Phil Umrysh has a unique job.
As the director of information security and compliance at LoyaltyOne Inc., he is the head of security at a company focused on marketing – a role in which, as he puts it, he sometimes sees the two disciplines as “diametrically opposed.”
Umrysh will be speaking at Toronto’s SC Congress next week, as part of a panel discussing the top threats in the security industry. ITBusiness.ca caught up with him for a quick chat on how the security industry is changing – and how security professionals need to change with it.
This interview has been edited and condensed for length and clarity.
ITBusiness.ca: To get things started here, next week you’re on a panel talking about the top three threats in the security landscape. Do you have any preliminary thoughts on what those are?
Umrysh: It’s hard, actually, to pick only three. There’s a lot of stuff that keeps me up at night, and certainly week by week, as the landscape changes, those threats and priorities change. I think it’s kind of an overlying message to security these days – you have to be pretty quick and agile to move with the business and where it’s going, or you get left behind. And we know what happens – you end up like Target, and nobody wants that as an example.
Out of the top three, the first is third-party access to data and your environment. So looking at the vendors that you do business with, strategic partners, you know, anyone who comes through that door on a short-term or continuous and long-term basis. And what are their controls in place, and are they equivalent to or better than your own? … The reality is, Target was compromised by an HVAC vendor, who didn’t have the same controls as they did. It’s a good example of where, you can invest millions of dollars and hundreds of hours, but if you let someone in that doesn’t have an equivalent level of control, you’re certainly exposing yourself.
The second item that I’m going to speak to is shadow IT. Asking the question of, do you really know what your users are doing with your company hardware? … What’s the right balance between monitoring what’s going on and being over-the-top and restrictive with controls and invasive monitoring practices?
Really what security has to do is embrace the shadow IT movement. It’s happening. You can’t beat it, so if you can’t beat it, what do you do, you join it. Start leveraging some of the tools that you’ve got and looking at using things like data loss prevention software to see where your data is flowing, and then going to the business and saying, OK, we see a lot of people using this service – why? Why is what we have not good enough? … And then potentially harnessing that service and certifying it for use as an overall enterprise strategy, or diverting to an acceptable service.
And then the third point is overall endpoint protection. It’s not as catchy or sexy a term these days, but we’ve got a real mobile workforce. [Bring your own device] is becoming a reality … But as a result of that, you have to really look at your endpoint as that new, hostile frontier.
So how do you handle that? Tooling with behavioural analysis, malware sandboxes, and active and continuous campaigns is pretty key to help you mitigate those threats. Security-minded associates who are well-educated on current threats will really help prevent threats down the road … as well as integrating all of your endpoint security logs into your monitoring infrastructure. Correlation historically really happens at the server and network infrastructure level, but now really rolling that into, what is the end user seeing and doing? And getting things like your real-time alerts on what’s really happening within your organization.
ITBusiness.ca: What kind of security policies have you implemented at LoyaltyOne, to get employees to be on board with security measures?
Umrysh: It underpins what we do day to day, but the key is not to get trapped into compliance … What we find is most successful is getting involved in active educational activities. An example of that would be targeted company-sanctioned phishing emails, where they click a link and get a popup saying, hey, we’re LoyaltyOne, but you could have really made a mess of the network. Here are some visual aids and guides on how to look for this in the future, and why you should look at this link and this email … So that kind of active process in education, but it has to happen a lot. You can’t do it once a year.
ITBusiness.ca: You used to work in automotive, aviation, financial, marketing – all those things. How different is it really, to be working as head of security for a marketing and loyalty company?
Umrysh: Oh, it’s totally different. A good comparison was when I worked for ADP Canada, the payroll processing firm. That was like working at a bank – it is a chartered bank, and risk-averse … very policy-driven, which it needs to be.
Whereas LoyaltyOne, what the attraction was, and what continues to be the attraction, is that it’s forever changing. Our business model changes, we pivot, we move, we pivot, we move. And when it’s driven by marketing, that’s just accelerated. What’s really different about that is the culture of experimentation.
We have to be more involved with, where’s the company going from a marketing perspective … to really arm them with tools they can use that are quick, understandable, and speak to them in their own language.
Don’t hit them with a 700-page vulnerability report that really can be boiled down to a quick paragraph of, fix these 10 vulnerabilities, please.
That’s the main difference with LoyaltyOne. It’s a hundred miles an hour, it’s exciting, and in turn, it can be a bit nerve-wracking with security … The expectation of my team is that we’re at all steps of that.
Information security, it’s become more and more important, but a really successful person in information security will be able to speak to the business, become a trusted advisor, which is really our role when you come to think of it. We can identify risks, here’s the risk to what you’re doing, and here are some options to mitigate that risk.
You have to build those relationships and trust where people will approach you and say, hey Phil, here’s what we’re building, and not be afraid of being shot down. The stereotypical security perception is that it’s the “no” department, and you can’t do that. You have to be able to sit in their shoes and understand, hey, this is a really interesting way of doing what you’re trying to do and drive revenue, and become part of that innovative team.