DIVERSE EXPERIENCE LEADS TO A BALANCED APPROACH TO SECURITY
Damian Laviolette, CISO for Webster Bank, a regional bank headquartered in Waterbury, CT, cites balance as the key to success in security. At multiple points in his career, Laviolette has blended two very different viewpoints to that end.
Laviolette spent 20 years in technology and information security for the US military before retiring from active duty and taking a role at one of the most forward-thinking and quirkiest banks in the United States, Umpqua Bank in Oregon. Umpqua Bank is known for hosting yoga classes and even weddings in its banking centers. It would be hard to find a company culture more different from the military. While he acquired most of his technical training in the military, Laviolette took just as much of an education away from Umpqua. There he learned the importance of differentiating the business from its competition, and he has since applied that lesson to his security programs. For example, at Webster Bank, Laviolette has helped the company differentiate its mobile offering from the competition by tiering security controls to the sensitivity of the transaction: low-risk transactions require minimal security actions from the customer, which improves the customer's overall experience, while the stronger checks are reserved for the transactions where the risk actually sits.
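The tiering described above, in working form. This is an added example written for this page, not Webster Bank's or Umpqua Bank's code: the tiers, the dollar thresholds, the risk signals (new payee, single-transaction value, daily velocity) and the factor names (session, known device, one-time code) are all constructed assumptions. The point it shows is that the policy maps a transaction to a sensitivity tier first, lets risk signals only raise that tier, and then asks the customer only for the factors still missing, so a balance check costs nothing extra while a transfer to a new payee always requires a fresh proof of possession.

```python
"""Risk-tiered step-up authentication for banking transactions (added example).

Illustrative code written for this page, not a bank's implementation. Tiers,
thresholds, signal names and factor names are constructed assumptions.
"""
from collections.abc import Iterable
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1     # read-only, e.g. a balance lookup
    MEDIUM = 2  # money moves but stays with the customer (own-account transfer)
    HIGH = 3    # money leaves the customer, or the payee list changes


# Authentication factors a request can present (constructed names).
SESSION = "session"            # an authenticated app or web session
KNOWN_DEVICE = "known_device"  # a device the customer previously enrolled
OTP = "otp"                    # a fresh one-time code or push approval

# Constructed thresholds; a real program tunes these from fraud data.
HIGH_VALUE_CENTS = 100_000   # $1,000 in a single transaction
DAILY_LIMIT_CENTS = 500_000  # $5,000 moved in one day (velocity check)


@dataclass(frozen=True)
class Transaction:
    kind: str                   # "balance" | "internal_transfer" | "external_transfer" | "add_payee"
    amount_cents: int = 0
    new_payee: bool = False
    daily_total_cents: int = 0  # amount the customer has already moved today


@dataclass(frozen=True)
class Decision:
    tier: Tier
    missing: frozenset  # factors the customer must still supply; empty means proceed
    reasons: tuple      # why the tier ended up where it did (for audit logging)


def classify(tx: Transaction) -> tuple:
    """Assign a base tier from the transaction type, then let risk signals raise it.

    Signals can only escalate; nothing in this function lowers a tier.
    """
    base = {"balance": Tier.LOW, "internal_transfer": Tier.MEDIUM}
    tier = base.get(tx.kind, Tier.HIGH)  # anything not listed is treated as HIGH
    reasons = [f"base tier for {tx.kind}: {tier.name}"]

    signals = []
    if tx.new_payee:
        signals.append("new payee")
    if tx.amount_cents >= HIGH_VALUE_CENTS:
        signals.append("high-value amount")
    if tx.amount_cents + tx.daily_total_cents > DAILY_LIMIT_CENTS:
        signals.append("daily velocity limit exceeded")
    if signals:
        tier = max(tier, Tier.HIGH)
    return tier, tuple(reasons + signals)


def missing_factors(tier: Tier, presented: frozenset) -> frozenset:
    """Return the factors still required for `tier`, given what the request already carries."""
    missing = set()
    if SESSION not in presented:
        missing.add(SESSION)  # every tier needs an authenticated session
    if tier == Tier.MEDIUM and not ({KNOWN_DEVICE, OTP} & presented):
        missing.add(OTP)      # unrecognised device: a one-time code stands in for it
    if tier == Tier.HIGH and OTP not in presented:
        missing.add(OTP)      # fresh proof of possession, even on a known device
    return frozenset(missing)


def evaluate(tx: Transaction, presented: Iterable[str]) -> Decision:
    """Decide whether the transaction may proceed or which step-up challenge to issue."""
    tier, reasons = classify(tx)
    return Decision(tier, missing_factors(tier, frozenset(presented)), reasons)


if __name__ == "__main__":
    # Constructed requests showing friction rising with sensitivity.
    samples = [
        (Transaction("balance"), {SESSION}),
        (Transaction("internal_transfer", 20_000), {SESSION, KNOWN_DEVICE}),
        (Transaction("internal_transfer", 20_000), {SESSION}),
        (Transaction("external_transfer", 5_000, new_payee=True), {SESSION, KNOWN_DEVICE}),
        (Transaction("internal_transfer", 30_000, daily_total_cents=480_000), {SESSION, KNOWN_DEVICE}),
    ]
    for tx, factors in samples:
        d = evaluate(tx, factors)
        verdict = "proceed" if not d.missing else f"step up: {sorted(d.missing)}"
        print(f"{tx.kind:18s} {d.tier.name:6s} {verdict:28s} {'; '.join(d.reasons)}")
```

The velocity signal is what keeps a sequence of individually small transfers from sliding under the per-transaction threshold; the `reasons` tuple is what an incident responder needs later to see why a given transfer was or was not challenged.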
Laviolette’s security philosophy calls upon another dichotomy. Referencing The Godfather, Laviolette explains that ten years ago most companies were looking for a peacetime consigliere, someone who focused on compliance, audits, and exams. In recent years the focus switched, and companies needed a more aggressive, wartime consigliere, one focused on defense in depth, DDoS mitigation, and other active defensive technologies. Today, organizations require a more balanced consigliere, one who understands both business requirements and wartime efforts. That is where Laviolette tries to focus.
CAPITALIZING ON THE BOARD’S INTEREST IN SECURITY
Information security and cyber security are the top concerns for Webster Bank’s CEO and Board, so Laviolette gets plenty of face time and interaction. Half of the time, meetings focus on threats and on questions the Board has about incidents, both within the company and in the news. The other half of the time, the group relies on Laviolette to educate them on his plan and its progress. Still, as smart and security-savvy as the group is, they were surprised when Laviolette explained that “focusing on total defense and protection would put us out of business.” Laviolette explained that to be completely secure, the Bank would have to forego critical technology advancements and would lose customers to competitors in the process. Instead, Laviolette focuses his team on reasonable prevention and on incident response. “An attack is going to happen; it’s how quickly we can recover and be back on our feet that will determine how much damage the breach does to our bottom line.”
WHERE WILL SECURITY BE IN FIVE YEARS?
Even though Laviolette has a great working relationship with the CIO of Webster Bank, to whom he reports (as he did to the CIO at Umpqua Bank), Laviolette believes that in the near future there will be an industry-wide shift that brings CISOs out of the IT department. “The most positive and effective shift happening right now is the CISO starting to report into the CEO. Most CEOs realize that information security has to be a top focus. They are fooling themselves if they do not realize it. But they are unsure of the cyber security world – they need a translator, and that is what the modern consigliere (CISO) has to be. The CISO needs to educate the CEO on cyber security as it relates to business risk. CEOs need to understand security at their level, and they need their CISO to be a right-hand man.”
EDUCATING THE NEXT GENERATION OF SECURITY PROFESSIONALS
Like many in the industry, Laviolette is challenged to fill staff positions with security professionals who can balance technology acumen with business skills. So, he set out to do something about it.
“Webster Bank is involved in the local community, and our CEO has a close relationship with the leaders of Naugatuck Valley Community College (NVCC). NVCC invited me and Webster’s CIO to speak about Information Security as a career path, and from there the CIO and I helped the college develop a two-year program for future security professionals. The training includes technology skills, but we made it clear that those interested in cyber security have to understand that they cannot expect to sit around in a dark room with a Mountain Dew and minimal social interaction. That’s what the bad guys do. Good security professionals need to know how to talk to senior business leaders about risk management and policy, and deliver user awareness training, in addition to technical know-how. We emphasized to NVCC that the training program must include communication and presentation skills, along with technical certifications. The new program is designed and expected to produce entry-level security professionals who can jump right into today’s security organizations.”