Leading with Intelligence: A CSO’s Playbook for Proactive Security

0:00

Manish:

Raju Bhatia is the Chief Security Officer at Regions Bank, where he leads enterprise-wide efforts to protect the organization’s people, clients, assets, brand, and reputation. He brings a unique perspective shaped by more than 25 years of experience across public service and private sectors, including over 20 years with the FBI, and more than six years leading global corporate security and executive protection at Bank of America. Throughout his career, he has built world-class teams and developed proactive programs that mitigate risk in an increasingly dynamic threat environment. Please join me in welcoming Raju to the Connected Intelligence Podcast. Good to be with you, man.

Raju:

Manish, thank you so much. Wonderful to be here. I really appreciate the opportunity to speak with you.

1:16

Manish:

We’ve run in the same circles for a few years now, but I don’t think most of our listeners know your background. So why don’t we start there? Tell us a little bit about your journey and how you got to where you are.

Raju:

Yeah, thank you. And I’m excited to share. So, you know, my background, I came out of university thinking I would be a finance professional, the Gordon Gekko, you know, of the 1980s with the slick back here and making money with suspenders. Spent a number of years working across Wall Street, consulting, really in financial background, took a left turn and took an interest in joining the government, CIA, FBI. It was one of those things you dream about, but never really pinch yourself and say, this could be real. Got a great opportunity to join the FBI in ‘97. and had a tremendous career, you know, globally for the next 20 some odd years, and saw just a tremendous amount of, you know, great work, mission-led purpose work across the globe, supporting, you know, the country, the Constitution, our partners across the globe. What I learned though you know, it’s a global threat environment, things that happen in different corners of our country, or globally, impact all of us in some way or shape. It was very complex, and I don’t believe that I was really thinking about it when I first joined. You get some cases, you go after that one or two criminals in that case confined, and then you start to learn that these have impacts everywhere. So something that’s happening globally, that butterfly that spreads its wings in the Amazon has that ripple effect. And as I got into particularly counter-terrorism, counter-intelligence, transnational crime, I started to learn how those connected pieces of information, data, could really inform the way that we went about our work to investigate and eventually bring people to justice. And so that was really powerful to me. 9-11 shaped a lot of how I thought about not being reactive to a threat, but being proactive and how we can think about those data points and connect them early to help potentially prevent incidents from happening in the first place. But that’s what shaped me over those 20 years working globally and why I think it’s made me into who I am today as a leader. That’s great context.

3:57

Manish: 

That’s great context. Before we talk about what made you move into the private sector, there are many listeners who have been, similar to you, part of a three-letter agency, have had a similar journey. But what could you share with our listeners about connective tissue that you were able to develop in the public sector that you’ve been able to bring over to the private sector? What are some parallels or patterns that you’ve matched across the two?

Raju:

Yeah, I think in, you know, three-letter agencies and law enforcement, military, intelligence does drive operations and missions. It’s just, it’s part of the fabric of what we have. You know, if you’re in local law enforcement, intelligence from the street helps you understand the environment that you’re working on. And similarly, across the globe, as we share information across all of our agencies, you know, Five Eyes and other ways to share information, that’s all connected intelligence. That’s what drives the work that we do. And then I came into corporate America, and the first thing I saw is there was really no system of collecting, refining the collection process, and then particularly sharing and operationalizing that intelligence, it was very reactive. We have a threat, let’s handle that threat. We have an incident, let’s handle that incident. And so my view of corporate security was a little skewed. I thought it was much more mature stepping in. And I’m sure that many organizations are maturing along that line. But it to me was all about how do I help lead strategy that says “intelligence led corporate security.” And then we’ll get into all the other parts of what corporate security really does and how it helps the organization. But I was really thrown back that intelligence was not leading security operations in a corporate environment as I was used to in that public sector.

6:00

Manish:

All right, so you have to talk about your first six months, maybe nine months, when you joined a very large corporation. What was that like? What did you learn? Maybe what would you do different in that transition?

