have an impact to, uh, to the, you know, to the product. 

[00:38:45] Dave: Yep. So, so different. So different than other situations. And I, and the other thing that that's kind of interesting is the players themselves are so monitored now and have so much telemetry coming off them as individuals mm-hmm

I would imagine that there's privacy implications for the players as well. And for protecting, you know, what, arguably it's patient health information of a sort, or at least it's very private, biometric style information, or at least biofeedback information. I'd imagine that's a part of the job as well.

[00:39:20] Tomas: Yeah. That's, there's definitely components of that, that, that we do worry about and we have to protect, I mean, there's, you know, there's, you, you can't turn on the, the game and not see something like, you know, NextGen stats, right? This, this statistics side of what we capture and the Teleme data from the players, uh, being play, sorry, playing on the, on the field and being able to capture all that information.

Uh, and then you have, there are some, you know, there are, uh, good attribution of information that we can do to, to help with health and health and safety as the player. Some of that stuff I can't go into too much detail on it is definitely top of mind for, for the league that play health player, health and safety is definitely top of mind for the league.

And so we try to capture a lot of information to be able to assist players, assist coaches and the likes, uh, to be ma to, to make good decisions and look at the, the, the field and the operational aspects of the field to make sure that, you know, uh, it's not gonna contribute to a, to a player injury or something like that.

Yeah. 

[00:40:14] Dave: And you, as, as you mentioned before, all 32 teams are your favorites, which I think is I I'm just gonna guess that it's, it's the giants, but having said that, you know, you can, you can , you, you can keep your secret. As a Browns fan I'm, I'm used to hiding who my favorite team is. So, you know, I, I feel you, man.

[00:40:34] Tomas: I, I like them all. I like 4 32 teams 

[00:40:38] Dave: at the end of the day. You're you're you, you're kind of getting it there that in some ways you're a service provider to all 32 teams and taking care of them and enabling it and so forth how different the 32 teams have different on-field personalities, different histories, and so on.

How different are they as, as customers, if you will, or as parts of the league is a big part of your job dealing with the peculiarities and the personality differences across the different teams. Well, 

[00:41:07] Tomas: it it's really trying to interweave security into their businesses, right? If you, if you look at like the, um, I can't think of what the Browns have in terms of, uh, businesses, other than football, but majority of the clubs, they have other interests other than football.

And so, you know, as a, as a CSO, you have to. Uh, account for where the business is trying to get to. And, and how do you enable that business stakeholder to get to where they need to get to and hit their, their, uh, sort of targets. And so, yeah, absolutely looking at the different clubs, figuring out what other lines of businesses do they actually run other than football?

Uh, how can the security program, you know, in interfere with what they're trying to do on, on a different side of their, their house, you I'll give you an example, right? Like the saints, the new Orleans saints, they have the new Orleans saints, and then they also have the NBA F as, uh, the pelicans. I right.

Pelicans. Yep. So, you know, I'll speak to the CISO at MBA. Right. And, and actually the O the prior CSO, the new one, I actually just met, but we would have conversations along the lines of like, you know, how is the security program that we are pushing forward from the NFL standpoint? How, and, and how does that conflict or align with the secure program that you have on the MBA side to make it easier on the club, right.

That has multiple businesses so that it won't be. So it's really just stakeholder management working with their respective. Each club has their own it and security representative. And working with those individuals to ensure that the, the program is not gonna break that business. Uh, because if you can't, if security is not enabling the business, what are we doing?

You know? Yeah. What are we doing? Like, I could security, I could secure any company, but you know, that requires unplugging them from the internet. And if we did that, you know, nobody's gonna be able to see or make money or anything like that, everything along the line. So not the game that we're 

[00:42:53] Dave: in. And do they do each one of the individual teams have a point person for security that you can go to?

Is that piece of it pretty normalized? Is it usually combined with it or does it kind of vary wildly across the board based on the 

[00:43:08] Tomas: team? Yeah, I think it varies. So yes, they do have a point of contact that we, that we interface with and we work with on a, on a regular basis, uh, actually on a monthly basis.

And it varies, it varies just like, you know, the. I was just thinking about like these sort of surveys that they always put out. He was like, where is the CISO report to where is the CIO report to, yeah, it's the same sort of thing. Like, you know, if you were to survey 30 to clubs, you might have a different sort of reporting line and different level of maturity, if you will.

