A few weeks ago, I posted this piece describing why to merge physical security and cybersecurity, which is also known as "security convergence."
When I posted that piece on LinkedIn, the response was dramatic, with a surge in likes and comments. While a few people oppose this security convergence strategy, most readers support it. Furthermore, many respected colleagues offered bold testimonials. You can see the details of some of those LinkedIn exchanges here.
This follow-on blog offers "the rest of the story" from one such response. It comes from a trusted colleague and respected industry expert in the financial services industry, Marc Sokol. I asked Marc to elaborate on his security convergence experiences, and he agreed to this interview offering details.
Over the course of his 25-plus-year career in security and operational risk management, Marc has played an integral role in shaping the industry and leading/implementing these programs at several global market-leading companies. Key aspects of these programs include advancing risk management transparency and effectiveness, convergence of physical and cybersecurity, strengthening resiliency and self-efficacy, recruiting, developing and mentoring staff into leaders, and meeting myriad stringent regulatory requirements, while always remaining aligned with key business objectives and a focus on doing "the right thing the right way" for the client/customer, the company, and the multidisciplinary teams and staff he has led or influenced. He is commonly referred to by his peers as mentor, trusted adviser, and an authentic, pioneering, compassionate, and inclusive leader. He has an unwavering commitment to doing "the right thing the right way" and applying a "team of teams" approach that delivers proactive, business-aligned information/cybersecurity solutions as well as actionable risk management intelligence to facilitate organizations meeting their financial goals and service clients/customers who rely on and trust those companies for critical products and services.
Marc currently is a director and the global head of information security risk management for one of the largest global banks' institutional businesses, which provides market-leading digital channels, commercial cards, liquidity management services, payments, receivables and global trade services to companies and governments in the U.S. and more than 140 countries, processing trillions of dollars in global transactions daily. It also serves almost all of the world's Fortune 100 companies with 10 regional centers worldwide. Prior to his current role, Marc held similar leadership roles at several market-leading companies and industries including banking, brokerage/investment banking, insurance and software companies.
In addition to his corporate roles, Marc has been an executive adviser to several software and security services companies, and significantly contributed to the security risk management and financial services industries, serving as a board director for the Financial Services Information Sharing and Analysis Center (FS-ISAC) for almost a decade. As part of that role, Marc led several strategic national initiatives in partnerships with local and federal law enforcement and other government agencies to help build and strengthen information sharing between the private and public sectors to advance the country's ability to protect and defend the United States from both domestic and foreign cyber and physical threats. He has received numerous industry awards for his accomplishments and contributions to the industry, published several industry and peer-reviewed white papers, has a bachelor's degree with cum laude honors in law, and holds a CISM certification. In his spare time, Marc enjoys a variety of outdoor sports, touring on his motorcycle, being with his family and laughing at every chance, and both playing and giving endless love to the dogs his family has rescued and adopted.
You can learn more about Marc's career and roles by visiting his LinkedIn profile or his personal website.
Dan Lohrmann (DL): Marc, can you describe your role when you converged cyber and physical security risk management?
Marc Sokol (MS): In 2002, I was recruited by and joined one of the top-five mutual insurance companies in the United States as their chief security officer (CSO). Initially, my focus was developing and implementing their information security, cyber risk and business resiliency programs. Interestingly, the company had also, only several months prior to my arrival, recruited its new chief financial officer (CFO). The existing CEO and new CFO (who was also my boss and a director on the company's Board of Directors) developed a long-term growth strategy for the future of the company that would require a substantial digital transformation, significant investment in updating the company's technology and in its people, and the development of a world-class risk management program. Additionally, the board identified that it also had a concern meeting its risk management governance obligations due to a lack of understanding regarding the company's operational risk and cybersecurity postures. Specifically, while it had clear line of sight regarding market, credit, investment, strategic and emerging risks, it didn't feel the same way about the company's operational, security and resiliency risks. It was at that time that the board asked if I was interested in expanding my roles and responsibilities to include enterprise operational risk, which I gladly accepted. To succeed in this expanded role, I realized we were going to need to expand the strategy through innovation and pioneering a new approach, and explore a convergence-based security risk management approach. In consequence, we needed to think more broadly, explore industry collaboration and information sharing, and ensure a strong, inclusive environment that encouraged brainstorming and breaking down silos by bringing disparate teams together through a common mission that would implement a convergence-based approach to security and operational risk management.
