CUNA Mutual Group's Scott Sysol is SC Magazine CSO of the Year.
Editor-in-Chief Illena Armstrong reports.
Transformative things can occur in short periods. As an example, it takes just 30 to 40 days for the monarch butterfly to complete its lifecycle of becoming the brightly colored adult insect seen fluttering through summer months. For humans, changes are no less miraculous. In three years' time, for instance, a toddler usually can stand on one foot, count to 10 or ride a tricycle.
When Rick Roy, CIO of Madison, Wis.-based CUNA Mutual Group, sat on a team of executives looking to hire their first CSO three years ago, one candidate stood out to him: Scott Sysol.
“He has a depth and breadth of both infrastructure and security knowledge, which is really rare,” he says. “A lot of times, security experts that don't have a depth of infrastructure knowledge will contemplate [methods] to secure the enterprise in ways the infrastructure can't support.”
For him, this combination was key to Sysol being hired for the position of CISO and head of infrastructure. Since his start, in that same short, three-year period after which a fledgling 3-year-old can have meaningful conversations with adults, Sysol has led various successful and far-reaching IT security initiatives. These include a push for data privacy across the company, implementation of enterprise-wide IT controls, adoption of tapeless backup and more. Then there are the mainstays, the goals that any CISO always has in mind, such as enlisting the help of outside partners – from technology providers to analyst firms – to help point out innovative processes and technologies to use in the security process, says Sysol, who is this year's SC Magazine CSO of the Year award winner.
“Similarly, it is important to take advantage of the corporate executive board's ability to gauge our progress against our peers and keep enhancing processes accordingly,” he says. “From a CISO's perspective, it is also important to play a role in developing and implementing standards for threats facing the industry as a whole. Right now, for example, we're collectively focused on combating the rising threat of malware. Finally, the ultimate goal of a CISO is to put together a great team that can strike a balance – and make the case for it company-wide – between the sometimes-conflicting pressures of security, compliance and productivity. This is an ongoing effort, but CUNA Mutual Group is fortunate to have a great team in place.”
Sarah Buerger, director of information security, governance and risk management at CNA Insurance, where Sysol worked for seven years prior to joining CUNA, says that before Sysol arrived the organization had an outdated vision of security. As CISO he developed the information security roadmap and mission necessary, getting needed traction with executive leaders. Even now, after he has left, she says her department is still using that roadmap, with, of course, the appropriate modifications the passage of time demands.
She recalls Sysol as a very collaborative boss, sitting in his office with her and other staff for hours debating the best ways forward to execute the proper security roadmap – always making sure business goals helped to drive IT security planning.
“I could tell when he took the job that he had a better feeling for that balance – for technology and business use,” she says. “It was reflected in the strategy he developed. He got away from the security tool for the security tool's sake.”
And he sought his team's input constantly, as well as helped them learn and grow, she says, trusting them to do the job at hand, providing guidance whenever it was needed and never playing the “helicopter manager.” Their commitment to the vision he crafted, she explains, was sealed because their roles in developing it were integral – he brought everyone along so that they, too, were invested in its success.
“You don't come down from the mountain bringing your strategy, hoping that everybody comes along,” Buerger adds.
With approximately 400 applications and systems and tens of millions of consumers that use its products every day, CUNA Mutual Group has plenty to protect and a constant demand to evolve its security strategy to reflect the everyday changes made to such a large infrastructure. Though the company employs about 4,000 people, placing it in the medium-sized category of organizations, it is a $2.6 billion business that sells everything from property insurance to disability insurance. Plus, it works closely with credit unions and individual customers, says CIO Roy.
In his first five months, Sysol together with Roy and other staff focused on developing a robust risk and controls framework tied to longer-term business investments and goals. They also made sure to involve internal and external auditors to constantly vet the framework they were building, says Roy. In this way, Sysol played a pivotal role in creating a climate of collaboration with auditors, which, at many organizations, is non-existent.
“It is not that we agree on everything every day,” says Roy, “but when we have those debates it is always against the backdrop of what we've agreed to.”
This has led to a much more organized approach to how the company prioritizes information security issues that all – from a network engineer on up to the CEO – are concerned about. Additionally, this has gone a long way to easing those annual IT risk reports he and Roy must give to the board. In the future, Roy says Sysol will continue focusing on security and privacy priorities, as well as infrastructure-related aims.
