August 20, 2025
From Fed to Fortune 100: The Security Mindset Shift That Changed Everything
In this episode
In this episode, Fred sits down with Scott McHugh, a veteran of both federal service and Fortune 100 security leadership, to explore what the public and private sectors can learn from each other. They dive into how public-sector urgency, mission focus, and intelligence practices can strengthen corporate programs—and how the private sector’s agility, innovation, and risk tolerance can enhance federal preparedness. The discussion also addresses critical infrastructure threats, the shortcomings of public-private partnerships, and the potential for AI to bridge operational silos across sectors.
0:00
Fred:
Hi, I’m Fred Burton here today with Scott McHugh. Scott is an old friend of mine. We go back many years, and he is the founding executive of the Institute for Homeland Security at Sam Houston State University. He serves as executive manager for corporate critical infrastructure protection. He is also a professor of practice at Rice University’s Baker Institute for Public Policy, teaching in the Master of Global Affairs program. Previously, he held senior security roles at Walmart and LyondellBasell, and was recognized as one of Security Magazine’s top corporate CSOs in 2020 and 2021. Scott’s career spans decades of public and private service, including roles with the U.S. Foreign Service, DHS-TSA, and the U.S. Coast Guard Reserve. Scott, welcome to the Ontic Connected Intelligence Podcast.
Scott:
Well, thank you, Fred. It’s an honor to be here. Really enjoyed having that opportunity.
1:27
Fred:
Well, it’s our pleasure, Scott. With your unique experience leading both federal agencies and Fortune 100 security programs, what are some of the most effective public sector practices you’ve carried into the private sector?
Scott:
So I was actually pondering that question when I first saw the list of topics that we were potentially going to talk about. And that actually boils down to, the public sector brings forward a sense of urgency and brings forward a sense of dedication to mission and, more importantly, the utilization of intelligence as a foundational basis for creating security programs. And so if I had to sum it up into one thing that I was really able to bring with me, it is that ability to understand what is intelligence, because unfortunately, intelligence is often really misunderstood within the private sector, as well as some components of the government sector, and how to use that information as a basis for building risk-based dynamic security management programs.
2:49
Fred:
Conversely, Scott, what private sector innovations or approaches do you believe could enhance federal or public security systems if adopted more widely?
Scott:
So the private sector is much more attuned to risk-taking than the government is. The government tends to be very methodical and very process-oriented with respect to not only new tactics, but also new technologies and new tactics, and in some cases, strategies and doctrine as well. Whereas the private sector is much more willing to embrace those concepts if you are able to make a compelling use case. And so again, if I had to think about the summary answer to that very good question, it is that the private sector is actually much more willing to utilize emerging technologies. And let me just give you an example of what I’m talking about. The emerging technologies of security drones and security robots. They are being embraced by the private sector for incident response, surveillance, and reconnaissance. And as a result of that, they’re able to be a force multiplier that really provides an exponential increase in the proficiency and the efficiency of the security programs. The government’s been a little slower on that. The government’s been very active in that space militarily for the military adaption of security drones and robots in particular, but not so much as it relates to the utilization of it for practical security processes as a force multiplier.
4:43
Fred:
Yeah, that’s fascinating. Scott, when you transitioned from the federal service into the corporate world, what was the biggest mindset shift you had to make in approaching risk?
Scott:
So that actually is something that I’m very, very aware of. And I talk about this often when I’m giving speeches or doing classes. Because I tell the audiences, when I retired from the government, I actually had, I was very blessed. I had a relatively successful government career, having retired at a pretty senior level, and thought I was pretty hot stuff, and went into the private sector thinking that I was going to carry on in that space and came to find out immediately that nobody in the private sector cared about the things that I did when I was with the government. That got me in the door, that is what enabled me to be hired, but they did not expect nor want the same type of performance or cultural outcome that had been successful for me in the government to be applied in the private sector. To be honest with you, for about the first 18 months that I was in the private sector, I went into work each day thinking I was going to be fired because I really didn’t understand what I just said to you a minute ago, what that meant, and didn’t understand how to translate that into performance that mattered in the corporate business sector. And it was only when I learned that what the private sector wanted was a business executive that could use security management techniques to solve business problems. They were not looking for someone who was going to apply security management solely because it was the right thing to do, which was really the mantra of government, doing those things because they were the right thing to do for society writ large or the country writ large. Whereas in the private sector, there has to be a business reason. And you have to be able to look at the issues that a company has and how you can use security management to address those security issues in a way that is meaningful.