In 2005, I was nominated and elected to the Board of Directors for the Financial Services Information Sharing and Analysis Center, a public-private partnership created under U.S. presidential directives and endorsed by the U.S. Treasury, DHS and U.S. Secret Service (USSS), among others. Many industry peers called this new convergence-based, business-driven risk management approach pioneering, and said it would bring great value to the protection of the financial services critical infrastructure sector. Thus, the FS-ISAC also wanted to expand its focus from cyber/information security to include physical security and resiliency. Hence, I was tasked as a board director with building out such capabilities at a national/global level and advancing its ability to both serve its members and combat the expanding threat landscape the sector was (and continues to be) facing. Following our success in partnering with Bob Weaver from the USSS in expanding its Electronic Crimes Task Force (ECTF) to become a national program (as evidenced by our drafting and acceptance of Section 105 of the USA PATRIOT Act) and having worked so closely with the best and brightest in the USSS' financial crimes and protection divisions, it was then that I realized a new and pioneering approach toward the convergence of physical and cyber security was going to be needed to protect and defend our nation and sector in an ever-evolving threat landscape that was systematically incorporating both cyber and physical threats/attacks.
DL: What were the original goals of converging cyber and physical security?
MS: From a corporate perspective, with the recent terrorist attacks that had occurred in 2001 fresh on the board's and executive management's minds, and the understanding that to be successful in their digital transformation and growth (including acquisitions) strategy, they requested that I deliver a security risk management vision, strategy, and 1/3/5-year road map. Therefore, this road map had to include both a short- and long-term strategy for implementing a highly optimized, adaptive and convergence-based program that spanned information security, physical security, life safety, incident management, investigations, fraud mitigation, resiliency, crisis management and third-party risk management. A key board requirement was that these programs must demonstrate full alignment with the company's growth strategy, ensure the company would remain aligned with its established corporate "risk appetite" in a similar way it had done for credit, market and investment risk, and positively impact the bottom line. In other words, it had to be sustainable, demonstrable, realistic, pragmatic and measurable, and we would need to communicate these risks in both a quantitative and qualitative manner that was consumable by various audiences within the company.
From a critical infrastructure protection perspective, as noted above, there were many of us on the Board of Directors and the CEO of the FS-ISAC, along with government organizations including the USSS, Treasury, DHS and others, who realized the legacy and siloed model of separating physical and information/cyber security was not going to be successful in a future that would include threats to the digital economy, combined with ever-growing global combined cyber/physical threats (e.g., terrorism, nation-state attacks, etc.) to the U.S. and its allies. There are direct physical consequences resulting from cyber attacks, as evidenced by the recent attacks on the Colonial Pipeline and JBS, among others. Thus, the velocity of these attacks, combined with the ability of a single malicious actor or nation-state cyber attack to have a significant impact on our economy and way of life, was clear. In consequence, through collaboration, we were able to combine and implement both industry-proven and effective physical security and cybersecurity methodologies that would advance our ability to prevent, detect, protect, contain, respond to and recover from these advanced, combined risks we faced and still face today.
DL: On LinkedIn, while commenting on the original security convergence story, you said, "I can confidently say we achieved many positive outcomes, transformed the perception of the role/function, optimized productivity, lowered expenses, lowered risk, all while broadening growth opportunities for staff and the company (M&As)." Can you elaborate on this? How did this happen?