Raju:

Yeah, mission. I think the lack of a defined mission across the teams was really sort of a jaw-dropping moment for me. Everybody has a mission statement and a value statement written on some piece of paper. But does everybody understand it? Can they pick that up? And from the junior most analysts or SOC operator to Chief Security Ifficer, and then beyond to your partners, do they understand the mission that the value that you’re trying to bring to your organization? It’s very easy when you’re the FBI or police officer, you know what that mission is every day, and everybody’s, you know, rowing towards that mission. Here it felt very siloed, so my SOC operations team might know what their day-to-day role and responsibility was, their tasking, but they didn’t see how that fed into the larger environment. And so that, to me again, was like, I have to break this down, those first six months. And I think the other thing was the velocity of the information coming at us, the day-to-day incidents. How do you triage those to what’s really critical? What’s “I can do this today” but it’s not going to impact operations too “this is just noise”, and it’s just so much info. The world is getting faster and faster, and those threats are coming at us with a velocity that’s really hard to keep up with. And so it was really understanding, how do I break these silos? How do I make everybody understand where they fit in? And also, what drives impact for us? That was really very concerning to me when I first stepped in. To your second question, if I could do it over, which I would, it was diving in faster to break silos and to really getting everybody on that same sheet of music about why our work matters. That just, that took me a while to understand and to get, you know, shepherd everybody into that one single pain.

8:24

Manish:

Very insightful. I’m going to give you a frame just to think about, and then I want you to reflect on what you did well in the corporate environment. So there’s the frame of managing down, so your team itself, and you can draw upon your prior history and experience. Managing across, so think of your peers in a very large multinational organization, and then managing up to upper leadership, executive leadership, senior leadership. What are things that you learned over time that you cracked the code on?

Raju:

Yeah, and to your point, you have to do all three well. You have to manage down, right? You have to work across your peers, and then you have to influence up. And I think those are three different skill sets that you have to master and then bring together. For me, I felt it was natural and easy for me to manage down. People looked up to me as a new leader. You know, I had the credentials, I had the background. I’d sort of, you know, subject matter expertise in those areas. So it was easy for me to manage down. That was almost natural after a couple of decades of, you know, working and rising. Working across my peers again, naturally bringing them into the fold, being a good partner, not just to the people on my team, but partners across the organization. You have to get everybody into that single tent. Right? And there that is cooperation, that is collaboration, that is being a good partner and sharing that vision and again different skill sets—It’s not managing your people down, it is being a great partner and it’s that give and take. There were times where I felt my view is right or stronger, but understanding that I’m in a very large matrix organization that legal gets to say, risk gets to say, that the business itself gets to say. And you have to have that risk reward, which was not easy for me because my risk reward calculation in a federal government around a threat was very different than a business decision being made. So I had to really learn that balance. And then of course that influence upward into executive leadership. When I walked into the doors, I came in having retired with a badge and tremendous power to impact. I had to learn I was no longer the business. I was a part of a large business in corporate security. You walk in a room and I didn’t have that level of influence. So you have to build that. You have to build it for your program and help sell it. I hate to use the word sell, but you have to influence corporate leadership, the very top, the board, the executive level, to understand, again, where you add value, what your team is doing, and where you need resources. And so again, three very different skill sets. Felt really good at one, worked on the middle level and had to really learn that influenced sphere.

10:07

Manish:

Excellent perspective. Raju, we have many listeners who are up and coming leaders. They have aspirations to become CSOs themselves. You achieved that at Regions Bank, congratulations. What have you discovered about that title, that role that maybe you didn’t quite see at Bank of America or that you took the lessons from Bank of America and brought them here at Regions and said, I’m going to do things a little bit differently?

Raju:

