Keeping Information Security at the Heart of IT Strategy
MODERATOR
Steve Heston
Steve Heston is a career “growth guy,” having led companies and divisions of companies large and small, private and public to grow revenue, profits, market share and operating efficiencies. In his role as a Solutions Consultant for HBS, he works to help a select group of Clients grow by establishing and executing Information Security and IT strategies and solutions. With experience across multiple industries ranging from consumer packaged goods to broadcasting to banking technology, Steve is a “Why First” leader who helps clients challenge the status quo as a means of creating positive impact on their businesses and the teams they employ.
PANELIST
Marty DeDecker - Chief Information Security Officer and Director of IT Operations and Services - Ruan Transportation
Native of Central Iowa. Graduate of Iowa State University in Computer Science and Computer Engineering. 35 years in the IT Industry delivering all aspects of IT services, including application development, enterprise infrastructure services, data center management, security administration and enterprise security program management, and overall IT Services Management following the ITSM guidelines. Currently the Chief Information Security Officer at Ruan Transportation overseeing our IT Security Program and our IT Infrastructure Services.
PANELIST
David Orr - Director, Information Security – Intoxalock
With an extensive 32-year background in Information Technology primarily focused on Infrastructure, David has transitioned to Information Security, where he is able to leverage his profound insights to help fortify his organization's digital landscape against evolving threats.
PANELIST
Todd McCombs - IT Operations Manager - Growers Edge
Todd has a BA in Marketing Management from the University of Northern Iowa, an MBA from Drake University, and is certified in ITIL Foundations and as a Lean/Six Sigma Green Belt. He has 25+ years of experience in Information Technology, including holding various senior leadership positions for 20+ years. He has a strong passion for building and leading organizations to deliver innovative solutions to meet customer needs and has been blessed to do this in leadership roles in service management, service delivery, IT support, end-user training, infrastructure management, product management, portfolio management, project management, application development, and business relationship management. Much of his career was with DuPont Pioneer and DuPont. He has also built and run his own consulting company, led IT for a non-profit organization, and currently works at Growers Edge Financial, Inc., a local Ag Fintech startup organization, as the IT Operations Manager, leading IT security, infrastructure, and support. From an information security perspective, Todd has led SOX compliance efforts for an ERP software system within a $5B business and SOC2 compliance efforts across the company for Growers Edge Financial, Inc.
Panel discussion has been edited for length and clarity.
Steve: The theme of this panel is keeping information security at the center of corporate strategy, but maybe dive a little bit into IT strategy as part of that bigger ecosystem.
Todd: I would say that information is critical to most, if not all, businesses — Growers Edge is no exception. In a company like ours, a financial services company, information is core to our business. It's actually the backbone of all of our products and services. As we started to morph into that type of a company a few years ago, it quickly became evident that we needed to beef up information security. Our board of directors, customers, senior leadership, and even prospects demanded that we do what we can to keep our information secure, as well as the information of our customers. We as an information security team work across the entirety of our company. We work with all of our different teams as well as our leaders to make sure they understand what our information security policies and procedures are, and we also make sure that they're involved in setting those policies and helping mitigate any gaps if we have them. As we roll out products to our customers, a lot of times they're asking, “What are you doing?” We'll touch on some of our security compliance a little later, but we've become SOC 2 compliant in the last few years — that is a big help when you're talking to some of these potential customers.
David: So for us, it's a little bit more of a struggle. And part of that struggle is the fact that we're in high growth mode. When I started with the company years ago, we were roughly 300 employees. We're now pushing 1,200 if you include contractors. So, we're moving very quickly, and we're taking on new ventures on a daily basis. And so trying to keep information security at the forefront of what we're working on, and trying to keep it in front of our executives' eyes, is sometimes difficult, because you have this speed of delivery while also trying to wrap the controls around it to keep everything in place and moving forward. Earlier this year, we did a large roundtable event where we had more than 45 executives participating. It was interesting just trying to emphasize security to them. Trying to keep it in everybody's eyes through training, through the different things that can happen, and working through events as they take place, that is how we try and keep everybody focused on it.
And acquisitions throw a huge wrinkle into things as we try and move forward. There have been times during an acquisition where we've said that there is going to be no involvement from a technology perspective, and then two seconds after the paperwork is signed, we're intertwined very heavily trying to get things working. But also working with new personalities, new technologies, new things that are out there and trying to roll them into the fold. It's a challenge. It's a challenge on a daily basis to keep everybody on the same page and trying to move forward.
