Ep 15: Tackling AI Offense and Defense with The National Football League CISO Tomás Maldonado

‍Evan: Hi there and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, fortune 500 CISOs share how the threat landscape has changed due to the cloud real-world examples of modern attacks in the role AI can play in the future of cybersecurity. I'm Evan Reiser, the CEO and founder of Abnormal Security

‍Mike: And I’m Mike Britton, the CISO of Abnormal Security. 

Today on the show, we're bringing you a conversation with Toe-MAS Maldonado, Chief Information Security Officer at The National Football League. The NFL, made up of 32 franchises, is the world's most valuable sporting league, with over 20 billion dollars in annual revenue, and a growing global brand.

In this conversation, Tomás shares his thoughts on the vital role of cybersecurity in the NFL, the impact of AI on emerging security threats, and his optimism on the potential for AI-driven incident response.

‍Evan: Tomas, great to see you as always. Do you mind giving us our, our audience a bit of a background about your career and your current role at the NFL?

Tomas: Sure. So, I'm Tomas Maldonado. I've been a security professional for, I want to say, a little over 25 years or so now. That 25 years has been made up with 17 years in financial services, working across 11 at Goldman and, uh, and Chase and then working in chemical manufacturing for about 4. 5 years. And now I'm at the National Football League. Uh, just Touching on five years. Uh, so five years in five seasons, we'd like to actually count in seasons.

So I'm going into my sixth season, uh, close off, uh, secured five Super Bowls. So really, really exciting time, not only for, for me in my career, uh, but just exciting times in the world, right? We had to deal with a whole big pandemic, uh, and put on a big show, uh, during the pandemic, and now we're sort of coming on the outside of, or the next phase of what, you You know, the, the, I'll call it the, the post pandemic, uh, side of the house and, and, uh, getting into really cool areas of technology, cyber, and just the world sort of converging that cyber physical convergence.

Evan: When you reflect on your career, you know, you've been working in this field since probably before it was called cyber security, right? What was the moment that, kind of, the light bulb went off for you around cyber security? Was there a particular moment where you said, okay, like, this is the thing I'm going to go do. This is the mission I want to go fight. 

Tomas: Yeah, there was and, so my dad was a, uh, federal officer, police officer. And so I've always had this, this, uh, police officer background, law enforcement background in my, in my family. So I've got tons of, of, of NYPD cops that are family members and whatnot.

I actually did not want to do anything law enforcement related. I didn't have that as a, as a goal and aspiration, but I did actually want to be a lawyer. When I started doing technology because  I didn't grow up with a, with a huge pot of cash that could afford me to go to law school and things like that.

So I, I had a very, I was very passionate about law and I was also passionate about technology. So my plan was to go to college, do computer science, get out of college, get a job, save up some money, go back to school, do law school, because I used to actually like watching Perry Mason with my dad, and be a lawyer.

This passion for, for technology, you know, grew, and then the internet started to, to take more shape around the people's lives, right? So my life with email and e commerce, and search, and think about that time period. And when I started to really look at security, or what's now called cybersecurity was really when e commerce was starting to take shape, where people were going to these e commerce website and saying, Hey, if I put a negative dollar amount in here, after putting the product in my cart and I hit submit, I could get the company to pay me money or get it for free.

And I was, I was like, wow, that's really a thing. So, like, the bad side of, of hacking this, if you will, creeped in and said, Hey, let me see what else I can do, you know, with this website. And then I started getting more and more involved in, in learning about, uh, being able to hack, if you will, right. What we call hacking systems. 

So I was brought up. Computer scientists by trade. I knew a lot about developing, I used to develop in in, in c and c plus plus and Java, but I really found a passion for networking. So I learned a lot more about how connecting, uh, computers together. I remember I was very passionate about trying to be a CCIE because at the time there were like less than a hundred CCIEs in the world and, where I worked at as an intern, there were two in my, in my intern, in my company. And those guys were like traveling to Japan and London and all this. I'm a kid from the Bronx, New York. I wanted to get out of New York city, right. And travel and explore the world a little bit more. So I was like, I want to do that networking.

