IPG: building trust in cybersecurity
We live in an era of unsurpassed connectivity. The ongoing digital transformation of the global business landscape is bringing everything from robotic process automation (RPA) to artificial intelligence (AI) out of the pages of science fiction and into the homes and workplaces of billions of people. Nearly every person walks around with a rectangle of glass, plastic and silicon in their pocket that can access nearly the sum of human knowledge, and possesses about 100,000 times the computing power of the thinking machines that put man on the Moon. In seconds, we can convey information, opinions and our innermost thoughts to an audience of millions. We can share memes using a refrigerator now. Never before has information, interaction and human connection been so readily available, but this new world is not without its challenges.
“What I don’t think a lot of people understand is that every single person that owns a smartphone, tablet, smart watch [even a smart fridge] etc, is under attack, every minute of every day,” explains Chris White, Deputy Chief Information Security Officer at Interpublic Group (IPG). “There is a global war going on in cyberspace. There are criminal elements, state-sponsored elements - that classic idea of the kid in the hoodie in his mom’s basement doesn’t even scrape the surface.” Far from attempting to instill mass panic, White’s tone is one of reassurance. “Inevitably people hear that and say ‘well now I’m afraid to go outside,’ so to speak. ‘What do we do now?’ The answer is just to behave normally. There’s no sense in becoming a doomsday prepper, living in a bunker with the phone lines cut, because all the companies that make and support everything you do at home and for work, they understand that cybersecurity is critical to doing business. That’s why they have guys like me who are doing our absolute best to protect you.”
White’s career in cybersecurity started in the US Air Force, working as a signals intelligence operative around the dawn of the internet. Over the course of a 30 year career on the front lines of cybersecurity, he has developed a wide breadth of experience in security automation and telecommunications. He took on his current role at Interpublic Group in April 2019, working to support and execute the security vision of IPG’s CISO, Patricia Hinerman, who moved over from her role of Corporate CIO in March.
Interpublic Group is one of the foremost advertising and marketing holding companies in the world. With offices across the globe, the company employs more than 54,000 people specialising in advertising, digital marketing, communications planning, media and public relations. “Because IPG is a holding company, my job is to provide IT services, including cybersecurity, to our portfolio of companies, which all operate in a culture of consensus. I’m responsible for more than 100,000 endpoints, tens of thousands of users across hundreds of companies supporting thousands of downstream clients. My security team is 30 people,” White explains. Along with Hinerman, White and his team are facing up to the challenges before them and executing an intelligent, modern cybersecurity strategy that balances the challenges of a constantly evolving threat landscape with the unique demands of IPG.
Across global companies, operational functions and departments are transforming their operations to ensure they not only perform those functions but also enable, support and add value to the enterprise as a whole. As IPG, a business fueled by creatives working in the world’s best advertising agencies, this is vitally important. “We’re ensuring that we’re never, ever ‘the office of no,’” says White. “IPG has a creative culture. The people here are working on how to make the next great Superbowl commercial, how to really support their clients with a marketing campaign that’s intelligent, appealing - all those things. The upshot is that I can’t just mandate that people use particular tools or software. I need to enhance my agency's function, and that means creating an environment that is secure, but also not restrictive to the creative process.” Constantly finding the solutions that provide security, without restricting freedom or disrupting operations is a core element of White’s role.
Even as businesses’ operations become increasingly digital, the industry-wide emphasis on the human element is only growing more pronounced, something made even more apparent by demand for security personnel that outstrips the current supply. “There’s a dire need for cybersecurity professionals. If you can hire them, it’s hard to hang onto them,” says White. “I have to find the talent that's right for me in my environment, in my culture, and work with them to give them the things that they need to get their job done the way they want to do it. I have to think of creative methodologies.” In addition to a shrinking pool of cybersecurity professionals, the amount of data that a modern team handles is growing exponentially, something that is transforming the way teams like the one at IPG function. “The talent shortage combined with this data increase means there’s no way that you can follow traditional security practices of identifying a problem, sounding an alert, prioritizing it through as critical, high, medium or low, and then tackling it,” he says. “If you do that, you’re going to get buried in data.” The answer, in addition to careful cultivation of an existing security team, is to harness cutting edge automation technology. “You have to apply automation to help direct people's brains to where they need to be focused. This is one of the reasons why I am very excited about our new companies Acxiom and Kinesso. When IPG acquired one of the world’s leading data solution companies in 2018, it afforded my team the chance to partner with the incredible expertise they have around the understanding and use of data to support automation,” says White, “because the most important tool in your toolbox is people. Period.”
In a world of talent shortages and increased digitalisation, expert help is an essential commodity for White. “I couldn’t do my job without having supportive partners,” he says, “and I use the word partner intentionally. A partner is someone you trust implicitly and that is going to do what is right for you, and a good partner in business brings new insight and new ways of thinking about what you do.” Early thinking about cybersecurity methodology centred around the maintenance and development of an effective firewall. Then, in the 2000s, applications added an additional dimension. “Not only do I have to have the network protected, but every application needs its own individual defense in-depth stack,” says White. “Proofpoint exposed me to a new dimension of thinking - a whole new axis. We need to be thinking about identity as a third dimension that needs its own levels of protection.” Today, as digital identity becomes more dispersed, both inside and outside the enterprise - across a host of different applications - IPG is working to protect its employees’ identities beyond the standard provided by normal identity access management solutions. “That’s something that Proofpoint brings to the table, because digital identity is primarily controlled through email, and they showed us how to harness our data to start protecting the identities of our users more effectively,” says White.
Reflecting on the first few months at IPG, White and Hinerman are still putting their stamp on the department and the team. “With both of us being new to the role, I think our short-to-medium term goal is to ensure that our agencies are confident in us to do the job that they've asked us to do, and that comes through in good production results that are based upon good data analysis, and that's impactful,” he explains. Looking forward to the new year, the IPG team has internally branded 2020 The Year of Data Quality. In both the short and long term, though, the most important thing that White is working to build is trust. “I need to increase services efficiently, build trust, and continue to make IPG’s operations more secure without incurring a cost to its ability to do business. I’m really very grateful to IPG for this chance. I never, ever, in my life thought I would be deputy CISO for a Fortune 300 company. Never. Not five years earlier I was working with the Department of Defense, and then 15 years before that I got out of the Air Force as a lower-level enlisted member. This is kind of like being a kid, hitting a home run and all of a sudden I’m playing in the Major Leagues.”