The CIO of TravelClick, Joe Eng, and the company's CISO, Ken Hehl, sat down with Steve Rovniak from Heller Search to discuss how they have expanded cybersecurity beyond just technical controls and into the realm of organizational behavior. Here is an edited transcript of the conversation.
Steve Rovniak: What does it mean to make cybersecurity a business priority?
Joe Eng: It means making security much more relevant, making sure it is understood and incorporated into everyone’s day-to-day work. Sometimes, cybersecurity can be viewed as strictly a technical subject. “It's for the IT team, or the security team.” Our approach has been to say, “yes, it's led by technology, but it's more pervasive and it’s relevant and critical to absolutely everyone.” That's the theme we've been going after.
Steve: What brought about this approach? Was it news of breaches at other large organizations?
Joe: I wouldn't say the security incidents at Equifax, Target, and so on were the catalyst. We are a technology business ourselves, so this has always been a pressing subject - how do we make security much more relevant, or pervasive to everyone, and not just viewed as a technical subject? We believe that all our employees - not just technology employees - are part of the security regimen and our defense situation.
Ken Hehl: If security is done well in an organization, it's one part technical controls, one part risk management, and one part organizational behavior.
If you go on a job website and look through information security job listings, you'd have to page through dozens and dozens of postings before you find a single one that mentions the softer skills of organizational change management or organizational behavior. Security today is so intensely focused on technical controls, but that produces security that is “bolted-on” instead of “built-in”.
Instead of relying mostly on external tools, penetration tests, and things like that to find the flaws in other people's work, why not engage with people at a different level and help them see where you're trying to go and give them the motivation to go along on that journey with you? That's really what we're trying to accomplish.
Steve: What did you have to do to bring everyone at TravelClick along on the cybersecurity journey?
Joe: You know, security can be this very complex, or esoteric, or even a fearful subject, just like technology can be. Any good technology leader or security leader must be able to communicate about it in terms that a non-technical person can understand. And I think that's what Ken has done.
In one sense we've treated security as a product, and we've marketed it. Rather than treat it as a secret, stealth subject, we’ve tried to do the opposite and make it much more understandable and explain it, explain it often, and in different ways. That way everyone can understand it and identify with it instead of thinking, “security is something that our CISO Ken Hehl and these other people do.”
Steve: Can you give some specific examples of how you marketed the idea of security to everyone?
Ken: First of all, there's no single modality that you can rely on. People need to hear the important messages coming from all different directions, via different modes of communication, over and over again. It should be a constant drum beat.
One of the things that we do is offer security training on a monthly basis instead of once a year. The problem with annual training was that people would only think about security once a year. So, we moved to a monthly training program broken down into 12 parts, and I send out a message each month that puts it in human terms.
A good example of that messaging is that recently we had someone try to come after TravelClick employees - not the company, but our employees - in a phishing attack in which they tried to steal their email credentials, log into their email account, and then trigger a "forgot my password" at the provider for our paychecks. We chose to use that example in a message to our employees. There was a little bit of debate first about whether we wanted to scare employees or not, but we wanted them to understand that when we ask them to take steps to be cautious, it's not just because we have a self-interest in terms of the company, but we have their personal interests at heart as well.
Joe: Right. If not for the sake of protecting TravelClick, protect yourself! Forget about the company. Protect yourself.
Steve: What are some initial steps you would recommend to other CISOs and CIOs interested in taking this approach?
Ken: When I arrived at TravelClick, I knew where Joe stood on security from having worked with him previously. But I said to him, "we're going to need to increase the staff." We needed to add some additional staff to allow us to spend more time on the non-technical aspects. That's the first thing that any team should be looking at. Do they have the capacity to redirect some of the focus from the technical aspects of security over to the organizational behavior side of it?
I would also recommend setting up an information security governance board. Our security governance board included multiple functional and product leaders. At the first meeting I remember them asking, "why am I here? Why am I in this conversation with you guys about security?" But it honestly didn't take very long for them to see that they're part of the solution.