So I went along the path of networking and learned a lot about networking and connecting computers. But then I also learned about systems. So windows and I started down the path of doing a MCSC. Never, never quite fully uh, completed that because I stumbled into security and I stumbled into figuring out that, wow, I can actually take over a computer. I can actually modify a setting on a web page and get a product for nothing. I'll have the company send me a refund. Right. So that was like my first introduction to cyber security, what is now called a cyber security, and it really started with being able to quote unquote, hack, right. Take over a machine, take over a network and take over, uh, you know, the, or compromise any commerce system.

And that started me down the path of getting formal training, if you will, in that space at the time, formal training was like, You know, like a SANS training or, or some specialized TCP IP security course. Um, but that started me down that path of, of doing that. And then, you know, the Hacking Exposed books sort of came out and, and, you know, these guys that are, I don't want to name drop them, but just Google Hacking Exposed and you can see who wrote the books and see what they're doing now. Like these guys, you know, really helped me map out what I thought was really interesting and cool, which was cyber security, which is what we now know as cyber security. But, uh, that, that was the, uh, I'll say that was really the, the tipping point for me, Evan. 

Mike: No, that's, that's great context, Tomas, and really appreciate you sharing that. So just given how, you know, everybody, I'm assuming everybody in our audience knows the NFL and how popular the NFL is, and it's growing global audience, what are some unique aspects of your cybersecurity program or doing cybersecurity at the NFL that an outsider may not fully appreciate?

Tomas: Yeah, look, I think a lot of people don't fully appreciate the convergence between cyber physical and and the actual ramifications of a cyber event trickling down to a health, a physical health and safety type of event. And they don't usually make that connection right off the bat. 

Well, think about everything that we're doing from a sports and entertainment standpoint. Yes, there's a product that you're seeing on the field with people going at it in terms of a sport, and it's a lot of enjoyment and excitement behind that. But what does that do? 

I mean, that is generating a lot of data. A lot of data that we're capturing to do different things, to make different decisions. Those decisions could be making a bet, right? Placing a bet on the outcome of an actual game. Those decisions could be, uh, you purchasing some piece of merchandise because you are very close and connected with that, that body of, of, of team, if you will, that are playing. And that data being the video data, right? The broadcast fees, the audio fees, the reactive, the sort of connectedness, the human side of the sport. That's why I say it's, it's, it's generating so much, so much data. 

So I think most people don't fully appreciate that when you generate a lot of content, whether it's audio, video, or even statistical data. That, that information is actually being used by several different parties to make decisions. Those decisions could be broadcast partners focused on which ad revenues are going to be, how you're going to generate more ad revenue because it's more eyes on a TV screen to watch, uh, the, the, the actual game being played, played and that could be what is a TV screen or mobile device or what have you, right? Those decisions could be, uh, for sports, uh, betters, if you will, right? Statistic wise, how to, how to increase the odds so that people can place bets, right? Those decisions could be people just wanting to go see a game, right? Physically actually go see a game because their team is winning more games than the other team and their team is in the playoffs. 

So there's a lot of data that we're collecting around the actual, uh, event. And when you collect a lot of information like that, you obviously have to worry about securing that information and making sure that that data is actually safe and secure. And then the, the association of that information is, uh, there's a lot of other aspects of what we do that's very similar to other companies, right? We have material non public information for deals that we're doing. We have medical information for players and their health and safety aspects. We have customer information for all the customers and the fans that are providing that data for us, whether they're purchasing things or buying tickets or interacting with our website. So we have to collect and secure all of that data and make sure there's privacy laws, make sure that we're maintaining the compliance of privacy laws. So that's the piece that, that, that people sort of, uh, kind of forget.

And then the, the health, the physical set, the, the cyber physical convergence is, you know, when you're in a venue and you're watching a game and you're consuming a product, Imagine, you know, I use this example a lot and I'll maybe mix it up a little bit, but just imagine, let's say you're not at a football game, let's say you're at a basketball game. And the scoreboard of the basketball game gets hacked and they say, Hey, there's a fire. Oh, Hey, there's a bomb. Oh, Hey, there's something that makes you cause a reaction in you. That's like, wow, I got to get out of this location. Like right now, because I've got my two kids with me and I don't want anything to happen. That will cause some level of stampede in that, in that arena, if you will. And that now trickles down that cyber event trickle down into health and safety and physical security sort of issue that you got to deal with. So a lot of people don't think about that. And they, they sort of take that for granted.