He'll also be reviewing the ways the company can help its customers and credit unions in more consultative ways to remedy specific IT security problems.
His many past successes, along with his influencing skills, his ability to translate security priorities into business requirements, and his understanding of being transparent to and involving the rest of the business, undoubtedly will help address these future challenges, says CNA's Buerger. “Scott's got a presence about him where he can talk to [executive] leaders, and he's confident and people listen to him.” It was because of these many solid traits and wide breadth of business and IT security knowledge that he “was one of the top three bosses” she has ever had.
As for his continued work at CUNA, says Roy, “I see great things for Scott in the future.”
Illena Armstrong: How long have you been in information security? Can you highlight the positions and organizations that helped you prepare for your stint for CUNA Mutual Group?
Scott Sysol: I have been in information security for more than 12 years. I have spent the last three years at CUNA Mutual Group as the CISO and the head of infrastructure. Prior to CUNA Mutual Group, I spent seven years at CNA Insurance in Chicago -- five years leading the architecture function. In that timeframe, the company didn't have a CSO, so I was responsible for providing overall security vision and strategy for the company and executing supporting programs. I then accepted the formal promotion as CSO two years before leaving CNA. Prior to CNA, I spent time in a number of roles, including four years as a consultant with a focus on infrastructure and security, as well as other engineering leadership roles where security was a core responsibility.
IA: What have been your major achievements in the last year of which you're most proud and likely helped you receive this recognition?
SS: Enterprise-wide IT controls: This initiative involved implementing an enterprise-wide controls framework that included assessing all financially significant applications for compliance, while building remediation plans for emerging gaps in controls compliance. The project has yielded numerous benefits. Perhaps most important for the user constituency, the controls framework has actually increased productivity among IT developers and systems engineers by helping them avoid potential rework in the future. In addition, the project helped internal audit teams by developing clear and concise reporting structures, which also increases productivity by giving those responsible more time to focus on auditing other areas of the organization. Finally, the initiative has influenced external audit partners to use more of CUNA Mutual's internal reporting systems when they're auditing the company, which is an annual process, and this in turn saves the company approximately $1 million annually.
Data privacy initiative: This effort is still in process, but there's already been major progress in lowering risk exposure across a number of business areas and closing audit gaps. The program to date has implemented a number of key controls, such as data leakage prevention tools and processes that have already helped the company avoid potential data loss. The implementation of processes around loss prevention has also given security and privacy teams a key ability: They now engage more with employees at an individual level to discuss why they need to protect data, the potential fallout from a data breach, and ways to adjust processes and behaviors to work more securely.
Implementing a tapeless backup solution for the enterprise: This seemingly routine project paid off for the company in several ways. It not only lowered operating costs, but also removed the threat of a data center outage by replicating the data in real time at the disaster recovery location. In addition, the effort eliminated the perennial fear of actually losing a tape and having a major data breach.
IA: What were the major challenges associated with these? For example, given the economic climate, things generally have been tough for many CSOs with whom we speak. Did you find difficulties here or in any other areas when trying to achieve your aims this last year? How did you overcome them?
SS: Security professionals and CSOs have always been challenged with making strong business cases to get the funding needed to meet our goals. The economic climate hasn't helped matters any, but at CUNA Mutual we have a strong commitment to our customers and members of credit unions. That commitment allowed me to continue the work we needed to do to protect the data for which we are entrusted. As with any funding request, you have to make your case. Security initiatives rarely have hard-dollar paybacks, but I am able to show the risk reductions we will accomplish across the enterprise, as well as our ability to continue to meet our compliance and regulatory requirements. Those things, coupled with my ability to find reasonable solutions to the problems we face -- without taking an overly conservative attitude toward security -- are what I believe helps me overcome the funding and economic issues we all face.
IA: What processes and solutions/vendors helped you reach your project goals?
SS: We have strong relationships with numerous technology partners, including EMC, Cisco, Microsoft, Voltage and Symantec. I believe it is vital to regularly share ideas, vision and roadmaps bi-directionally in order to enhance each other's strategic focus and help meet long-term goals. Rather than keeping technology providers at arm's length, I believe it is important to let key partners “inside” the organization to help them better understand the challenges our customers face.
