Cox Automotive Drives Into the Cloud

How Patty Smith partnered with technology leadership at Cox Automotive to support a move to make the organization safer, stronger, and faster.

Big changes can be scary for an organization. And transitions like the movement into cloud-based computing can generate apprehension and uncertainty. Patty Smith, vice president and chief information security officer at Cox Automotive, understands those feelings. But she works to ensure that her coworkers are as effective and agile as the technology that she threads through their work.

“You have to come to accept the fact that the way you’ve always done things doesn’t have to be the way that you continue doing them,” Smith says. “Don’t resist the change.”

Cox Automotive governs fifteen businesses with nearly fifty data centers across the United States, as well as fifteen additional international businesses across the world. Smith is directing the security initiatives around the company’s ongoing transition from on-premises applications into cloud services. A few of the organization’s public-facing applications have already launched. This move has inspired confidence in the process. Over the next few years, Cox will bring more and more of those on-premises applications into the cloud environment.

Facing Hesitation and Making Change

Smith initially had some hesitation about the move. But the business demanded speed, agility, and automation. Smith had the opportunity to work as a proactive partner in those pursuits. “The business and technology leaders were aligned in their goals at Cox Automotive, providing a vast array of technology and services to the automotive industry with the aim of transforming how the world buys, sells, and owns cars,” Smith says. “Our core competencies are in building software applications for our customers, not in managing data centers.” The move to the cloud enables Cox Automotive to focus on what it does best. Leadership looked to the security team both to partner in the initiative and to ensure they could minimize risks.

“For the most part, security professionals maintain a level of control. You initially feel that you are giving up some of that control with this architecture,” Smith says. To successfully navigate that transition, she has had to communicate with her team and verify with their stakeholders and cloud providers in new ways. Smith advises leaders in similar positions to validate each security control in their cloud environment through automation.

“Things are happening so quickly that you have to automate and validate that the security controls you’ve defined are applied to all of your applications and environments,” she explains.

Automation in the Cloud

In fact, automation has been an enormous benefit for Cox Automotive. Implementing cloud solutions has enabled the organization to streamline its coding, compliance, and deployment procedures. This eliminated a number of human steps. That helps foster a faster-paced development environment, which gets new products to markets and clients more quickly.

Smith also notes that the user experience for Cox Automotive’s clients has matured and advanced with this transition. “Moving to the cloud has enabled us to provide new products quickly and enhance our products frequently—all while strengthening the security of these applications,” she says. “It has enabled us to serve our clients better.”

The Road to Cox Automotive

Smith now serves clients by protecting private information. However, she had long thought that her calling was in a different kind of protection: law enforcement. Her grandfather, father, and brother have all served in police departments in New York City or the surrounding area, and she feels that the “protection gene” might simply have been in her DNA. Smith assumed that she would follow in their footsteps, and she even spent her last few years of college taking police officer examinations at the county, city, and state levels.

But after graduating in 1997 with a degree in computer science, Smith accepted a job digitizing academic journals. Then, a friend at Chase Auto Finance called, offering a meeting with management about an online development opportunity. She accepted, and began creating the tool set that would become Dealertrack. Now part of the Cox Automotive suite of products, Dealertrack provides auto dealers the interface to submit consumer financing applications and perform credit checks.

When the Dealertrack team discovered that a number of user accounts were displaying abnormal behavior, Smith headed the company’s first security investigation. They realized that some malefactors had set up a portal to impersonate the Dealertrack website and were harvesting login credentials. Smith and her colleagues set up a honeypot to identify the culprits, redirect their access, and deliver them to the authorities.

A Legacy in Protection

Those challenges and rewards were the very things that had initially drawn her to law enforcement. “That kind of problem solving, cracking the case, doing the right thing—it was very exciting,” Smith recalls. “We got the bad guy and justice was served. Seeing it come to a head was an amazing feeling.” In recognition of Smith’s talent and persistence, the CIO asked her to start Dealertrack’s organizational security program. That was 2002, in the early days of enterprise information security, and Smith had discovered the protection path she would follow for years to come.

Now, Smith calls herself lucky to work at an organization where the strategic direction is highly visible. At Cox Automotive, the security team has a clear understanding of the company’s course. They also maintain strong relationships with the relevant stakeholders.

She advises other security professionals to act as partners. She suggests they work to advance the organization rather than impeding its development. “Successful security programs are all about relationships,” Smith says. “Some companies perceive internal security organizations as roadblocks: they slow down the business. A good security organization enables the business. They form good relationships. They help find solutions.”

Rather than saying, “No, you can’t do that,” she advises her team to ask, “How can we help you do that securely?” In fact, Smith urges them to take ownership in developing an approach.

Constant Growth and Improvement

Of course, Smith admits that the team is always learning and improving. “Never say you’re done,” she says. The rate of technological change and the necessity of adaptation compel her team to stay agile. These efforts coalesce to protect Cox Automotive.

As the transition to cloud services moves forward, Smith has committed herself to ongoing education. That effort, she argues, is necessary for all present and future information security professionals. Her mission now, she says, is to learn as much as possible from other security leaders. Then she strives to help others who are just starting down this road. To that end, Smith is a board member at LISTNet (Long Island Software & Technology Network) and NTSC (National Technology Security Coalition), where she can gather knowledge and cultivate a fruitful learning environment for others.

And all of this, she maintains, emerges from that same early impulse that directed her toward law enforcement. “It relates to everything I do: building controls to protect our team members, our clients, our data, our assets, and the environment,” Smith says. “It’s all about protecting and educating our team members and our users, making sure that they’re security-aware. That gives me a great feeling.”

That feeling resonates between Smith’s calling and her profession—keeping stakeholders safe, doing the right thing, and fearlessly navigating change.

Dealertrack utilizes Gemalto to encrypt all their sensitive data residing at the Automotive Dealerships within the United States and Canada. A global leader in digital security, Gemalto delivers a vast range of solutions to businesses, governments, and other organizations, protecting identities and data so they’re kept safe wherever they are: in personal devices, connected objects, the network, the cloud, and in between.