Let me just give you a quick explanation of what I mean by that, and that is post-pandemic. And actually, in a number of years before the pandemic, this existed, but it was really exacerbated by the pandemic. There became a real problem with recruiting employees into the private sector and retaining employees in the private sector. And so what became very apparent to me was that the utilization of security management as a means to build a culture that could be used within a company to recruit new employees and retain employees became a significant business force multiplier. And so it was going to achieve the security outcome that I was seeking, but the business case and the use case that is presented for providing that type of service actually was formed and framed in the context of its business impact, not its security impact.
8:13
Fred:
Now, I appreciate you sharing that. That’s very sage counsel. Scott, let’s move off to critical infrastructure and system resilience. As executive program manager for critical infrastructure protection, how do you define resilience in today’s environment of hybrid threats, physical, digital, insider, and geopolitical?
Scott:
So the threat environment, Fred, as we’ve talked many times, it has been evolving significantly over the last several years, particularly in the space of critical infrastructure protection, to where nation states are now very much involved in the targeting of critical infrastructure, and they use many of the risks that you define, the digital threat, the cyber threat, the insider threat, they use those channels as a mechanism to be able to carry out those attacks. So what we’re seeing is that critical infrastructure risk has evolved into what I call two parallel paths. We have the traditional risk paths that all CSOs and CISOs have had to deal with, such as fraud and insider workplace violence and insider threat and unauthorized access, so on and so forth. Those are pretty traditional types of threats to a company, no matter what that company’s business is. But what we’re seeing now is potentially existential threats by nation states who are partnered up with transnational crime groups to carry out these attacks that are designed to attack critical infrastructure as a means to an end. And that end is to create chaos within society, to cause governments to have to look internally to manage stress issues internally, and thereby take their eye off the ball of events geopolitically. That’s a very different environment that companies are operating within today. And there are many, many examples of how this has been evolving over the last, well, roughly 10 years, but certainly within the last seven years, it’s really exploded, no pun intended, to where companies are actually, in some cases, on the verge of having to go out of business because their brand has been so tarnished and so disparaged that they’ve got to look at other alternatives.
So how I look at these risks is in that context of the parallel paths. And the one commonality to both of those risks is what we started talking about at the beginning of this podcast, and that is intelligence, and how it is that you’re going to utilize intelligence, not as an adjunct, not as an alternative source, but as a primary tool in helping a business across all functions to understand what information is out there and how that needs to be integrated into decision-making for creating business decisions that minimize that risk and that threat, that potential existential threat that is out there. So that’s how I would paint that on a general response to your question.
11:54
Fred:
Scott, how can private sector leaders more effectively participate in federal threat preparedness or response initiatives like DHS’s Protective Security Advisory Program or sector-specific councils? I know you’ve got your ear to the ground with this at Sam Houston.
Scott:
So that’s a really loaded question, Fred, and one that we could actually have a whole podcast on. During my 25 years in the private sector, I have come to the conclusion and the realization that the government really has no idea. And I say this as one of the original founders of DHS. And so I say this as one who actually was not successful in achieving what we were seeking to accomplish back in 2002 when this whole DHS-TSA thing got started. DHS and the government in general have not been very successful in creating partnerships with corporate critical infrastructure in the private sector. And I’ll use CISA as an example. CISA has been an organization that started in 2018 formally, but it actually began years earlier before it was amalgamated into the CISA organization. And they’ve been an organization that has been looking for a mission. And that mission has been very poorly defined. And their response to the mission is even more poorly defined. And as a result of that, it’s very difficult for the private sector to view them as a value-added partner, because it’s not clear what it is that they bring to the table to be able to partner with the private sector to protect critical infrastructure. And why that is important is nearly 90% of the critical infrastructure in the United States is owned, operated, and protected by corporate entities.
