The morning Ken Stillwell talked with StrategicCFO360 about his role in securing his company’s financial data, Colonial Pipeline, operator of the biggest gasoline pipeline in the United States, was the victim of a ransomware attack that shut down the pipeline. Not that Stillwell was surprised at this extraordinary disruption in business.
“The impact that cyber gangs like Dark Side have is more far-reaching today because of the fact that everything is interconnected,” said Stillwell, CFO and Chief Operating Officer at Pega, a public company with nearly 6,000 employees and more than $1 billion revenue that provides business outsourcing software solutions in the cloud.
Like other CFOs, Stillwell has been compelled into becoming a cybersecurity specialist, although he’d be the first to say he’s constantly learning. The reason is the threat posed by so-called bad actors to Pega’s financial operations. “The dangers are real, especially for companies like ours that store and transmit our own and clients’ financial data,” he said.
Organized crime syndicates like Dark Side have one goal in mind—capturing and encrypting a company’s data to prevent access until a ransom is paid. Often, this data is financial information traveling across the corporate network and voyaging to connect with customers, suppliers, vendors, partners, remote employees and government regulators. Sales are notched, journal entries are dispatched, accounts are reconciled, vendors are paid and taxes are filed, all of them on a virtual basis.
“Most every business process today is performed by some kind of technology and all of them will be soon,” said Jay Persaud, Americas Vice Chair at Big Four professional services firm Ernst & Young.
If cyber extortionists seize and encrypt the financial data transmitted by these processes, routine operations in finance and accounting can be turned off like Colonial Pipeline’s spigot. “The threat is huge and growing, requiring constant vigilance and top-level attention,” Persaud said.
Strategic Cybersecurity
Well aware of the dangers, Stillwell and other CFOs have elevated cybersecurity to strategic planning status. By setting goals to identify, manage and mitigate cybersecurity risks, these CFOs are able to make more insightful decisions on the allocation of capital and other resources to prepare and react to the threat.
“We used to think of cybersecurity as an internal audit-like function reporting to the head of our cloud organization,” said Stillwell. “This is no longer the case, not when the bad actors strike from places across the world where the U.S. has no legal jurisdiction. It’s under my function now, where it can receive the credibility and executive support it needs.”
It isn’t just public company CFOs like Stillwell who have become as knowledgeable about cybersecurity as they are about finance and accounting. Another is John Tunison, CFO at Houston-based Trussway Manufacturing, a leading maker of wood floor and roof trusses, with around $250 million in annual sales.
“I spend more and more of my time every day to ensure we are cyber ready,” said Tunison. “Just about everything we do now—our taxes, projects, business processes in the different functions and even the accounting advice we receive—is digital and virtual. Our seven office and plant locations are all networked together.”
When Tunison signed on as CFO in 2018, Trussway was at a disadvantage when it came to cybersecurity. So was the rest of the industry. “Companies making trusses widely believed they weren’t a target of cyber criminals, who were out there chasing bigger fish,” he said.
They were mistaken, however. Tunison said that shortly after he became CFO, a key competitor was driven out of business by a ransomware attack. “The company didn’t have cyber insurance to absorb the business interruption, but then neither did we,” he said. “I met with our CEO (Jeff Smith) to discuss the need to buy the insurance. He agreed and I contacted our insurance broker and bought a basic cyber risk insurance policy.”
The following year, the broker reached out to Tunison with bad news—the insurer covering the company’s cyber risk losses had decided not to renew the insurance policy. At the time, the nation’s cyber insurers were experiencing a sharp uptick in claims, forcing some carriers out of the market and others to become more conservative in their underwriting terms, conditions and prices. To get cyber insurance, Trussway needed to become a better risk. As Tunison put it, “There were several things we needed to do to improve our security posture before we could be covered.”
Upon hearing the news, he realized that cybersecurity had become a strategic imperative, one falling under his oversight. Fortunately, he was prepared to assume the responsibility. A few years earlier, he was the CFO at Kaseware, a specialist provider of investigative services and customized cybersecurity solutions. The firm’s primary market was the U.S. government. Kaseware’s four founders formerly were senior cyber special agents at the FBI, one of whom was a classmate of Tunison’s at the U.S. Naval Academy.
“To say these guys were paranoid about the threat posed by cyber criminals is an understatement; they were among the world’s foremost experts and knew the dangers inside-out,” Tunison said. “Listening to the stories they told and working alongside them as they developed cybersecurity solutions for our government clients was a front-row education.”
Tunison has since put his learnings into Trussway’s cybersecurity strategy, an effort the CFO heads up. Among the changes he has directed are moving the company’s financial data from physical on-prem servers to a multi-tenant data warehouse in a quasi-private cloud environment and switching to an upgraded tech stack for building and running applications. Other changes to boost security include requiring multi-factor user authentication and commissioning a series of ethical hacking exercises designed to penetrate IT systems, something he learned while at Kaseware.