Yeah, a lot of lessons. And, you know, I think every opportunity across your career, it’s those lessons learned that if you can tie them together, weave them together and continue to learn from them, you know, along my career, you learn more from failures than you do from your success, right? That’s what I teach my kids as well. So I took a lot. It was a great place for me to learn the corporate environment at a global scale, at a velocity where you know, times felt overwhelming. I would say this, you know, when you want to continue to rise, the title really doesn’t matter. And a lot of people get fixated on the title itself. Concentrate on the work and on learning. Be a subject matter expert in your area. I think that starts with that because that’s how you build that trust factor with your team. So you build trust factor with your partners and how you have the ability to influence. So, you know, you may come from a different environment. You don’t have to come out of law enforcement or military to be a great CSO. As a matter of fact, there are a lot of great CSOs that I work with daily, a lot of great leaders that work with me that did not come from that background, but have a business background, an HR background, a legal background, a risk background, because that’s what we do at the end of the day. We’re risk managers. So, become an expert in the work that you and your team lead. Understand it deeply. This way you can help around the edges to help make it more efficient, make it more effective. So that’s what I would say is to continue to learn the work that we do and then learn those, what I would call soft skills of not just managing people, because that is a huge part of what we do, but that ability to bring people into the tent, to learn that risk matrix. And then the ability to influence is something I think we continue, I continue, to try to learn more and more how to do that more effectively so that I can speak the language of the business, not the language of security. That was a big shift for me as well, to speak the language of the business, not where I came from.

14:43

Manish:

I think this would be a great opportunity for you to maybe color in what your role, actually the breadth of your role, particularly at Regions, at a bank, and maybe just give our audience a little sense of all of the areas that you’re responsible for, and maybe what, in your opinion, makes the bank a little bit different, given the breadth of everything that you have to cover.

Raju:

Yeah, well, you know, as a typical CSO, the first and foremost thing is the physical safety, security, duty of care for all of our associates, for our leadership team, for our board, for our customers. I talk about risk a lot because I also manage fraud investigations, internal investigations. We have an aviation group. We have a real estate group facilities across 21 states, 20,000 employees that we’re responsible for daily and every one of our customers. Where I sort of balance the line between risk, and I talk to my team about this quite often is, we may have some fraud losses. We anticipate having some fraud losses. We want to minimize that impact of those, and try to stop fraud where we can. But we know that in a given year, we will have some level of fraud losses. In a retail environment, you’re going to have some shrinkage and loss. We can handle that. You want to minimize it and get after it, but it’s going to happen and you have to live with that. We’re going to have some level of vandalism to our properties, whether it’s an ATM or a broken window, facilities is going to be a concern. And again, we will fix that. We have insurance for that. We’ll get people out to fix the properties and make them safe again. Where I draw the line of risk is the safety of our people. The one thing I don’t want is to put our people, our customers, the human element, at any sort of elevated risk. So I balance that there and I would, you know, challenge you always to think about it that way, the one thing you do not want to take risk on, is when it comes to a violence or threat to your people. We’ve seen what’s happened with EP over just the last year after a horrific shooting in New York City last December ago. People are really learning a little bit about, you know, more holistic executive protection, but I take that to executive protection for every associate. It’s not just the CEO or the corporate leader that’s traveling. It’s every associate coming to work each and every day, bringing their best self to work. And how do we put duty of care around them? The other things I learned, Manish, were, you know, safety after the pandemic is not just security—it’s around health. How do we ensure that our people are in a healthy environment to come to work every day? And that’s just not from sickness or disease or illness, but to my point earlier about the commute in, how do we think about that for everyone? Brand, reputation, those were things I had not initially thought of as the CSO, but every day I worry about the brand and the reputation for the company I’m working for and how do we protect that. And so I think, you know, I have oversight of fraud, have oversight of internal investigations. We work very closely with our real estate partners around facilities issues. So it’s a broad spectrum, but I know where my critical risk tolerance lies within that spectrum. And I will just say this about Regions, if I could give a quick shout out. It’s a great, great culture. The people are aligned in that culture. And that’s, I think, one of the real strengths of our company is we’re very community based. We want to be very local. And for us, that means that duty of care for everybody that we serve, including our own people.

18:42

Manish:

So Raju, to get the funding you need to do everything you just described, what’s the approach that you’ve used and maybe what’s unique at Regions? Is it scare tactics? What’s the approach that you’re able to get the attention of the executive leadership team and maybe all the way up to the board of directors?