I will challenge everyone when they go in to see their favorite baseball team or their favorite basketball team or their favorite NFL team to always think about. How does technology impact them in that experience? And then how do they have to work, you know, are they worried about whether technology is going to be a problem or not for them? And my hope is, as a security professional, is that you don't worry about any of that. You go in, you sit in, you watch the replays, you watch the score, you go drink something in the, from the concession stands, and you have a great day, uh, getting to the game and getting out of the game. 

Evan: Tomas, I really appreciate the example. That's very, very kind of tangible and it's good. It's a good reminder about just how this growing interconnection between the digital and physical worlds.

We're in 2024 and there's a growing usage of, you know, web applications and people are working from anywhere in the world on any device, any network. What is kind of like the most top of mind considerations you have for cybersecurity right in this, in this new world that just, you know, maybe didn't, people didn't have to think about in the past.

Tomas: Yeah. Look, I, I think the, the evolution of technology and the interconnectedness of technology within our lives, it's gonna continue to grow and our dependency on technology is gonna continue to grow in a way that actually worries me. And I, I'll, I'll give you an example of why that worries me, and, and then I'll also tell you why I'm thinking about it in, in a way that I think is gonna be really good and, and, and fruitful.

You have a phone, right? This concept of a smartphone. And in that smartphone you put in a contact list with phone numbers and people's names. Do you remember your, your parents' number? Do you remember your wife's number, right? Do you remember somebody important to your phone number? Just something very basic and simple. Well, this smartphone is making us actually a little bit less smart because we're dependent on that device. So, you lose your smartphone, now you lost your contact list, you may lost your credit card list, you may lost, you know, your ability to communicate with people, whether it's text, phone, or email. And, you know, you're at a loss. 

And so, I worry about that aspect of the technology where humans become more dependent on the technology and less dependent on their own technology, which is their very fascinating brain that they have in their system, in their bodies, that is probably the best computer you could ever have, right? Depending upon what age you are, and at what stage of your career you are, and maybe, you know, what you did when you were younger, if you, if you burned any brain cells or not, right? Depending upon those decisions that you made. So that's the piece that worries me. 

The piece that I'm excited about is all of the capabilities that you would have never thought about, right? And, and, you know, obviously the conversation is probably going to gear towards AI because that's where we're at. 

So where I think technology is really helping to innovate is underdeveloped countries. I think there's a huge opportunity for things like artificial intelligence to help underdeveloped countries get faster into the internet world, if you will, and get faster to the 21st century, if you want to call it that, uh, in the context of more interconnectedness. I really see that there's a lot of great possibilities there.

I also see there's a huge possibility for adversaries to start to leverage technology in ways that are going to be very problematic for cybersecurity professionals. We've seen this with the start of social media. Remember how the concept of something going viral, what does that mean? That means someone posted something and someone reposted it without checking it. They just, it connected with them. They reposted it and it went viral. That's what social media, you know, 1. 0 social media, 2. 0, 3. 0, wherever you want to call it, mix that in with artificial intelligence and deep fakes from videos and audios and even texts, right? We don't really think about deepfake texts, but texts, so physical, you know, someone's actually typing a word message that you get in your phones, right? A text message that is starting to change the way we react as people. And we're not doing again, the concept of smartphones and us getting less smart as technology evolves. We're not validating content. We're not reviewing content. We're taking it for face value as, as what we see, and we're making bad decisions. We're making real bad decisions. And, you know, adversaries know that. And they're praying into those weaknesses that we have. Those weaknesses being that we're very empathetic human beings. At least some of us are. 

Mike: When you think about how adversaries or cyber criminals can take advantage of, of these new technologies and, you know, kind of like what you mentioned, social media 3. 0 or, or whatever. Can you maybe share some examples of surprising ways that adversaries are using AI to, to be more successful in their attacks. Maybe it's some things you've heard about in the industry or, or specific examples that you're aware of. 