And I'm sure the same applies to the other leaves as well. So, so yeah, there is a point of contact. They do align with a new organization. Uh, there are different areas or leadership that they do align to. So our job is to try to work with them and, and figure out, you know, how do, how do we continue to influence?

How do we continue to influence them to do the right things from a security standpoint? How do they continue to influence their stakeholders to, uh, to fund the program? 

[00:44:00] Dave: Who's the big boss? Is it the owner? Is that typically who like, you know, the bottom line inside, it it's like it comes back and if Jerry isn't happy, nobody's happy or is it, is that kind of depend on the club too, based upon how involved the owners are.

[00:44:16] Tomas: I think a lot of the owners, you know, I, I'm not gonna say that I have intimate knowledge of, of each and every one of the owners. I think Jerry Jones is probably a, a great owner, but I would say that the owners, since they are engaged a lot in their business and in there specific football business, they are heavily influencing decisions that are being made.

So yeah, just peripherally from the, the ones that I have met, they are fully engaged and, uh, and they do, I'll say the buck stops with them because they are, they're the owner of the, of the team. Have 

[00:44:45] Dave: you had to have memorable security conversations with owners before? 

[00:44:51] Tomas: No. Never, not yet. No, not yet. No, not memorable.

What are we talking about here, Dave trouble? now. So I do get to present to the owners cuz they are my board of directors, if you will. Right? Yeah. So all 32 owners are my board of directors and there's different subcommittees that I present to as part of my role as CISO. And look, we have conversations just like any other CISO would have with their board where you're talking, raising issues and you're trying to get them to, uh, to buy into solutions that you you're pushing forward and asking them for their support.

So nothing really spirited at this point, you know? No, no sort of war stories, if you will, maybe well, I'm hopeful. There won't be any war stories like that. But, and, and I think it's really a Testament to the it teams and the security teams within the organizations sort of being those evangelists to, to spearhead those conversations.

And it's hard, right? I mean, in this day and age, if we go back maybe 10 years, it would probably be, you probably see more spirited conversations, but in this day and age it's hard because there's so many breach, public publicized breaches. And I. And the owners get it. They, they get it. They wanna invest in security.

They don't wanna be that headline and they wanna protect their assets right there. And it's not only them protecting the assets, but it's also the fans and the customers that are coming into the stadiums that they want to protect as well. So those are very top of mind things for the owners and they take that very, very seriously.

And that trickles down throughout the organization. 

[00:46:14] Dave: Yeah, I, I have to imagine. And this is, you don't have to agree with this or otherwise, but I have to imagine that what's happened in the past really two to three years with the intersection of physical security and cyber security, with things like ransomware and, you know, ransomware, hitting hospitals and having people, you know, physically impacted by security and having, you know, just cyber become so pervasive.

I'd imagine that can't help, but have them lean in when you talk to them. And your job is probably a little easier than it. Would've been five, 10 years ago to get them to care about cyber. 

[00:46:50] Tomas: Yeah, no, absolutely look, never let a good, uh, sort of reach, go of waste. Right. And, and I don't mean that in a, in a joke anyway, I mean that, you know, there's, there's headlines every day, uh, trying to take those headlines.

If you think about it from a threat landscape standpoint and, and map those back to, to the line of business, I've been doing that for, for, for years as, as a CSO, I found that to be pretty effective to drive home the point. So yeah, ransomware very in the news, very public, very sort of, uh, impactful and disruptive and they, they get it, they understand the, the potential impact to their business and to their, you know, to the season.

So, yep. 

[00:47:25] Dave: So you, you call these, I think temple events. Is that the 

[00:47:28] Tomas: vocabulary? Sorry. No, uh, 10, 10 pole. My, my 10 pole. Okay. My, my it, my English Spanish accent is a, is gay. So a big, so I think they call it, you know, like a 10 a tent and a and a pole. Yeah, 

[00:47:40] Dave: yeah, yeah, no, no, it was just, it was. Like look, uh, I, I live in LA, so we, we seamlessly learn English in Spanish.

Yeah. So I heard temple and I wasn't sure. So the temple events that this would be the NFL draft, this would be the super bowl. This would be the pro bowl, that sort of thing. Yeah. And you've, you've talked about this elsewhere, that the draft is hard because it's long, it's three days long and you have to defend it the whole time.