Raju:

Yeah, I think it’s prioritizing, right? What’s important, what is impactful to us as an organization, to our people, to our customers? You know, do what is right, protect that customer, protect that employee. So there’s so much noise, Manish, as we talk about, I mean, everything going on globally. We’re not a global organization. When I was at B of A, like any small geopolitical thing that happened across the globe was an impact to us in that location. And as an organization here, I’ve had to learn, okay, I’m not global here, but that doesn’t mean that something happening in Venezuela may not touch us because of a related protest activity or travel posture that we may take. The biggest thing I think I try to cut through every single day, and I did it at B of A, did it at FBI, do it here today, is what’s impactful to us in the moment? One is strategically looking ahead and being aware of the environment, but then so much is coming at all leaders today. I’m a leader, but I have people above me that they’re seeing even more coming at them. How do I cut through the clutter for them? I don’t want to go to my executive team for every incident that comes up. I would overwhelm them. You have to have that trust that you’re managing the important things day by day, minute by minute. You have the right team in place to help you manage that and to really cut through that clutter, see the stuff that’s really impactful, that can make a real difference. and then triage those for presentation to executive leadership. I have a pretty standing routine that I brief upwards weekly, monthly, quarterly to our board as well. So I think it helps me get that balance back of once I brief, what’s the level of engagement? And then I ask, what other things would you like to see? Again, it’s like collection requirements, right? If I don’t know what my leadership is really interested in, it’s hard for me to brief them on the things that matter to them.

21:16

Manish:

Great perspective, very helpful. So here’s a question for you. We know, and you talked about this earlier, silos being so prevalent and an enemy often of security teams, but there’s another one that’s, we’re all reactive, and the aspiration, the desire, the utopian end state is to be proactive and predictive and prepared. How do you think about that? And what’s required for you, for Regions, for the industry to shift from reactive to proactive?

Raju:

Yeah, I love this question. You know, reactive chases after an incident that’s already happened. And we do that well. Every strong organization that’s mature does that really well. I’ll go back to when I mentioned 9/11 to you. I knew that the FBI was one of the premier, if not the premier organization to investigate an incident and bring justice. But that’s reactive work. And after 9/11, the thinking was, how do we incorporate stronger intelligence model into being proactive, into being preventative. Those to me really stuck with me and what I’ve carried throughout my career, particularly into the corporate sector, is how do I turn that ship from, we have tremendous people that when an incident happens, we’re able to sort of solve it, you know, triage it, mitigate it. But how do we prevent those incidents in the first place, minimize the impact even when they do happen? Those are critical to me. And so again, it is this partnership, breaking down silos, working with my HR team when we have a behavioral threat issue to get to it early before it becomes a full-blown incident, working with intelligence models to say, we see a group doing this MO of fraud or attacks. How do we get after that, engage local law enforcement, engage our partners, our peers, so that we minimize the number of incidents? You know, we have great technology that can triage incidents faster, but if we have more and more incidents, they’re just triaging more and more incidents. I wanna reduce the actual number of incidents. And that to me is being that proactive model. You know, predictive is something I’m still wary of, but it is part of our ecosystem, right? This AI modeling, predictive in nature, being proactive by using that predictive modeling, where do you put your assets? Where do you put your mitigation plans? How do you think about crisis response? That’s all proactive work. And that’s where I think leaders need to spend more of their time rather than in that, you know, reactive space that we all, we feel comfortable in that reactive space, something happened. Well, I know what to do. I’ll get it fixed. Harder part is that strategy to really focus on strategy on preventing incidents in the first place.

24:23

Manish:

I really like that. All right, Raju, you went there, you used the two letters we were trying to avoid in this podcast, but AI. What’s your perspective, point of view, and opinion?

Raju:

Yeah, I think in some form or fashion, we’ve been using, you know, modeling forever. This just takes it to another level for me. It’s the ability to so quickly access just vast amounts of data and synthesize it into something that we can action on. It could be easy as writing performance reviews, honestly, but that cuts the time for a manager from maybe a full day of writing performance reviews to a couple of hours and, you know, and doing it in a much more effective way as well, which allows the other associate to get better feedback. I think AI is here. First of all, it’s here to stay. It’s how do we operationalize it in what’s important for us again. We’re using AI to help us determine crime trends, and at a micro level, not at a macro level, so I know where I need guards. I know the risk tolerance for those areas. That can help us be much more effective and efficient in how we deploy our assets and money. AI helps us work faster, smarter, again, less human resources that we need. The AI stuff I’ve seen in some of the new technologies and the cameras, I mean, it’s a game changer where, you know, previously we would have to have a human try to assess all this data and then make a reactive momentarily decision, we can take that away and we can really be a lot more effective, efficient, and predictive in that model. I think it’s a game changer. There are a lot of issues about how we use it internally, but I think for any corporate security team, that’s not at least exploring every possible way to make your organization better is probably behind the curve.

