Profile: Tom Meehan, CISO, CONTROLTEK



Tom Meehan is now nine months into his role as Chief Strategy Officer and Chief Information Security Officer at CONTROLTEK, and his positive relationships with the Board and CEO began during the interview process. He explains, “It was probably one of the more transparent interviews that I’ve ever had. The Board was open to discussing what they did and didn’t know. There were no barriers to the discussion. It was different from what I usually experience. Many companies see cyber security as a necessary evil, but at CONTROLTEK it was quickly apparent the company wants to be as advanced as it can be for the security of customers and employees.”

This is Meehan’s first time as a CISO and he comes to the position with a strong background as an entrepreneur and experienced leader. He believes his transition into the role at CONTROLTEK proved straightforward and wholly supported by the organization. He continues, “While my responsibilities have changed, it is still a job that requires me to get into the weeds and understand what the business needs in order to run. I started out here the same way I have in other positions. I focused on learning as much about the business and consuming as much information as I could. I did not come in expecting to change things, but just to understand as much as I can and help the business grow.”

During his first three months in the organization, Meehan focused on policy, education and security awareness. He says, “In my first 60 to 90 days I was observing the company culture and developing an understanding of what the physical security standards were, and what software and policies were in place. From there, I focused on delivering a security solution that makes our customers and in-house team feel comfortable and confident.”

With almost a year under his belt, Meehan continues to emphasize a business-enabling approach. He explains, “Nine months is not a long time, but I have absorbed the culture and I am establishing a balanced approach to buying product and implementing policy, procedure and ongoing education about threats to the business. I am focused on reinforcing good habits. I am working closely with the IT team to understand their strategy. I am avoiding doing anything that will cause unwarranted business disruption.”

Meehan encourages new CISOs to validate their strategic plans with an additional third party. Early on, he made changes to the security program based on his third-party-confirmed analysis. These changes put into place systems and procedures he knows will support the business. He says, “It can be hard to get past the ego of it for a CISO, but when you are making decisions that will impact the customer, it is important to confirm your opinions and evaluations with a trusted party. Have someone with a high degree of credibility come in and see if they come back with the same recommendations.”

From a tactical perspective, Meehan is focused on security product solutions to add value and protect the business. “I’m not keeping up with the Joneses. People like to play with new toys, but I want to focus on what will really protect us. I keep apprised of new solutions by talking to peers and taking the advice of people whom I trust.”

When it comes to risk, Meehan describes himself as low-tolerance, but believes risk must be measured and assessed. He explains, “In certain places, I have higher tolerance for risk because we need the efficiencies. As an example, I have a higher tolerance for risk related to the people in our New Jersey office than our staff that needs to travel to Russia or China to conduct business. We deliver location-based protections when our employees are in higher risk markets. We increase monitoring when they are there.”

Meehan reports to the CEO, demonstrating a shift from how most organizations structure their teams. Furthermore, the CIO reports to Meehan. He believes this structure makes sense when you consider the ever-increasing dependency CEOs have on the security program of their companies.

He says, “My role is to protect the CEO. He is highly visible, like any CEO today. I think we will see a shift in a lot of organizations where there will, at minimum, be a dotted line between the CISO and CEO. Almost all significant breaches these days lead to the CEO resigning. If I were the CEO, I would want to make sure I have all the information I need about the security program and that I am getting it right from the source.”

This reporting structure makes sense for CONTROLTEK’s business, and provides clear advantages for Meehan. He explains, “The first benefit of reporting to the CEO is access. We interact almost daily. I can bring my concerns right away and get a fast response. It also makes sense when we talk about education and security awareness in the company. I educate the top person first, and information flows from there. My conversations with our CEO are focused on the business and how security can impact, not impede, operations.”

Meehan’s conversations with the Board also put security in terms of the business. He says, “All Boards recognize cyber security is important. I make sure I talk through the business and explain how information security technology, process and procedures impact operations. What impact will this security solution have on the customer, brand or the bottom line? How do we protect everyone in the room and our customers? While Boards recognize cyber security is a technical issue, they do not need or want to get in the weeds about it.”

Meehan says the Board is thoughtful and interested in hearing about the security plan. He continues, “They want to understand how the plan plays a role in managing risk to the business. They have thoughtful questions about how we balance prevention and awareness with response. Because I typically only have 10 to 30 minutes with the Board, I like to anticipate their questions and have responses already prepared.”

As Meehan looks forward, he is focused on continued growth and developing his leadership skills. He plans to continue to rely on his peers and look outside of the information security industry for motivation. “Often, I speak about leadership with someone who is 25 years my senior, and holds an executive position in sales and marketing at a very large company. There are so many other ways to gain valuable knowledge. The depth of information available to us today is amazing, from what you can watch on YouTube to podcasts you can listen to in your car. Not to mention social gatherings and online platforms where we can engage with other information security community members.” 