MS: I knew we were successful based on the following three key observations:
The first was facing two of the biggest operational and business challenges we, and likely the industry, would face during that time, and we successfully AND confidently responded to them both: the economic crisis of 2008 and Superstorm Sandy. While we were nominated for and won several high-profile industry awards for our convergence-based program, the first real-world test of these programs would come in 2008 when the country faced a major economic crisis that would truly test our risk management programs, and how the rating agencies would evaluate them in such tumultuous times, especially for the financial services sector. The rating agencies' ratings were an extremely important business driver for the company. They were also closely monitored by the board and our executive leadership team, as they represented the financial strength of the company and directly influenced our ability to be competitive in the markets we served. After being audited and rated by the rating agencies, we were one of only a few companies in the U.S. to which the rating agencies, even under scrutiny themselves, were confident enough to give a ratings increase. Furthermore, they highlighted both our investment risk and operational risk management programs as the primary driving factors that led to that increase in ratings.
The second was when the company, like all the others in the Northeast region, faced the devastation of Superstorm Sandy. Our convergence-based programs and self-efficacy would be put to their biggest test in response to this natural disaster. It would test whether the company could continue all its key business operations even in the face of this physical natural disaster that spanned not only our corporate headquarters, our key support centers, and both our primary and secondary data centers, but also impacted the personal lives of thousands of our employees all at the same time. Because we had implemented a convergence-based approach to security risk management and embraced a "team of teams" approach, our Incident Command System capitalized on that convergence-based approach. Hence, our businesses and corporate teams seamlessly worked together to respond to this challenge with unwavering commitment, efficiency and cooperation. Every aspect of the company was touched both directly and indirectly by the wrath of the storm. However, thanks to our preparedness, development and growth in our self-efficacy through our convergence-based security risk management approach and the organic development of natural synergies across the company, we successfully responded and the company incurred no material impact to any of its core or key business operations. Additionally, our employees often told us during the crisis and after how important it was that we always put their (and their families') safety first above all else, and as a result it motivated them and their resolve, even while facing their own adversities, to help ensure the company would continue to service its clients, policyholders and customers.
The second indicator of our success was the double-digit percentage growth and material increases in the company's financial strength and dividend payouts. Specifically, the company grew in size and product offerings, and exceeded annual revenue projections year over year. The quality of our products, time to market and expansion of services continuously improved, and we were making highly strategic and financially beneficial acquisitions that, each time, proved to be more efficient and seamless. In parallel, we helped empower our sales force with greater flexibility and agility to serve our clients/customers while also advancing and strengthening our security. We were proving our success because we were "minimizing risk while maximizing operational productivity" (the slogan we adopted) through intelligent implementation and business alignment of various security solutions.
Many of those solutions were frictionless and transparent, and in many cases, the feedback from the sales force was that our solutions were actually making it easier to use the company's technology, thereby supplying quicker access to essential data they needed from anywhere, anytime and on any device. We saw our annual costs and the frequency decline in areas such as security incidents, near misses and investigations by large double-digit percentages.
We also experienced annual reductions in the costs of our third-party onboarding processes while also reducing our supply-chain risk. These benefits enabled us to reinvest those savings in our staff (along with expansion of staff resources), recognition for high performance and new capabilities/innovation. The board expressed their support and trust in our program, as we were able to communicate our risk posture and its alignment with the company's risk appetite across our multiple businesses, operations and technology organizations. Where residual risks were found to exceed risk appetite, we were quickly able to identify and execute corrective action plans as well. In consequence, we had built a corporate culture of collaboration where business CEOs, COOs, CROs, CIOs, legal, compliance, HR, finance and security/operational risk management all contributed to prioritization of both tactical and strategic planning as well as execution and operational sustainability. We had successfully broken down the silos and employed an effective "team of teams" approach with mutual respect across varying specialties and expertise within the company.