These actions put Trussway in a position to acquire comprehensive and cost-effective cyber risk insurance from American International Group earlier this year. The insurer also provides free quarterly training to employees on topics such as proper email practices that reduce the risk of falling prey to phishing scams, and the need to always use the company’s virtual private network (VPN), which encrypts data traffic so that internet connections are protected against external eavesdropping and tampering.
“My advice to other midsized companies is to push your insurance broker to get you an insurer that specializes in cyber risk management,” Tunison said. “In switching to a new broker, we’re able to engage with AIG’s cybersecurity experts, keeping us apprised of current and emerging cyber threats.”
Castles in the Air
Stillwell’s chief ally at Pega in the ongoing war against cyber criminals is Chief Information Security Officer Carlos Fuentes. Fuentes, who joined Pega in June 2019, is considered one of the world’s top CISOs. He previously served as Vice President of Security and Data Analytics at the Federal Reserve Bank of New York. Before that posting, he was Vice President of IT at Verizon, Senior Vice President and CIO at Mitsui Sumitomo, and Senior Technology Officer at AIG.
“Throughout my tenure, the threat landscape has continued to evolve; what you do to keep you secure today may not be sufficient to keep you secure tomorrow,” Fuentes said.
To illustrate the threat level, he used the analogy of fortified castles in medieval times. “There are different kinds of castles, some with walls around an entire village and others that look like a traditional castle with a moat and archers patrolling the battlements at the top,” he said. “The reason for the differences is the perceived threat level.”
Leveraging this analogy, a company’s “crown jewels,” the term describing mission-critical data and other cyber assets ensuring business survival, would need to be protected in the largest and most secure castle. But Fuentes pointed out the folly in this thinking. “If you put all your vital data in that one castle and it is breached, the attackers have everything,” he said.
The alternative is to build 20 different castles, which is better strategy as it spreads the risk, he said. The downside is the cost. “It is impossibly expensive to secure 20 castles,” said Fuentes. “So, what we do instead is secure the roads between the castles, controlling the access points to each one.”
Each “road” represents the byways by which data travels across the internet, whether transmitted over wires or as high-frequency waves through the air. Like all roads, these develop ruts, cracks and potholes over time, requiring software patches to repair them and so reduce the possibility of a data breach.
“Unfortunately, no security system is foolproof,” Fuentes said. “Cyber criminals are smart, very smart. You think you’ve patched every configuration, but there’s always the possibility you missed something. That’s when you hire pen testers.”
Who You Gonna Call?
He’s referring to third-party cybersecurity firms that perform penetration testing, the ethical hacking of a company’s IT network and systems to evaluate overall security. The pen testers have skills equivalent to those of Dark Side and other cyber extortionists, the difference being the intent of the cyberattack.
This type of ethical hacking is also known as “purple testing,” as it involves two teams of cyber players on opposing sides, one playing defense (the “red”) and the other offense (“blue”). The goal is to maximize the effectiveness of the cybersecurity strategy by integrating the defensive tactics and controls of the blue team with the threats and vulnerabilities discovered by the red team, Fuentes said.
Stillwell, who participates as an observer in the cyber wargames, gets pumped up when discussing the subject (who wouldn’t?). “It’s like playing a sport with two opposing teams—the good guys and the bad guys—except the bad guys are hired to play that role,” he said. “They run their plays and we run ours. It’s pretty thrilling at times.”
Fuentes agreed, describing the matches as a “brutal cat and mouse game” involving constant pursuit, near captures and repeated escapes. As the captain of the red team, his aim is for the cybersecurity experts he’s hired in IT (the cat) to hunt down the pen testers on the blue team (the mice).
Although his team has gotten better at this task, the pen testers (Fuentes is contractually obliged not to divulge the company’s name) “are always sneaking around undetected and one step ahead of us,” he conceded. “The first few times they got in we couldn’t find them. Out of sympathy more than anything else, they made some ‘noise’ and we finally caught them.”
That’s good news in a way, as it points up a specific cybersecurity vulnerability the red team can shore up before the next wargame. Twice a year for nearly eight weeks, both sides play the game 24 hours a day, an exhausting but worthwhile effort, as it guides ways to hunt and catch the mice and, with follow-up guidance from the pen testers, figure out how to remove the pesky critters from the network.
Not that this guidance in any way means the blue team is going soft. “Once they help us, they stick in some booby traps for the next chase,” Fuentes said. “But we’re getting better and better at fighting the good fight. What used to take a few days for them to penetrate a system now takes three to four weeks.”
In many respects, both teams are equally adept at playing the game. Fuentes emailed a list of his cybersecurity team’s certifications and attestations, as well as their compliance with international and local cybersecurity standards and regulations. He often receives emails and phone calls from clients and other companies looking to test the effectiveness of their security. “It used to be the CISO or CIO calling me, but now it’s often the CFO,” he said.
Stillwell is not surprised his professional peers are taking this tack. “Having Carlos on my executive team has reinforced the strategic partnership that must exist between finance and IT as the bad actors get badder,” he said. “It’s become that crucial.”