IA: Who in your organization helped with these achievements?
SS: While there have been many groups within IT and CUNA Mutual Group that have helped us meet our goals, the one I must call out as having been instrumental in this is our corporate compliance team and its leader, our chief compliance officer. The strong partnership between our security and compliance organizations has enabled a solid foundation that can be leveraged to further our overall security and privacy programs. We communicate as a cohesive team and also successfully advocate the need for each and every CUNA Mutual employee to be mindful of protecting the data that we are entrusted with and manage.
IA: Do you get enough support from your colleagues and bosses?
SS: My boss, the CIO, has been fully supportive of our initiatives. We, as an IT organization, have to report annually to our board on the progress of our security initiatives, as well as our audit and overall risk exposure positions. This requirement alone is a big reason that we have the attention of everyone throughout the IT organization. Each person understands the criticality of meeting the needs specified by our board and other corporate executives. Our IT organization has a team mentality in everything we undertake, and that has certainly also been the case for our security programs. Our programs will touch everyone as we fully deploy the controls needed to protect our applications and data assets. Without the support of my peers in those efforts, we'd fail.
IA: What steps do you find integral in getting and maintaining such support?
SS: In the past, I often worked with senior executives -- particularly in the insurance industry, which is in the business of risk assessment -- who simply didn't understand or didn't want to understand the complexities of information security. Keep in mind, though, that their concerns are valid. They need to focus on delivering value to their customers, and the same customers largely take security for granted. Rather than getting into unproductive battles, carefully listening to executives talk about their needs and pressures helps the CSO and our team to empathize and build relationships while being able to communicate the benefits of security and compliance controls. It eases the process with the company at large and builds credibility with the management team. Corporate executives view me as a leader who tempers serious security needs with what's best for the business given current circumstances.
IA: When you're undertaking various projects, do you have to work with managers of various business units?
SS: Yes, working with business partners and managers throughout the organization is key to successful projects at CUNA Mutual Group. We have a highly collaborative environment.
IA: Who do you report to? Is there an ideal hierarchical structure when it comes to ensuring IT security is being addressed adequately in a corporate environment, do you think (for example, answering to the CEO as opposed to the CIO)?
SS: I report to the CIO. I find this structure works very well at CUNA Mutual Group. I am able to easily work outside the boundaries of IT into our business areas with the key partnerships we have cultivated with peers in the business. Our organization is very conscious of its regulatory and financial responsibility to our customers and members – we have parlayed that into strong commitment to our initiatives and goals to secure the enterprise.
In some organizations, reporting to the CEO would be viewed as the ideal situation to garner the proper level of support for the office of the CSO and its initiatives, but I don't subscribe to the idea of “one size fits all” when it comes to the setup of a security organization. So much depends on the culture of the company, its financial position and the industry served.
IA: The economy has been tight – some have experienced budget cuts, layoffs, travel freezes, hiring freezes and more. How did you fare? Do you foresee more of these stressful budgetary challenges in 2011? Or are things expected to improve?
SS: I was able to maintain my budget year-to-year from 2009 to 2010, and even to 2011. The strength of our company is the real credit behind that. Our financial performance during the economic crisis has been strong. In turn, our company continues to invest in our capabilities, including our efforts to maintain our security and privacy programs.
IA: In regard to compliance demands, what are your priorities and how do you adhere to such regulations? Must you contend not only with regulations in the United States, but also with other countries' regulations?
SS: Compliance ranks high on the list, with regulations ranging from the PCI standard, HIPAA and GLBA to a wide variety of complex and often diverse state privacy laws. While most companies say they hold to a high security standard, those in the financial services industry -- CUNA Mutual's entire business model is in service of credit unions -- face much greater scrutiny from customers and government alike. In fact, a web of issues combine to present unique challenges to security executives in this field.
IA: While compliance has prompted corporate leaders to understand security needs more, there may be some thought that compliance with certain mandates means security of critical data. As incidents like Heartland or WikiLeaks illustrate, that is not the case. How do you make sure those corporate leaders who are supporting you and are responsible for allocating resources understand this so that you get the required support and budget you need for your projects (which ultimately are part and parcel of business activities)?
