Published by khaug, 2016-12-01 13:43:12

Yearbook 2016.2

FEATS OF STRENGTH
YEARBOOK 2016

WWW.KLOGIXSECURITY.COM 888.731.2314 Earning the right to be confident
in Information Security

2016
FEATS OF STRENGTH
YEARBOOK VOL. 2

ACTION & PROGRESS

2016 marked a year of action and progress for CISOs. We spent the year interviewing some of the leading CISOs, CIOs, and security leaders to learn more about their keys to success and top challenges. Here at K logix, we spoke with leaders from almost every industry and organization size and extracted stories, thoughts, and advice to benefit our readers.
Spring issue: Taking Action & Executing on Goals
Summer issue: Dear C-Suite
Fall issue: International Cybersecurity
Winter issue: CISO Progress
Thank you to all of the CISOs & CIOs we featured. Through these four issues, we
discussed top concerns and provided insight into overcoming a multitude of challenges.
This Yearbook is a way to keep us tied together as a community. We hope you enjoyed
reading these profiles and use this as a tool for collaboration as we continue to move
the industry forward.

20 CISOs responsible for a combined 300,000+ employees
Across 8 verticals
With offices around the globe
All with one goal: to protect & enable their organizations.

MISSION STATEMENT

Feats of Strength is a business-focused information security
magazine.

We provide a platform for a diverse set of industry leaders to
share their success and challenges.

By connecting people with thought leadership content, we
examine different ways to build confident information security
programs.

2 FEATS OF STRENGTH 


LETTER FROM
THE EDITORS

We started the year confident that CISOs would take action and execute on their goals. Many of the CISOs we spoke with began 2016 focused on growth, innovation, and strong alignment with their CEOs. We learned more about the needs of key C-suite players and their top concerns for information security. CISOs discussed the importance of understanding the goals and language of every part of their organization.

During the summer Olympics this year, we recognized the many international concerns for information security. CISOs discussed the importance of preparing for business with Europe and the top data protection and privacy concerns of each country.

We ended the year taking a glimpse into CISO progress and how they measured growth and milestones. Many we profiled discussed their engagement in the Boardroom along with their impact on tangible and positive business outcomes.

From the 2016 profiles and two CISO Summits we hosted, clear trends emerged that we share with you in this Yearbook.

Thank you to those who contributed and helped shape this year into the most successful yet for CISOs.

Kevin West
CEO
K logix
(617) 731-2314
[email protected]

To our 2016 Yearbook CISOs,

I want to personally thank each of you for allowing me to work with you to create outstanding, thoughtful profiles. You opened up and shared your stories of growth, experience, struggle, and success with me. I appreciate your transparency and openness, allowing me to profile key areas that have greatly benefitted our audience of CISOs and security leaders.

To the rest of the CISO community,

I am passionate about bringing together the CISO community – you are the trailblazers leading the way for generations of CISOs to come. As you can see in this Yearbook, we strive to gain mindshare with business-focused, proactive CISOs, and would love the opportunity to feature you. Moving ahead in 2017, I look forward to tracking the progress of all the CISOs we have featured and continuing to learn, grow, and connect with our community of security leaders.

Katie Haug
Marketing Director
K logix
(617) 731-5235
[email protected]


PROFILES IN CONFIDENCE

ADVERTISING

8 John Whiting, CISO, DDB
10 Thom Langford, CISO, Publicis Groupe

CONSULTING

12 Jenna McAuley, CISO, Mercer
14 JP Saini, CTO, TRC Solutions

FINANCIAL SERVICES/BANKING

16 Barry Abramowitz, CIO, Liberty Bank
18 Jay Leek, CISO, Blackstone Group
20 John Nai, CISO, Paypal
22 Mike McGovern, CISO & CTO, Metro Credit Union

HEALTHCARE

24 Anthony Siravo, CISO, Lifespan
26 Arthur Ream, CISO, Cambridge Health Alliance
28 Dr. David Reis, SVP & CIO, Lahey Health
30 James DiDonato, CISO, Baystate Health
32 Kathy Hughes, CISO, Northwell Health
34 Ken Patterson, CISO, Harvard Pilgrim Healthcare
36 Pat Darienzo, CISO, Catholic Health Long Island

INSURANCE

38 Brian Haugli, CISO, Hanover Insurance

INTERNET

40 Cory Scott, CISO, LinkedIn

MANUFACTURING

42 Kevin Brown, CISO, Boston Scientific

SOFTWARE

44 Kevin Hamel, CISO, COCC
46 Vanessa Pegueros, CISO, DocuSign


WHAT WE
LEARNED
in 2016

TOP 10 TRENDS THAT MATTERED MOST IN 2016:

1. Maintaining a shared vision with the Board and
executives
2. Focus on security initiatives related to revenue-
impacting programs
3. Importance of reputational risks
4. Increase in information sharing
5. Information security as a competitive advantage
6. Decentralization of information security
7. Risks associated with third party vendors
8. Cyber insurance
9. CISOs reporting outside of the CIO
10. Information security education for the entire
workforce


Cybersecurity Industry in 2016:

Grew from a $3.5 Billion industry in 2005 to a
$75 Billion industry in 2016*

80% of Boards are concerned or very concerned with cybersecurity**

On average, businesses boosted their information security budgets by 24%*

76% of CISOs created metrics they presented to executives***

*Cybersecurity Market Report published by Cybersecurity Ventures
**ISACA State of Cybersecurity 2016
***SANS IT Security Spending Trends 2016

Based on 30+ hours of CISO interviews, here are the most common words CISOs used while describing their experience and responsibilities:


PROFILES IN ADVERTISING

JOHN WHITING
CISO, DDB

HEADQUARTERS: New York City, NY
EMPLOYEES: 15,000

DDB is a large, global advertising network with 15,000 employees at several agencies around the world. DDB is a part of Omnicom Media Corporation, which is among the top two global advertising conglomerates. A mandate from Omnicom’s Board put a heightened priority on Information Security, resulting in the hire of John Whiting, their first Global Chief Information Security Officer. The global nature of the role, the fact that it is a new position, and the nature of working in a creative environment present Whiting with a number of unique challenges.

INTRODUCING SECURITY PRACTICES AND POLICIES FOR THE FIRST TIME

“It was a mandate from Omnicom that brought me to DDB. In the beginning I was set up to be a sole contributor, running information security as an independent function, but the CFO quickly realized that I could not do this by myself. Now I have budget for help and resources available to me from other infrastructure teams. Those teams each have dedicated people to the security effort. We’ve quickly gained support for the programs,” said Whiting.

Like many CISOs in other organizations, Whiting started with a gap analysis to identify weaknesses and make a strategic three-to-four year plan that sets priorities for the security team’s efforts. Those priorities cover all areas of security – Awareness, Cyber and Vulnerability Management, Government, Regulations and Compliance, Configuration Management, Process Optimization and Physical Security Standards. Whiting works with the regional IT Directors who are responsible for the implementation of security efforts across the many agencies within DDB. He says, “Their security program is my program, I push down. If they want to do something different we have a process for exceptions and changes. That process allows them to meet security standards while working within the particulars of their agency requirements.”

Whiting runs a global program supporting regional organizations with unique needs. Because of the company’s international structure, Whiting reports to the Global CIO, who reports to the Global CFO. The advertising industry is a unique industry that runs on constant acquisitions and divestitures. This adds an extra level of complexity to a security program, as there are no greenfield opportunities to build out a program. The budget process involves communicating needs and initiatives to the CFO and presenting timelines for implementation. Whiting also benefits from working with his colleagues, four CISOs at the other Omnicom companies. Together, the five CISOs decide on major security initiatives to be implemented across all Omnicom brands. They also rely on each other for best practices and insight, as each is at a different stage of rolling out their company’s first security program.

INTERNATIONAL ORGANIZATIONS REQUIRE GLOBAL THINKING

DDB is international, so Whiting does not adhere to a specific set of standards. He says, “It is a hybrid approach. For the most part we follow ISO, with a little bit of NIST and COBIT. NIST is so US-centric that it does not work well internationally. There is push back from other regions when we try to implement something like NIST.”

Whiting says, “The challenges to data protection and information security are standard across the globe, but countries like Germany, Argentina and Singapore have strict data privacy laws, so DDB’s agencies in those countries are above the bar. Canada does not allow data to leave the country, so they have tighter standards as well.”

SECURITY AND CONTROLS IN A CREATIVE ENVIRONMENT

Whiting says, “I came from AIG, which is in the financial services industry, so a little different in terms of accepting controls and processes. Advertising agencies do not like controls or being locked down. It’s a balancing act for sure.” Whiting’s efforts at DDB have been helped along by client demands for security standards. “Similar to other industries, advertising clients have developed full-fledged governance programs. They are holding us liable with regards to what we do with their information; we are just as liable as if we were a financial services company. The push from clients, and the potential impact of security on the bottom line has helped me institute the necessary safeguards.”

Since security does not come innately to advertising executives and art directors, awareness training and advocacy are big priorities for Whiting. “I’m seven months into this job, so I have started with creating awareness at the top level,” said Whiting. “I work with all the regional CTOs and regional IT Directors. Since I report into IT I feel like we have to get our act together first, in order to prove security’s value. I also talk to all the agency executives. I am asking them to be facilitators. Each agency owns the information they have on clients, and they own the process. As a business unit they take accountability for what happens to that information, and how it is secured.”

GROW AND LEARN WITH PEERS

Whiting is fortunate to have four peer CISOs within Omnicom Media Corp, but he also relies on networking and information-sharing at conferences to keep up-to-date and educated on the industry. “I was just at a small conference and I met a CISO from a competing agency who has been doing compliance management in the advertising industry for 20 years. Those are the types of conversations that help me. We talked about the stuff you can’t learn in the classroom,” said Whiting.

Like many of his peers, Whiting believes the technical knowledge required for Information Security can be learned on the job, or through certification programs and associations. He encourages those interested in Information Security to study business, accounting or risk management in college. Whiting was a pre-law major in college. Early on, that background helped him to understand contracts and security clauses in Service Level Agreements, and his law background helps him to more easily understand compliance requirements and legal mandates.



THOM LANGFORD
CISO, PUBLICIS GROUPE

HEADQUARTERS: Paris, France
EMPLOYEES: 77,000
ANNUAL REVENUE: $10.6 Billion

PRESENTING SECURITY TO THE BOARDROOM

Thom Langford, the CISO of Publicis Groupe, believes his experience presenting to large audiences at global information security events has helped him better communicate with senior executives at his organization. Whether presenting to a room full of CISSPs, or strategic business executives, he strives to deliver concise, relatable, relevant and engaging content.

“In 2010, I decided to start doing more public speaking. I got engaged in the information security event circuit and I crashed and burned a few times,” said Langford. “But I worked hard to hone my presenting skills. I studied the industry, and solicited honest feedback from friends and colleagues.” Langford learned that the fundamental key for presentations is that less is really more. “Instead of presenting a lot of data and facts, focus on simple statements that you can back up with facts,” said Langford. “Over time, I got to the point where I could deliver a presentation without breaking into a sweat.”

For Langford, presenting to the Board should not differ from how he presents to conference audiences. “In the Boardroom, you still have a fixed amount of time. You have a set amount of time to deliver information that will be understood and remembered more than 30 minutes later.” Langford recommends Slideology and Presentation Zen to those looking to fine-tune their presentation skills. “They helped me boil down what I want to get across into a two minute visually impactful presentation.”

OPPORTUNITIES, MENTORS, AND MISSTEPS

Langford started working at Sapient in 2002, after a long career spanning IT and facilities roles in global companies such as PWC. At Sapient in 2008 he identified a gap in the company’s internal services, specifically related to information security. “I spoke to the COO and explained what I felt was missing and that I could do the role. He added four or five other components to it and I was tasked with starting the security office on two beans.”


“I was learning the business relationships and the politics of the environment. It is my job to make sure the business knows who we are and what we can do for them. We have to market ourselves hard, talk to stakeholders and ensure they know how and why they can engage with us. It is important to have empathy and understand their problems.”

Eventually, Sapient brought in an official CISO to work with Langford. The two quickly developed a close working relationship and Langford realized the many learning opportunities he could glean from the new CISO. “We got along really well and I was fortunate to work with him. I learned so much from him. It is always valuable to have someone who has been in the industry and understands your perspective. It is also good to have a mentor to champion you and be in your corner, to validate your decisions and say, ‘yes, you are right’, even if the company ultimately goes in another direction.”

An early failure with a big security project was just as integral to his development. “I tried to overcomplicate a solution and that meant the business was not behind me in the roll out. The project did not get the results it needed and I got a stern talking to from the COO,” said Langford. “We ultimately made it work because we simplified, simplified, simplified. Now, whenever we need to engage directly with the business for a security project, we simplify. It works.”

Ultimately, the CISO left Sapient for another role and Langford quickly moved into the CISO position. Soon after, Publicis Groupe acquired Sapient, and the marketing and advertising giant recognized the strength of Sapient’s security program and put Langford in charge of the global company’s security effort.

“The transition into Publicis Groupe was straightforward in some ways, but challenging in others. The team was made up of existing Sapient and Publicis people. I had to lean heavily on the team to keep the wheels on, and they were fantastic at responding to requests and getting the job done while I navigated the new corporate structure. As a CISO, you need to be able to trust your team, give them a framework and empower them to make decisions.”

“In many ways, we were a new team last year. We were largely the same group of people, but in a whole new environment. We had to focus on delivering the basics. Now our goals are broader. We are establishing consistent policies and working on consolidating our business continuity and disaster recovery programs. A new program is focused on threat intelligence and being proactive about identifying zero day threats. Security awareness and training is a priority this year as it is critical to everything we do. We are one year in and we have started to establish ourselves as the security team and people are now coming to us with their issues,” said Langford.

SECURITY AS A COMPETITIVE ADVANTAGE

Now that Langford’s security team has settled within Publicis Groupe, he seeks to positively impact the business through strategic security initiatives. “I am just back from a conference where I delivered a talk on competitive advantage. We can make security a competitive advantage by supporting the business. To do that we have to be flexible and adapt at the same speed the business adapts to changing business decisions.”

Langford continued, “Within the advertising and marketing services industry, security can be a competitive advantage. Campaigns take in a lot of sensitive consumer data and it matters how we handle that. We don’t want data stolen or lost to competitors. A client told me that it takes them three months to accept code from their suppliers because of multiple security reviews. If we can do security code review before we send it to the client, then we can cut that timeframe down to a single security review. Testing then takes just three or four weeks. For Publicis, that means we can finish and bill projects more quickly and clients can get to market with their campaign more quickly.”

HOST UNKNOWN

Described by fellow performers as both a “dinosaur” and the “grand-daddy of information security”, Thom Langford is the sole founder of Host Unknown, a loose collective of three infosec luminaries who take an irreverent look at the cybersecurity industry. You can catch their musical parodies, “CISSP” and “Accepted the Risk”, amongst other content on their website, www.hostunknown.tv, or on YouTube.


PROFILES IN CONSULTING

JENNA MCAULEY
CISO, MERCER

HEADQUARTERS: New York
EMPLOYEES: 20,000+
ANNUAL REVENUE: $4 Billion

Jenna McAuley is eight months into her role as CISO at Mercer, a global consulting leader in talent, health, retirement, and investments. She says, “At Mercer our mission is to advance the health, wealth, and careers of 110 million people. We do that through talent development and learning programs. The mission of Mercer is tightly entwined with my approach to security. I believe in the idea that security is a corporate culture. It needs to be in the fabric of everyone’s interactions with clients, customers, and data. So this human-focused approach to security is really just a natural extension of the Mercer mission.” She continues, “My biggest objective is expanding ownership of security. I want to empower people in accounting, HR, and executive assistants – everyone in the company – to realize that they can be a part of the security solution.”

COMMUNICATION, REVENUE ALIGNMENT, & EFFICIENCY GAINS

McAuley employs a number of security awareness training programs. One successful program was a blog campaign tied to Cyber Security Awareness Month. For 31 days she posted a new, easy-to-understand blog post each day about a different security topic, such as two-factor authentication to better secure your Amazon account. Her users truly embraced the learning because it was communicated in an easy-to-understand and engaging manner. By the end of the month she was able to impart more advanced security topics, like threat modeling. As employees felt empowered to protect themselves outside of Mercer, they felt, in turn, more empowered to protect Mercer as well.

McAuley takes security out of the back room and makes it something everyday users can understand and talk about. Bringing security out of the back room means technical team members have to be competent communicators. “Communication in general is so important. We need to translate the technical aspects of what we are doing to a non-technical audience. This is likely the most important factor for career growth for security professionals. You have to be able to translate battlefield to boardroom. The ability to communicate how security impacts sales and revenue in a business manner is critical.”

Prior to Mercer, McAuley worked in consulting, where she had to prioritize financial impact for her clients. She says, “As a consultant I was forced to think about driving profitability. As a CISO you need to be competent in all technical domains. I need to be competent as an incident responder, as a SOC engineer, I need to understand threat intelligence. But layered on top of that is the sense of driving profitable growth.”

“For a CISO, the CIO can be a very powerful ally so long as the organization they are running is not solely a technology shop. Information Security and Cybersecurity are broader than IT. Security is based in risk and it has to be something that is aligned to business strategy. As long as you have a broad enough perspective into these business functions, then the security program can be effective under the CIO. When the CIO function starts with information, not technology, the CISO and CIO functions can be highly collaborative and successful.”

Another way McAuley is instilling a security-aware culture is by saying “Yes”. She says, “These days clients are buying with security as a consideration. They need to know that their information is protected, and used appropriately. This is a great opportunity for our team to show our impact on growth. Instead of viewing security as a cost-center, we aim to present security as a key business enabler that can drive profitability and client experience. We need to take down some of the challenges and frictions between security and process in an organization and focus on how to be more operationally efficient with our security. We need to make it easier for employees to be productive. We do that by saying yes instead of no and figuring out how to securely enable those functions.”

DRIVING THE CONVERSATION WITH THE LEADERSHIP TEAM

“Transparency is a big part of how I communicate to my leadership team. I present a realistic portrait of where we are and where we need to be. If you want the CEO and CFO to understand the technical risks and the value of a solution you want to implement, then it behooves you to articulate the ROI. That means answering questions like ‘How are we mitigating risk?’, ‘What is the commercial viability of a solution?’, ‘How does this solution drive the growth agenda we have as an organization?’. Understanding our growth agenda is of critical importance. If I don’t understand where we need to grow then I don’t understand how to securely enable it.”

As with many companies, growth will come from innovation, a large priority for Mercer. McAuley needs to be in lockstep with the CEO’s vision in order to align security appropriately to enable innovation. To do so, McAuley says she follows the military concept of “two-up/two-down”. This means the team needs to have an understanding of the priorities, challenges and decisions being made two levels up, while teaching and coaching those same priorities and challenges two levels down the organizational hierarchy. This approach allows her team to understand motivations and drivers across the organization and effectively communicate and position security to be successful.

McAuley has open dialogue with her CEO and the rest of the executive team. While being open to any questions or concerns they have, McAuley makes an effort to drive their conversations by proactively providing educational information. “Rather than waiting for a question from my CEO, I try to keep the leadership team well-informed. I send a weekly communication explaining what has happened in the industry and the potential impact it can have on Mercer.” By driving the conversation, McAuley is able to better direct the CEO and various executive committees’ questions and areas of attention.

STARTING EARLY WITH CYBER SECURITY AWARENESS

It is no surprise that a CISO who values the human element of security would want to start early with security training. As a member of the Executive Women’s Forum, McAuley regularly participates in the Cybersecurity Schools Challenge. In the challenge, security professionals teach kids as young as five to think about online safety and security.



JP SAINI
CTO, TRC COMPANIES, INC.

HEADQUARTERS: Windsor, CT
EMPLOYEES: 3,800
ANNUAL REVENUE: $646 million

JP Saini has held the position of CTO and Head of Information Security at TRC, a national engineering, environmental consulting and construction management firm, for the past 8 years. In those 8 years he has evolved the Information Security program with commitment from the CEO and the CRO, and with a lot of hard work and effort put into the people side of security. In fact, Saini says that his biggest challenge in business has been change management. “People tend to dilute the challenge of change management. It takes effort to effectively engage your target audience – employees, partners, clients, or the Board – to embrace changes in behavior.” While Saini lists change management as his biggest challenge, he has found success in the process.

Success came because Saini put a premium on the human elements of Information Security. He says that it is important to put a few layers of security, including technology and processes, around critical assets, but the most important step is securing the human element. “Many of the security organizations spend a lot of money on technology and process, they forget about the people,” says Saini. He believes this is a mistake. “You have to invest in the people and prove the value of Information Security.” This will engender change and make the organization more willing to embrace it. Saini says CISOs must, “Find a way to continually present the outcomes of security efforts so that the credibility of the program is not lost.”

Showing results includes tracking annual and quarterly progress via reports for the Board, but is better explained to the company as a whole with anecdotes and progress updates. Saini says, “At the employee level we continually highlight any progress and updates that we can in the employee newsletter. Now, we cannot disclose every single detail to our employees because of employee turnover and confidentiality, but we are constantly communicating at a high-level about the progress being made. We talk about ease-of-use, things to be aware of, and recent successes. The mind does not know what the eye does not see, so we put as much information as we can in front of people.”

Saini notes TRC’s employees’ willing adoption of self-implemented mobile device management as an example of effective change management that improved security. “We allow up to five devices – whether they are TRC provided or not. We put the instructions for enrolling on the intranet, and people use it. If you make information meaningful, accessible and visible, your audience will respond to it.”

As Saini considers change management one of his biggest challenges, it is notable that he considers empowering TRC’s people as his greatest success. Saini says, “Beautiful things happen when you empower people, including your team, your peers, and your board. Empowerment does not mean that they have access to the cruise missile push button, but empowerment does give them access to information, and the authority to make smart decisions. Within the IT department at TRC we have empowered our people to be confident employees and we have seen great results, including high retention rates. People raise their hands to lead new projects and initiatives.”

WORKING WITH LEADERSHIP TO IDENTIFY SECURITY CONCERNS

Saini reports into the CFO, who is also the Chief Risk Officer. He also works regularly with the company’s Senior Management team and Practice Leaders to ensure a security focus in all projects that impact customers, partners, and employees. Saini reports that both the CFO and the CEO are proponents of Information Security. The CEO is very interested in engaging in security discussions. Recently, TRC started a program to evaluate the Information Security strength of TRC’s many subcontractors. Leadership came together and decided that as the company strengthens its own security posture, it must also look at the posture of its subcontractor eco-system, because anything those companies do as agents of TRC impacts the organization. Saini has a leadership role in helping to evaluate and ensure subcontractor performance as it relates to security.

A FUTURE-FOCUSED APPROACH TO SECURITY

TRC is a company focused on growth and expansion. As a result, Saini spends a lot of his time evaluating and reporting on risks related to acquisitions, and on integrating acquired organizations into the company in a secure manner. The company is pursuing ISO 27001 certification, which will ensure it meets international security standards. “ISO 27001 will allow us to effectively scale as we grow beyond the United States. We will not have to worry about changing our security practices to meet international standards,” said Saini.

BUSINESS ACUMEN ENSURES MORE EFFECTIVE SECURITY

Saini believes business expertise and acumen are becoming critical to effectively run Information Security programs. Saini believes business skills can be learned outside of the classroom as well. Saini says, “Business experience is a relative term. I do not think a business school will give you all those skills. You need to have the right level of business experience. You need to have a good mentor. Plus you need to have some formal training in understanding the basics of business. You can become a CISO because you are a great techy; to be a great leader you have to harness a few skills from the business side.”

The important thing is that CISOs understand how business functions so they can align security to business priorities. Saini says, “In my view, if you cannot run your own business, you cannot help anyone else run theirs. You have to be able to run any segment of an organization as a business. With a purely technical skill set it can be easy to get stuck in your own world and become too focused on the best technology or best certifications. You have to go beyond technology, process, and people and take a business approach. You have to understand what is happening in the market. What is driving the clients? This is your biggest strategic driver. Within the company you have to be able to sell security to the other stakeholders. That is easier to do when you understand their priorities.”


PROFILES IN FINANCE/BANKING

BARRY ABRAMOWITZ
CIO, LIBERTY BANK

HEADQUARTERS: Middletown, CT
EMPLOYEES: 705
ANNUAL REVENUE: $4.5 Billion

INFORMATION SECURITY TAKES CENTER STAGE

As CIO of Liberty Bank, Barry Abramowitz’s responsibilities cover the entirety of technology operations for the company, including security operations. Liberty Bank is the oldest mutual bank in Connecticut with more than $4.5 billion in assets and 56 banking offices throughout the central, eastern, and shoreline areas of the state. “My role has shifted from 80% technology innovation and 20% security, to 80% security and 20% technology innovation. It’s just the nature of business now; security is front and center,” said Abramowitz.

“The shift in my focus is a byproduct of our environment. In banking, internet services have really taken off in the past decade, with mobile apps and the Internet of Things leading the change. More systems are connected, more business is done over the internet, so this creates more security issues. Twenty years ago, security was about access and asset management, now security is about protecting your business from the world.”

As head of the technology and operations division, Abramowitz leads a team of security engineers who implement the organization’s security controls. He also partners closely with the bank’s Risk Management organization, which is responsible for information security policy and procedure. Abramowitz said, “In business today, security is everybody’s job, but my role is to be one of the thought leaders for the bank as we address information security. I work closely with the head of the Risk Management team to implement the necessary controls.”

TECHNOLOGY STRATEGY REFLECTS CORPORATE GOALS

Abramowitz and his team create a technology strategy to mirror and support the bank’s overall goals. The bank clearly states their goal to maintain a positive reputation with customer service, even as they grow their digital services, expand their market position and evolve to support more non-face-to-face transactions with customers. Other important aspects to the bank’s success include maintaining a well-trained and engaged workforce and being responsive to risk and compliance requirements. “Those are our top corporate strategies. Relating to what I do and how our group performs, I take the corporate plan and develop


a technology strategic plan to support it,” commented Abramowitz.

The bank’s current technology plan is focused on customer and employee self-service and security of those systems. The technology team is also focused on managing data in an effort to make Big Data more available and easier to digest and understand, and more secure.

Abramowitz’s team selected the NIST Cybersecurity Framework as a way to measure and manage security efforts as well. He stated, “Once we decided to work within the NIST framework, we had an independent assessment to help us baseline our maturity level. This really helped us understand where we are as an organization and where we need to go. It helped us prioritize our efforts and gave us a way to measure success. We overlaid our risk assessment process on top of NIST and we have a good roadmap for our security program. Now we report our progress against NIST to the Board on a regular basis.”

Abramowitz reports directly into the CEO, who approves his plan and budget, along with the Board. “Our CEO and Board are very engaged in cybersecurity and they recognize the importance of it to our organization.” Abramowitz fosters this interest through regular interactions with the Board. He provides monthly reports and presents to the Board in person every two to three months. In those presentations Abramowitz focuses on making cybersecurity relatable to his audience, through emphasizing business impact and drawing comparisons to issues they may recognize as general technology consumers. “We have also brought in third parties to give perspective on security to the Board. That format also works very well,” he said.

EVOLUTION IN THE INDUSTRY OVER 20 YEARS

A key evolution Abramowitz experienced during his long tenure as CIO is the bank’s approach to technology purchasing decisions. Abramowitz said the emergence of numerous technology startups with impressive and innovative solutions, particularly in IT security, has made the bank more willing to make investments in technology solutions from emerging companies. “Previously, we had a minimum requirement of a certain number of years in business in order for us to work with a technology provider, but the technology market is evolving so rapidly, we are moving away from that requirement. Especially in security, we need to be able to evaluate the most cutting edge solutions that address today’s concerns best,” said Abramowitz.

Abramowitz does caution other CIOs and CISOs to look carefully at their existing assets and infrastructure before making additional purchases. “You have to be very pragmatic and go back and revisit your tool sets from time to time. Can we improve our current processes with existing systems? Are there updates or enhancements to our existing solutions that will solve a new problem we have encountered?” said Abramowitz. He continued, “We do a good job of tracking enhancements with our core banking system, and we are working to extend this to all of our systems. When new releases come out, we track all of the enhancements, even if we do not implement them. The worst thing you can do is bring in a new provider to solve a problem that an existing system could address easily and cost efficiently.”

LOOKING BEYOND BANKING FOR INNOVATIVE SOLUTIONS AND EXPERTISE

“I am a committed community banker. I have been in banking my entire career and have many peers in my industry that I rely on for expertise and shared insights. What I do now is take myself out of my comfort zone. I routinely attend functions with representatives from other industries – such as healthcare, pharmaceuticals, insurance and manufacturing. Sometimes I am the only banker in the room. Because industries sometimes march in line, the group can overlook other ways to address issues and approach opportunities. Speaking with peers in other industries exposes me to new solutions,” said Abramowitz.

He continued, “Likewise, there are vendors who get strong footholds in different industries. This could be because of word of mouth, and those vendors may not be working with the financial services industry because of their traction elsewhere. But their solutions can be very relevant to our problems or what we are trying to accomplish. I have met a different set of vendors this way, and when we bring them into our environment it is very refreshing and very educational.” In general, Abramowitz believes it is necessary to stay educated and be open to new solutions in order to keep pace with emerging threats and issues facing businesses today.


JAY LEEK
CISO, BLACKSTONE

HEADQUARTERS: New York City, NY
EMPLOYEES: 2,190
ANNUAL REVENUE: $7.4 Billion

“I believe that we have a CEO-led information risk and security program,” says Jay Leek, CISO at Blackstone, a New York based asset management firm. According to Leek, a CEO-led information risk and security program means Blackstone executives contribute to a strong top-level commitment of protecting company assets and information. Leek became Blackstone’s first CISO four years ago due in part to support from senior management in the firm, who were the major drivers in creating the position. During this time, senior management clearly identified security as a priority for the company, something that remains a top priority today.

Leek reports into Blackstone’s CTO, who reports to the CFO, yet still possesses ample visibility with other senior leaders throughout the firm. When Feats of Strength spoke to Leek he had just come from a regular, standing meeting with Blackstone senior leaders. In that meeting Leek presented the three year security plan for the company. Leek says Blackstone senior management’s commitment to security comes from understanding the value of the firm’s information. Leek says, “My senior management feels confident in where we are, but remains on guard about the unknown. The key takeaway is that we can never slow down. In fact, it is how can we speed up? We are constantly challenged to push the program as fast as we can without breaking the organization. We have a responsibility to do our best to protect the firm for our shareholders and limited partners.”

Since Leek has regular interaction with senior management, he has developed a proven approach to effective communications. “Facts,” continues Leek, “We weave in qualitative analysis about our company, and support that information with external data points. Our program is focused on situational awareness, intelligence-led information security and risk management. With regards to threats and incidents, we need to know who, why and how they are attacking us. We need to know their motivations – that requires intelligence gathering and situational analysis. So we educate our senior leadership on this information and approach, and back it up with facts. This approach helps us frame the problem on a continuous basis and helps the executives wrap their heads around it.”

Leek states that part of building and maintaining an executive-supported security program requires thinking like business people, specifically your company’s business people. “If our senior leaders think of me as just ‘the security guy’ then I have failed in my mission. I believe that our leadership team views our security team as business leaders who simply happen to know a little more about security than others in the room. This approach allows us to function as


trusted business advisors in conversations about cyber risk. We must be thoughtful in how we frame that risk in regards to all the other risks across the firm.”

Mentors and a Network of Peers Help Leek Make Tough Decisions

Leek is fortunate that he has access to a large network of security professionals, which he has helped to hire at Blackstone’s portfolio companies. In addition, Leek serves on the Board of some early stage security companies, so he has multiple opportunities to engage with security leaders. One of Leek’s mentors is Jim Routh, the CISO of Aetna who was also featured in Feats of Strength last year. Leek says, “I have so much respect for Jim. I have consulted with him, in an advisory way, before I have made big steps in my career. When we see each other, we compare notes and collaborate. I have a lot of senior level security executives like Jim in my network and am both grateful and fortunate for this. We make a concerted effort to get together on a regular basis and compare notes. We are a collaborative community so no one has to reinvent the wheel. We learn from each other’s successes, and yes, failures, too.”

Retaining a sturdy business-focused approach permits Leek to consider security through the lens of a financial business leader. He asks, “What is the impact of this security function on the business user? How does the business user feel? Does it impact their work? What is the benefit the business gets from this security control? Is it worth it in the end?”

With security as a central priority for the company, Leek acknowledges the opportunity for security to be considered a competitive advantage for Blackstone, even though the company does not talk about security externally very often. “The alternative asset management community is close knit. There may be eight or nine firms that have CISOs. We are very open in communicating across all these firms and believe this is an important advantage. We also educate our limited partners on what we are doing from a security perspective and why we are doing it. They ask about business continuity and disaster recovery, and we go beyond that to explain information security risk management. It sends a positive message to our limited partners. These limited partners are making 15-20 year financial commitments with us. They want to know our strategy and our culture to make sure their investments and information is safe.” Leek believes their security program can be a differentiator in many of those conversations.

A “NO EGO” POLICY MEANS GOOD SECURITY IDEAS CAN COME FROM ANYONE

“I believe that over the last 20 years, as an industry, many of us have done a disservice to our security programs with complex frameworks and too many controls. Security needs to be described simply so that everyone outside of the security and technology teams can also understand it,” said Leek.

He continues, “Others [in the organization] can come up with security ideas that can make your business better when they understand security’s objectives and necessity. The Blackstone security program is not my team, it is the firm. We support a culture that understands security. Our program is not perfect; we need to get better, but we have been building this culture of education and responsibility for four years. Now we have people from across the company weighing in on how Blackstone can be a safer place.”

That collaborative, open environment starts within Leek’s team, which includes dedicated internal security personnel, an outsourced SOC and numerous other personnel who help support security functions in other areas of the technology group and in regional offices. “We have a ‘no ego’ policy,” said Leek, “I don’t believe in a hierarchy. I do have a deputy CISO to help scale our program, but we maintain a flat organization and a team of equals. There is implicit trust between us. Every now and then someone needs to make a decision and that is what I am here for, but we work openly and collaboratively as a team. Communication is pervasive across our team. Everyone knows what is happening across the program with a few exceptions, for things like sensitive investigations. Everyone is held accountable and empowered to make decisions.”

GROWTH AND EDUCATION ARE PRIORITIES FOR THE YEAR

Leek says his team works continuously at educating the most senior level management on the importance of security, but his team must focus on the firm as a whole. It is everyone’s responsibility to help protect the firm, and it is our job to empower them with the knowledge on how to do it. “We try to train everyone without being a nuisance. We want to make sure that everyone [text garbled in source] Blackstone.” [text garbled in source] functions and becoming one thousand times more efficient as a result.” They are constantly striving to get closer to this goal.


JOHN NAI
CISO, PAYPAL

HEADQUARTERS: San Jose, CA
EMPLOYEES: 16,800
ANNUAL REVENUE: $9.25 Billion (2015)

“Our brand is built on the trust and security we deliver for our customers and merchants,” said John Nai, the CISO of PayPal. “That means security is not as much a competitive advantage as it is a table stake. It is an absolutely crucial part of our service offering.” Unlike many CISOs, Nai did not spend extra effort convincing his Board and executives about the value of security. He said, “When I sit on committees about building new products or applications, security is a consideration from the onset. I have an equal voice at the table with business unit and profit owners.”

SECURITY-FOCUSED CULTURE

PayPal’s security-focused culture lands Nai in front of the Board on a regular basis. During these meetings, he helps them understand many aspects of security, including the key measures his team takes to protect the brand. He commented, “I don’t need to convince the Board to make security a priority. They get it. At the executive and board level, we work to ensure they fully understand our security risk profile. Transparency with the board and the executive team is critical. The more information we share with our teams about our risk profile, our defenses, and how we are being attacked, the better we are all aligned and the better we can maintain brand trust.”

Innovation extends into PayPal’s products and services, with a key goal of doing so in the most frictionless and enabling way possible. Nai and his information security team work hard to ensure this frictionless experience

has a secure foundation. Nai said, “We are always walking the balance to make frictionless experiences that are highly secure. It is an ongoing dialogue within the company. Even though security and trust are in the DNA of PayPal, challenges still exist. We need to be an enabler and not a progress inhibitor. Too many security organizations think their role is to say ‘no’. We say ‘no’ when we have to, but we know our prime role is to enable the business.”

SECURITY IMPLICATIONS FOR CUSTOMERS AND MERCHANTS

“In respect to threats, PayPal is similar to most companies in Payments and Financial services; we are under constant attack from bad actors, so we need to make sure the Board knows what controls and risk mitigation we have or need. The Board’s understanding opens the doors for communication to all of our other communities. We start at the top level to get the support we need.”

With an influx of people’s personal information and financial lives online, many security implications arise for PayPal’s merchants. In regards to his relationship and approach with merchants, Nai commented, “I engage with some of our largest merchants. They want to know what we are doing to protect ourselves and their business.” He continued, “One of PayPal’s value propositions is that we provide secure transactions. Clearly secure processing is core for our largest partners as well, so they want to know what we do, how we do it and how we ensure our brand promise of trust and security.”

Merchants and customers have come to expect innovation from PayPal, something that extends to the information security team. Nai said, “We have the benefit of having massive scale in payment volume. We have 188 million active customers. From a security perspective we are in over 200 global markets. The scale in which we can do things is significant.”

SECURITY OF THE INTERNET

“We look at security internally and externally. We build security into our own platform and we also help with security of the technology ecosystem. For example, PayPal was one of the founding companies behind DMARC email protection and FIDO for authentication. We were among the first companies to offer a bounty for uncovering bugs. So of course we look at security internally, securing our own infrastructure and apps, but we also take a leadership role securing the technology ecosystem in general for our customers and merchants.”

Similar to other internet companies, PayPal invests heavily in security infrastructure and purchasing security firms to build out strong teams. In 2015, PayPal purchased the Israeli predictive malware detection firm CyActive. “That acquisition gave us their product, but also their talent. Now we have a large presence of highly technical security professionals in Israel,” said Nai.

Nai’s team, which includes hundreds of security professionals and 16,800 employees at PayPal who make security a priority, is set up to enable innovation. “Our team is spread out across three geographies. We have a core team in our San Jose headquarters and many security engineers in our Security Operations Center in Arizona. We also have a second Security Operations Center in Israel, so we have 7x24 coverage,” Nai remarked.

HIRING EXCEPTIONAL TALENT

Even in a well-tapped industry when it comes to recruiting security talent, Nai acknowledged a clear advantage at PayPal. He commented, “The security industry knows that PayPal prioritizes security, and that is a great enabler for us when hiring exceptional talent.”

The Silicon Valley culture and its ability to innovate contributes to his team’s success and their importance in fintech. “One big thing for us is we participate in information shares, peer-to-peer working sessions in Silicon Valley. People think the region is competitive, but there is a lot of cooperation here, too. At my level, I speak with my peers about things like how to talk to the Board.”

What is next for the future of PayPal’s innovative ecosystem? Nai said, “It is hard to predict the future and how commerce will evolve over time, but we are looking at partnerships with commerce in new contexts and how to protect that at the scale we need to do our business. That is the FinTech industry in general.”


MICHAEL MCGOVERN
SVP, CISO, & CTO, METRO CREDIT UNION

HEADQUARTERS: Chelsea, MA
EMPLOYEES: 300
ASSET SIZE: $1.5 Billion

INFORMATION SECURITY AND DISASTER RECOVERY GO HAND-IN-HAND

Michael McGovern, CISO and CTO of Metro Credit Union, stands in a unique position. He leads the company’s security effort, but also holds responsibility for the organization’s disaster recovery planning. Within this role he provides regular reports to the organization’s Enterprise Wide Oversight Committee (EWOC). The EWOC is comprised of the CEO, CFO, COO and SVP of Operations, each with a strong interest in supporting and advocating for the company’s security and disaster recovery programs.

“We meet with the EWOC once a month to go over Metro’s information security posture. They want to know about new security threats that are seen by other organizations and out in the wild, areas where we can improve security. This meeting is our opportunity to share important information with the leadership team,” said McGovern.

Conversations with the EWOC often become specific as they review data breach prevention tactics and McGovern provides an update on threats and how personally identifiable information is protected. “Discussions with the CEO can get fairly technical. We talk about stats, data and metrics – including, for example, geo-blocking stats,” said McGovern. He continued, “We want to make sure the key people in the organization understand information security threats and our objectives.”

McGovern’s disaster recovery work is strongly supported by the CEO and Board of Directors. “Because we receive the budget we ask for, we have built a strong technology-based infrastructure that allows us to replicate our data offsite to disaster recovery locations in a manner that is close to real-time. When I talk to other financial institutions, as well as auditors, they are surprised at the detail around our disaster recovery plan and the amount of testing we do on a quarterly and annual basis.” For McGovern’s program, disaster recovery covers technology (infrastructure), operations, as well as people. In the event of a disaster, he ensures a clearly defined process is in place that takes into account a number of different scenarios. He commented, “With my CEO and Board of Directors, we talk about recovery point and recovery time objectives. If we had a disaster today, what data would we lose? How quickly could we recover?”


TOUGH LEARNING EXPERIENCES

McGovern’s interest in the intersection of disaster recovery and information security stems from his early career experiences. “I have been working in the financial services industry for about 15 years, and before that I was in the technology industry. Years ago, when I was in the high tech field, information security was not much of a concern. We were all concerned about 24x7 employee access and availability. But, I clearly remember my first experience with a virus – it was the Nimda virus and it took our company out for a week or more. It took our company down to its knees and we had to call in a lot of help to clean our network up and get virus-free. That was the first time I realized the huge role information security can play in business and uptime.” McGovern also realized the key importance of establishing a thorough disaster recovery plan in preparation for this type of incident.

After learning this valuable lesson while working in high tech, McGovern then moved into his first role at a financial services organization as VP of IT at a large regional community bank. In the position for ten years, McGovern had the opportunity to greatly expand his security expertise. He said, “The financial services industry was ahead of high tech in terms of taking information security seriously and protecting member data. We were subjected to several audits by the state and the FDIC, as well as internal audits. In the early days, compliance was really driving our security efforts and purchases.”

VALUE OF CORPORATE CULTURE

Since arriving at Metro Credit Union, McGovern and information security programs in general have evolved to be less compliance-driven and more focused on aligning with the business to ensure positive member experiences and better protection.

“Our role now is to make sure the credit union can perform day-to-day activities in a secure environment,” said McGovern. “Our Board is really supportive of making sure we have a strong security posture. They want to know we are doing our best for our members’ protection. We have put additional security mechanisms in place and now we are focused on strengthening as much as possible and still allowing our employees to service our members.”

McGovern believes in the value of corporate culture and mindset when building out a strong security program, something which starts at the top. His Board represents a skilled and experienced group committed to making Metro Credit Union number one. Furthermore, McGovern reports into a very involved and engaged CEO, who makes security a key priority. He said, “The CEO is involved in all aspects of the IT organization. We connect three or four times a day.”

BALANCE IS KEY

One of McGovern’s proudest achievements at Metro Credit Union was creating the credit union’s disaster recovery infrastructure. In creating this, he pulled on lessons learned and experiences from earlier in his career, while realizing he needed to embrace innovations, such as Cloud technologies. “We built a great disaster recovery solution for my previous employer, but at Metro Credit Union I had to step back and evaluate if that same solution was still valid for Metro’s environment. I looked at Cloud technology, which has matured recently. It took me six months to review new solutions and evaluate from a cost and control perspective and put the right solutions in place for a successful disaster recovery program.”

Even with broad experience as a well-versed leader, McGovern continually works hard to balance traditional IT functions, information security and business continuity planning with a relatively small staff. Because his team is responsible for a diverse set of requirements, he looks to hire well-rounded problem solvers with good time-management skills. McGovern ensures they receive the technical and business training they need to support the solutions in their environment. “We train at least two people on the team in every technology, so we can all collaborate to get our various tasks completed,” said McGovern.

PEER COLLABORATION

McGovern commits himself to his own educational growth and continues to keep pace with evolving threats and emerging approaches to information security. He leverages communities like FS-ISAC, InfraGard and ISSA to keep abreast of best practices and to share critical information with peers. McGovern attends monthly sessions at the Federal Reserve Bank to keep up-to-date on cyber threats. He said, “The Department of Homeland Security gave a recent presentation and individuals from the Federal Reserve have given presentations on the threat landscape. These are incredibly helpful forums.”

McGovern said the events and exercises that involve peer collaboration represent learning experiences critical to the success of security programs. Just as critical to McGovern are key vendors and trusted partners that help keep him up-to-date on security best practices and emerging technologies. “It is impossible to manage all the vendors and keep pace with the innovations without help,” said McGovern.




PROFILES IN HEALTHCARE

can understand. “We learned how to present to the Board. I call it ‘Boardroom Mode’. You need to speak slowly, avoid fillers, and repeat your message in layman’s terms. You also have to dress the part. Lots of executives pre-determine who you are based on how you are dressed. Technical people do not always realize that how you dress matters. When I first started presenting, I wore business casual. When I switched to suits, all of a sudden they wanted to hear more from me. This is called mirroring. If you make them comfortable by dressing the part you will have better results.”

Siravo attended the MBA program at Bryant University, where they also emphasized the importance of working in a team. “The program used the Myers-Briggs test to methodically create teams of diverse personalities. We had to learn to work together. Every team member hated it at first, but by the end we were all best friends. It showed that you can work with anyone if you put in the effort.”

MATURE SECURITY STRATEGIES IN THE HEALTHCARE INDUSTRY

At Lifespan, Siravo came into the position after a number of shorter term predecessors, creating a challenge to piece together a somewhat disjointed information security program. He said, “While I wasn’t starting the security program, I have had to act as if I was. We were nearly starting from scratch.”

Another challenge Siravo faced was understanding the appropriate methods to increase budget and resources. To overcome this challenge, he put his MBA-acquired skills to use through strategic communication. He commented, “I spoke in business language while I presented and educated the Board and business leaders. I put together real business cases, not PowerPoints that do little more than point out threats and risks. I have an open-door, education-focused policy.”

Through discussing risk as it relates to business goals and metrics, Siravo further aligned information security with the organization as a whole. He emphasized, “Security is not the only risk to an organization, so you really have to build your case to get the budget you need.”

According to Siravo, “Lifespan’s mission is to ‘Deliver Health with Care’ and we accomplish this by prioritizing the 4P’s. The 4P’s are Patients, Providers, People, and Purpose, with sub goals to increase quality and safety in order to provide

information assets, intellectual property, and PHI from internal and external cyber and information security threats.”

Siravo lists education, training and awareness as one of several strategic security goals for Lifespan. Ensuring the entire workforce understands cyber threats improves the organization’s ability to protect the patients and people, and deliver on their purpose. To achieve this level of awareness, Siravo’s team focuses on educating users about ransomware and phishing scams. “I launched a phishing campaign at Lifespan that notifies a user when they have been successfully phished. More than half of our executives failed our first phishing test. They were mad! Now they are our biggest reporters of phishing. They took the exercise very seriously and we have dramatically improved as a result.”

His efforts are paying off as the organization continues to move to a more formalized security process. He said, “Exception approvals used to be verbal; we now have a written system. New risks are managed in our enterprise risk register (in conjunction with Corporate Audit), providing proper evaluation, and are addressed by Lifespan executives. There was no risk register when I came in.”

In addition to users and executives, Siravo holds business partners more accountable for information security. He established his own security analysis program for third parties and partners, and keeps tight control over security policy adherence. He said, “The SRA (Security Risk Assessment) is a process that all new vendors must go through if they access, store, or transmit personal health information, personally identifiable information or payment card information and business confidential data. We based our SRA on the NIST framework. The questions in the assessment align with generally accepted practices for a comprehensive security program. Once we have the answers, my team presents the results of the SRA to the legal, purchasing and the business sponsor for consideration.”

Another important strategic role for Siravo is his position as security consultant during intra-hospital or business partner organizational activities. He commented, “When new business partners inquire about our security capabilities, my office will, upon request, provide descriptions of our capabilities and our operational security execution.” By being a vocal and willing contributor to all conversations about security process, Siravo makes it easier for the business to collaborate and engage with
patients a better experience. Our security effort aligns with partners, and important business objective for the company, and
these corporate goals by ensuring compliance with regulatory an obvious example of Siravo putting his MBA to good use.
requirements such as HIPAA, CMS, and TJC and securing
the technology and patient data that help deliver health with
care. My organization seeks to protect Lifespan’s network,

PROFILES IN HEALTHCARE

ARTHUR REAM
CISO, CAMBRIDGE HEALTH ALLIANCE

HEADQUARTERS: Cambridge, MA
EMPLOYEES: 6,375

BALANCING MULTIPLE RESPONSIBILITIES

“Most moderate to mid-sized healthcare organizations have yet to commit to a full-time CISO,” said Arthur Ream, the CISO and Director of Applications for Cambridge Health Alliance (CHA), an innovative health system serving more than 140,000 patients in Cambridge, Boston and surrounding communities. “In fact, most managers, not just the CISOs in a healthcare organization of our size, have multiple responsibilities.”

To be clear, Ream is not complaining. “I enjoy the fast-
paced nature of the CISO role. In security, we always have
to be planning for the future and reacting to the changing
landscape. There is always something to learn and a new
issue to prepare for or address. In my role as Director of
Applications, things are a bit more methodical.”

While Ream’s dual position may be the rule rather than the
exception in the healthcare industry today, it still poses
specific challenges. The biggest challenge for Ream’s
team is time and resource management as they balance
application and information security demands.

“With a non-dedicated staff we are challenged to manage volume. We must be focused to ensure we are safeguarding our patients, our assets and our integrity within our budget and with the resources we have available,” said Ream.

Ream addresses this challenge through education and discussion with senior management and the Board. He said, “I try to engage the leadership in security and help them understand where our security program is today and where we need it to go.”

As a mid-sized organization, Ream has become more creative and adaptable in building his security program. Without the resources of a larger healthcare organization, he focuses less on following the details of specific standards. “We use NIST and ISO. We don’t report against the frameworks. We work to the intent of the standard,” said Ream.

For similar reasons, Ream is holding off on embracing any specific certifications. “We have to constantly weigh the value versus the cost, and I am still watching to see exactly where the industry will fall in terms of which certifications are industry standard. The certifications do have value, but oftentimes experience is what matters most. I am a big fan of on-the-job training.”

BUILDING A HEALTHY COMMUNITY

One of Ream’s favorite aspects of working at CHA is his dual roles and his team’s flexibility. He commented, “We get exposure to so many things, no one is pigeon-holed.”

Ream also appreciates the impact CHA has on the community, something that truly motivates him and his team. “Cambridge Health Alliance is the organization of the public health commission for the city of Cambridge and a teaching hospital for Harvard Medical School. Our mission is to improve the healthcare of the community we serve, which includes a large behavioral health population. My team’s value, and mine as the CISO, is to wrap appropriate policy and technology around the assets to safeguard our patients and our corporate integrity.”

Recently, CHA rolled out a program for e-prescribing controlled substances via Bluetooth. Doctors may now send prescriptions straight to the pharmacy, helping limit prescription fraud and curtail the city’s opioid epidemic, but also helping patients. Ream remarked, “Many of our patients might have needed to take time off work to pick up a paper-based prescription before. Now the prescription is waiting for them at the pharmacy. This type of program has a direct impact on the city and our patients’ lives.” Ream’s team played a key role in ensuring the integrity and security of the applications and systems supporting the program.

PRACTICE AND EDUCATION AT THE EXECUTIVE LEVEL

Beyond working on application-specific security efforts like eScripts, Ream and his team regularly work with other senior managers to ensure the organization is doing its best to protect critical assets.

In addition to occasional presentations to the Board, Ream regularly meets with senior leadership. “On a monthly basis I run a committee meeting that oversees the overall security of Cambridge Health Alliance,” said Ream. Participants in the committee include the General Counsel, Chief Compliance Officer, Chief Privacy Officer, CIO, HIM Director and Senior Director of Technology. “This group reviews new applications in our environment, current threats, HIPAA requirements, policy updates and our security plan.”

Ream and his team also participate in quarterly breach drills with the CEO, marketing and other senior managers. “All of the drills are based on scenarios that could really happen at Cambridge Health Alliance. A private contractor who knows our environment creates the scenarios for the drill – no one on our team knows about it in advance. For the next several hours we run through the logistics of the breach, practicing policy roll-out, communication skills, action and remediation. We receive a report and feedback based on how we performed. As a result of these drills we have been able to improve policy, open better communication channels and make our overall efforts more effective.”

Ream sees more involvement with the CEO and senior business leaders in his future, and in the future of CISOs in general. “There will be a transformation in information security at healthcare organizations. I think we will see CISOs evolve to a position similar to how the Chief Compliance Officer is currently positioned. CISOs and their teams will roll up directly to the CEO. But there will always be a tight and integrated relationship with the CIO, working collaboratively at a peer level.” To get there, Ream pointed out that CISOs need to be comfortable speaking the language of business and translating technology into relatable stories. He expects more CISOs to come in with MBAs in the future.


DR. DAVID REIS
INTERIM CIO & CISO, LAHEY HEALTH

HEADQUARTERS: Burlington, MA
EMPLOYEES: 15,000
ANNUAL REVENUE: $2 Billion

APPLYING AN INNOVATION FRAMEWORK TO INFORMATION SECURITY

“Trends in the security industry change so frequently we need strategies that help us deal with the near term while also preparing for the future,” says Dr. David Reis, CISO at Lahey Health. “We have to get a step ahead. There are specific frameworks to use to get through that process. The Kellogg [Northwestern School of Business] Innovation Framework resonates really well with me. It helps you develop an innovation engine for reacting to today and preparing for the future.”

Many CISOs regularly leverage frameworks and controls such as NIST and the Top 20 Critical Security Controls; far fewer apply a specific business framework. Dr. Reis runs Lahey’s security program around the Kellogg Innovation Framework, and explains how keeping an eye on innovation enables a strong competitive advantage and makes a lasting impact on organizational revenue.

“The Innovation Framework is qualitative and mathematical in that it can help you track your progress towards creating a security program that brings value to the organization. Through this approach we look at what is going on today, and what happened in history. We review how breaches occurred industry-wide. What has changed over time and what has caused that shift? This allows us to identify future indicators and prepare for them in advance. In security, it is counterproductive to look out more than a year, but we can be ahead of this week’s malware.”

The security program at Lahey facilitates business programs by moving past “blocking and tackling”. Dr. Reis accomplished this enablement by demonstrating how information security can drive innovation and evolve to become a high-functioning service. An example of this is the robust role of security in connected health, described as “telemedicine” with patients and other providers, where doctors and patients can interact outside of health care facilities.

Lahey has deployed cutting-edge technology, delivering healthcare outside of the four walls of treatment rooms in an easily accessible and secure way, as a direct result of the information security program. Dr. Reis says, “We are giving patients access to providers who they would not otherwise be able to access. For example, someone may be in the hospital with a chronic illness, and that person would typically have to come back to the hospital for on-going visits. This might be the appropriate treatment plan for some patients, but others would benefit from telemedicine. Our security team is driving the effort to extend the patient portal and video conferencing technology to connect patients to providers for follow-up after discharge without having to come back for an in-office visit. This is novel for healthcare.”

Dr. Reis understands the significant role information security plays in an organization and acknowledges its potential impact on revenue. While he stops short of saying the program is a revenue generator, he does believe security enables revenue. He comments, “I can show you how we have enabled millions of dollars a year in new revenue because we have securely opened up our services and access to populations that we could not reach before.”

Dr. Reis also recognizes that revenue impact is strengthened by support from Lahey’s business leaders, including the CEO, CFO and Board. Dr. Reis says, “The organization has given IT security a lot of resources and we are able to show our value. It can be hard to show ROI in security, so I focus on value. Kellogg teaches that value is equal to service plus quality divided by cost. At Lahey, our team is relentlessly focused on proving value.”

THREE COMPONENTS TO EXTEND SECURITY’S IMPACT

To establish the security practice as a business enabler within Lahey, Dr. Reis focuses on communicating without security jargon, acting as a trusted advisor, and resisting temptations to advocate through Fear, Uncertainty and Doubt (FUD).

• Communication – Dr. Reis believes effective communication is integral to developing a satisfactory relationship with the Board and senior organization leaders. He learned the language of business when he got his MBA, and now easily translates security requirements and needs into financial and business conversations. “You have to speak the same language as the executives,” he says.

Communication skills were fundamental in the early 2000s when Dr. Reis got his start in information security. He learned this lesson at a large, regional audit accounting firm where he performed internal and external audits. He says, “That is where I learned how to eliminate security jargon from my presentations because you could not get past the audit partners with security jargon in your report. That became a Rosetta Stone for me. I already knew about security, now I had a new language to communicate it to executives.”

• Never Say No – “Executives have their trusted advisors, the people on the team they go to in order to get things done, and you have to do the work to join that circle. My motto is never say no. Instead we say ‘yes, and here is how’.” By saying yes when executives or others in the organization want to implement a new tool, or introduce a new process, Dr. Reis engenders collaboration and positions security as a business enabler. To do so he must understand the team’s business goals and objectives. Then the necessary controls may be put in place to make the process work in a secure manner.

• Never Promote Fear, Uncertainty and Doubt – Dr. Reis advocates for security by talking about pragmatic approaches and security’s impact on positive business outcomes. He focuses on risk management and incidents in the company, and the industry, that can impact revenue. Sometimes, the Board will ask questions related to incidents in the industry, but Dr. Reis works hard to steer the conversation away from FUD. “What you present is as important as the fact that you are in the Boardroom presenting in the first place. You have to establish credibility as a business thinker. This is developed over time. We can now anticipate the questions our Board will have and proactively address them. This allows us to lead the conversation and helps establish confidence in our program.”

The First 100 Days

Dr. Reis has advice for new CISOs and says, “Gartner has a great CISO Framework for the first 100 days. The most important thing is to engage the leadership population and to understand at a general level what is working and what is not within the business. Ask, ‘What can I influence?’ You can gain credibility by delivering on things that address specific pain points, even if they are tangential to security.” Dr. Reis suggests that by establishing yourself as a business partner who can get things done you gain flexibility and leeway to implement vital programs.



changes and has three levels of graduated safeguards depending upon an organization’s size and complexity.

“Before we adopted the CSF, we had a security assessment done, so we knew what we needed to accomplish. We set a baseline and now we know that we are gradually elevating up the maturity ladder. The ladder gives us a grading system to make it very clear how we are performing,” said DiDonato. For him, the CSF ladder represents a tool to easily communicate information security and risk to other business people. “We can clearly articulate our current level, the steps needed to get to the next level, and how getting to the next rung makes us better prepared and more secure.”

DiDonato said that nearly every CISO knows how well prepared or exposed their organization is, but it may be difficult to explain current postures to business people. “Pictures help – the ladder gives a clear indication of where we are, and where we are headed. Our plan for this multi-year effort is to continue to execute on security priorities to move up the ladder.”

DiDonato benefits from a very supportive CIO, President, CEO and Board, who are all interested in making continued security improvements. He continues to rely on the CSF within his presentations to senior leadership and the Board. DiDonato said, “They are very receptive to the CSF and they understand the value of aligning with the framework.”

DiDonato’s meetings with the Board are not just presentations of the CSF. He said, “The Board does not want to see detailed flow charts or diagrams of networks. They need to understand the security program from a business perspective. I build credibility with them by explaining security’s impact on the things they care about.” They are outcome oriented. For example, DiDonato recently presented on the opportunity security has to become a competitive advantage for the organization.

COLLABORATING ON SECURITY OUTSIDE OF IT

At Baystate Health, interest in security extends down from the Board throughout the entire organization. Senior leaders, including the General Counsel and the CFO, stay engaged with DiDonato. “Our CFO is concerned about the potential financial impact of breaches and incidents, so he purchased cyber insurance as a way to manage that risk. His group has been targeted for wire transfer fraud, but they are an alert group and always investigate first. Our General Counsel is always sharing phishing scams, news of viruses and regulatory alerts with me.”

DiDonato believes that working with others outside of IT is both a big challenge and great opportunity for CISOs. Bringing other business units on board with information security efforts is vital to the program’s success. “It is the CISO’s responsibility to interact and communicate with leadership and people outside of IT,” said DiDonato, whose early career in auditing gave him an understanding of business terminology and objectives. DiDonato acknowledged that for CISOs who grow up in IT, collaborating with other departments might pose bigger challenges.

DiDonato also acknowledged that information security is relatively new to many departments, with little to no historical precedent for collaboration. “Most departments have no idea how they can best help us. We need to educate, and reach out to them, to set expectations for our role and how we can work together,” said DiDonato.

In the Information Security Office within Baystate, DiDonato puts in a strong effort to ensure his own team understands how meaningful and key their job is to the overall organization. He said, “One way I do that is by removing barriers for them. I show them we are getting the resources to make the program stronger. I depend on the professionals on my team to put together criteria for the technology resources that we need and then I go get it for them.”

Baystate Health continues to make investments in information security, enabling DiDonato’s team to grow and further advance their skill sets. “When they have the chance to learn new technologies it is exciting for them. When we give them tools and resources to do another level of investigation and analysis of incidents they are intrigued and motivated,” said DiDonato.

This on-the-job growth is an important aspect of DiDonato’s team management approach, as he has almost exclusively hired from within: people who have “shown a dedication to security even before they join my team, by sitting for the CISSP certification, for example.” However, DiDonato did not rule out looking outside of the organization for his next two hires to bring more advanced security expertise along with unique skill sets. It will depend upon the skills of each hire. Regardless of who joins the team and the specific skill set they bring, the group already knows it has a clear focus and strategy for the future – to continue to climb the HITRUST CSF ladder and further evolve the security program for Baystate Health.

It is no surprise that a CISO who values the human element of security would want to start early with security training. As a member of the Executive Women’s Forum, McAuley regularly participates in the Cybersecurity Schools Challenge. In the challenge, security professionals teach kids as young as five to think about online safety and security.


KATHY HUGHES
CISO, NORTHWELL HEALTH

HEADQUARTERS: Great Neck, NY
EMPLOYEES: 61,000
ANNUAL REVENUE: $7.4 Billion

AT THE HELM OF EMERGING DEPARTMENTS

Kathy Hughes began her career in manufacturing as a financial analyst, but she quickly transitioned to the computer and technology field, which was in its infancy. A business major with minors in computer information systems and economics in college, she was one of the few people well-versed in computer technology before most knew what computers were. She established centralized computing centers, installed computer networks and implemented distributed computing technologies. More recently, her career path has evolved to information security, where today she is CISO at Northwell Health, a healthcare network based out of New York.

As she developed in her career, she worked for industries as diverse as government contractors, publishing and retail. The one common thread across each job was being consistently tasked with developing programs to respond to changing business demands. “I like the challenge of establishing programs from scratch or bringing them to the next level of maturity by creating efficiencies which bring value and benefit to the organization. I also enjoy challenging the status quo, motivating staff to think outside the box and empowering them to drive change,” said Hughes.

While working at a government contractor, Hughes created and managed the first Information Center, a shared computer center for company employees. From there, she took on positions of increasing responsibility, creating infrastructure services departments at other companies. A position as an outsourced service provider for Northwell Health overseeing the Infrastructure teams led to an opportunity to create and manage Northwell’s disaster recovery program, which gave her exposure to risk management. With the disaster recovery program well-established, the CTO of Northwell Health asked Hughes to take on the role of interim Director of IT Security, a position that lasted three years. Once a new Director of IT Security came on board, Hughes transitioned again, this time to develop a new, formal program for risk management. “In developing the risk management program, I was able to develop strong relationships with the Chief Compliance Officer (CCO) and Chief Internal Audit Officer (CIAO) which established a level of credibility when I transitioned to the CISO position,” said Hughes.

BAPTISM BY FIRE

Northwell Health’s CIO knew Hughes was the right person for the CISO position. Hughes acknowledges that her background in infrastructure, disaster recovery and business continuity, her ability to successfully build programs, and the strength of her relationships with the CCO and CIAO led to the CIO entrusting her with the increasingly important CISO position.

“I transitioned to CISO just as security was really becoming critical to healthcare organizations. As an industry, we have transitioned from paper to electronic medical records over the past few years, which has made us a prime target for cybercrime. This reality became a baptism by fire for me as well as for other healthcare CISOs.”

“Really quickly in my tenure, we had some difficult incidents come up,” continued Hughes. “I realized we needed to further enhance our programs. My team and I have worked very hard over the past year and a half to mature our programs, with adjustments to our organization, structure, budget and with senior leadership support. I communicated the program changes to senior executives at Northwell and helped them understand the environment and the threats. Other CISOs have had a bigger struggle than I have in that regard.”

Hughes takes a plain-language approach to communicating with senior executives. “Most people are very intimidated by security,” said Hughes. “They know security is something they have to do, but the return on investment is difficult to calculate so it can be hard to justify. One session at a conference helped me put this into perspective. The speaker’s advice was to relay complex security concepts into words that people can relate to. The best way to do that is through stories. Tell them a story of what happened at an organization like our own, what lessons were learned and how some of those lessons can be applied to our environment. When you explain security through stories, people can relate and quickly understand the very real risks involved. It helps people understand the business impact and get support for our initiatives.”

TECHNOLOGY IS CHANGING THE HEALTHCARE INDUSTRY

At Northwell, similar to other healthcare organizations, the focus weighs heavily on creating innovative solutions to improve the delivery of healthcare services. For example, the company’s Telestroke service allows doctors who may be offsite to immediately respond and care for stroke patients. A timely response is especially important when dealing with stroke victims, enabling the Telestroke solution to save lives. Protecting the secure delivery of patient data from the hospital to the remote doctor is an important part of the process.

Northwell built an Innovation Lab, where vendors like Philips, Allscripts or GE may co-develop wireless or mobile tech solutions in a health environment without impacting patient care. “As the security team, we need to make sure we are involved from the beginning, and not viewed as an impediment to fast progress,” said Hughes. “We need to enable innovation in a secure environment that is as transparent as possible.”

According to Hughes, “While we have state-of-the-art security technologies in place supported by people and process, healthcare as an industry is playing defense and continually preparing for a security incident. We need to make sure we have a good response plan in place, if something does come up. We need to be prepared to respond with a tested process and already have in place alliances with outside entities like law enforcement, PR, media, cybersecurity firms, and forensic firms. We need to have the whole infrastructure of a response plan laid out, regularly tested and ready for different scenarios.”

In some regards, Hughes believes the healthcare industry is lagging behind other industries, primarily due to recent government incentive programs to shift from paper to electronic medical records. As a result, Hughes looks outside of the industry when hiring. “I specifically look to onboard employees from financial services and retail because those industries lead in cybersecurity. They have faced more incidents and have more mature processes in place which can be applied to healthcare. I tell my employees you are protecting data in the same way, but in healthcare the responsibility is even more critical. When it comes to things like medical device and application security, you are literally protecting people’s lives.”


KEN PATTERSON
CISO, HARVARD PILGRIM HEALTH CARE

HEADQUARTERS: Wellesley, Massachusetts
EMPLOYEES: 1,400 employees; 2,900 workforce
ANNUAL REVENUE: $2.5 Billion

“We have seen many TRUST - THE COMMON DENOMINATOR IN
examples of data breaches BUSINESS & SECURITY SUCCESS
occurring at other companies,
especially those in health At Harvard Pilgrim Health Care since 2000, and CISO during that time, Ken Patterson
care. We know, as hard has the benefit of historical knowledge and years of reputation and relationship
as we try to prevent a data building to help advance the company’s security program. During his tenure, his ability
breach, if someone wants to align security imperatives with business goals through risk management has resulted
us bad enough, they will in strong support for the security program within the organization. He says, “Since
most likely get us. To this I began working at Harvard Pilgrim in June 2000, my security staff has grown from
end, we make every effort to one person to seven people, with additional support from co-ops and summer hires.
be prepared to ensure we The executive leadership is aware that healthcare is a highly regulated industry and
continue to earn the trust of compliance initiatives must be met, as well as protecting against a major data breach.
our members. To me, that’s As a not-for-profit healthcare organization, the privacy and security of our members’
what it is all about.” sensitive information is a part of our culture, and continuously reinforced through
the privacy and security training of our entire workforce, including our employees,
- KEN PATTERSON contractors, consultants and temporary personnel.”

34 FEATS OF STRENGTH  EXCEEDING STANDARDS

Harvard Pilgrim recently completed its five-year IT strategy in which security played
a major role. Patterson is now focused on a three-to-five year roadmap at Harvard
Pilgrim. To accomplish these goals, Patterson starts with ensuring he is fully integrated
into the business mission, goals, and approach. “We have a top down push of our
objectives; our CEO pushes down to our CIO, and she pushes these goals down to

her direct reports. We all try to understand how we can align with those performance goals,” says Patterson.
Patterson has put the work in with his executive-level peers to ensure the program exceeds standards. Patterson says, “Today’s CISO needs to be a strong collaborator with all of his or her business units within an organization and needs to integrate their work successfully into the fabric of the enterprise. To help the business make optimal risk-based security decisions, the CISO must have a solid understanding of how the business operates. Leadership, collaboration, communication, and the ability to establish and nurture effective relationships are required for today’s CISO to be successful.”

UNDERSTANDING CORPORATE GOALS

Patterson says, “The mission of Harvard Pilgrim is to improve the quality and value of healthcare for the people and communities we serve.” The Harvard Pilgrim Corporate Business Strategy is:

• INNOVATE – Grow membership in selected market segments by using pragmatic innovations in product and network design, provider partnerships and payment models, and customer decision-support and wellness programs.

• DIVERSIFY – Continue to diversify by expanding our business geographically and demographically.

• MANAGE COSTS – Strengthen our competitive position through a campaign of disciplined cost management.

Patterson aligns security goals with the mission and organizational goals of the company. Patterson states, “Our security goals are to align risk management, governance, and security programs to business goals; and establish principles that executives and business managers can recognize and support during market segment expansions and new healthcare programs. We listen to business stakeholder needs and engage stakeholders in the planning process. We are focused on improving the ability to react to (and potentially prevent) unforeseen security risks and events.”

ADVICE FOR THE NEW CISO

Patterson’s career in Information Security dates back to the late 1970s. He stands out as one of the first pioneers in the industry. When speaking about the leadership role of CISOs, he says, “Empowerment comes from experience. If you don’t have leadership or communication skills you are not going to make it; those are the skills CISOs need to be effective.” He suggests new CISOs should:

• Integrate with the Business – Listen to business executives and understand what they want to get done and be a facilitator; help them get to their goals.

• Increase your Business Acumen – Similar to what others in the industry have recognized, Patterson points out that CISOs are often promoted for their technical background, but it takes a different skill set to be a successful CISO. New CISOs need to master the skill of business communication and place security within the realm of business goals when articulating strategy and advocating for security budget and priorities.

• Work your way up to the Board – For many CISOs there is still at least one (and often more) layer of management between them and the Board. CISOs who do not have direct access to the Board should focus on making their case to other executives. Patterson suggests CISOs prove their communication skills and value to CIOs, CEOs, and CFOs to gain access to the Board.

• Be Prepared – Patterson says he meets with his CEO before presenting anything to the Board. This way he is prepared for questions, and he has the support of the CEO in the room.

SECURITY-FOCUSED CULTURE

Patterson and his team work hard to improve privacy and security around compliance with regulations, which has helped instill a security-focused culture. “My executives send me emails concerning recent articles they read about security because it often captures their attention. They understand the importance of being prepared and have helped me advocate this to our entire workforce,” says Patterson. Harvard Pilgrim requires security training for all employees, resulting in an organization-wide understanding of the consequences of a breach in terms of financial loss or reputation. “We make good use cases to demonstrate what could happen here and how we build a process to rapidly detect and respond to any incidents that occur. Even if something minor happens, the workforce knows about it,” comments Patterson.


the Human Resource system so all access is revoked automatically on the employee’s last day. Also, many non-employees work at CHSLI, and with this system we can run a check on their status every 90 days in order to ensure we keep access rights current.”
A large portion of CHSLI’s security focus is on employees and how they interact with patient data, reinforcing the importance of Darienzo’s team in keeping employees informed about the value and importance of security efforts. Each employee receives security training during on-boarding and the security team publishes a monthly newsletter on their intranet. He explains to new employees, “Our security processes are the primary defense standing between CHSLI and an incident affecting our patients and business.” CHSLI does not evaluate employee security awareness via specific tests, yet Darienzo consistently sees an increase in reports of suspicious emails and messages, a strong sign the organization is evolving to become more security conscious.

MEETING HIPAA REGULATIONS REQUIRES A TEAM APPROACH

CHSLI includes six hospitals, three skilled nursing facilities, a regional home nursing service, hospice and a multiservice, community-based agency for persons with special needs. Darienzo works with a team of appointed privacy and security officers at each entity. “They are our satellite arms and our first point of contact if any security incidents come up. They file incident reports with us and we conduct the analysis.” Darienzo balances his time between officers, while maintaining productive ties with each. For the purpose of reporting HIPAA incidents to the Office for Civil Rights (OCR), each incident is assessed by CHSLI’s HIPAA Executive Steering Committee, which includes Darienzo, the CIO, the CPO, the CMO and representation from the Legal Department. The group reviews all incidents and determines if a breach requires reporting, or if an additional formal risk assessment is needed. All decisions of whether or not an incident meets the definition of a breach are documented, along with the facts upon which the decision was made. In cases where the OCR has reviewed CHSLI’s assessment of an incident, Darienzo states they have supported the CHSLI decisions.

BE NIMBLE AND BALANCED TO BE EFFECTIVE WITH A SMALL BUDGET

Darienzo states, “CHSLI is half the size of the Health System I had worked at prior to this position. So, while we do not have as many resources, we are more nimble. You can do a lot with less, if you focus on the right things. Some of the things we accomplish are astounding when you compare it to our annual spend.”
Darienzo emphasizes the importance of a team consisting of smart and efficient people, but he is cognizant of not over-working his security team. He says, “I am here to clear hurdles for them and help them get their job done. To some extent I would say I try to be hands off with my team. I just focus on giving them the time and room to get their job done effectively.” Darienzo is also trying to see that steps are taken within the security plan to give the team ample support when possible. One project that will help his team this year is a SIEM project, which will provide more comprehensive monitoring; Darienzo is essentially outsourcing that function so his team can focus on higher caliber priorities.

Pulling a Rabbit Out of the Hat

Some days CISOs may feel like security requires a ‘magic touch’, something with which Darienzo would agree. While his full-time career is as a healthcare CISO, he also funds his magic hobby with regular performances as a magician. To Darienzo, a clear connection exists between magic and information security, a possible reason why many of the CISOs he meets also enjoy partaking in the hobby (coincidentally, the CHSLI CISO before Darienzo was also a magician). Darienzo says, “Magic is about deceiving people. You draw their attention to one spot, while you perform some sleight of hand where they’re not looking. Security is the same thing: you have to be aware of what is going on beyond your line of sight. Both security and magic are about deception and it’s a skill knowing how to spot that deception.”

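The HR-driven revocation and 90-day non-employee status check that Darienzo describes above can be implemented as a reconciliation job that runs against the HR feed and the directory. The following is an added example written for this page, not CHSLI’s code; the record layout (`username`, `worker_type`, `last_day`, `last_recertified`) and the sample roster are constructed assumptions. It also covers the case an HR-only trigger misses: an enabled directory account with no HR record at all.

```python
"""HR-driven deprovisioning plus periodic recertification of non-employee access.

Added example, not CHSLI's code. The HR field names and the sample data below
are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Non-employee (contractor, vendor, volunteer) access must be re-attested
# by its sponsor at least this often.
RECERT_INTERVAL = timedelta(days=90)


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR feed (field names are assumptions for this example)."""
    username: str
    worker_type: str                  # "employee" or "non-employee"
    last_day: Optional[date]          # termination date set by HR; None while active
    last_recertified: Optional[date]  # sponsor's most recent attestation (non-employees)


@dataclass(frozen=True)
class Action:
    username: str
    action: str   # "disable" or "recertify"
    reason: str


def reconcile(hr_feed: Sequence[HrRecord], enabled_accounts: Set[str],
              today: date) -> List[Action]:
    """Compare enabled directory accounts with the HR roster.

    Returns, in username order:
      - "disable"   when HR shows the person's last day has arrived, or when the
                    account has no HR record at all (an orphan that an HR-driven
                    termination trigger alone would never fire for);
      - "recertify" for a non-employee whose sponsor has not re-attested within
                    RECERT_INTERVAL, or who has never been attested.
    """
    by_user: Dict[str, HrRecord] = {r.username: r for r in hr_feed}
    actions: List[Action] = []
    for username in sorted(enabled_accounts):
        rec = by_user.get(username)
        if rec is None:
            actions.append(Action(username, "disable", "no HR record (orphan account)"))
            continue
        if rec.last_day is not None and rec.last_day <= today:
            actions.append(Action(username, "disable",
                                  f"last day {rec.last_day.isoformat()}"))
            continue
        if rec.worker_type == "non-employee":
            if rec.last_recertified is None:
                actions.append(Action(username, "recertify", "never recertified"))
            elif today - rec.last_recertified > RECERT_INTERVAL:
                age = (today - rec.last_recertified).days
                actions.append(Action(username, "recertify",
                                      f"last recertified {age} days ago"))
    return actions


# Constructed sample data (not real records).
SAMPLE_HR = [
    HrRecord("alice", "employee", None, None),                     # active employee
    HrRecord("bob", "employee", date(2016, 6, 30), None),          # last day is today
    HrRecord("carol", "non-employee", None, date(2016, 5, 15)),    # attested 46 days ago
    HrRecord("dave", "non-employee", None, date(2016, 3, 1)),      # attested 121 days ago
    HrRecord("erin", "non-employee", None, None),                  # never attested
    HrRecord("frank", "employee", date(2016, 7, 15), None),        # leaving in the future
]
# "mallory" is enabled in the directory but unknown to HR.
SAMPLE_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin", "frank", "mallory"}
SAMPLE_TODAY = date(2016, 6, 30)


def run_sample() -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed sample and return (user, action) pairs."""
    return [(a.username, a.action)
            for a in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, SAMPLE_TODAY)]


if __name__ == "__main__":
    for a in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print(f"{a.action:10} {a.username:10} {a.reason}")
```

Run daily, the "disable" rows feed the directory (or the identity system's disable call) and the "recertify" rows go to each non-employee's sponsor; an account that is never recertified falls off at the next 90-day check rather than living on indefinitely.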

PROFILES IN INSURANCE

BRIAN HAUGLI
VP & CISO, THE HANOVER INSURANCE GROUP

HEADQUARTERS: Worcester, MA
EMPLOYEES: 4,800
ANNUAL REVENUE: $5 Billion

ELEVATING THE CISO ROLE AT THE HANOVER INSURANCE GROUP

“I report to the Chief Administration Officer (CAO), as do the CIOs for all of The Hanover’s lines of business. This was really important to me when I took the position,” said Brian Haugli, who is ten months into his role as CISO and Vice President at The Hanover. “This reporting structure is incredibly valuable. I participate with the CIOs in discussions around efficiency and operations; my opinion is valued equally. When I speak to CISOs in other companies who report to CIOs they tell me they have the problem of having to defer to their CIOs regarding those kinds of discussions and decisions. I don’t have that issue.”
Haugli’s boss, the CAO, was hired just four months before Haugli, and highly values the role of the CISO. This support gives Haugli tremendous confidence in his ability to evolve the security program at the company.
With executive-level responsibility and visibility, Haugli has regular access to the company’s leadership. “Information security is critically important at The Hanover. Maintaining security around the data our agent partners and their customers entrust to us is essential. With that in mind, I meet monthly with the CEO to go over operational security areas, security posture, and on-going initiatives,” said Haugli. “His interest in security and support around making our security initiatives more effective makes my job much more rewarding.”

ASSET OWNERSHIP AND RESPONSIBILITY

“I get really solid questions about The Hanover’s security posture from the members of our leadership team. They want to know what we are doing, what is going on in the news, and what the global picture is. They want to talk about business risk and take that into account. It’s an open dialogue that is influenced by our strategic business goals,” said Haugli.
“We talk a lot about asset ownership, and understanding what is most critical to the business units. We look at the systems and processes that are revenue generating for each line of business,” said Haugli. “They want to make sure our technical investments and capabilities align with business needs.”
When Haugli speaks to the business units about security he focuses on two areas: asset ownership and general security awareness. “I am a big proponent of establishing asset ownership,” Haugli reiterated. “If I am looking at a network component, I want to know who owns it. That person needs to take responsibility for what is on the system and ensure systems and processes are secure. If no one takes ownership of a system it is very difficult to make positive changes to it, and it probably should not be in the technology portfolio.”
Haugli uses education and awareness training to heighten awareness and change behaviors by employing practical applications of security best practices. “I use a lot of analogies to educate about vulnerabilities and the need for patches and security changes. I say, ‘Just like you do not want your kids’ friends to be playing computer games on the computer that you do personal finances on, you also want to limit access to your systems at work.’ We want to be certain that access privilege is given only to those who need it.”

BUILDING A TEAM AND A ROADMAP FOR THE FIRST 18 MONTHS

Just ten months into the job, Haugli has just begun the transition from what he describes as “unboxing the company” to creating a strategic 18-month plan to strengthen the foundational aspects of network security and vulnerability management. While Haugli’s background is in the Federal Government, the learning curve has been minimal and he is quickly developing an understanding of the network, people, and organization.
“I am growing my security team internally and I have hired a new Director for Governance, Risk, and Compliance who, like me, came from a government background.” He also created and hired a dedicated Manager of Training and Awareness Outreach. “His entire role is focused on the human element of the company. Everything is about the employees, in order to train them and make them more aware.”
During the hiring process, Haugli approaches candidate searches by focusing on skill sets and overall ability to adapt. More importantly, he believes there is not a “one-size fits all” in information security. For example, the manager Haugli hired to perform security training was a math teacher with a Masters in Psychology, resulting in an impactful team member with the ability to better understand user actions and teach new behaviors. “He is able to take feedback from operations about what they are seeing in terms of security issues and go talk to the employees responsible for the asset and hash the issue out effectively. He is able to understand their process and work with them to make the process more secure.”
“Strict hiring specifications can often preclude really solid candidates who would perform well in specific roles. I will look at the person who might not fit into a corporate workspace and see if they are the best person to hunt for malicious activity on our network. You have to understand and evaluate specific skill sets against the job function.”

Revenue Impact of Cyber Insurance

“Insurance is one of the few sectors where security has a clear opportunity to impact revenue,” said Haugli. “I cannot think of how a manufacturing firm or a retail company can empower a CISO to drive revenue. But in insurance there is a clear need to enhance our cyber security insurance program and that takes insight from Information Security and a solid understanding of risk management practices. At Hanover, I have been working with a specialty line of business on improving risk management and bolstering our capabilities around cyber insurance.” Haugli says Hanover has several different cyber security products but what the industry really needs is a uniform national standard to measure risk against in offering these insurance policies. “NIST is one of the best standards to come out over the years, and is a great first step in the right direction.”


PROFILES IN INTERNET

CORY SCOTT
CISO, LINKEDIN

HEADQUARTERS: Mountain View, CA
EMPLOYEES: 9,900
ANNUAL REVENUE: $2.99 Billion (2015)

When Cory Scott joined LinkedIn more than three years ago, he took on an emerging, yet highly visible role at one of the largest social networks in the world. “LinkedIn is in a unique position in the ecosystem. We are a large social network focused on the professional aspect of peoples’ lives. The platform has influence on peoples’ careers and personal growth, and I was very attracted to the job. When I came on board there was not a significant security presence, so this was also an opportunity for me to build the information security program from the ground up,” said Scott.
In order to strengthen and elevate the security program, Scott understood he needed clear support from the most senior executives. “When I was considering the role, one of the things I was concerned about was the support of senior management,” Scott continued. “I was lucky to speak with Jeff Weiner, CEO of LinkedIn, during the interview process. We talked about the priority he knew LinkedIn needed to give to security. I found he had an incredibly detailed and technical grasp of the challenges of security. He had taken the time to educate himself on its value. He was very supportive of putting security first to build up the trustworthiness of the platform.”
The trustworthiness of the platform is a central theme for Scott. Building up consumer, internal and partner trust in the security program at LinkedIn is the guiding objective for Scott’s group.
“Trust in our platform is integral to how we execute on our vision to connect professionals and make them more productive and successful. If members believe that LinkedIn is a trustworthy place to do business then they will engage with the platform more, and the more they engage, the more valuable the platform is to them, and to us as a business.”
“In my three and a half years here we have learned a lot about the value of trustworthiness. What matters is not just the impact of security actions, but the message you send about security as an inclusive, participatory initiative. It signals to the rest of the world that the organization takes security and privacy into account at every step of development and innovation. Security is moving more into the forefront of peoples’ minds. It is something they consider more now than ever before.”
Scott runs his security program to support the company’s mission of connecting professionals to make them more productive and successful. Three specific objectives drive the information security organization’s ability to make a positive impact.

1. Attract and Retain Talent Who Execute on Vision – When building an effective team, Scott knew he must first consider the audience and culture. LinkedIn has a strong engineering and data-driven culture, so his security team consists of employees who succeed in that environment. “Even the program managers on my team have written software. When the security talent aligns with the rest of the organization, we have more successful interactions. It also makes our organization a more attractive partner to the other business units.”
Scott continued, “It is no secret there is a shortage of security talent. Because we are LinkedIn, we have access to a lot of data on supply and demand for professionals. For every four people employed in information security today there are three open positions. It is hard to find talent with specific security expertise. To combat this, we try to bring people over the wall from other parts of the technology organization into our security team.”
He said, “We have a strong technical bar for almost all security employees. We also look for people with key soft skills, who understand how to problem solve and work with multiple stakeholders. Most important of all, we want our team members to be curious. They need to want to figure out how things work, and how things can be improved.”

2. Achieve Operational Excellence – Scott’s team must understand how to handle demand, standardize on approach and processes, and effectively communicate success as it relates to key metrics. When measuring success and reporting on metrics, Scott divides the functions of the security team into two sets: internal demand and external demand. “Internal demand includes securing the infrastructure, discovering new attacks, maintaining plan alignment and reducing security risks. Progress on these efforts can be tracked via traditional means, such as milestones and achievements. But the other 50% of our time is spent on external demands, which are tougher to measure. This includes servicing the organization, ensuring new projects and programs kick off with strong security, doing compliance work and reviewing contracts and plans because policy requires it. External demand boils down to supporting someone else’s big project. But we still have to measure our work. So we measure things like the number of security reviews we do, the number of bugs found before the application goes live, and we have metrics to measure incident response.”
It is important to note that Scott shares these metrics with all stakeholders, not just his team. He said, “We report on our performance to my direct manager and CEO, but also horizontally to the head of IT, legal counsel, the internal audit committee and engineering leadership. We want a lot of people to be aware of our organization’s performance.”

3. Foster an Inclusive Program – “We emphasize that security is not a team in the corner or in an ivory tower,” said Scott. “We try to be available and involved. That means we are visible, both online and offline. We hang out where engineering and operations congregate and spend time in the same internal chat rooms. Our role is as internal consultants to help teams find solutions to security problems and reduce risks. We want them to see us as advisors more than regulators.”
Scott’s team expanded upon the standard security ambassador programs that some organizations run when they created the Security Champions program to foster inclusion and commitment outside of the security team. This program requires 25% of an employee’s time and is a six-month commitment. “The program is broken into two halves. The first half requires participation in the Stanford Continuing Education program to obtain a certificate in advanced computer security. Once that is complete the Champions become advocates for security within the company. They also perform a ‘tour of duty’. We put them to work on security; this is where our program goes beyond traditional ambassador programs,” said Scott.
Scott noted that interest in the program is high (they have a waiting list) because security is fun and interesting, but also because it is a good career move. He said, “LinkedIn is committed to the development of our employees. Our founder and executive chairman Reid Hoffman wrote a book called The Alliance that focuses on the relationship between employee and company and the mutual agreement to support advancement, including the employee’s next play. The Security Champions program fits right into that approach.”
Scott believes LinkedIn’s approach exemplifies what the future will look like for information security, as the discipline takes on a bigger role. He commented, “Security is becoming a key differentiator for products as they go to market. Large organizations talk about it now as part of their core message. There is always a need to tell a good story about security to the market.”


PROFILES IN MANUFACTURING

KEVIN BROWN
CISO, BOSTON SCIENTIFIC

HEADQUARTERS: Marlborough, MA
EMPLOYEES: 24,000
OPERATIONAL REVENUE: $8.1 Billion

“I have strong knowledge and experience in cybersecurity, but I also have a business background, managing significant cybersecurity profit and loss portfolios,” said Kevin Brown, CISO at Boston Scientific. “That combination helps me make a difference in the CISO role at Boston Scientific.”

Brown started his information security career with the Federal Government as a U.S. Navy officer where he worked with the National Security Agency. After leaving the Navy, Brown was an early member of SAIC’s startup information security division, where he spent seventeen years growing the business unit to $180 million in annual revenue. As a Senior Vice President at SAIC, and later Vice President at Raytheon, Brown was responsible for profit and loss organizations providing information security services, technologies, products and consulting to federal government, commercial and international customers, particularly in support of CISOs.

Twenty years into his commercial information security career, Brown decided it was time to get back to his cybersecurity roots and work internally as a CISO. Brown wanted to work for a company that was making a difference in the world, and Boston Scientific, with its medical device innovations transforming lives, exemplified a strong fit. With ten months as CISO under his belt, Brown possesses a strong will to expand his program while working closely with other business departments.

DATA PROTECTION AND A TRUSTED SECURITY PARTNER

Shortly after his arrival at Boston Scientific, the company launched a global Data Protection initiative led by the Chief Security Officer, Senior Counsel-Global Privacy & Data Protection, and Brown as the Chief Information Security Officer. The leadership team conducted a cross-functional and stakeholder data review identifying location, owner(s), classification, protection, access, and sharing/collaboration in order to ensure that the company’s comprehensive data protection strategy remains robust. As part of its initiative, the company also established a formal Global Data Protection Council.

The Council is an important partner and channel for Brown’s team in many ways. He says, “Through the Council, the security team is more easily connected across the corporation not only for ensuring the protection of Intellectual Property and personal information, but as a way to further enhance our security awareness efforts. The cybersecurity team and Council have aligned on key initiatives such as threat intelligence, privacy, forensics, and employee education and awareness.”

Through coordinated efforts with the Council, Brown and his security team work actively on partnering and engaging various organizations throughout Boston Scientific. “As the CISO and member of the Global Data Protection Council, I meet regularly with the leaders within the businesses as well as key partners such as Legal, Human Resources, R&D, and Finance, for example,” Brown relates, adding “but the real partnership comes from the interaction my security team provides with those same organizations at their level.” Brown describes this interaction as recruiting “Security Champions” throughout the company, who act as primary points of contact with whom the team works regularly in such areas as awareness and training, alerting, and support. “Top down leadership is a necessary start, but fostering an enterprise-wide culture of awareness and ownership is really the best way to ensure engagement,” Brown believes.

MEDICAL DEVICE CYBERSECURITY INTEGRAL TO PATIENT SAFETY

In support of Boston Scientific’s Digital Health Initiative, Brown and his security team have focused efforts on ensuring security around the company’s products and medical device components and applications, resulting in a clear competitive advantage for the organization. “Digital Health is a strategic priority at Boston Scientific and several things we are doing in security will be differentiators for the company. We always ensure our products meet requirements for medical device security, but we are going further than that. There is so much information that can be housed on medical devices, or accessed through medical devices. It is not just protected health information (PHI) or personally identifiable information (PII). Hackers and cyber criminals will exploit any access point to get to a hospital’s data or any other system the device may interconnect with, and if left unsecured, a medical device connected to a hospital network may create an access point. While many are focused on just the devices, we are also looking at what supporting infrastructure and applications can be used to pivot into our devices or a customer’s network. We want our customers to be comfortable adopting our entire ecosystem, not just our devices. We want to build upon our trusted partnerships. Those are the types of things we are thinking about with our medical device security program. Ensuring security at those points can be a differentiator for us with the hospitals and healthcare providers.”

The medical device initiative requires Brown and his team to work closely with the research and development team, which continues to demonstrate a strong commitment to security. According to Brown, the process has gone smoothly because his own team is working collaboratively and openly. “We don’t say ‘no you can’t do that’. We work to find a secure solution in support of the business. Of course, patient safety and confidentiality is always paramount.”

TALKING CYBERSECURITY TO THE BOARD

Brown briefed the Boston Scientific Board of Directors after six months on the job. “It was a fantastic opportunity to give the BOD and several members of the Executive Committee an assessment of the security posture of the company, provide insights into what is happening in the cybersecurity world, discuss the data protection initiative and expound upon the company’s strategy,” Brown says. He adds, “There is a real importance in working with our executives on security. In today’s world many governing bodies, including the SEC, are holding executives and BODs accountable for understanding security threats and risks to their organization.”

Brown is researching the best way to leverage current and future tools to clearly communicate with leadership in a concise manner. In support of that, Brown has begun the process of employing solutions that can not only ingest and correlate information and minimize manual processes, but also provide customized dashboards that can present relevant information at the appropriate level. “Whether it is third party vendor management, incident data, training metrics, or compliance information, there is a value in customizing and providing a continuous flow and access of information to the various partners and organizations within the company,” Brown states.


PROFILES IN SOFTWARE

KEVIN HAMEL
CISO, COCC

HEADQUARTERS: Southington, CT
EMPLOYEES: 400
ANNUAL REVENUE: Undisclosed

SECURITY: THE NUMBER ONE is security and regulatory compliance.” Hamel points out that
CORPORATE PRIORITY this priority is client-driven. As a cooperative, COCC is owned
by its’ clients, and CEOs from a select group of clients comprise
Kevin Hamel is not the typical CISO, nor is he in the typical COCC’s Board of Directors.
corporate environment. As a 12-year-veteran CISO at COCC,
one of the industry’s leading suppliers of technology for banks CEO PUTS A FOCUS ON THE
and credit unions, Hamel greatly outpaces the industry average CUSTOMER
of 16 months in the CISO role. COCC exemplifies one of the
few companies in the world that lists security and compliance Hamel states, “Our CEO is one of the most vocal supporters of
as the number one corporate priority. In fact, this has been the security and risk management as a top priority. It is absolutely
company’s guiding principal for 15 years. Hamel states, “We true that the security mindset has to start from the top. It makes
recognize that security and regulatory compliance are vital to it easy to get security ingrained in corporate culture when the
our business. If we have perpetual regulatory problems or a CEO and the Board are committed to the effort.”
security incident, that would be a real threat to our success.
Where other companies in other industries might prioritize Hamel clarifies it is not necessarily a passion for information
profit, market penetration, or shareholder value, our top priority security specifically that is driving the CEO’s attention to the
topic, but it is his passion for the company and client satisfaction
“ Our CEO is one of the most that dictates the security and regulatory compliance emphasis
vocal supporters of security within COCC. Hamel says of the CEO, “He has been CEO of
and risk management as a COCC since 2002, and CFO before that. He is passionate
”top priority. about the company as a whole; the clients, the employees,
the work environment, our products, etc. His commitment to
44 FEATS OF STRENGTH  customer satisfaction helps him recognize the importance of
regulatory compliance and security.”

Because COCC’s CEO is focused on security, Hamel has a closer working relationship with him than other CISOs might have with their CEOs. In regular conversations, Hamel and the CEO focus on the client base. “COCC is focused on delivering the best service possible. That includes the best and most appropriate security. We talk about what is right for the organization and our clients from a security perspective, just like he talks to the CFO about what’s right for the organization and our clients from a financial perspective. We are in constant communication, and the focus is always on delivering the value we are supposed to be delivering to our client base. That keeps us focused on our mission and strategic goals.”

Hamel continues, “You might not see us talk specifically about security as a competitive advantage, but I think that’s implied and our clients understand it that way. From a customer service perspective, the message to our clients is that we care about the safety and security of the information you have entrusted to us. That is one part of our value offering as a co-op.”

Hamel focuses on integrating security into the business at every level, which requires as much business skill as technical and security competency. He says, “As an organization, we are here to provide banking services. We are running a business and you can’t be an effective executive if you don’t have a solid understanding of your business and general business concepts.”

Hamel believes his MBA and business background have been helpful in enabling him to align security with the organization’s customer-centric business philosophy and to work more collaboratively with other executives in the company to achieve their goals. He states, “For me, the organizational behavior courses in my MBA program were most beneficial. These courses put a focus on interactions with co-workers, how to build relationships, and how to communicate with people at all levels of the organization.”

ADVOCACY LEADS TO ADVANCEMENT

Given the emphasis the company places on security, it is very easy for Hamel’s team to align with business goals. After 12 years of advocating for security, he is now focused more on guidance. “We spend little time promoting security as a concept or getting people bought into the idea of security, and more time helping to ensure we make the right security-focused decisions as a company.”

A RESOURCE FOR OTHER BOARDS

While getting time in front of the Board is a challenge for many CISOs, Hamel has significant opportunities to present to his own board, and to many others in the financial services industry. As a successful veteran CISO at an organization that emphasizes security to its banking and credit union clients, and as a member of the Massachusetts Bankers Association Cyber Security Task Force, Hamel is often asked to present to the Boards of other financial institutions. “With the release of NIST’s Cybersecurity Framework and President Obama’s Executive Order on cybersecurity, there is a lot more interest in security at the Board level. In the past year I presented to the Boards of 17 financial institutions. They wanted to learn what they need to do from a cyber security perspective to fulfill their fiduciary duties,” said Hamel.

Hamel says, “It is important that Boards recognize cybersecurity is much more than just a technical issue. When there is a cyber incident, your technical teams will be working hard to resolve that issue. In the meantime, what will you be communicating to your customers, your partners, the local media, your Board, etc.? Who will be communicating to those groups? How will you continue to provide your services if your systems are unavailable? There are a multitude of non-technical issues that need to be managed by the organization.”

WHERE DOES A VETERAN CISO GO TO LEARN?

While experienced in his industry and considered an expert resource by many, Hamel values education and is constantly seeking new information and knowledge to continue to innovate his security program. While the internet and conferences provide good resources, Hamel says he learns the most in peer-to-peer interactions. Hamel says, “I belong to one organization that I feel is invaluable – the CISO Executive Network. There are ten chapters, with one in Boston, one in New York, and hopefully one in Hartford soon. We meet about six times a year. These are closed-door, half-day sessions about specific topics. It is a great chance to learn from other CISOs in your local area. The networking opportunities are phenomenal. I can always pick up the phone and say to a member, ‘hey, what are you doing on this particular topic?’”

PROFILES IN SOFTWARE

VANESSA PEGUEROS
CISO, DOCUSIGN

HEADQUARTERS: San Francisco, CA
EMPLOYEES: 1,500
ANNUAL REVENUE: Undisclosed

TRUST - THE COMMON DENOMINATOR IN BUSINESS & SECURITY SUCCESS

Two and a half years ago Vanessa Pegueros took her background in security and technology in the banking and telecom industries to the rapidly growing eSignature software and Digital Transaction Management company, DocuSign, Inc. Pegueros was drawn to the CISO role at DocuSign because the company put a priority on trust. “Trust is a core principle of the company,” said Pegueros. “It is critical to the success of DocuSign and it is critical in the success of any security program. So there was great alignment there.” With trust as a priority, Pegueros knew she could build the program she needed to be effective.

Soon after coming on board, Pegueros announced that DocuSign would build out a “bank grade security program”, a measure that took off within the company along with sales and marketing, as customers increasingly expressed interest in understanding DocuSign’s security program and controls. This level of customer interest in her program has enabled Pegueros to carve out a role as a business enabler.

Pegueros is often brought into the sales cycle and attends prospect and customer meetings. “Our enterprise customers want to know about security. It is usually among their top three questions. They especially like our leadership in delivering ‘bank grade security’,” she said.

In the time Pegueros has been at DocuSign, the company has tripled in size, from 500 to 1,500 employees. The security team has expanded from two to 20 people. Security has become a competitive advantage for the company, but Pegueros is quick to point out that more can always be done in this regard. “I continue to emphasize the impact security can have with our

product teams. Security is one of a handful of key areas where we can truly differentiate [from competitors] so that DocuSign is the only company and platform within the customer’s consideration set.” In 2016, Pegueros will work to further advance the idea that security is not a check box item, but that it must continue to be integrated overall to positively impact performance, revenue, and business goals.

TACKLING THE HARD CHALLENGES

DocuSign is experiencing tremendous growth, and the security industry is evolving at a rapid pace. Pegueros admits that the two can combine to present significant challenges. But she has a plan in place to tackle those challenges, and has built a trustworthy team capable of meeting them.

Pegueros reminds her team that accepting risk is okay. “Security teams need to be more business-focused and not get emotional. Maybe the risk is high, but it is not the security team’s decision to make. Our role is to highlight the risk and ensure people have the facts and analysis to understand both the impact and likelihood of fruition for any given risk. For example, we might be 80% sure that an incident will happen in the next five years, but can’t pinpoint exactly when. Representing risk to the board is the most difficult thing because it is not science.” Pegueros believes the industry could be better served by more sharing of data. This would make understanding probabilities and presenting risk much easier. “In insurance they can give you a great understanding of risk. If you are a 60-year-old man who smokes, they can tell you exactly how likely you are to get heart disease. We don’t have that level of analytics in security. In our industry, companies do not share any more information about breaches and incidents than is required by regulations.” What is the right level of information sharing? Pegueros is asking that question of her peers and her team.

Prioritization is another challenge for Pegueros. She focuses on security projects related to revenue-impacting programs first in order to align with business goals. Non-revenue-impacting programs are prioritized based on risk. To implement security effectively, Pegueros partners with other business leaders. In many ways this collaboration is made easier because Pegueros reports to the General Counsel through the Chief Risk Officer, instead of the CIO or COO.

Her team previously reported up through the Chief Operations Officer, which meant it was grouped with other departments that had different needs and priorities. It made it harder to get things done. Now, as a part of the Risk Organization reporting to the General Counsel, Pegueros partners with business units. Since the move, Pegueros reports, “My relationship has improved with many in operations because now we are allies. Now we can go to the Board as a consolidated team. I am able to help teams get the resources they need to focus on security from within their organizations.” As a result, Pegueros has stronger partners and access to dedicated security resources in other departments.

THE CISO’S OBLIGATION TO THINK STRATEGICALLY

Her other challenge for 2016 is to advance her team strategically. She is asking herself, “How do I build up the thinking capacity of my team?”

Pegueros says, “At this point, tools are an afterthought. How do I get ahead of [risks]? For example, I am thinking quite a bit about incident response. How do we build the resiliency in our team around incident response? If a team is well prepared then they will not be shocked when [an incident occurs]. This does not mean doing a few practice exercises. We need to make response second nature, so that we can react very quickly.” She is working to make incident response less of a process and more of a reflex.

“My team has tactical priorities. They are focused on the steady things we have to do. As CISO I have to build out our broader capabilities and address what is missing. The CISO’s obligation is to think strategically, and the need for strategic leadership is greater than ever. It has to be our priority.”

CEO SUPPORT

“Our chairman and CEO Keith Krach is one of my team’s biggest supporters. Security is a top priority for Keith and he ensures we have the time, attention and resources for success. We meet regularly, where I brief him on the latest on our security program and efforts, as well as more broadly on best practices and threats across the industry. He helps ensure that security remains a top priority for every employee at DocuSign.”