Tomas: Yeah. So I'll say, um, you know, when we think about email and email compromise, I remember years ago where you were like, Hey, you get an email from like the Nigerian prince or whatever, and you're like looking for spelling grammatical errors and like these weird things, adversaries don't need to know English, Spanish, or whatever language you speak to attack their, uh, to attack their, their victims. Now they can go into, you know, your open platform that deals with a generative AI, type up a message and say, Hey, can you create a message that sounds like this in the language X? And then, you know, put that as a payload, put whatever payload you want in there, and then you can mass mail that to people and it'll sound like it's, Mike, like it's your, you know, your family member trying to get ahold of you because, uh, they got a flat tire in the street. So that's one example that I've seen of, of just AI advancing those adversary and those adversarial techniques to, to craft more, better phishing emails or, or increased, you know, the realness of a business email compromise, right? And starting that. 

I think the other thing that we're seeing, you know, that I sort of keep my eye on from a sports entertainment standpoint is it's just a concept, not the concept, but the reality of deepfakes, right? I mean, whether it's someone Creating a deep fake for their, you know, their coach, or sorry, against the team for a coach. I think I saw one against Michigan, right? The coach for Michigan wants Michigan won. I think I saw some Ohio State fan. Oh, I don't know if it was an attribute to Ohio State, but it was very sort of a one way, where the coach from Michigan was like, supposedly saying that, you know, saying things that were in favor of the, uh, of the opposing team. Well, that's a deep fake, right? That you're seeing.

Now that was made and you could see it and you could be like, Oh yeah, that's a joke. But think about when you get into the presidential election that we're going to see in the next few, uh, few months. Right. We've already seen doctored images for like wartime stuff that is happening. And this is not to get into any of the wartime conversation, but we're seeing it already. It's out there, this misinformation, this, this, this disinformation, and then deep fakes and audio fakes, just being able to exacerbate that problem. So that's what I'll say.

Uh, we've seen, you know, I don't think it's been attributed in, in the news for the, uh, the recent sort of hotel hacks on ransomware. Right. We're seeing people calling us, posing as their CEOs. You know, you, you, the same way you get a text message that says something like that, you see, you're hearing it in an audio fake. Uh, and I think the next evolution of that, it will be a real deep fake and, so, uh, yeah, it's, uh, it's very, very real. 

Evan: So Tomas, it's kind of a grim future, right? Like you made this point earlier that people put so much trust in these digital identities, right? You said they kind of don't use, like, you kind of forget to use your brain because you kind of trust the technology so much. You're, you're painting a grim future, right? Where like, you know, every email, phone call, FaceTime, Zoom video is now. You know, Jared by AI, but that's a scary world. 

Maybe, tell us like why we should have some optimism, right? You know, what role do you think AI will play in helping, you know, the good guys win or is it like a lost cause? Like, you know, what, what is the, what's the light at the end of the tunnel? 

Tomas: Look, I think there's a lot of positive that we can get out of, uh, out of AI, right? Whether it's making advancements in medicine and using AI to help us cure diseases and illnesses and, and, and do better in that capacity. I think that's one real good use case.

Whether it's helping educate people and think about like job shortages in certain areas. Helping to speed up the education process and building that pipeline of talent and getting people started in their careers. I think it will definitely help get more, make more efficient decisions for mundane and repeatable tasks and processes. I think that's a huge upside there. 

And I also think it'll help us communicate across countries where historically you had to have like a language, right? You know, think about you standardized on a language. All right. English. Everybody learns English. Now you don't really need to standardize on a language. You can speak German. I can speak English. We can use AI and still communicate and have a conversation. Imagine being able to send an email and you can do this today, right? But you have to hit that translate button. But imagine being able to send an email and knowing just like your keyboard, right? Your keyboard is set in different languages. Imagine your email was set in different languages. Your operating system is already set in different languages. So I send an email in English, your system is set up for Japanese. It automatically translates it to Japanese when you receive the email, right? I think there's a huge thing there with AI that could help there. If it's not already there.