The super bowl is this passive event. And you can prepare for it for a long time because it's a fixed location. But these are like in, in many ways, these are the determiners of your success. There's all the normal stuff throughout the year. But if something happens at those events, boom, like it's a career defining moment in many ways.

How do you threat model for that? Like how do you start to model the risk and prepare for it? You know, and then I want to, and then we'll talk a little bit about who you compare notes with and so forth, because there's clearly things like the world's cup, where they take there's similar tent pole events, if you will, to use the same vernacular.

So how do you, how do you begin to threat model? What's the start of the journey and figuring out how to, how to defend the event look like? 

[00:48:57] Tomas: Well, the first thing I do before every sort of big sort of let's say super bowl is, uh, I make sure my resume is up to date. you gotta make sure gotta make sure your resume is like today because no, I'm joking.

I'm joking. So I jokingly say that, uh, that, that those big events are like my yearly performance, really like the super bowl. Right. You know? Yeah. And I jokingly say that, but I actually, I mean that to, to, to the extent, and I say that to, to my, to my team, I say, look, we're, we've done a really good job throughout the whole season.

But if something happens at this event, it'll call into question all the hard work that we put in. So let's, let's try to step it up and be the best that we can be and, you know, and they take that very seriously. My team takes that very seriously. All of our partners understand the pressures that we're under and, and they sort of work with us, you know, whether it stay in local government and agents, agencies and, and whatnot, um, they all understand that.

So, you know, preparing for those types of events like that, it does take a year long work for preparation. They are in static locations, which is one of the benefits that we do have aside from like, when we had to pivot and do a virtual draft, uh, which was supposed to be in a physical location. And we had to sort of, uh, do it virtually and, and figure that out in a short period of time, which was very stressful, but we accomplished it.

[00:50:10] Dave: Oh, it's alright. I'm just, well, let me ask, let me ask a really specific question. Do you sit down and threat model these beforehand and think through all the things that could possibly go wrong and as you do that, Do you compare to other events like the world cup and other places, you know, F1 the NBA, the world series, like what does that, what does that look 

[00:50:36] Tomas: like?

We do. So we, we do spend a lot of time creating, I'll call it a threat profile on the location that we're gonna play in. Uh, we look at intelligence information, you know, both cyber and physical. Uh, we, we, we start to profile that several months in advance working with our, our, uh, law enforcement partners, uh, trusted sort of, uh, uh, partners.

And really what we're trying to gauge is what do we have to worry about for this particular event in this particular, in the particular state that we're in. So to give you an example, last. Well, this earlier this year, we did the, the super bowl for last season. We did it in sofa stadium in, in LA, in your hometown.

Yeah. Uh, which was, which was awesome. I don't know if I, I don't think you were there though. Uh, it was too expensive, 

[00:51:20] Dave: man. I didn't get any tickets. And tickets were like 20, $30,000. I wanted to go, but it was crazy pants. 

[00:51:28] Tomas: Well, it was, it was a, it was an awesome event. The halftime show was, was great. I mean, some, it depends on what, how you lean.

I thought it was great. I thought the whole event, the experience, the fans, everybody that was there is awesome. Um, if I had a ticket for every person that wanted me to give them a ticket, I'd be like, uh, a millionaire. I have no tickets to give zero tickets, but, um, uh, the event itself, right? We profiled that location.

We profiled this, the all threat actor, not the all threat, but we profiled different threat scenarios. And we try to work through that in a construct of a tabletop exercise. And that experience or that journey as a fan, if you will. Right. And to me, when, when I think about sort of securing a big event, and some people will say, you know, smart, you're only really securing that venue.

And what I'd argue, I'd say, look, we're not only securing the venue. Like it's, to me, the event starts when you, as a fan purchased a ticket. So when you went to your, your favorite ticketing site and you purchased a ticket to the actual game, you know, we are working with those partners to make sure that that experience is seamless and secure.

When you decide to, to book your hotel room in and around that surrounding area, we are working with those hoteling partners, right? Those sort of hospitality partners to ensure that your experience there is going to be secure. And what I mean by that is we're engaging them early on, on table topics, scenarios, and exercises, and working through.