SS: My vision always needs to be the same: To integrate security and data privacy into everyday thinking across the enterprise, and to implement information technologies and processes to make that possible. For the record, with processes, threats and solutions changing constantly -- and with some staffers continuing to see security as a burden rather than an enabler -- this is always a moving target and involves efforts on multiple fronts.
One critical element is to involve the security team earlier in the process to build more effective defenses from the inception of each new initiative, thereby avoiding costly mistakes, rework audits and remediation causes that arise later. This requires continuous training and communication. We've had good opportunities to inform senior-level executives, as well as the audit committee and board, of the challenges and issues confronting the company and the best ways to meet them head-on.
Another goal is to continue bringing in external constituencies such as technology providers, other partners and analyst firms to identify other innovation possibilities in the security process. Similarly, it's important to take advantage of the corporate executive board's ability to gauge our progress against our peers and keep enhancing processes accordingly. From a CISO's perspective, it's also important to play a role in developing and implementing standards for threats facing the industry as a whole. Right now, for example, we're collectively focused on combating the rising threat of malware.
Finally, the ultimate goal of a CISO is to put together a great team that can strike a balance (and make the case for it company-wide) between the sometimes conflicting pressures of security, compliance and productivity. This is an ongoing effort, but CUNA Mutual Group is fortunate to have a great team in place.
IA: If you have a number of mandates to which you must answer, how do you avoid duplicating efforts to address these?
SS: Our partnerships with our compliance, audit and legal teams are very strong. We don't just communicate together -- we plan and strategize together. This has kept costs down, repeat work to a minimum, and sent a unified message across the organization. Our strategy strives to meet our security, compliance and regulatory needs at once. Good security programs lead to strong compliance positions.
IA: How do privacy issues factor into what you do? What privacy regulations (in the U.S. and abroad) must you comply with? What are your organization's main objectives when it comes to privacy and how do you ensure these goals are met?
SS: Privacy and meeting associated regulations are a major concern for CUNA Mutual Group. As an insurance and financial services company with a broad product portfolio, we must comply with a number of regulations, namely, GLBA, HIPAA, SB1386, PCI, state security laws, state insurance laws and more. Our goal is ensuring the right people see the right data at the right time and for the right reasons. With that goal in mind, we combine the efforts of the compliance and security organizations to meet the overall goals of security and privacy together.
IA: When hiring information security practitioners, what experience/knowledge/certifications/attributes do you look for? What advice would you give to individuals looking to enter the field of information security?
SS: Obviously, you need experienced people who have the right level of knowledge, skills and, if needed, certifications. But those are merely “table stakes” for me when I search for quality security professionals. What matters to me is a proven ability to balance risk by weighing the decisions that we must make as security professionals with the true needs of the business. Too often I see what I like to call “hard core” security professionals -- people who take an almost militant position on each and every topic. This type of person just doesn't cut it in the business world. My advice to those who want to grow as security professionals into the CSO role and beyond is to learn this balancing act – understand that every decision we make needs to be a risk-based one rather than black and white.
IA: How do you see the job of information security professionals evolving in the distant future?
SS: I expect to see the security professional continue to be a highly sought-after skill set and in high demand throughout the country. The need for talented individuals who have the skills I mentioned previously will be in even higher demand. The individuals who can fully understand their company's business, its objectives and find creative ways to marry those needs with security will be the security professionals that are the most successful.
IA: What is on your agenda for the coming year?
SS: My agenda for 2011 is to strengthen our security program with the initiatives we have in flight, continue to look at our long-term strategy and how the threats that continue to escalate affect that strategy. The good news for a CSO like me, who likes constant change, is that there's never a dull moment in this seat. I like the continuous change that the security industry brings. Every year, we take a significant portion of our resources to evaluate our position, the solutions we have in place, and how they need to evolve to accommodate the changing landscape.
IA: What other specific projects are on tap for this year and maybe starting in the next? Any forward-thinking plans that you'd like to highlight in the way of security implementations/other projects?
SS: Our biggest initiatives for the year include continuing to drive our privacy agenda deeper into the applications and systems we have across CUNA Mutual Group to further strengthen our security position. In addition, in 2010 we started our identity management initiative, so 2011 will be a big year for that program as it starts to really demonstrate an impact across our application portfolio.