Marty: Well, we're fortunate, I would say, because of our long duration as a company. Our founder had a very keen sense for safety. And safety has been a very key part of our culture for many, many years. Ruan invented the Megasafe program back in the 1970s; they realized that safe driving, accident-free driving, with no damage to your freight was really a huge advantage to the bottom line. Safety has permeated our culture for a long time, and I've been able to piggyback on that and even use that safety culture as an analogy — Ruan doesn’t send out trucks without brakes or good tires, so we shouldn't be sending out our people or our data without the proper security surrounding them.
The other big thing for us, and something that I didn't initially realize as I was getting into the transportation industry, is that data is absolutely critical. Our customers need a lot of data from us, and we've all seen it every day: we all buy from Amazon, and you want to track your package and know exactly where it is at all times. Well, so do all the people that are shipping stuff to Amazon and other places. Data is really driving our company and our growth, and security around that data is not only being demanded internally, but also by our customers. They're sharing that data, and they want to know what we're doing to secure it.
Steve: Let's touch on each of your perspectives on third-party risk management.
Marty: I would say for Ruan, it's evolving and growing. When I got to Ruan, we couldn't even name or list all our vendors and partners. Just knowing them all, and what Ruan's relationship is with each of them, is something we've continued to grow. For key strategic ones, obviously, we put more emphasis there. And then there are a lot of smaller ones, like who you buy toilet paper from, right? Maybe that's not too important, but for a lot of our key suppliers of fuel and equipment and similar, we have ratcheted up supplier management, looking up and down those third parties to make sure everything's safe and secure and then paying attention to what's happening with them. We have had some issues from some of our suppliers, or people that we transact with daily, that have caused us to pull back, take a more secure stance, and wait until they resolved their issues before resuming connectivity. It is growing a lot more. I would say that in five years we will have a very mature vendor management program; today it is in its infancy, but growing.
David: As we continue to acquire companies, I mentioned we're roughly 1,200 employees that we're dealing with. In reality, 750 or so of those are FTE for the company, and the rest are contractors. And those are the vendors that we are having to work with and make sure that they're safe. Just in the last month, I've had to pull one vendor completely off our network because of an incident that took place on their network, trying to isolate it from impacting us. Attempting to stay on top of that is extremely difficult. We're also in the infancy of the program of rolling out vendor management. It will continue to grow, and it will ably grow at a more rapid pace for us because we also have the data privacy and everything else that rolls into it. We are dealing with tons of personal data for individuals that range anywhere from name, address, and location, to even geolocations. It's important that we isolate all that.
Todd: I would say that for us, it is also continuing to grow and evolve. There are a number of different vendors out there that provide a lot of services. Some are one-stop shops, they do everything, but I think what we see, and I think a lot of companies see now, is there are a lot of niche vendors out there. As you come across a new technology need or some new service, and your company doesn't have that ability or that capability, you go find someone that does, and it doesn’t take very long before all of a sudden you have several different vendors that are providing many different services or software, and you've got to figure out how to manage all of that and make sure it all works together and in a secure way.
Steve: As strategies shift, how do you, through the course of a budget year, keep information security in the conversation?
David: It starts with a lot of begging and pleading, and ends with a lot of screaming and yelling sometimes. Not quite that bad, but again, as we continue to push and we move forward, that growth is important to us as an organization. There's a very fine line between trying to stem growth and trying to put in the secure methods we have. We're a company that, in any given month, can roll out 20 different ideas to see if one will stick. So, trying to be on top of that, trying to keep the focus with everybody, trying to control a new vendor that I know very little about is a constant challenge. Then as we look at the budget and everything else, it just compounds; at the end of the day it becomes a trade with the organization. As we look at securing our information, what do we have to trade with the other entities within the organization? And then building those partnerships with everybody so they keep us in mind and work with us as we move forward.
Todd: For us, I think performing regular risk assessments across the company has really helped us keep information security at the center. We work with our leadership team as well as teams across the company to go through and look at the processes and procedures that they have to ensure that, for one, they're meeting our current guidelines, but also working with those teams to update those policies and procedures where it makes sense to do so. If we see gaps, we work with them to help mitigate those gaps. We are not over here on an island being the information security team saying, “This is how you have to do it.” We partner with them to make sure that we are not only protecting our company information, but we're protecting the customer information, because that is really critical when you're talking to customers or even potential customers.
Marty: I'd say that what drives keeping security at the top for Ruan is sales. Our executive team asked me, “Why does security matter?” And I responded, “Because it will lead to other sales.” We were seeing more and more prospects asking us questions about our cybersecurity program. Do we have business continuity? Do we test? Have we had breaches? So as those questions were coming through from the sales team, the operations guys didn't really know anything about it. I was able to say, “This can be a competitive advantage, or at a minimum just staying in the game.”
