Innovation is key to staying ahead of the curve on cybersecurity, and at Wintrust Financial, Chief Security Officer Jack Burback has established innovation teams to create new resources and develop subject matter expertise.
“We take volunteers from each of my teams, representing fraud, access management, information security, corporate security and the like, they look at all of the different threats and opportunities that we have, and then they create recommendations,” Burback said.
“They formulate a training curriculum, identify use cases and different technologies we should consider. One of our goals is to develop a subject matter expertise group within our team that can evaluate the space and provide recommendations on how we could move forward, as well as help support the business when it has questions.”
The first team was created around artificial intelligence, and another is considering the future of financial services.
“The team members, who meet virtually, really like it because it’s not part of their daily job, and they really get to think outside the box,” he said.
Burback started out in the industry doing information technology consulting, then joined HSBC to help build out its global security programs for incident management and third-party risk management.
At HSBC, he saw an excellent opportunity to strengthen his understanding of the financial industry.
“It was pretty obvious to me that most of my strengths were in the technology side of things, and that I really needed to expand my understanding of business to be a better leader and business partner,” he said. “So that’s why I went to get an executive MBA.
“These days, to be a successful CISO, you have to understand the business. If you’re strictly focusing on it from a technology or risk perspective, you’re going to miss a lot of the opportunities to support the business by reducing the risk as it moves into different areas or considerations.”
After several years at HSBC, Burback moved to security integrator Forsythe Technology, advising Fortune 1000 customers on building security programs. He then pivoted to the startup world, building Ionic Security’s services program from the ground up.
A former HSBC colleague brought him into Wintrust as his deputy CISO. He was appointed chief security officer nearly three years ago, with responsibility for information security, access management, fraud and physical security.
“Part of information security ties back to the physical controls around protecting information,” he said. “A large part of fraud is also tied to technology components. And so we decided as an organization to bring those together since there was quite a lot of intersection, and it’s worked quite well.”
Burback’s wide-ranging experience has given him “a unique opportunity to see both how the vendor side works, in addition to the corporate side, from a financial services perspective as well as professional services,” he said.
At Wintrust, Burback places an emphasis on bringing in good talent and developing the team. He offers a well-defined career path that includes getting team members the training and opportunities they seek to make an impact within the organization.
“If we’re able to continue to challenge them and bring them new opportunities, I think it goes a long way,” he said.
He has also developed a program to help recent college graduates get a foot in the door.
“You don’t have very many positions at all in the industry for entry level recent graduates. So we’re seeing individuals with master’s degrees in cybersecurity taking internships because they don’t have entry level positions available to them,” he said.
“We created a rotational program where we’re taking recent college grads full time for two years, and each six months they work in a different area of information security. This program makes them very well rounded, and they can take a position somewhere in the team when that opens up. It also gives them a better understanding of what they would like to do in the information security space, where there is such a broad array of jobs.”
Becoming well-rounded is his top advice to all new security practitioners.
“Don’t pigeonhole yourself in one area. You really need to understand the full scope of the information security space as a whole by leveraging opportunities to expand your role and ongoing training.
The other big piece is to understand your business, he said.
“Start to network within your organization with those who are not on the information security team to understand different departments, what’s important to them, and what makes the company successful as a business,” he said.
“That gives them some great visibility to why the business may push back or have concerns with certain controls, or how their requirements may change over time.”
Five years ago, Burback and a group of other CISOs founded a not-for-profit called ChiBrrCon, which mounts an annual conference in Chicago to help develop information security talent, and to provide networking and other opportunities for people trying to get into the business.
Outside of work, Burback, his wife and four children are very active, going boating and fishing and camping. He serves as assistant coach on his boys’ hockey team, and plays a lot of hockey himself, as goalie.
“There’s a direct parallel to my playing goalie,” he said. “It’s been pointed out many times that it correlates to my profession.”