IA: What are some of the major challenges you believe you and your counterparts at other companies/government entities face in the next year? What about the major threats to your organization and its critical data?
SS: Cybercrime, data theft and the threat of malware continue to be among the biggest threats. Because the threat landscape continuously morphs, it's difficult to stand still or rely on “traditional” strategies to protect.
IA: Any advice on how to tackle these?
SS: We have successfully leveraged technology and solution innovation for more advanced, infrastructure-wide approaches to data protection and compliance.
IA: What are the threats/newer applications that you think you and others in your position must address this year? How will you do this?
SS: Data protection and privacy rank high as criminals try new ways to get access to sensitive information.
The scope of our end data protection project involves meeting or getting ahead of regulatory compliance mandates, and addressing internal security policies and privacy concerns at the same time. The implementation was first launched in 2009 as a component of a broader privacy initiative. The project involves myriad issues, but the central goal is to safeguard private information -- such as Social Security numbers, date of birth, account numbers, and more -- as it is gathered, and while stored in databases and used by applications. The program covers a two-year period where the focus is on closing the gaps for comprehensive protection of private data while meeting compliance needs.
By any definition, this is a complex undertaking. Data belonging to credit union members is housed in a number of key systems. Granting access to anyone – including IT personnel such as database administrators, application developers and systems administrators, as well as business users – presents a risk to members, as well as to the company and its brand. And there's a large and varied mix of technologies and platforms affected, including Windows, Unix and z/OS, along with many applications containing sensitive data across a broad spectrum of compliance areas.
CUNA Mutual Group is taking on this complexity with the simplified key management and extended information protections offered as part of Voltage SecureData – solutions that bring innovation and breakthrough technologies to bear in addressing the issue of end-to-end information protection. Data masking and technologies, like identity-based encryption (IBE) and format-preserving encryption (FPE), bring massive scalability together with ease of use, administration and management. They also enable quantifiably lower TCO benefits, and involve minimal changes to infrastructure, systems and applications. Additionally, they provide native operation on a wide variety of platforms, systems and devices. They just work, and the end result is end-to-end protection of data at rest, in motion and in use, across databases and applications and desktops and email boxes enterprise-wide and throughout the user community.
IA: What about policy/program updates in 2011 and beyond?
SS: Aside from the obvious -- firewalls, web and email security, DLP and so forth – a strong approach to end-to-end data protection that can enable the enterprise to get ahead of security policies, industry and compliance mandates, and emerging technologies like virtualization and cloud computing, is key.
IA: What's your best advice to others when it comes to building a strong security program?
SS: In the financial services industry, IT in general and IT security in particular play a vital yet sometimes unrecognized and unrewarded role. Some people notice the function only when things go wrong. Working and succeeding in this field requires not just technology talent, but a clear understanding of the unique rhythms of the industry, as well as constant awareness of the diverse pressures of external threats, internal compliance controls and the effect of each measure and implementation on productivity enterprise-wide. It also takes a thick skin. And from the CSO's office, building a strong team takes a good mix of experience, persistence and constant communication. It is also important to realize when specific individuals who might otherwise have unique skills don't fit the team, and take steps to change the structure. Team members say I am tough but fair, reward hard work and provide plenty of opportunity to grow professionally.
We asked Scott Sysol about his life beyond work. What are his hobbies? Are there destinations that he and his family just can't help but hit every year? Just what does he do to relax and clear his mind a bit of all things information security?
“My biggest enjoyment comes from the time I spend with my family – my wife and our two beautiful daughters, and their passion for competitive gymnastics,” he says. “Both our daughters compete, and my wife and I are very involved with their team.”
The family also enjoys taking trips to Florida for sun and fun. Beyond that, says Sysol, he spends time in his home theater and enjoys such sports as swimming and hockey. As well, he's “an avid fan” of football, hockey and baseball. So, who was his team in this year's Super Bowl?
“I did root for the Packers since I work in Wisconsin and I'd be banned from my office if I didn't, but I am a New York Jets fan,” he says. “For baseball, I am a Philadelphia Phillies fan. And, for hockey, Philadelphia Flyers, so I am happy to still have hockey going.” – Illena Armstrong