Evan: What about in the context of cybersecurity, right? Because again, we're going to see all these AI generated cyber attacks, right? I would argue we're not super equipped as a civilization to defend against those yet. You know, what role will AI play in helping build the next generation of cybersecurity?

Tomas: I think for, for cybersecurity, it'll help close the job shortage gap, I think, uh, with getting people to speed up their education, to get them into cybersecurity roles, right? I think it'll help demystify some of the, the scariness that people think about when they think about cybersecurity. They're like, Oh, I can't do that. It's too difficult. I think that'll help. 

I also think it'll help the cybersecurity professionals in making better decisions because you'll have to create AI tools to detect AI generated content and it'll help us make better decisions. I think there's opportunities for us to make our users that are not so tech savvy make better decisions by flagging either content or removing content from their channel because the technology has already been able to generate and understand that this content is, is, is bad, if you will, or malicious. So I think there's some upside there. I think there, there's still a lot of companies that are creating AI solutions that will definitely help in that regard. And there's companies that are well established already that are already playing in that sandbox that are going to capitalize on that. 

I think there's more upside than to, uh, than to the grimness, if you will, uh, and it'll force us to go back to fundamentals, like stop, think about it, and then react, right? Don't automatically click or assume that, you know, It's right. 

Mike: So one more question, because I think you brought up some really great points and lots of great ideas of how AI could be useful. Do you think there's maybe some areas where, from a cybersecurity context, maybe areas where AI is, is maybe not thought about as much as it should, or maybe some specific areas in the security program where AI could really benefit, and maybe we haven't seen as much? Uh, technology evolution there when it comes to AI?

Tomas: When I think about AI in the context of like, um, doing incident response, I think there's opportunities there for leveraging AI and even generative AI to build out like an incident response. not a plan or anything like that, but the reactive side of incident response, right? Like, how did Jane Doe's account get compromised? This is how it happened, right? You have all of the data and the challenges we have today is that there's so much data to cull through to figure out what was patient zero and how did it actually happen and all those steps in between. You've got to look at endpoint systems. You got to look at email systems. You got to look at infrastructure and network systems. Well, if you're correlating all of that information into, into a centralized location, why not have AI spit out a timeline that says, This is how Jane Doe's account was compromised. You know, and it, and it pieced together that, that path for you. And then you start to say, well, if you can do that, why don't we proactively flip the switch on that and say, we know that these are the usual next steps for someone being compromised. Why don't we stop that activity? Right? Help the user make better decisions. So I think that's an opportunity there. 

I think there's some, some companies looking at ways to make the security analysts role and the incident responders role a little bit easier and more efficient. I also think that that'll speed up if you think about when you're actually in an incident, right? So let's get a little bit more maybe technical and hands on here. 

When you're in an incident, You know, you've got your operators dealing with the actual incident, right? They're trying to figure out what's happened. And you've got people like me who, who got their leadership saying, Hey, Tomas, what is going on? How did it happen? What did it happen? And they want answers immediately. Think about if you had like that AI sort of tool doing that IR report that I just said, and your operate, your analysts can be doing their day to day to figure out how to stop and block and whatever, what is the email compromise or what is an active attack? Have the AI tool just spit out a report that says go to management. And this report will give them an up to date timeline as to what happened, what do they know at the time, period, and then that can go to management, you can get a management take on that. That'll free up and divide and conquer, uh, the silos, if you will, that you need to have, um, and provide, um, you know, better visibility and more real time. So I think that's an interesting space for security operations to leverage, uh, generative AI and AI, and AI type tools to help in that regard. 

I think there's other areas that we could interact with users. While they're creating and manipulating and sending information that we probably have not thought about. So, you know, user creating a file, if you will, and this is all very candid thoughts. So what you're getting here is very raw, just so you know. But, you know, think about users sort of creating content. I have having the system interact with them as they're creating content and just about them hitting send having a system, you know, we, we spent a lot of time saying, Oh, that file that's going to go out has a credit card or social security number, something sensitive. Well, why don't you have the AI system, you know, that they're creating the content and actually figure that out so that when they hit send, it automatically encrypts it and it sends it out securely and not have to have the user deal with, you know, whether it gets popped up or blocked or what have you. Right. 