Everyone, regardless of department or "rank/level," had an equal voice in our ongoing transformation and innovation while also prioritizing, investing, developing and implementing solutions to address short- and long-term challenges we faced. As leaders, we ensured everyone was comfortable having open and honest conversations among teams and with executive management. Also, it was the executive leadership team who helped this environment exist because they consistently demonstrated and lived the values of authenticity, integrity, diversity in debate, respect and commitment to ensuring every voice is equally heard, essentially eliminating "groupthink." As a result, we planned to succeed, became comfortable with both our fears and dissenting opinions, and that enabled us to lean both forward and into the curves rather than slow down or stop. Thus, because it wasn't just one department or group, everyone had a voice and contributed to our success as a company.
The most rewarding aspect of these successes to me was much more personal in nature. I had the opportunity to work with some of the best and brightest leaders, as well as mentors who truly inspired and influenced me to do more and better than I thought I could do. I had the pleasure to build a world-class diverse team of leaders and staff that embraced a pioneering vision of security convergence, and in turn exceeded all my expectations with their accomplishments. I was uniquely empowered and trusted by the board and executive leadership team to execute on an innovative vision and strategy in a measured way that was not forced to meet unrealistic, arbitrary dates, but rather accountable for the delivery on the commitments we established. They appreciated the difference between "managing the metrics" versus "managing the risk." As a result, we achieved amazing results, and much of the thanks still should go to the many great leaders, team members and staff who embraced the convergence-based approach. We didn't just improve the company, we enabled others within the company to succeed too.
Finally, while I am proud to have been part of such a great company and information-sharing industry organizations like the FS-ISAC, I am most proud of the positive impact I had on others and their careers both within the company and in the industry, which I really didn't have an appreciation for until years later when they would contact me and, with excitement, tell me how they have advanced in their careers or strengthened their self-efficacy because of the things I did.
DL: You mentioned transformational changes that took place when you started this journey. Were those items already in place when you started, or a result of the convergence efforts? Why were they so important?
MS: The desire of the company to implement transformational change was the outcome of the exceptional vision of the company's CEO and CFO shortly before I joined. Fortunately, I joined the company at the birth of this initiative and had the opportunity to actively participate in developing the road map for the company to realize this vision by employing a pioneering security convergence-based model that expanded to cover all of operational risk through a common mission with individual accountability and shared responsibility with the businesses, technology, finance, legal, HR, compliance and procurement, among others. We all quickly realized that we were going to be part of this transformational change in a 150-year-old company that would have a resounding positive impact on its future. Moreover, we knew that if we demonstrated the company's values in this journey, which included inclusion, collaboration, respect, and open and honest conversations, we would be successful in our journey to grow the company and "do the right thing the right way" in servicing our clients and customers.
DL: Can this converged security model work for most organizations, if implemented correctly? Or, are some industries and/or organizations not good choices for this effort? Why?
MS: As we saw when we shared our convergence-based programs with peer organizations through information sharing and industry conferences/presentations, I believe that any company of almost any size or industry can implement this highly effective, business-aligned program. However, there are a couple of caveats to be successful and realize the benefits:
- Active engagement and support from the board of directors (or equivalent governing body) and the executive leadership team, along with their setting the tone that collaboration, open and honest conversations, and cooperation across disparate corporate and business areas within the organization are expected, and that all share responsibility for the company, its effectiveness in managing risk and its self-efficacy. The culture of the company must be one of unity toward a well understood and common set of goals and objectives.
- Identifying a problem without also identifying a solution will not be accepted.
- Compassion and empathy for people who work differently, and EVERY voice, regardless of title or rank, will be embraced. All voices will be heard.
- A leader's role is not to have all the answers, but to inspire others, to hire and build leaders who will be empowered to lead and execute, and be held accountable, but will be positioned for their success and the success of every team member.
- Taking measured risks and trying something new or different should not be feared, and may result in learning how not to do something, but it will be the foundation for growth, maturity and long-term success and innovation.