Joe: Ken has helped our product leaders better understand that security is a key part of the value proposition for our offering. We have products that rely on assurance to our customers that we are protecting their data, and that we're good stewards of that data. Security is part of the feature functionality that we explain to our customers.
Steve: As you know, the talent market is tight in application development and in security, so how have you attracted and retained top talent?
Ken: Fortunately for us, our security team is based in Orlando, just down the road from the University of Central Florida. When you hear that name, it probably doesn't ring for any notoriety in particular. However, UCF has one of the best cybersecurity programs in the country. There is a national competition in cyber defense, the Super Bowl of cybersecurity. It probably doesn't make it on CNN, but the UCF team has won it three out of the past five years.
That is a tremendous program that we've been able to leverage here at TravelClick. We bring members of their competitive team, their starting lineup, into our organization as interns. They'll work at other big-name companies like Facebook and Amazon during the summers, but during the school year they work with us. That's been our primary recruiting avenue.
Steve: You’re quite fortunate.
Joe: Yes, we are. We have UCF and they have such a strong program. But anyone should try to affiliate with the local university or program. First, it's a good source for talent. Secondly, it's also access to a certain demographic. We're all experiencing a changing workforce, and we need to understand this younger demographic. They are very mobile literate, texting and social media-oriented. So, you could also say that we're trying to make sure we have a better feel for this generation, how they think, work and interact.
Steve: What would you point to as the biggest success factors with how far you've been able to come with cybersecurity?
Ken: I think one of the key success factors is really shifting accountability for security from the CISO, CIO, and CEO, to the broader leadership organization. We're asking functional leaders and business unit leaders to own security for their organizations. Before, the mindset was, "you are IT, so you own security. Tell me, the business or functional leader, what I need to do." And we're shifting that to, "no, you own security as the business unit or functional leader. How can we, the CISO or CIO, help you?"
For example, we want our HR leader to be able to attest that she is following the documented procedures for how they protect employee or personnel information at TravelClick. When you have to put your name on the line and say, "this is how I do it and how my organization does it," soon you stop thinking that security owns this, and you realize, "no, it's my ownership. It's my name. It's my reputation. I'm accountable."
Joe: It's a combination of using carrots and sticks. The leaders have to understand that there's ownership and accountability as part of their performance evaluation, and to demonstrate command of their operations. No one wants to get embarrassed that they were the ones that let something malicious through, or they were the last one to finish the training module for that month, right?
I've even done this with Larry Kutscher, our CEO. "Hey, Larry, I can see you didn't do the training yet. It's getting near the end." Everyone's busy, so you have to do that. That’s the stick.
On the carrot side, we recognize people who are doing a great job with security. For example, a group that improved from X percent to Y percent on not falling for the phishing test. We recognize and praise people when they have reported a security issue – when they have demonstrated that kind of cultural ownership and brought something to our attention as opposed to just deleting it.
Ken: There is an opportunity for us to build in incentives that motivate people to be more secure. In the future I would like to see, for example, people receiving security bonuses based on hitting certain KPIs. Doing that, you're keeping security top of mind and you're providing positive incentives for people to perform well - the carrot, which Joe spoke of.
Steve: What would be the KPIs?
Joe: Because we are a technology company that produces a technical product, we have KPIs geared toward security developer training and security design principles.
Steve: What will you be tackling next on security?
Ken: I think sometimes we don't give a good evaluation of risk. If we're going to ask product teams to build in security, they've got to understand, “how valuable is this?” They can usually rank things for how much more revenue will be generated, but it's much more difficult to rank something for how much cost this will avoid when we don't have a security incident.
We have to figure out how to put that number together more like an actuarial science. Today it is more like scare tactics. So, that's something that I would say still lies ahead - figuring out how to do that more effectively.
Steve: Thank you both!
Joe Eng is the Chief Information Officer and Ken Hehl is the Chief Information Security Officer at TravelClick, a company that offers hotels world-class reservation solutions, business intelligence products, and comprehensive media and marketing solutions.