“The truly alive Security program is dynamic and it’s not static.”
Mark Robnett, CIO Justice Federal Credit Union is a rising star in the Credit Union industry and I asked him to detail for you in this episode how he put together his IT Security presentation to his board regarding his IT security, strategy, and tactics.
I have found that Justice FCU is about 1-2 years ahead of Credit Unions of its size. I would put them on par with firms many times its size. Mark also has the added pressure of having very smart and technically savvy board. There is no hiding behind jargon and complexity with them because the board is comprised of FBI and Justice Department. What a challenge!
Here is what you will learn from this episode
- How Mark compares financial risk and IT Security risk…
- How to avoid boardroom flare-ups..
- How to build inside advocates…
- How to use virtualization techniques to avoid complexity traps
- How to communicate with transparency without being seen as weak.
- Learn how to separate Compliance and Real IT Security
- Learn how to discuss Data Governance and IT Security Risk as a part of strategy.
Point number 6 is a big deal because this is a big problem with IT leaders communicating to the CEO/Board that passing an Audit/Compliance Audit doesn’t mean you are secure. Compliance and Real IT Security are two different things and starting to have these discussions at a high level is very important.
I would say one of the big wins that Mark achieved, and CIOs have to mimic moving forward, is showing the board what this means.
- How to build internal support well in advance of the presentation
- How to handle non-sequitur media fear
- How to avoid ping pong ball discussions in
- How to use appropriate humor to ease tension
- Bonus – 5 Presentation tips that you can read in the show notes below at 28:24
One of my favorite quotes from Mark is that “Once fear grips a board, this is not a good thing” In this interview Mark reviews both the tactics and strategy he employs to raise the communication bar about IT Security to a very efficient and effective level. I hope you enjoy.
- What does being a VP of IT at Justice Federal Credit Union entail? [03:50]
- Operate at a furious, rapid pace. Always trying to get to market with same products that bigger credit unions offer. [04:21]
- Credit Unions are audited by NCUA under Financial Services umbrella and have to meet stringent disaster recovery and security requirements on a limited budget. That seems like a challenge. [04:54]
- Leveraging specific internal knowledge and vendor knowledge comes in handy. [05:15]
- Board Meeting had wanted comprehensive review of IT Security – what precipitated such an enquiry from the Board [05:56]
- 2014 is called the Year of the Intrusion. Pretty educated Board – they read everything. Increased awareness from media [06:30]
- It reached fever pitch and they asked for a presentation on IT security and how it affects Justice FCU [06:56]
- Walk through what you are doing – mapping out where we are, where to go and how to get there. Running through internal staff and reaching out to trusted vendors was the first step. [08:25]
- Then put it in a package that was easily digested and understood even if the technology was foreign to them [08:44]
- Can look for products that fit our unique mold and our assets. – on-board them prior to the presentation [09:25]
- Cost effective APT and Malware program in place. Talked about strategy but got into details as well. [09:55] * RedZone Technologies was invited in to assist – and important to understand that IT departments need help.[10:44]
- What do we do when something happens – talking about insurance and place bets with Insurance carriers. Talk about whether we have the proper coverages [11:12]
- Board wants to know you are looking at all angles – Boards want to know you are looking at this specifically as this is in flux at the moment [11:32]
- Do table top exercises with disaster recovery vendor. [12:10]
- CIO has to rely on leadership for flare-ups. To understand flare-ups you had to craft the presentation to deal with flare-ups. Currently nothing done in the Cloud but making sure they understand what the Cloud means, and getting them comfortable with technology – not using a lot of jargon is important. Explain what utilizing systems in the Cloud is, so they Board knows what to expect prior to the stage of getting there. [14:20]
- Get ahead of fears like Target and Home Depot – make sure you cover what you think the bad guys look like. And where are they from. [15:34]
- Most of them don’t know that the intrusions were right here in the US!! [15:47]
- Define success in a presentation is leaving them wanting to know more. This is the world we live in now. [16:42]
- Giving the board the feeling that the CIO looked at all bases – and gave them peace of mind that he had looked at all aspects is crucial [17:14]
- We are protected with multiple technologies but raise awareness of IT activities, who the players were and understanding the playing fields is important [18:13]
- Risk based approach to managing members being applied to the IT organization. Financial institution is managing risk every day and that’s the same in IT. [19:36]
- Using a visual chart with the Scoreboard Tool was a very clever way of showing risk. Step through layers of security – but step through layers of security quickly and give them an understand of where we are and why we are where we are but play to aspect of living in reality – taking appropriate steps through multiple vectors [20:55]
- We have to be compliant and follow directions of regulators. Being diligent is one component and the second part is following vendors and using their knowledge. Using tools from Alert Logic is completely different from the tools we would use from Redzone Technologies. The truly alive Security program is dynamic and it’s not static. We are evolving as threats evolve, and we are educating ourselves and seeking knowledge from our vendors and that’s the way forward. [22:25]
- We are doing the right things daily – then the audits will never be a problem. We can keep our eyes on the horizon and see what’s coming. We are moving from a defensive model to an offensive one. [23:07]
- Real security means you are conscious of the threats and not just defensive [23:22]
- Fear is infectious and once it grips a Board is not good. To combat that – try to stay educated. [24:31]
- In doing a good presentation I recommend:
- Adding some levity and humor.
- Think through your process and the goals that you want to achieve.Don’t be afraid of what’s going on today. (current news)
- Be aware of ping pong ball conversations that can go on – diffuse that prior to the Board presentation. Go to individual Board members prior to the meeting so their concerns are raised. Do your homework and research so all the points of surprise is limited and strategy is addressed. Know your playing field, your boss and your team. (avoid the situation of the board member bringing up a topic that he read on the back of the plane seat.)
- Leave them wanting more. [28:24]
- Mentors/ customers are important, through work and everyday life. Always evolve and better yourself and learn. They have valuable knowledge to impart if you want to listen [32:12]
- Contact details to reach Mark [34:30]
Love this episode? Leave a Review
If you haven’t already, please make sure you leave us a review on iTunes.
About Bill Murphy
Bill Murphy is a world-renowned IT Security Expert dedicated to your success as an IT business leader.
Connect With Us On Social Media
Join The CIO Innovation Mastermind Community
We invite the top 20% of Business IT Leaders for my CIO Innovation Mastermind Events group to participate in monthly discussions on things like VR, AI, and other disruptive & emerging technologies. If you want to become a member, email Chief of Staff, Jamie Luber Jluber@redzonetech.net for more information.