“If you’ve ever worked in technology, then you’ve heard the expression ‘people, process, and technology,’ as if they are equally important,” says Gary Warzala. “But they aren’t equal.” Today, Warzala is chief information security officer at PNC Financial Services Group, and having spent more than three decades in tech positions, the journey has shown him that it’s people that matter the most. “The technology we use will be obsolete in a few years, and we reengineer processes more times than we’d like to admit,” Warzala explains. “People are the only constant. They drive everything.”
It’s no surprise, then, that as a tech leader for one of the world’s leading financial service corporations, he’s built a strong team anchored by dedicated and high-performing talent. Warzala describes the team as PNC’s band of “digital first responders,” comparing each individual to a member of fire or police personnel units. “We’re not doing this job for the money, and certainly not for the job security. We do it because it’s a calling,” he says. “It’s a career that matters and we are passionate about it.” Those who accept the calling of what Warzala refers to as a “lifestyle job” have to make sacrifices. They are obsessively connected to their phones because they know they could be contacted at any time to respond to an incident. They are always “on duty.”
“The technology we use will be obsolete in a few years, and we reengineer processes more times than we’d like to admit. People
are the only constant.”
Furthermore, they’re often drawn to organizations such as PNC that have higher risk profiles. Warzala has found that it’s relatively easy to recruit top talent to an organization like PNC because cyber professionals want to grow and challenge themselves in a high-stakes environment where they can have a positive impact and drive positive change. “I look for people that are focused on the organization and its mission instead of themselves,” he says. Once he finds these people, he puts them in roles that stretch their skills, surrounds them with strong leaders, and empowers them to thrive. The result is an organization that performs at a much higher level than the sum of its individual parts.
Warzala understands the draw to top employers. In 2000, while at GE, he was asked to centralize the information security function at the corporation’s aircraft division, where his eyes were opened to the importance of this emerging space. Adversaries made moves, and Warzala’s team countered, always working to stay one step ahead and implement proactive solutions wherever possible. He observed that this adversarial interaction was like a “multidimensional chess game” played on a global stage with significant business implications. Shortly after, he was recruited to Aon Corporation, where he built global information security/IT risk management programs. In 2010, he was recruited to Visa, where he had organizational accountability to develop programs designed to protect more than two billion unique personal account information records and more than $6 trillion in annual global payment card transactions.
He accepted the CISO position at PNC in January 2015 to help the United States’ seventh largest bank (by deposits, according to the FDIC) protect its assets and customers’ private information from online attackers—and there’s a lot on the line. “An incident could seriously impact the brand and the trust that our clients have in PNC,” he says. “My team understands the stakes, and will do everything in our collective abilities to both protect the bank and enable its growth.”
Together, Warzala’s team at PNC fights against a growing number of adversaries who are more sophisticated than ever before. They battle cybercriminals, nation states, hacktivists, and insiders, and in many cases, blended attacks from these adversaries. Just as concerning is the changing threat landscape. “I’m concerned that we will look back at distributed denial-of-service and data exfiltration as the good old days,” Warzala says. “We have begun to witness more cases of ransomware and destructive malware attacks.”
In an attempt to stay ahead of adversaries and threats, Warzala will revert back to a formula that he has used successfully throughout his career. First, he builds a strong cyber defense. He insists on doing the basics exceptionally well, building in security, and then engaging the business. Finally, he hires talented people. Having a strong defense plan can sometimes buy organizations time while working in other less mature areas. “Do the basics,” he says. “Never lose focus on the fundamentals such as patching, managing access, maintaining inventories, logging, and monitoring.” The majority of breaches, he adds, still exploit “poor hygiene practices.” Building security into products and services, applications, and infrastructure protects an organization’s most sensitive data, which is the single most effective and proactive program and can be a business enabler.
Next, Warzala says, is engaging the business, teaching and emphasizing that every colleague plays a role in protecting the enterprise. Phishing attacks are still the most economic and effective attack method for adversaries. “Train your colleagues to recognize and respond to these attacks,” he says. “We are all in this together.” Finally, it comes back to the cyber workforce. Talented people, he argues, are drawn in by a clear mission and a strategy and passion to achieve. “Develop a pipeline of new talent by working with universities,” he advises.
In everything they do, the cyber team at PNC follows Warzala’s mandates to protect the bank, enable financial success, and drive innovation. And he’s built the right organization to deliver on those goals. Cyber professionals routinely interface directly with the business in such areas as introducing new technology securely, helping to identify and manage information risk, coding more secure applications, sharing the latest cyber intelligence, or supporting new business objectives.
A CISO that battles in this new era has to demonstrate technical aptitude, communication skills, and sound judgment. “You have to have a presence and strong credibility,” he says. That credibility comes only after displaying sound judgment, strong execution, and consistent delivery. A CISO that does these things will earn a seat at the table. Once, executives in the C-suite thought of the CISO as someone who tinkered with firewalls in the company basement. Today, the CISO is invited to the boardroom on a regular basis. There may not be a corporate role that has evolved as quickly as the CISO role has in the past decade. That’s where Warzala is, and he’s helping protect PNC as the organization advances its goals to move forward in the competitive world of financial services.