As the CIO of The Mohegan Tribe for almost twelve years, Chuck Scharnagle oversees the entire IT department, along with a heavy focus on managing information security. With an influx of attention around information security in recent years, Scharnagle has shifted more of his focus onto security priorities. Scharnagle comments, “There was never as much of a focus on information security as there is today, especially when it comes to buying tools, education, training, awareness of end users, internal testing, and audits. Everything has grown so much. It’s really been the last five to seven years where there’s been a bigger focus and it’s drawing up more of my time and thus my interest.”
He continues, “We’re focusing on information security more than ever because it’s a greater threat today. The bad guys have always been out there, but let’s face it, 15 years ago you didn’t hear about the security breaches that you hear now. And we hear about them on a regular basis. We hear about them almost too much. So, I would tell you today alone, I probably put a quarter of my time on security related projects.”
FOCUS ON SECURITY AWARENESS
Spending budget and utilizing resources to improve information security required Scharnagle to approach his Council to gain their awareness and alignment on his decisions. One key area he focused on was security awareness training. He explains, “We started mandatory security awareness training for everybody within the Tribal government and fortunately my management took it very seriously. This was something we made mandatory for everyone, in order to make sure we were protecting and educating the government employees as thoroughly as possible.”
Buy-in from the Council was key to Scharnagle implementing a strong security awareness program. He met with all employees and had meetings across the campus where he presented on the state of security and how it relates to not only their work, but their home life as well. He comments, “I started it out by telling everybody that all of this applies to you not only here at work but at your home as well. And it is interesting because you could see the lights go on for a few people. I talked to them about how people are targeting you at home, that people want to know your credit card information, and bad guys want to know your personal information. It’s not just here at work. It’s across the board. My philosophy has been to try to educate through open communication as much as possible.”
Scharnagle’s top strategic priorities are aligning to the CIS controls and evaluating the current technology toolset. He is actively working with his team to ensure they have strong processes and policies in place to address most of the CIS controls. Evaluating his toolset requires a multifaceted, holistic approach, and brings up important considerations such as outsourcing to alleviate any unnecessary strain on his team. He also believes in being flexible and not engaging in longer-term contracts because of the diverse volatility of threats and the rapid speed at which capabilities of tools evolve. He explains, “You have to start evaluating if you want to buy the tool or if you want to start outsourcing or looking at the capabilities of some of these organizations that have tools they’ll run for you. And I think that’s where we’re getting to because one of the things with us is that we’re trying to find synergies with the properties that we operate and figuring out the tools that overlap.”
When acquiring and purchasing new tools, Scharnagle believes in aligning with smart, experienced people with agnostic knowledge on different technology products. He relies on these experts to ensure all technology decisions align back to the overall business. This approach alleviates the potential to get stuck on a point-in-time technology decisions and helps Scharnagle make justified decisions on any new investments.
BUILDING A COMMUNICATIVE TEAM
Located in the quiet town of Uncasville, Connecticut, retaining and attracting talent poses a unique challenge for Scharnagle. As with many organizations who recruit IT and information security talent, the small talent pool may be exhaustive at times, and even more so for Scharnagle being located further from major cities. However, the desire to work for an organization with a healthy work life balance is attractive to many people and something Scharnagle pushes when recruiting. Perks include an 8:30-4:30 workday, full-size gym on site, and a smaller, more connected community environment.
When recruiting, Scharnagle focuses on finding talent who have the skill to speak to both business and technical people. He believes it is much easier to teach someone a technical skill if they already have strong business aptitude. He says, “I’m looking for somebody that can come in, likes to communicate, understands the value of it, understands the value of customer service, and any other similar qualities. Whether they’re going to be a developer, a network analyst, a help desk person or my director of technology, I want them to be able to communicate. I can send them away to a class for them to learn a technical skill, but the customer service skills are very important.”
Scharnagle practices what he preaches by communicating with his team about any strategic discussions he has with council members. He explains, “I try to be extremely transparent on where we’re going, what we’re trying to do, what we’re trying to deliver, and why. It is a bit of a challenge because even though we’re a government, we have a holdings company which is a series of businesses. So, we do have to support many different things and most of my team must wear many different hats, but they seem to like that challenge as well.”
Scharnagle strives to secure budget so his team may engage in various trainings to stay up-to-date and fulfilled in their careers. He sits down with his team at their regular meetings and asks about their training goals for the quarter. He believes in asking them about how they want to build their career, what they need to do their job to the best of their ability, and how he can help them grow. Overall, he believes in investing in his team so they continue to build their skillset, enjoy their work, and set aspirations for future growth.
“My focus is how do we do more with less, like purchasing a tool that allows my team to focus on what’s important by automating recurring tasks. When it really comes down to growth, I don’t want to grow as far as adding more people, I want to grow as far as knowledge. I want my team to be trained as much as possible in new areas so that they can come back with an acquired skill that improves our security stance. Another goal is to find solutions that require little from us and allow us to really focus on the bigger and more complex issues. And that’s what it really boils down to with security and our team. Again, I’ve got one set of eyes in security at all times, and I’ve got to find ways to take advantage of them.”