Steve: If you were the authority, the end-all, be-all, and you could send the folks in this room out of here with one cornerstone that you would want to make sure that any company had in place, what would that be?
Marty: I think the key term is partnership. In the days of the past, you think of the glass house and the data center — IT could dictate how many bars had to be on that window and how secure it was, and how long your passwords had to be. But in today's world, you need to partner with the different entities of the business on their needs, how can IT help them succeed with security? What things are in their way? How can we help them move forward? And when they start seeing what security can do for them, it opens up a lot of doors. Don't be afraid to ask for feedback — we've received some very interesting feedback from our driver community on how they logged in and used passwords as they started to use more systems, and that kind of came out of left field. We didn't even realize there was a problem. Our scenario was that our drivers are required to do training every quarter, and our password expired every 90 days. So, every time most of the drivers logged in to use some of the corporate systems, they were pinned down with a password expiration notice, and most of the time, because many of the drivers log in often enough, they were having to go through the password reset process. We ended up partnering with our operations team and decided to change our password expiration length for our drivers, making our password requirements longer and stronger while providing more value to our drivers.
David: I agree with the importance of partnerships with everybody in your organization, but I would also extend that to your incident response plans. If you end up in an incident, chaos ensues, so create a checklist, and move down that checklist. You're not going to have everything on it, leave it in an outline format so you can continue to expand on it, but create a framework so that the day that an event does happen, you can pull that incident response plan out, look at it, and you can move down item by item. From a personal standpoint, as a leader within the organization, make sure data is flowing through you, and that you have whatever control you can around that data, so you are able to rally the troops and keep everybody moving down the same path — and then take five minutes for yourself, freak out, do whatever you need to do and then come back into the room, calm and collected, and try and pull everybody along with what needs to happen and try and rein in the chaos the best that you can.
Todd: I'll jump on this partnership train. For me, I think it's partnering with your senior leadership, ensuring you've got their involvement, their buy-in, and their support for your information security plan, policies, and procedures. Get some of those senior leaders involved in creating and updating those plans, implementing those, and also, as we have talked about already, if you're doing risk assessments and there are gaps, have the leadership team be a part of those discussions on how you're going to mitigate those gaps. That will make you a stronger organization, and it will definitely make implementing those policies and procedures much easier.
Steve: And we'll throw in one from an HBS perspective. If you have not had a risk assessment, make sure that you have a risk assessment. It's the foundation upon which you and these gentlemen build the rest of your operation.
Steve: Let's look ahead 18 months — what do you believe the biggest change in your day-to-day job will be?
Marty: I think ensuring we stay ahead of things like artificial intelligence, and how we can leverage it for our success, will give all of us a lot of technical challenges in how we bring that in and harness the value of it instead of trying to block it out. Technical complexity, I think, will change and continue to challenge us, and I look forward to that. As an IT practitioner over the years, the changes have been wonderful with all the different things we've been able to embrace and accomplish. I look forward to trying to find ways we can harness that, harness it securely, and find success for our business.
David: I think 18 months from now, things will look better for us from a landscape perspective. We'll have better vendor management controls in place. We'll continue to leverage HBS, and leverage HBS even more. We use HBS as our SOC team, so from a technology standpoint, they're on top. We've talked about phishing emails — when an executive clicks on a phishing link, 20 seconds later I'm getting a phone call from HBS telling me that a link was clicked and then we can resolve it in nearly real-time as those things are happening.
Todd: I would agree with what both of these guys are saying. I think staying ahead of that technology curve is going to be crucial as the curve keeps coming faster. Everything we can do to drive information security deeper into our organization, helping people understand why we're doing this, what we are doing, what our policies are, but also, as we're working with our customers and potential customers, coming up with new products and services, we've got to keep information security core to those relationships, so that we're protecting their information as well as our information. If companies are looking to invest in you and you can't prove that you're secure, they're simply not going to invest in you.
The collective wisdom Marty, David, and Todd shared underscores a critical message: information security isn't peripheral — it's central to corporate strategy. Their experiences highlight the necessity of adaptable security postures that resonate with corporate culture and customer expectations. Whether you're steering through the challenges of rapid growth like Intoxalock, ensuring the safety and integrity of vast transportation networks like Ruan, or securing sensitive agricultural financial data like Growers Edge, the principles remain — vigilance, adaptability, and deep integration of security protocols into business processes. For any organization, these insights are not just valuable; they are essential.
It is clear that the journey toward robust information security is multifaceted, demanding ongoing efforts, evolution, and buy-in from everyone in an organization. For expert guidance tailored to your company's unique challenges, contact HBS today. Our specialists in information security are ready to assist, providing the strategies and support your organization needs to safeguard some of its most valuable assets.