Profile: Kevin Hamel, CISO, COCC


Kevin Hamel is not the typical CISO, nor is he in the typical corporate environment. As a 12-year-veteran CISO at COCC, one of the industry’s leading suppliers of technology for banks and credit unions, Hamel greatly outpaces the industry average of 16 months in the CISO role. COCC is one of the few companies in the world that lists security and compliance as the number one corporate priority. In fact, this has been the company’s guiding principle for 15 years. Hamel states, “We recognize that security and regulatory compliance are vital to our business. If we have perpetual regulatory problems or a security incident, that would be a real threat to our success. Where other companies in other industries might prioritize profit, market penetration, or shareholder value, our top priority is security and regulatory compliance.” Hamel points out that this priority is client-driven. As a cooperative, COCC is owned by its clients, and CEOs from a select group of clients comprise COCC’s Board of Directors.

Hamel states, “Our CEO is one of the most vocal supporters of security and risk management as a top priority. It is absolutely true that the security mindset has to start from the top. It makes it easy to get security ingrained in corporate culture when the CEO and the Board are committed to the effort.”
Hamel clarifies it is not necessarily a passion for information security specifically that is driving the CEO’s attention to the topic, but it is his passion for the company and client satisfaction that dictates the security and regulatory compliance emphasis within COCC. Hamel says of the CEO, “He has been CEO of COCC since 2002, and CFO before that. He is passionate about the company as a whole; the clients, the employees, the work environment, our products, etc. His commitment to customer satisfaction helps him recognize the importance of regulatory compliance and security.”
Because COCC’s CEO is focused on security, Hamel has a closer working relationship with him than other CISOs might have with their CEOs. In regular conversations, Hamel and the CEO focus on the client base. “COCC is focused on delivering the best service possible. That includes the best and most appropriate security. We talk about what is right for the organization and our clients from a security perspective, just like he talks to the CFO about what’s right for the organization and our clients from a financial perspective. We are in constant communication, and the focus is always on delivering the value we are supposed to be delivering to our client base. That keeps us focused on our mission and strategic goals.”
Hamel continues, “You might not see us talk specifically about security as a competitive advantage, but I think that’s implied and our clients understand it that way. From a customer service perspective, the message to our clients is that we care about the safety and security of the information you have entrusted to us. That is one part of our value offering as a co-op.”
Hamel focuses on integrating security into the business at every level, which requires as much business skill as technical and security competency. He says, “As an organization, we are here to provide banking services. We are running a business and you can’t be an effective executive if you don’t have a solid understanding of your business and general business concepts.”
Hamel believes his MBA and business background have been helpful in enabling him to align security with the organization’s customer-centric business philosophy and to work more collaboratively with other executives in the company to achieve their goals. He states, “For me, the organizational behavior courses in my MBA program were most beneficial. These courses put a focus on interactions with co-workers, how to build relationships, and how to communicate with people at all levels of the organization.”
Given the emphasis the company places on security, it is very easy for Hamel’s team to align with business goals. After 12 years of advocating for security, he is now focused more on guidance. “We spend little time promoting security as a concept or getting people bought in to the idea of security, and more time helping to ensure we make the right security-focused decisions as a company.”
While getting time in front of the Board is a challenge for many CISOs, Hamel has significant opportunities to present to his own board, and many others in the financial services industry. As a successful veteran CISO at an organization that emphasizes security to its banking and credit union clients, and as a member of the Massachusetts Banker’s Association Cyber Security Task Force, Hamel is often asked to present to the Boards of other financial institutions. “With the release of NIST’s Cybersecurity Framework and President Obama’s Executive Order on cybersecurity, there is a lot more interest in security at the Board level. In the past year I presented to the Boards of 17 financial institutions. They wanted to learn what they need to do from a cyber security perspective to fulfill their fiduciary duties,” said Hamel.
Hamel says, “It is important that Boards recognize cybersecurity is much more than just a technical issue. When there is a cyber incident, your technical teams will be working hard to resolve that issue. In the meantime, what will you be communicating to your customers, your partner, the local media, your Board, etc.? Who will be communicating to those groups? How will you continue to provide your services if your systems are unavailable? There are a multitude of non-technical issues that need to be managed by the organization.”