- Take the time to showcase the successes and accomplishments, and the people who contribute to the successes of the program, especially the more junior team members.
- Embracing information sharing and industry collaboration is an essential aspect of the success of these programs. Therefore, participation in organizations like the ISACs will prove to be invaluable.
DL: Do you think the global security industry as a whole will go in this direction over the next decade? Will the majority of the public and private sector get there?
MS: My hope is that the global security industry will embrace this convergence-based model to protect and defend the companies we work for, our industries and our homeland. We face an ever-growing dependence on technology that impacts not only our digital lives, but our physical ones, as evidenced by the recent natural disasters, physical attacks (e.g., 9/11) and cyber attacks mentioned earlier that had the potential to cause serious impacts to our daily lives, such as the Colonial Pipeline, JBS and Florida's Oldsmar water treatment processing security incidents, among others. However, with the growing velocity with which a single malicious actor can have a macro impact on a nation from anywhere in the world (e.g., cyber attack), combined with the ever-growing natural and manmade physical threats, our resolve to adapt and be flexible by supporting such a transformative model will be a major factor in our long-term strength and resiliency as a country.
DL: As far as government agencies go, as well as critical industry owners and operators like energy and transportation, is CISA offering a good model? Will this approach work for local, state and federal agencies? That is, bringing together physical and cybersecurity for critical infrastructure protection efforts?
MS: I think there are many industry forums and standards available that we all can capitalize on and benefit from in developing a highly effective convergence-based security risk management program, and no single organization or technology alone is the answer. Each company, just as each government agency, is different, so the program must be adaptive and flexible to the ever-changing threat landscape. However, these organizations must embrace the importance of investing in such a program and view it, from the top down, as an investment and enabler, not a cost center. Ultimately, success depends on strong leaders who empower and position their leaders and teams for success. Therefore, it is paramount that these leaders appreciate and understand that there is no single "silver bullet" solution or technology. It will always come down equally to people, process, technology and the environment in which we operate that will drive us forward into the next chapter of this journey.
DL: Is there anything else you want to add?
MS: If I could succinctly make a few suggestions, they would be:
- Technology alone will not solve any of our problems or challenges.
- Information/cybersecurity is not a technology issue; it's a business risk management issue, and if a company wants to be successful and takes security "seriously," the CSO/CISO needs to be a respected part of the executive leadership team who has a level of independence equivalent to the chief audit executive or chief compliance officer.
- Information security and cyber risk management are core components of a company's operational risks, and thus need to be an integral part of the company's overall enterprise risk management program.
- Don't accept managing the metrics, or KPIs for KRIs, as risk management.
- And to my son Michael's credit, in his law and policy undergraduate studies, along with having spent many summers throughout his younger days essentially interning and being mentored by some of the best and brightest in the security and risk management fields, he recently authored a paper for college on the subject of cybersecurity as a major homeland security policy issue where he discussed that, in order for true change to occur in advancing U.S. public- and private-sector cybersecurity defenses, leaders, especially the CEO, CFO and directors of boards in private companies (who own the majority of the U.S. critical infrastructure), need to treat cyber/information security with the same importance, rigor, accountability and responsibility as they do for financial reporting under regulations such as the SOX Act.
- I completely agree with him and his recommendation (and am very proud of him). In that regard, whether or not such SOX Act type laws/regulations enforcing such accountability for cybersecurity are passed, these leaders need to hold themselves personally accountable for understanding the risks and effectively managing them. They need to understand the importance of the necessary duty of care they must employ and the trust afforded to them by the clients and customers they serve in the private sector, or the citizens they serve in the public sector. There needs to be an end to "breach speak" such as "we take security very seriously" AFTER the breach or security incident occurred, and instead a demonstration of that same "seriousness" and "duty of care" required every day in today's world. Individual accountability of the CEO and directors on the board is a great motivator to truly take security risk management seriously in today's digital economy, and I'm sure we would see greater change and appreciation if my son's recommendation became reality.