To Michael Mangold, the CISO of rural lifestyle retailer Tractor Supply Company, located outside Nashville, Tennessee, the most important skills for a CISO are not only technical.
While his background includes technical qualifications and certifications, and the ability to evaluate new and emerging technologies and risks, Mangold also relies on his background and training in marketing and communications to effectively protect the assets at the retailer, which is responsible for over 1,600 stores in 49 states, with more than 26,000 employees.
He uses these marketing skills to evangelize the message of information security to other employees, to senior management, and to the Tractor Supply Board of Directors. A finalist for the Information Security Executive® in the Southeast of the year award, Mangold also uses his expertise to promote the message on the importance of a comprehensive information security and threat management process beyond Tractor Supply.
Mangold has been with Tractor Supply Company for more than five years. He began his information security career in Nashville at Healthways, a healthcare provider, starting first in the IT department. As with many CISOs, information security and data protection were added on as requirements for overall IT management. And like many other CISOs, Mangold found that he was drawn to security. He moved to Tractor Supply because of the opportunity to help build out their information security program.
“Tractor Supply was looking to hire their first leadership role within information security. I wasn’t really looking to leave healthcare or move to retail, but Tractor Supply had a very interesting model and growth story, and I really was attracted to the approach of the company’s executive leadership and the support overall that they provide their Team Members. And for me it’s all about the team. So, that’s when I made that move,” he said.
At Tractor Supply Company, Mangold has been able to develop a comprehensive information security program and build a top-notch team to support it. He’s expanded the information security team within the last five years from four people to 16 people.
“We’ve tried to transform the way the company thinks about security. Like many retail operations, information security was centered on regulatory compliance. The primary concern was ensuring that the company was compliant with PCI requirements, but true security requires much more than meeting these mandates. As a security executive, you have to understand the business strategy and align your security programs to meet that strategy,” he said.
When it comes to information security solutions, Mangold uses a combination of in-house and outsourced technologies and personnel. For example, he now runs a 24/7 security operations center, which shares responsibilities with a managed service provider as well as a dedicated in-house staff. “There is a shortage of security professionals in the industry which can make it difficult to find qualified people, those with specific training and experience in information security,” Mangold noted.
The same mixture of vendors, cloud providers and outside experts, combined with the trained and dedicated inside staff, represents Mangold’s approach to the other areas of information security as well. This includes security incident response, assessment services, and overall member services. “We have a core incident response team at Tractor Supply, and we involve all of the key stakeholders in our operational plan. We also conduct simulations, tabletop exercises, and other drills involving other parts of the business. And we have tie-ins to third party services for forensic investigations as well as local law enforcement response that we test at least once a year.”
As CISO, Mangold also emphasizes the importance of conducting comprehensive information security assessments. You can’t know where you are, particularly with respect to third parties, unless you conduct such an assessment.
When he began his job at Tractor Supply, the first thing he did was to engage an outside consultant to conduct a comprehensive review of the company’s information security posture, including where it stood with respect to information security standards, where it needed to be, and how to develop a road map to get from point A to point B. Since then, he has concentrated on integrating information security into the overall project management lifecycle. “What keeps me up at night,” Mangold noted, “are the things that I don’t know.” That’s why Mangold uses the skills he developed in marketing to develop clear lines of communication between all of the business units and information security. “I see our role as trying to facilitate the business while maintaining the utmost security. This is a partnership across all lines of business. I don’t want to be seen as a team of No,” Mangold remarked. “I would much rather be seen as a team of Yes.”
To accomplish this, he tries to be involved from the outset with all aspects across the business that could impact security. This includes ensuring, for example, that the CISO is consulted in the negotiation of contracts that relate to access to sensitive company data (including PCI data and sensitive consumer data developed for the company’s loyalty program) and third-party access to Tractor Supply’s networks and facilities, as well as its overall cloud and third-party strategy.
“We make sure that we’ve got gating points and that security is involved with new contract discussions with third parties, commodity selections and service selections, just so we can have a seat at the table and say, ‘Are there areas of concern, based on what the business initiatives are going to be?’ Then we can talk through whether there is a level of protection or if it is not a sensitive issue and there is not a lot of security required for that particular initiative. So really that gating process allows us to make those types of decisions.”
But, at the end of the day, no CISO will be successful without the backing of a strong Board of Directors and executive management team. And Mangold credits both for his current success. “The Board, our CEO and our CIO view security as a priority. They understand the risks that are out there. At Tractor Supply we have great support and the Board wants to hear about security every quarter as part of their updates.”
While once an avid weight trainer (lifting weights about six days a week) and a golfer, Mangold spends his days between protecting the assets of the giant retailer and his kids, a 12-year-old son and a 10-year-old daughter. That means long days and attending a lot of soccer practices and dance recitals. But he wouldn’t change a thing.