While a yoga-exercising, goofy, attention-loving duck, who appeared in his first TV commercial back in 1999, has made Aflac a virtual household name, the insurance company has other corporate stars beyond the public eye who play vital roles in keeping the organization, its clients, its critical data and its intellectual property (maybe even the duck's) safe.
Tim Callahan, SVP and global chief security officer, who took home the SC Awards CSO of the Year trophy at the 2017 ceremony, is known as "a partner" to his many colleagues at the Columbus, GA-based company, says Taryn Powell-Aguas, principal, Cyber Risk Services, at Deloitte & Touche LLP, who has worked with Callahan for some 16 years. Over the years she has watched him time and again inspire, shape and build a team of committed cybersecurity experts who collaborate with other business leaders to enable growth and overall team building.
In fact, reporting to Audrey Boone Tillman, EVP and general counsel at Aflac, rather than to the CIO (still the typical reporting line for cybersecurity), he and his team have played a transformative role both in developing and maintaining a robust security program and in extending it safely to the company's global operations.
"Interestingly, the decision to have Tim report to me versus our CIO was part of a larger decision to create a new, global security division. The structure we ultimately approved was based on a year-long study Aflac conducted by a cross-functional committee of senior officers to evaluate industry-wide best practices for similar organizational structures. We then applied the best practices that we believed aligned with the type of global program Aflac needs," she explains. "I believe that a critical part of our structure is the understanding by senior decision-makers, including me, that stronger security is a business imperative. This has led to stronger awareness and rapid approval of cybersecurity and other security initiatives that have undoubtedly fortified our company's policies and practices on a global scale."
To do this, and to help the company move from an environment of legacy systems to one relying more and more on cloud applications, Callahan draws on leadership skills that see him investing in and inspiring his team, says Powell-Aguas. Others at Aflac, now one of the largest providers of supplemental insurance in the U.S., agree, often noting that his business acumen, sincerity and intelligence have proven vital in gaining the support needed to forge a robust cybersecurity plan that supports the overall business, adds Tillman.
“I believe Tim is consistently viewed by all as an extremely knowledgeable, incredibly talented and collaborative executive who takes a strategic and pragmatic approach to cybersecurity issues. He is strategic in that he follows a systematic approach to ensuring adherence to industry standards and best practices. But he also understands that sometimes the processes that he must implement are not going to be popular with the rank and file. He is very aware of this and as a result, he has a very good bedside manner when discussing why he does what he does,” she explains. “A great example is the Information Security Oversight Committee Tim established that brings senior officers from all aspects of the business together to establish a security policy, review threats and risks, and balance against impact. At the same time, he is very approachable and willing to go the extra mile to help employees, including me, understand basic cybersecurity issues that affect them personally and more complex issues at the global company level.”
This clarity about what was needed to advance the company's security posture was there from the day he started at Aflac, says Tillman. For starters, he knew Aflac "needed to modernize its security program," she says. "He has delivered in every way, while keeping everyone, including the Board, our senior management team, customers, partners and employees aware of our progress and advancements. He is someone who instills confidence by following through on his promises."
To find out more about the actions Callahan has taken to make cybersecurity resilience priority one at Aflac, we sought out his insight and views.
SC Media (SC): How long have you been in information security? Can you highlight the positions and organizations that helped you prepare for your stint at Aflac? What about pertinent training and certifications?
Tim Callahan (TC): I started in information security as an additional duty (in the role of) information/communications security officer while in the Air Force. I was in a career field that possessed a large volume of confidential information up to the top security-special-programs level. So, all told, I have a little over 30 years total (in information security).
My civilian experience started after retirement when I was asked to organize a security-program-management function and begin managing security projects. My first major project was to centralize security administration and automate user-access management. From there, I was asked to manage the access management function in addition to a technology risk management program office. Then, in 2006, I was asked to become CISO of a bank in Connecticut to build a compliant and effective program that would lay the regulatory foundation to permit growth through acquisition. Through the years, I have participated in formal and informal security education and training. I hold certifications through ISACA (CISM and CRISC) and (ISC)² (CISSP).
SC: Any mentors who really helped you over the years to get to this point of understanding about information security?
TC: There have been so many people that have helped form my philosophy and practice in security. David Rowan, SVP and director of Enterprise Technology Risk Management at SunTrust Bank, is someone who had the most influence on me in the early years. Jaci Coleman, EVP and CIO at People's United Bank, helped me immensely in understanding how to tell the (cybersecurity) story and gain support at the board level. Hank Mandel, EVP of Quality and Strategy at People's United Bank, was my mentor and friend who helped in developing critical skills in communication and leadership.
SC: What have been your major achievements in the last year of which you're most proud (and likely helped you receive this recognition)?
TC: I am most excited about the members of my team who are giving 150 percent every day and who are responsible for building our current organization and capability at Aflac to achieve a maturity level that is a bit better than our peers, as validated by an outside organization.
SC: What were the major challenges associated with these? For example, given a still somewhat challenging economic climate, the uncertainty that comes with a new presidential administration (and how they will look at regulatory requirements, etc.) and more, things continue to be a bit trying for some CISOs with whom we speak.
TC: The challenge was to pull together around 30 projects and initiatives which were going on nearly simultaneously while finding and hiring the team members needed to be successful. This could not have been done without the tremendous support and leadership from all members of our executive leadership team and the senior leadership team at Aflac. They understood the need and priority of our work and ensured their teams were aligned to support us.
SC: Who do you report to? Is there an ideal hierarchical structure when it comes to ensuring IT security is being addressed adequately in a corporate environment, do you think (for example, answering to the CEO as opposed to the CIO)?
TC: I report to the general counsel. This is the most effective alignment for our company to have a central corporate program.
SC: What about getting the budget dollars, resources, staff and other types of support you need? Have you found difficulties with any of these things when trying to achieve your aims this last year? If so, how did you overcome them?
TC: With the leadership support, the budget was not as big a problem. Execution on our commitments was trying at times. There is a shortage of security talent, so we had to open up the opportunity to work in locations other than our corporate headquarters. We were able to gain security leadership through personal relationships and providing opportunities to do exciting work.
SC: We hear a lot about return on security investment. How do you show your superiors that security enables business/government endeavors? And how do you get the support, resources and funding you require to do your job?
TC: I don't try to sell return on investment to our leadership. That is near impossible. What we provide is risk mitigation to a determined and agreed-upon risk tolerance. Our leadership, including the board, decided where we should be on the maturity spectrum. We then put together a roadmap to get there. As we proved the ability to meet these commitments, we gained the confidence to continue the investment.
SC: The economy's been tight – some have experienced budget cuts, layoffs, travel freezes, hiring freezes and more. How did you fare? Do you foresee more of these stressful budgetary challenges in 2017? Or are things expected to improve?
TC: Our leadership has made our security program a priority, and we have received the funding we need to reach our agreed-upon goals. We have built the team we need to succeed in this area. That being said, we all have an obligation to make sure we are spending wisely. I challenge myself and my team with making every dollar count and to think of it as if we were actually spending our own money. The test of every decision needs to be: “If this were my personal money, would I spend it this way?”
SC: Who in your organization helped with your major achievements over this last year?
TC: The entire executive team has been very supportive. It is hard to name individuals in particular. Without the mandate from our CEO Dan Amos, we could not have achieved what we did. EVP and General Counsel Audrey Boone Tillman, my boss, has been instrumental in paving the way for accomplishment both in the U.S. and globally. The technology team led by the CIO Julia Davis has enabled us to install the technology we need to monitor and protect the environment. The wise counsel and creative funding prowess of our EVP and CFO Fred Crawford has enabled us to fund the initiatives and operational cost of building the program.
SC: What about Aflac's own solutions? How have you been involved in ensuring that your own customers can trust that the company bears security of their important data in mind? Have you had to worry a bit more about accounting for security practices in your own offerings recently given vulnerabilities that plague everything from web applications to IoT?
TC: As a core value, Aflac always puts our customers first to be there when they need us most. This care for the client extends to protecting the information they have entrusted to us. We have been on a path of modernizing our security program to ensure we stay ahead of the threat to the extent possible. Aflac has invested heavily in a Global Threat Intelligence Program, so we get information early about what is going on. We have automated the threat analysis process and have engaged partners who look into the dark web to find information about Aflac and help us put in the right protections.
We have also implemented a more mature application and web security practice. We have beefed up our practice around penetration testing for the production environment and implemented automated secure code testing in our development environment. Additionally, we have brought in partners that help us in training developers in secure coding practices.
SC: Are you seeing signs that an increased number of companies and individuals care more about how organizations are shepherding their critical content –- that they care about the security of their details when dealing with vendors?
TC: I think all companies are looking more at their security posture, especially those that deal with privacy information or have large dollar transactions. These seem to be where the criminals are concentrating. In talking to my peers across industries, there seems to be a better understanding at the board and executive levels.
SC: What about working with partners and suppliers (whether third-party cloud service providers, device/software suppliers or others)? How have you held them more responsible for meeting your security requirements?
TC: We have ramped up our third-party risk assessment process in response to the threat. We have begun to use services that help us monitor the security health of our more critical third-party services and have reevaluated our criteria for on-site visits. We are also looking more at the business continuity programs of our most critical vendors to ensure they have appropriate plans to ensure continuity of services.
SC: How would you describe today's security threat landscape?
TC: The threat is comprised of three major threat actor groups: criminal, hacktivist and nation-state. The criminal is motivated primarily by profit. The hacktivist desires to make some political or social statement or cause negative impact due to some social or political cause. Nation-state actors are generally motivated by espionage or to make a covert political statement, inflict damage, cause cyberwar or serve some other selfish interest. Some would include a category for corporate espionage, but I just lump that under criminal profit motive.
The more consistent threat for most companies is the criminal threat. The bad guys want money, and if you have something they can monetize, you can bet some evil-doer is thinking about how to get to you. Criminals have become more efficient, also. As an example, ransomware is an attack that can be launched indiscriminately, and the criminal does not have to do anything until contacted by the victim. This type of attack has grown from a nuisance to a serious threat to enterprise file systems.
SC: In regard to compliance demands, what are your priorities and how do you adhere to such regulations? Must you contend not only with regulations in the U.S. but also with other countries' regulations?
TC: Compliance with regulations is table stakes. We just have to do it. Our strategy is to transcend compliance to be a threat-based program. We will always comply, but we want to ensure we are implementing leading practices and staying ahead of the threat to the extent possible.
SC: What is your biggest gripe with the way security is done these days?
TC: There has been such growth in security providers that it is impossible to know which can do what they say and which are just noise. The providers generally do not do a good job distinguishing themselves and what actual versus perceived problems they solve. This takes much longer for security teams to sort through when they are looking for solutions.
SC: Are we getting anything right? Said another way, are the adversaries beatable?
TC: Adversaries are beatable, but we have to remember it is a daily fight. There is an old adage that says, “They only have to be right once; we have to be right all the time.” The fight will never be over as long as there is money to be made or benefit to be derived from getting our data or getting into our systems. So, we take our victories incident by incident.
SC: What are the threats/newer applications that you think you and others in your position must address this year? How will you do this?
TC: The threat comes not in the applications but in the necessity to get solutions out quickly to address business needs and to help us be more competitive. Our IT partners never want to put an unsecured app in production. The challenge comes with how we can support them quickly to make sure vulnerabilities are not built into applications. We in security have to take on that challenge and not slow down development. That is one reason we have invested in automated solutions.
SC: Do you get enough support from your colleagues and bosses when it comes to implementing and maintaining strong security and risk management plans?
TC: Security is supported from the top down. I have received the very best support possible from all across the organization. In our security town halls and every time we talk to employees, they want to know what they need to do to keep us safe.
SC: What steps do you find integral in getting and maintaining such support?
TC: The number one step is helping our employees. They want to do the right thing, but they are under pressure to perform in their jobs every day. We try to partner with them to help them do their job more securely; we attempt to implement transparent controls that don't impede them, but help them go fast.
SC: What's your best advice to others when it comes to building a strong security program?
TC: Start with the basics and perfect them before trying to go for the more flashy solutions. I have already mentioned the importance of starting with a risk assessment to appropriately tune your program. For most companies, email is the most vulnerable vector. Certainly, you need an email security solution – that is a basic. But employee education is most important – no employee wants to be the one that compromised the company. So, help them know what to look for. Vulnerability and patch management are basics. Never let the criminals exploit a vulnerability for which there is a patch. So, emphasize sound IT hygiene – it is something you can do that will have a tremendous effect on the program.
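The "never let the criminals exploit a vulnerability for which there is a patch" basic above is easiest to keep when it is checked mechanically. The script below is an added example, not Aflac's tooling or anything Callahan describes: it compares a software inventory against a list of advisories, each naming the first version that carries the fix, and reports every host still running an older version. The hosts, package names, versions and advisory identifiers are constructed for illustration and are hypothetical.

```python
"""Patch-gap check: flag hosts running software older than the version that
contains a known fix.

Added example (not Aflac's tooling). All hosts, package names, versions and
advisory IDs below are constructed and hypothetical.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, not a real CVE/advisory
    package: str
    fixed_in: str      # first version that contains the patch


# Constructed inventory: (host, package, installed version)
INVENTORY = [
    ("web-01", "example-httpd", "2.4.49"),
    ("web-02", "example-httpd", "2.4.51"),
    ("app-01", "example-openssl", "1.1.1k"),
    ("db-01", "example-openssl", "1.1.1l"),
    ("mail-01", "example-mta", "3.5.10"),
]

# Constructed advisories, e.g. as exported from a vulnerability feed
ADVISORIES = [
    Advisory("ADV-HYPO-001", "example-httpd", "2.4.51"),
    Advisory("ADV-HYPO-002", "example-openssl", "1.1.1l"),
]


def version_key(version: str) -> tuple:
    """Turn '1.1.1k' into ((0,1),(0,1),(0,1),(1,'k')) so that numeric parts
    compare numerically and a numeric part never collides with a letter part
    (the leading 0/1 tag keeps tuple comparison from raising TypeError)."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_patched(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at or beyond the fixed version."""
    return version_key(installed) >= version_key(fixed_in)


def find_patch_gaps(inventory, advisories):
    """Return (host, package, installed, advisory_id, fixed_in) for every
    host whose installed version predates an advisory's fixed version."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)

    gaps = []
    for host, package, installed in inventory:
        for adv in by_package.get(package, []):
            if not is_patched(installed, adv.fixed_in):
                gaps.append((host, package, installed,
                             adv.advisory_id, adv.fixed_in))
    return gaps


def report(gaps) -> str:
    """Render the gap list as one line per unpatched host/package pair."""
    if not gaps:
        return "no patch gaps found"
    return "\n".join(
        f"{host}: {package} {installed} -> {adv_id} requires >= {fixed}"
        for host, package, installed, adv_id, fixed in gaps
    )


if __name__ == "__main__":
    print(report(find_patch_gaps(INVENTORY, ADVISORIES)))
```

Run as-is it lists web-01 and app-01 as the hosts still exposed. The version comparison is deliberately simple; distribution packages with epochs or release suffixes (Debian's `1:2.4.51-1`, RPM's `-3.el8`) need the distribution's own comparison rules, so in production feed this logic from the package manager or scanner rather than from raw version strings.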
SC: How will the role of the CSO look in five years? In 10 years? In 20? Will the job be evermore integrated into day-to-day business? How will this affect job growth and job security in this space, do you think?
TC: I would love to think the role of the CSO would no longer be needed in 10-20 years. Would it not be nice if technology development progressed so there were no coding errors; there were no vulnerabilities in technology or applications; the internet and web applications had such solid authentication the criminal would not have a chance; the internet was so resilient that it could automatically detect bad traffic and dump it with no damages? There would no longer be DDoS attacks, or for that matter cyberwar. Yes, that would be nice, but it's unfortunately not very likely. So, I think in the next 10-20 years, there will be a CSO-type role. It will be a more standard part of business strategy and discussions – as nearly all business will be e-commerce or dependent on technology. I do think we will have a safer environment because the newer applications that are supplanting the older are more secure or more securable. I think we have learned a lot from the inherent vulnerabilities in IoT devices and will apply that lesson better.
SC: What about executive- and board-level views and support of cybersecurity needs in future?
TC: In many ways, I think we are there, at least in the financial services industry. Due to regulatory pressure, director liability and the reputational damage a financial company could suffer, directors have taken notice and are holding management accountable for a solid program. Directors want to hear from the CSO/CISO – the officer accountable – about the state of the security program. I think executive leadership realizes the damage to the brand and the liability of having an effective, not just compliant, program. While we never should spend more than needed, there is a bit more appetite to err on the side of more versus less. It is a lot easier to defend a company that spends too much than not enough.