Profile: Richard Timbol, CISO, Davis Polk Wardwell LLP


COMMITTED TO PROTECTING CLIENT DATA
Richard Timbol took the role of global head of security at the New York-based law firm Davis Polk & Wardwell, LLP almost two years ago. He says, “I was not actively looking to move. We all know security has a hiring problem and nearly all of us field a dozen recruiter calls a month. I ignore most of them. But when Davis Polk called it was different. Management really sold me on the role because they are so committed to protecting client information. Davis Polk is not just completing an audit, we are committed to doing security the right way.”

With a long history in the IT and information security industry, Timbol knows the commitment the firm shows to security is not always the case. “One challenge for our industry is that security programs are all over the map in terms of maturity. Across every vertical there are companies doing security the right way, and others that are doing the bare minimum to meet compliance. It is a real challenge because the ‘bad guys’ are all innovating. We really need every organization to step up.” 

When Timbol started in information security a decade ago, he recognized the need for the industry to embrace security in a positive way. Quickly, he understood it is not enough for companies to approach security as a check box for compliance. Early in his career, Timbol leaned on peers and colleagues for advice about how to build successful security programs and how to position security as a business imperative. He says, “In the beginning of my career, I learned a lot about information security from a network of peers and at conferences. I learned how to approach security in a strategic way. I remain grateful I had this kind of a start in the industry.” 

Now at Davis Polk, Timbol is a seasoned security veteran in a company that embraces security. From the start of his tenure at the law firm, Timbol has focused his team on empowering the organization to achieve its goals within a secure environment. 

“My approach to the role is the same at every organization,” says Timbol. “I first understand the specific objectives, processes and goals of the business. A law firm generates revenue in a certain way. My last position was at a market research firm. They had a completely different revenue model. I cannot use the same security playbook from one organization to the next - that would be a disaster - but the basic approach of creating a security program that reflects and understands business goals is the same.” 

He continues, “Step one is to identify the firm’s priorities and align with business goals. This does not mean my past experience is irrelevant. You can build a holistic security practice when you combine technical expertise with business acumen. Once my business goals are identified I can then easily pick out the low hanging fruit - the specific initiatives that can be executed on quickly to drive exponential growth in data protection and cyber security for the firm.”

Timbol states one of the most important aspects of developing the security program is transparency with business users and management. “When building out the team, purchasing new technology or implementing a new policy, it is important to get buy-in from peers and management. Ideally, if you do security correctly, the user base feels nothing. But sometimes security does impact processes. If changes are required, it is important to explain the benefits. It is important to evangelize security efforts. Clients increasingly ask our lawyers questions about security, so it is important they understand and can communicate our security posture.”

REPORTING ON RISKS AND EVANGELIZING AT THE HIGHEST LEVEL OF THE ORGANIZATION
Like many other security leaders, Timbol reports into the CIO. He is also a key member of the firm’s information security committee that includes leadership representation from many areas of the firm. “I present a report on the state of our security to this committee. That report includes updates on the effectiveness of our security and on ongoing initiatives to continue to lower the firm’s security risk. We talk about overall security posture, more than operational updates,” explains Timbol.

His communication with the firm’s leaders does not end there. In fact, Timbol reports an open door policy with the firm’s directors. “They want to enable security in the organization and most have an interest down to the operational level of security.”

Timbol credits his team and the firm’s management with the firm’s security success. “From the beginning, management empowered me to grow my team as needed,” says Timbol. “The people on my team are creative, out-of-the-box thinkers. They need to be. Our field changes every day, so we have to be able to think creatively about solutions. When hiring, I ask questions that help me to understand how the person solves problems. Of course my team is technically competent, but their ability to solve problems is just as much the key to our success.”

As Timbol reflects on his career, he considers building teams and mentoring security professionals among his successes. He thinks the future for his team, and the industry in general, is bright. “There is no limit to growth for smart, talented people in security,” suggests Timbol. “I have seen interns rise to the point where now they are my peers in the industry. There is so much innovation and opportunity in security.”

TIMBOL SHARES HIS THOUGHTS ON CLOUD SECURITY
CASB is a huge market. Its advancements show that the cloud in general has matured a great deal. But many security executives still have concerns and prejudices against the cloud. They think that data in the cloud is not safe.

The cloud is not an appropriate option for every instance. You have to consider how and why you are putting data in the cloud. It requires a whole new way of thinking about security. A lot of organizations simply do not have that knowledge in house and they are learning as they go.
