A conversation with Mark Morrison, chief security officer for Options Clearing Corporation, or the OCC, the world’s largest equity derivatives clearing organization. This is one of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment.
Mark Morrison joined OCC in 2017 and is responsible for all information security, cyber risk, business continuity, privacy and records management. Before joining OCC, Morrison served as senior vice president and chief information security officer for State Street Corp., as well as multiple senior executive and information security roles in the federal government, including at the Department of Defense, Office of the Director of National Intelligence, Defense Intelligence Agency and the Mitre Corp. Morrison graduated from the University of Massachusetts at Amherst with a bachelor’s in economics.
What makes a successful security leader?
I think what makes a successful security leader is obviously having an understanding of the current state of cybersecurity technology and the threat environment — both the current threat environment and the emerging threat environment. I think understanding how the cyber threat relates to the core business is really the key. Most places, including where I am and most in the financial sector, do not do security for security's sake — we do security to support that core business functionality. So when you're laying out your security program and your architecture and your set of controls, you've got to make sure that it's aligned to achieve that balance between the operational environment and — if you're in a development cycle, introducing new technology — a balance against the security threat environment. You want to achieve “an acceptable level of risk” for security wishes — that balance where you're making the systems useful for the business side and your customers and clients, but you're achieving regulatory and common-sense cybersecurity capabilities that you need to participate in a modern technology environment.
What internal and external priorities should today’s security leaders focus on?
We have what we call the new Information Technology Risk Assessment Program, and my folks actually do a risk assessment of all the proposed apps that users want, whether they're business or IT. We do work with our third-party risk office to ascertain what the current security controls of the application may be, whether it's a SaaS application or off-the-shelf, everything as large as, say, Microsoft Office 365 down to a specific app. And then we actually break it down to say, based on our security controls catalog, what security controls would be applied to that, what are some of the restrictions that would be put on the use of that app or the integration of that application. It’s really hard to separate the internal and external policies, so there’s a huge amount of interplay between the external and internal world.
And then we also do a lot of training. The two things I think that are very important for a security program are awareness and training, so people don't think you're making this up as you go along and so that they're invested in the security program. It sounds cliché, but if you're relying on a few security folks to keep the entire company secure, you're most likely going to fail. You need buy-in from the entire workforce, to include the board and the senior management — it's got to be part of that organic culture of the company to stay as safe as possible.
And we do a lot of testing. We have a lot of areas of security testing, whether it's phishing simulation testing, whether it's red team and blue team testing of our controls and our environment. I'm a big believer of empirical testing to get data to actually identify where you may have knowledge gaps of your users, as well as technology gaps within the systems and applications that you're using.
How can cyber leaders work with corporate peers to win buy-in from c-suites and boards of directors?
We have very strong support from our board of directors. I'm part of the c-suite, which is a little bit different from some companies. I don’t work for the CIO; I report directly to the CEO, and so we have a seat at the table. And then we have a technology committee of the board of directors. By charter, I directly report to the technology committee so I can give what they call unvarnished assessments of the security program directly to the board. So there's a lot of visibility into security. As a systemically important financial market utility (SIFMU), security is an important factor in our operations. So the battle of making security at OCC important is over and we’ve won, sort of. I think that’s paid a huge amount of dividends for us because we are integrated into the decision-making process.
What kinds of non-technology training do security leaders need to be successful in large and/or global enterprises?
We participate in a lot of financial sector trade groups — FSARC, FS-ISAC — and other groups where we participate in both security and non-security related activities directly, which gives us more insight on what's going on in the financial sector. The other part is as simple as having the head of our business unit come in. Most of my folks are cyber folks, and having them learn how options are traded and understand what an option is — going down to that basic level. We bring our legal folks in for my folks to understand what the regulatory environment is, so they understand how the regulations apply to us. I think that's important.
Why did you join Cybersecurity Collaborative?
I've been in cybersecurity for 42 years. I look for various groups where you don't have to spend a huge amount of input to get relevant output. And the Cybersecurity Collaborative is one of those organizations where you can ask very pointed questions at a relatively deep technical level, and you can get decent answers in response and in a relatively short period of time. So I think the breadth and the scope of the folks that are involved in the Cybersecurity Collaborative has really been impressive.
What is most valuable about your membership with the Cybersecurity Collaborative?
We [Cybersecurity Collaborative members] all have some individual nuances in our programs, but there's a vast majority of it that's very similar. Most of us deal with regulators. We all have cyber adversaries that are trying to exploit us. We all have insider threat issues. So there's a lot of commonality across the space. The collaborative allows us to explore better approaches and novel ideas. I think it's a good exchange of what works and what you know and how to move the program forward collectively, so we raise all the boats, so to speak.