Manish:

Let’s extrapolate that for one minute. What pressure, if any, are you getting or are you delegating down to your leadership team on the use of AI? And where does this go? Does this mean, Raju, that you can truly do more with less and you don’t need to hire more people and suddenly automation means less heads?

Raju:

I think that’s the hard thing to talk about is, yes, we will be able to do more with less. I mean, that’s just the fact of technology in and of itself. And it’s more effective at, you know, seeing, doing what we needed to do. What I talk about is not, does that mean we need less people? It means that the people we have can be more strategic and work in an environment that allows them to make more critical decisions than the work that we are having technology do for us now. So to me, it is effective, but it’s also more efficient, right? There are a lot of governance issues still. I mean, we’re a financial institution, so we have a lot of regulatory pressure on the use of modeling to begin with, not just AI. We can compartmentalize some of that for what we use in corporate security, but we still have to get through that governance model, which is difficult and rightfully so. I’m not sure we know all the outcomes yet, so we have to be careful in how we deploy it. But the difficult conversations of, does this mean less people? The reality is it might mean less people. Where I tend to think is it makes our people smarter and much more effective at what they do because they become more efficient. So I don’t talk about it as less people. I just think it’s a smarter way for us to all work. 

28:31

Manish:

I tend to agree with you on that point. Raju, great conversation today. I have two final questions for you. The first one is really giving some of your insight and learnings over your career to our audience. So what advice would you give someone who has been on a similar journey to you and is ready to take that next step in their career? And then we’ll end with one final question.

Raju:

Terrific conversation. I know we could go all day. I would say the learnings for me are continue to evolve. People who get to a certain level, maybe it’s a title, maybe it’s a position, maybe it’s within a company. You know, if you’re not evolving, you’re not growing. And every day there’s an opportunity to learn something new, to lean into a teammate that you’ve brought in who has a different perspective, that comes at an issue from a completely different lens. I love being challenged. I never want to be the smartest person in the room. I know I’m in the wrong room, right? And for me, that’s continuously talking to my peers, reading industry newsletters, getting out of my comfort zone, meeting with partners in my organization that I don’t normally meet with, and continuing to evolve around our business. Each business is a little bit different. So depending on where you’re at, it’s not just learning what you do each day, but what are the business’s overall mission and goals? And how does the work that you do tie in directly to those to those values to that mission statement. To those metrics of your business. And for me, it’s just continuing to evolve. I don’t feel like I reached any pinnacle. I have so much more I want to do, so much more I want to learn. And I just value the time that I get to spend with great people across our industry, including at your company. I’ve learned so much in the way to think about ROI, in the way to think about what a technology platform can do for us. And you meet people from all walks of life that have come to this space that helped me broaden my perspective on what corporate security is and what it can achieve. 

30:55

Manish:

Excellent, my friend. So one final question for you, and maybe a short answer on this one. What does Connected Intelligence mean to you?

Raju:

Connected Intelligence just is what we’ve been talking about. It’s taking data from so many different sources and understanding how all of those small little sets of information create that holistic picture that you really need. You know, the shooting of that CEO, there’s a lot of different connected pieces of information that we can all learn from, you know, digital leakage about potentially that schedule. Did we assess the event itself for protest activity? or the other speakers that were going to be there, location. They’re all small pieces, data points of information, but I think Connected Intelligence means looking at that holistic picture and coming up with an assessment of what the threat landscape really looks like. You know, connect the dots is the easy answer to it, but that’s really what it is, there’s a piece of information that we are not seeing that could be impactful to us. And how do we ensure that we’re bringing that in so we have a really true threat assessment for the work that we do and the people we protect?

Manish:

Love it. Our guest today was Raju Bhatia. Raju, thank you so much again for joining us on our podcast.

Raju:

Manish, thank you for having me. Just really enjoyed it. And thank you for leading the work that you do every day. 

Manish:

We’ll talk again soon. 

Raj:

Thanks.