Working through what potential impacts there could be on not only you as a fan, just in the hotel, but us as the NFL staff, as we're putting, uh, setting up shop, as our players are engaging in a different hotel, like we're working through that sort of journey of a fan. If you will, to ensure that each of those touch points, you're gonna have a, a, an awesome experience and everything leading up to when you actually get into the, to the venue.

So think about when you're in the airport, you know, last year we had the CSO for lax airport, part of our tabletop exercise, working through some wow. You know, we had the, we had the CSO for LA Metro and, and their security teams sort of working with us. We had the, the law enforcement from the county of LA and, and the city of LA, you know, from, from law enforcement, their cyber teams, uh, engaged with us.

And we walked through, you know, we did a CSO summit in LA, and we're gonna carry that forward for the, for the next sort of, uh, super bowl in Arizona. But we did a, that sort of summit. And we walked through that journey of a fan as. You know, as I mentioned, purchase the ticket, got on a plane, get into the car service, get to the hotel, get to the car service, get to the actual venue and then work their way backwards.

And we try to work through, through different scenarios so that we can become better prepared. And really what we're looking for is, you know, at least from, from my perspective, we bring all those individuals in the, in the room and we do that to help them connect the dots so that they understand and appreciate that we have to do a few things.

One, we have to communicate effectively across the board as far as threat intelligence and what we're seeing from threat apples and whatnot, because we're also interconnected and two that it's not only the game that we're worried about, it's everything in and around that. So, you know, I don't know if a lot of people sort of see that.

And I know I can tell you that before joining, you know, the league, I didn't necessarily appreciated that so much, but you know, we must have had like over 200 people working with us just on cyber alone for some of our, between some of us, uh, between our trusted partners on calls. Uh, for things that we were working through and that's not including how many people they had back in their respective organizations.

Right? Yeah. So it's a, it's a lot of orchestration and collaboration, but that's probably the fun part about it, right? Yeah. That's 

[00:55:02] Dave: really cool. Yeah. I mean, basically instead of supply chain, it's sort of event chain, it's all the, all the parties that come into the experience of someone going to the event and bringing it all together.

Yeah. That's really cool. Is there, is there another CISO that you compare notes with or another security leader or it leader that you would compare notes with across the other leagues? And it doesn't have to be in the us, like I said, I mean, it could be, could be world cup. It could be F1. They have I'd imagine some of them have really different concerns, but similar, similar 

[00:55:35] Tomas: problems.

Yeah. So when we were preparing for super bowl in LA, remember that time period the Olympics was going on. So we had the, the winter Olympics. I, yeah, it was the winter Olympic. Uh, it was going on in Beijing. So we were, we were chatting with, so with NBC and, and their security team, NBC was also one of the sponsors broadcast partners for the, for the game.

So it was just a natural conversation, but we were chatting with them. And, and so we compare notes on like, Hey, what are you guys? What are you seeing? You know, as we, as we start to prepare and closer to the, to the game day, what have you seen threat threat wise? Uh, I do chat with like MLB and, and, and MBA and, and MLS.

And we sort of compare notes. It's a little difficult sometimes not because the NFL is like the, the best organization or the best sports league, but we are, uh, , 

[00:56:22] Dave: you're right. To be proud of that. Especially if you're not gonna pick a team, you might as well be proud of the NFL. 

[00:56:28] Tomas: But, um, look, we do chat with our, with our re respect, you know, I chat with my respective CSO colleagues in, in the, in the leagues, but I also keep keep tabs.

And I, and I talk to my CSO colleagues in, in different industries. Right? What are you seeing them finance? What are some of the latest threats that you see on finance is that trickling its way down to, to our environment. So, you know, there there's a lot of collaboration. Uh, I haven't spent a lot of time talking to, to, uh, folks like at the walkup, if you will, or that we have spoken to, uh, to UFA, but I haven't sort of been able to build that relationship.

So if you know anybody over there that, that are happy to connect with them on the topic, but definitely in the, in the us, we do keep tabs and we chat with the, with the other league CISOs, if you will. And we try to compare those notes because they're so, you know, they're doing like major league, baseball's doing like a hundred something games.

NBA's doing their, their games. You know, hockey does their games and MLS has their games. And this there's a lot of overlap in what we have to worry about, you know, not only from a venue standpoint, but also the types of threat that we're seeing. So we do try to keep those open lines of communication. And there's a, if you remember, like in financial services as like the, is a stores ack and things like that, Um, there's I think there's one in the sporting world.

