The modern-day battle against cybersecurity threats shares many similarities with traditional military tactics. David Poczynek, the chief information security and privacy officer for BOK Financial, a $31 billion regional financial-services company based in Tulsa, Oklahoma, speaks to Sync about lessons extracted from his military career and expounds on some of the biggest threats in cybersecurity today.
How did your time in the Army prepare you to be chief information security officer for BOK Financial?
David Poczynek: I experienced the direct implications of good leadership as well as bad leadership during my span of twenty-two years in the military, and there’s no doubt those influences shaped my leadership style. I tried to make it a habit to observe leadership practices, and then tried to emulate those that I thought would work for me.
I prefer an “orchestrator” style over a directive approach. Information security is such a broad, complex, multidomain discipline—similar to military operations—that no single person has all of the information or expertise. Today, as it was then, I find myself managing a lot of individuals who are smarter, brighter, and have a deeper understanding of what the technical issues are. And so for me, it’s more about making sure we have a game plan that everyone can get behind, that everyone understands what direction we’re heading, so when they make day-to-day operational decisions, they have something to check themselves against and ask, “Is this consistent with our strategy? Is this consistent with our annual plan? Can I connect the dots with our objectives?”
You have said communication and engagement skills are more important than technical skills. Can you elaborate?
Poczynek: I call it contextual collaboration, a soft skill that is challenging to master. To be able to translate complex technical issues in a way that your audience can relate to can really facilitate a productive dialogue. From my experience, a security practitioner who has this communication ability is worth his weight in gold. Often technology risk engagements between security and business teams turn into swirls of technical details that lose many in the audience. I think it was Einstein who said something like, “If you can’t explain it simply, you don’t understand the issue.” It’s about bringing clarity to what the issues are. Once this happens, solutions can be developed that both address the technical vulnerabilities and allow the business to innovate products and services.
How do you keep that communication going?
Poczynek: I have had the most success within an organization when I can align and dedicate information-security risk specialists with each line of business or major functional area. It creates an environment that fosters mutual trust and understanding of each other’s roles and contributions to the success of the organization. These security-liaison roles become pivot points between the business and multiple security activities. These relationships can provide the needed insight and understanding of what’s coming around the corner. Early engagements always produce better results than finding out about something late in the process.
How are current tech-evolution trends affecting information security at financial institutions?
Poczynek: Financial institutions have leveraged automation and connectivity to drive their business models for years now. If you look at the dependencies we have created or inherited with technologies connected to the Internet and the year-over-year increase in cyber-incidents and threats, it’s enough to make even the most optimistic of us take pause.
What we are witnessing is unprecedented. We focus on cybercrime, which is trending up in just about every measurable category: credit- and debit-card fraud, wire fraud, ATM or skimming operations. Protecting customer data is job number one for us, and mobile technologies, cloud, and social media are opening up new threat vectors, and those risks have to be managed.
Some ask, at what point does the cost of risk management negate the value of that interconnectivity? I believe we crossed that point of no return a long time ago. I think the better question is, are we making the right security investments to shift the odds in our favor of being able to continue to operate during a significant cyber-event, be that a distributed denial-of-service attack, major outage, or breach scenario? For the most part, I am trying to make sure that fundamentals are solid, and then driving enhancements in our detection, response, and recovery capabilities.
What are some specific initiatives you’ve undertaken at BOK Financial to help employees understand best practices in cybersecurity awareness?
Poczynek: It’s been known for some time that the effectiveness of the traditional perimeter defense was rapidly dissolving due to the Internet of Things, cloud computing, social media, and third-party service providers. We still have to guard the gates, so to speak, but I am shifting my investments to provide better capabilities in our core. Application whitelisting, data protection, network segmentation, and end-point protection capabilities that work on and off the corporate network are some of the initiatives we are taking.
We’re also putting increased focus around what’s referred to as “hunting exercises,” where we take more frequent and deeper looks into our infrastructure environment, looking for indications of compromise that might be there. You really need to focus on your ability to detect, respond, and recover. I think the mindset now has to be, how can our business continue to operate during a disrupting cyberattack event? Do we have the right kind of redundancy on our Internet connectivity? Can we continue to operate our online-banking capabilities under a distributed denial-of-service attack? It’s about achieving operational resiliency.