Security is embedded in IT departments in the vast majority of shops. I think that’s a last-generation way of thinking, because security and IT have different goals.

The technology department’s goal is to enable the business, to support the business, to manage its operations, and develop good operational outcomes for the sake of the business.

Security’s responsibility is different. Security’s focus is on protecting the business and being proactive about doing so. It’s about supporting the culture. Information technology is not focused as much on people. IT’s focus is on process and technology.

For us, the company’s technology is what it is. We almost don’t care. It’s our job to provide the protection, regardless of what technology is there. We don’t expect to have a lot of say in what technology the company uses, because that’s not our area of concern. We protect whatever is brought in the house.

So when the security department is embedded in an IT department, you end up with a security department that’s focused on technology. You end up with a security department that’s focused on the guts and the infrastructure, and not as focused on the individual, the workstyle of individuals, the interactivity of products with customers, and the usage of technology by employees. You don’t pay attention to things like that. You don’t pay attention to the culture of the business and whether or not it supports a secure environment.

This can create the confusion and lack of focus that gets you massive breaches, like the ones we’ve seen in organizations that have traditional layouts where security is seen as a branch of technology.

Every CEO should have a CISO or CSO reporting to them because when a major blowout occurs, it’s the CEO who will have to take the brunt of the blame. It’s ill-fated for a CEO to go into a situation like that unprepared. That’s why CEOs need to have that direct contact with their person in charge of security.   

At Customers Bank, my boss saw that vision, and that’s the reason I report to the chairman of our holding company and to the board. They understand the risks that we go through on a routine basis, and they understand our processes and our procedures. I train them regularly to make sure they’re prepared and if something does happen, they know what things we put in place to lessen the impact and protect the company.

I think every company needs to focus that way, because the risk to their business is that great. Alignment is everything. Businesses that are poorly aligned always suffer for it.

When I started at the bank, everyone thought I was a tech guy, and I had to impress upon them that I’m a people guy, and a business guy with a tech background. It’s a completely different way of looking at things.

To be honest, the cyber industry includes CIOs and CSOs and CISOs who do not know how to bridge the gap, who cannot have the business conversation, who are not risk-driven. They’re not people-driven. And that’s unfortunate. We’ve got to evolve the culture around our industry if we’re going to improve some of these things.

Management has to play a part in this, too. I think companies need to start promoting people who can support those facets of their business and who completely understand those concepts. It’s critical for a security person to be risk-focused and business-aware. 

I’ve spent two of the nearly five years I’ve been with Customer Bank learning about banking. Even though I’m a security guy, you can ask me how interest rates work and how net income margins work. I can talk to you about banking because it’s my job to learn it.

You need to take the time to learn your industry inside and out so you can have an impact on the culture of the business. It is the only way that you can make business-related decisions and move outside of the technology.