So I think there's, you know, there's some combination of how AI is going to evolve where it's going to be more interactive with the user in their day to day and it'll make the user better and make them make better decisions. I would hope. 

I think the worry there is. You start to get more computer generated decision making and processing versus human generated decision making and processing and people will get lazy and they'll just automatically assume that the computer is gonna, gonna make the right decision. And I'll use the best example I can think of is, because I'm lazy in this regard to a certain extent, spellcheck. When you write emails or you do anything, spell check, you don't think about how do you spell that word, right? When's the last time you actually thought, oh, let me, let me think about how to really spell this word. You just type. And if you got it right, you're like, yes, great. I remember how to spell. If you got it wrong, you got good old spell check, right? Or grammar check to help you with that. So I think it'll be like that. And I think that's the worry that people will be more dependent on that and think less about their brain, um, and what they learn. 

But I, but those are the opportunities. I think really in security operations, I think there's a real opportunity there for incident response and this division of communication, how to communicate effectively externally. I think there's a real path for interacting with users and, and helping them make better decisions or at the very least, making those decisions for the user as they interact with data and share that information.

I also think there's, there's opportunities for in the identity and the different profiles that identity space. So, you know, we, you have users that users will have, like, let's say your admin user will have an elevated account and you have like a regular user account. I think there's some opportunities there for AI to maybe not have to have an elevated account versus a non elevated account. Maybe have one account and then the AI be able to make decisions that help you make better decisions around protecting your information. I think that's probably a little bit few years out, but I think we're on the right trajectory to get there.

Evan: So, at the end, uh, Tomas, we do, um, like a lightning round. So, we're looking for kind of like your one tweet answers to questions that warrant, like, One page essays. So forgive us if it's a little bit tricky. It's I guess it's kind of the point. Um, Mike, you wanna kick it off? 

Mike: Sure. So what advice would you give to a security leader who's stepping into their first CISO job about maybe what they would overestimate or underestimate about the job? 

Tomas: Uh, I, I'd give them the advice of get a therapist, get a lawyer, uh, and get a good mentor.

Evan: So Thomas, like one thing I wasn't impressed by you is like, you're, you're pretty up to date on like a lot of different components, right? The threats, the landscape, the technologies. What's your advice for how CISOs stay, you know, stay up to date, especially with new trends like AI? 

Tomas: I think they need to spend about 10 to 20 percent of their time, uh, thinking strategically and meeting with vendors to keep their hand on the pulse.

So that, that's how I do it. Uh, and I think that's, that's probably the best way that CISOs and other securities can do it as well. 

Mike: So on a more personal note, what's a book that you've read that's had a big impact on you and why? 

Tomas: Oh man. Simon Sinek, start with the why. 

Evan: Tomasa, what do you believe is going to be true about AI's future impact on cybersecurity that most others would consider science fiction today?

Tomas: I think computers are going to be making more decisions, uh, for, for us in the cyber security space. I think we're going to grow dependent on, on AI making more decisions around blocking and stopping than we do today. 

Mike: All right. Last question. Any advice you'd like to share to inspire the next generation of security leaders?

Tomas: Uh, be curious. Be curious about why you want to get into cyber and what you think you can add to cyber. And then keep that curiosity throughout the, throughout the extent of your career and always try to apply that towards enabling the business. 

Evan: Tomás, I appreciate you sharing your advice. You've always been a role model to many people, including me and, uh, super excited and privileged to chat with you. So thanks so much for joining us today. 

Tomas: No, thank you. Really thanks for the opportunity and, uh, I look forward to, uh, working with you guys and seeing you guys, uh, at a later date.

Mike: That was Tomás Maldonado  Chief Information Security Officer at The National Football League. I'm Mike Britton, the CISO of Abnormal Security. 

‍Evan: And I’m Evan Reiser, the CEO and founder of Abnormal Security. 

‍Mike: Please be sure to subscribe so you never miss an episode. You can find more great lessons from technology leaders and other enterprise software experts at enterprisesoftware.blog. 

‍Evan: This show is produced by Josh Meer. See you next time.