I, I, I say, I think there's one, because we're not necessarily fully engaged in that, but we do our own sort of informal information sharing if you will. 

[00:57:49] Dave: Very cool. All right. So let's, let's fast forward to a day when you're ready to retire or you're ready for a new adventure. And you have to, you have to write a note.

You have to pass on what you've learned at the NFL to the next CSO. What do you put in that note? What are like, let's say that they're coming in, like, like you did from a financial services background and doing other things, and they're new to this area. What are like, what's the top advice you'd write to them?

And a note as you go off to something else, 

[00:58:21] Tomas: I think I would say keep tabs on stock market, because if it does tank, you want to, you wanna invest, invest cause it'll recover in the future. Now look, I, I would, I would leave in a note, a few pieces of advice. One would. Definitely focus on listening and learning as much as possible, as much as possible.

And as much as you can about the business and impact of the business of what we do across the industry and across the fan base, I think that's, there's a certain level of pride in it. You know, you kind of said it when I said, yeah, NFL, the best sort of league, there is a certain level of pride that we do take as employees and as security people who have to protect that shield.

Right? So that it is an emblem if you will, of America. So there is a certain level of pride. And so my, one of the advice where I would be would is to listen and learn as much as you can about the business of what we do every day. And that almost goes for any company, but yeah, very specific to where I am now.

Uh, I think that's been invaluable for me to really spend some time, try to learn and try to understand where we're trying to grow. So that's number one, and that leads into. Why you're actually securing and worried about security, right? So you always have to understand the why. And that's where, that's why I say that that's really important.

The other thing that I would say is I always think about security as a business function. I don't think about it as, Hey, we need to put in firewalls or we need to put in things to block and stuff. I think about it as we're helping the business manage risk. And I think about my program as a, as another business aligned function in that construct of how we are allowing and enabling the business to continue to grow and move as fast as they can, by allowing them to understand the risk that they're taking in any sort of capacity.

So the other area that I would sort of write in terms of, uh, advice would be continue to grow your, your security program, but don't forget to align it to where the business is trying to get to. You know, I think sometimes security people get stuck and practitioners will get not stuck, but we'll get so laser focused on the latest and greatest vulnerability or the latest and greatest zero.

Which is, yeah, it's important. And you need to worry about that, but sometimes you easily get distracted and not remember, well, what are you actually doing and, and protecting and why you're actually doing so I think those are the two things that I would, that I would say. And the third thing to round it out, surround yourself with smart people, build a great team.

I work for my team. I, you know, my team doesn't work for me. I work for them. I learn as much as I, as I can from them as, as I, as I'm responsible for sort of leading them. And if you surround yourself with great people, good, things' following you have a great career. And I, you know, so far it's been, again, it's been three years, we've secured three super bowls, multiple drafts, multiple international series games and championship games.

Um, and we've got a few more to, to secure before my, my 10 years up. So I'm not leaving anytime soon. Uh, so nobody come knocking down the door for my job this week. um, but, uh, but those would be the three things that I would, that I would sort of write as Freddy incumbent, uh, who have to take my role.

[01:01:33] Dave: Awesome. All right. Well, that feels like a good place to end on. And it's, we're going into a long weekend. It's 5:52 PM on the east coast. And the pool's been beckoning at like 90 degrees out there. Thanks for making the time for us. This has been, it's been great to have you on appreciate it to 

[01:01:49] Tomas: us. No, absolutely.

Dave, happy to be here as I've mentioned in the beginning and you're right. It is like 90 degrees out in New York. And you can't say I'm not dedicated my friend because , I can't wait to go to that pool and, uh, and crack open and an adult beverage. 

[01:02:05] Dave: There we are. All right, let's make it happen. I've hitting stop recording.

Thanks again to us. 

[01:02:09] Tomas: Thanks for joining us for this episode of security voices. If you have comments, questions, or feedback, please reach out to us@infoatsecurityvoices.org, or reach out to security voices on Twitter, or you can always contact either Dave or me directly. If you'd like to hear other episodes of security voices, see transcripts of the shows or learn more about our guests.

Check out our website@securityvoices.org. We'll be back in a few weeks with another great conversation.