Paul Mocarski, Vice President and Chief Information Security Officer, Sammons Financial Group Member Companies
Some people have successful careers in the military. Others make their decades-long career in the civilian world. Paul Mocarski has both. He is simultaneously the vice president and CISO at the Sammons Financial Group Member Companies as well as a US Army colonel and the Regimental Commander of the Regional Training Institute of the Ohio Army National Guard.
Mocarski’s dual-career path started when he was pursuing his bachelor’s degree in mathematics in the late 1980s. He had several friends who were members of the Ohio National Guard. “They seemed to enjoy what they were doing, and I ended up enlisting as a combat engineer,” says Mocarski. “I went off to basic training, then advanced training, and I came back to the Ohio National Guard. I continued in the Guard as I went to college.”
A college degree and an Army commission
Mocarski originally planned on going through the ROTC program at Cleveland State University, but it didn’t align with the courses he needed to take to complete his college degree. “I figured I would just finish out my time enlisted, but then I was offered an opportunity to go to Officer Candidate School at the Ohio Military Academy. I did that while I finished my last undergraduate year in college,” says Mocarski. “In June 1990, I graduated with a bachelor’s degree in mathematics and I was also commissioned as a second lieutenant in the Army National Guard.”
He had planned to work at NASA’s Lewis Research Center in Cleveland, but jobs were tight in 1990. Instead, Mocarski took a job in construction, and then went back to college to do graduate work in physics. Not one to sit still, he started working at a small insurance company while pursuing his master’s degree. “I worked in the basement of that insurance company doing computer operations, which largely meant loading printers with paper and tape drives with tapes. That was my introduction to working in IT. I was killing it at $6.12 an hour back then,” recalls Mocarski.
Looking back, Mocarski says he ended up being very successful in that job. “I had increasing responsibilities within the organization, and before I left there I was an AS/400 system administrator and the network administrator for the Novell networks. That’s where I got my start in information security, because one of my assigned responsibilities was to be the security officer for all systems.”
He eventually left the insurance company and had short stints with other large organizations in the Cleveland area before getting on with Sherwin-Williams, where he worked for 18 years.
From jack of all trades to leading the InfoSec department
“I did a lot of different things at Sherwin-Williams, from system administration to different management roles. I managed the disaster recovery program, as well as the Internet engineering team, which had a big PCI compliance requirement. I built teams around software quality assurance and software change management. The big factor for driving those teams was SOX compliance. With our ERP system, we had to validate that it was available after we put our software changes in place, and also that we controlled the changes and were able to track and audit them,” says Mocarski. He eventually ended up leading the information security department at Sherwin-Williams.
Wanting new challenges, Mocarski accepted a position with Valspar. He moved his family from Cleveland to Minneapolis for the job. That was November of 2015. Four months later, it was announced that Sherwin-Williams was acquiring Valspar. “From my perspective, that wasn’t part of my career plan,” says Mocarski. He stayed with Valspar until the acquisition was finalized, and then moved on to his current position with Sammons Financial Group Member Companies, where he is vice president and CISO.
“When I look at the responsibilities that I’ve had on the civilian side, just about every role has had a very strong security component,” says Mocarski. “Even at Sherwin-Williams when I wasn’t on the security team, I was managing the disaster recovery program, which is one of the pillars of information security. I was involved in the software change management and helped develop the PCI compliance program.”
He made a very fortuitous decision in the 2001 time frame. “I decided that, long-term, I wanted to end my career in the security area. It took a number of years to actually get onto the security team but it was a very deliberate plan on my part to get my CISSP, to have the right credentials, and to move into a senior leadership role in security. I’ll say I was a little bit of a visionary and a little bit lucky to have chosen security as a career back then. It was something that I enjoyed and I was passionate about and I thought there was a big future for it, so everything just aligned really well.”
An enduring Army career
At the same time that he was progressing in his civilian career, Mocarski was going through the US Army War College as part of his military duty.
“I have completed 30 years of service to the Army,” Mocarski is proud to say. “I am commanding the Regional Training Institute in Ohio, which is the evolution of the Ohio Military Academy where I went to Officer Candidate School. So, at the end of my career, I am back where I got my start.”
In his military career, Mocarski has done three missions, two of which sent him to Iraq. “Throughout my military career, I did a lot of things associated with security—information security programs, physical security programs, force protection. In 2005, I was the Anti-Terrorism Vulnerability Assessment Team Chief for the 4th Infantry Division in Baghdad. It was a busy year for anti-terrorism vulnerability assessments.”
Mocarski draws parallels between his civilian work and his military work. “When you look at an anti-terrorism vulnerability assessment, it’s very similar to an information security vulnerability assessment. It’s just that the tools are different,” he says. “We’re looking at vulnerabilities in the perimeters of our bases. Do we have appropriate procedures and the appropriate controls? So, as you are identifying these things, the processes to report on, mitigate, and correct are very similar. Where is the gap? How do we fix it? Who is responsible? What funding is required? From a process standpoint, it’s very similar.”
“I really draw on the training and experience from the military to benefit me on the civilian side,” says Mocarski. “My wife used to think of me as an IT professional who happens to be in the service. Now she sees me more as a soldier who happens to work in cybersecurity. I never thought of it that way, but when she said it, it made sense to me. I have gotten so many great things out of my service and that’s one of the reasons I’m still doing it now, because I think I can still contribute and give back to the programs that have given me so much.”
In the “us versus them” world of cyber incidents, we need to collaborate
He has a philosophy on information sharing. “I used to see sharing as a bad thing and I thought that I would be at an advantage by keeping information to myself. Now I have more of an ‘us versus them’ perspective, so the ‘us’ is us in the United States and all the US-based businesses. Really, if you look at a lot of today’s threats, they are nation-states and foreign cybercriminals. Certainly, we have our own criminal activity in the United States but foreigners pose quite a significant threat. Small organizations can’t really compete against nation-states. We all have common enemies out there and the best way we can be effective is if we partner and share our information. I’m a big supporter of collaboration,” says Mocarski.
He and his wife have three sons, ranging in age from 16 to 28. “My oldest son is in the Navy, stationed at Great Lakes Naval Base near Chicago. He’s an instructor in their gunner’s mate school and he’s going to college to get a degree in cybersecurity.” If the son is even half as ambitious as his father, he’ll do well in life.