This blog is a smaller part of an article in Bugcrowd’s newest report, Inside the Mind of a CISO. Check out the report for the full article, along with other thought pieces, infographics, and data analyses for CISOs and security leaders.

Tomás Maldonado is a New York-based security leader and independent board director with over 25 years of experience across finance, media, manufacturing, and technology. He has been the CISO of the NFL for six years. As the largest and most popular sports league in North America, the NFL faces unique security challenges. The NFL is an organization of organizations—it comprises 32 clubs, each with unique operations, plus a league office, media properties, and global events. Tomás is in charge of securing this entire ecosystem.

We sat down with Tomás to learn more about his top priorities, his thoughts on AI governance, and his approach to proactive security.

What have been your top priorities since taking the helm as CISO of the NFL?

Our first priority has been to align security with the business’s objectives and risk appetite. Cybersecurity cannot sit in isolation; it must support the NFL’s mission and enable growth. We established a risk-based program mapped to standards like the NIST Cybersecurity Framework and made risk transparent to leadership so that they can make informed decisions about priorities and appetite.

The NFL isn’t just one organization—it’s an entire ecosystem. To secure it all, we built a unified framework that raises the baseline for every entity. Through consistent controls, shared playbooks, and regular assessments, we try to ensure no single point of weakness can impact the whole.

We have also invested heavily in culture and people. We don’t see employees as the weakest link—we see them as potential security advocates. By equipping them with training and awareness, we’ve created an extended line of defense where everyone plays a part.

Finally, resilience has been central to our approach. We’ve strengthened threat detection, incident response, and data protection, but we haven’t stopped there. We test these capabilities constantly through tabletop exercises and red team drills, ensuring that when the spotlight is on, security is seamless and the business can shine.

The issue of AI governance extends beyond tech into realms of compliance, operations, and brand reputation. How are you approaching and prioritizing AI governance?

AI governance can’t live in a silo, so building an AI governance council that includes security, compliance, legal, and business leaders is necessary. Every AI use case should be reviewed for compliance, privacy, bias, and security concerns before it launches. We also monitor emerging regulations and translate those requirements into controls.

From an operational standpoint, I treat AI like any other critical system. This means securing data, testing models for manipulation, monitoring outputs for anomalies, and preparing incident response playbooks for AI-specific scenarios. I operate on a “security by design” principle, so innovation never outpaces safeguards.

The part I emphasize most is trust and brand integrity. We’re entering an era where the line between real and fake is becoming increasingly blurred. Deepfakes and AI-generated content are a real risk to organizations. Companies investing in detection tools, validation processes for official communications, and crisis playbooks for AI-driven misinformation campaigns will be ahead of the curve. For me, AI governance is about protecting that fragile trust because once it’s lost, it’s incredibly difficult to win back.

In short, AI governance should be an extension of your security framework built on compliance, operational resilience, and brand protection; all of these elements must work in tandem.

How can CISOs effectively balance AI innovation and transformation with robust security and risk management?

For me, balance comes from embedding security from day one. Whenever a new AI initiative is proposed, my team runs risk assessments, applies guardrails, and ensures only the right data and systems are accessible. This way, we prevent later surprises.

But I don’t view security as a roadblock. I often say, “If security is not enabling the business, then what are we doing?” Security should accelerate innovation, not stop it. We celebrate when teams launch secure products and not just fast ones because this sets the tone that secure innovation is the standard.

Culturally, we work hard to make cybersecurity a partner to innovation. When business leaders understand why we’re putting in guardrails, they become allies. Additionally, we highlight success stories where secure deployments allowed us to move faster or expand into new areas confidently.

Finally, we emphasize resilience. You can’t block every threat; this is unrealistic. But you can prepare. We monitor AI systems, we scan for new vulnerabilities, and if something goes wrong, we respond quickly and learn from it. It’s about embedding security into the DNA of innovation, so the organization can move forward safely and confidently.

How do proactive security and offensive security testing play a role in your overall security strategy?

Proactive testing is a cornerstone of our strategy. We don’t believe in waiting for an incident to occur—we simulate attacks, run red team operations, and drill relentlessly. We do so many tabletop exercises that when a real incident happens, we have a plan. That preparation builds the confidence and speed we need when they matter most.

It’s also about thinking like the adversary. I remind my team that unlike sports, cybersecurity has no rules—“We don’t play fair with adversaries.” This mindset drives us to simulate phishing, ransomware, and denial-of-service attacks against ourselves. If we can break our own defenses, we know where to shore them up.

For our key events, testing starts months in advance. We bring in partners to run scans, penetration tests, and tabletop drills. By event day, weaknesses we’ve found have been remediated, and security is invisible to customers and staff. The goal is to be boring from a cyber standpoint and exciting on the field.

Ultimately, proactive testing shapes what we do. It reinforces resilience because blocking every attack is impossible, but being prepared is not. It also helps validate our defenses, sharpen our responses, and keep our people vigilant. Offensive testing is how we stay one step ahead and ensure our defense is ready.