Fred:
That’s a fascinating statistic too.
Scott:
The government has no responsibility for actually the execution of critical infrastructure protection, and this is where it becomes difficult and where the government has not been successful in creating that value-added partnership. They keep advocating that they have a role to play in this environment, but they have no responsibility, both from a legal perspective, from a financial perspective, certainly from a fiduciary perspective, to actually run a company or even a critical infrastructure sector’s corporate critical infrastructure program. As a result of that, we haven’t really achieved the partnership that we need going forward. And the problem has been that the mission creep that has been growing and growing within DHS, and CISA in particular, has kept it from being focused on what is a value add, what is it that they can do that can provide that force multiplication partnership with the private sector. And as a result of that, I am not very much of a fan of the DHS approach that has been put in place thus far. If they were only focused upon the two things that I think they do really potentially well, but for reasons that are, again, complicated and probably go beyond the time limit for this podcast, they have been hesitant to embrace it. The role of DHS should be in the threat and risk information sharing, and in the joint training between the private sector and the government, with DHS CISA being the honest broker that helps to bring everybody together as need be for those entities, or excuse me, for those incidents that require joint response by state, local, federal, and private sector folks. And neither of those two topics are their top priorities. They say they are, but again, having spent years and years interacting with them and seeing that their actions betray what their actual thoughts are, those two particular functions are very low on their priority list.
17:20
Fred:
Scott, with Ontic recently achieving FedRAMP authorization, what’s your take on how federal security compliance standards influence corporate security operations?
Scott:
So again, this is something that I think we’re on the wrong end of the problem. FedRAMP is not unlike what we’ve seen with CISA’s CFATS program and with the Coast Guard’s MTSA program and with the Department of Energy and EPA and the Department of Transportation and their various programs, all of which are really a checklist, one-size-fits-all approach to this. And I get that the whole idea was that if you put in place these programs and say that, on FedRAMP in particular, if you want to do business with the government, you must be able to do X, Y, and Z, that that would drive change. But this is where we’ve got, we’re on the wrong side of this issue. And by that, I mean computers. The fundamental weakness with respect to cyber issues today is people. And it’s people not fully embracing, understanding, or embodying the level of performance that is needed for any type of consistent approach to cybersecurity. And unless and until we’re able to achieve that, we’re going to be constantly playing catch up and constantly reacting to events that have occurred with respect to cybersecurity. Now, what do I mean by that? Well, let me just give you a really good example and a model that I advocate that we think about very seriously from the point of view of how would we implement this. When the automobile was developed late in the 19th century and it became a common tool that more and more families made part of their daily lives, it required basic skills to operate the vehicle and basic skills for the rules of the road. And as a result of that, governments became involved in establishing what those rules of the road are. Now, in the case of the automobile, mainly that government involvement was at the state level. And maybe that’s the way that we would look at this on the cyber side as well.
But my point is that we need to establish a standardized baseline of knowledge, which again, if you look at the 50 different states, they have 50 different testing programs for driver safety, but they’re pretty similar. They’re extremely similar from Maine to California, maybe different terminology, but the behavioral outcomes for rules of the road are the same. If we take that approach, that before you buy a computer or before you log on to a network that is outside of your home, for example, you must be able to provide your computer driver’s license number, having completed and passed successfully a test, maybe even had to perform a practical test like you do with driver education to show the instructors that you have the skills beyond just checking a box or answering a multiple choice question. And as a result of that, we would be able to embrace that cybersecurity is all about anytime you touch a computer, because what we are experiencing today is that any computer that is out there, whether it is an individual computer like we’re on right now, Fred, or whether it is a company’s or an NGO’s computer or a faith-based organization’s computer, they have access to various and sundry entities that have access into critical, oftentimes have access into critical infrastructure. And again, we’re seeing that these nation state attacks, these criminal group attacks, these transnational crime group attacks, and in some cases just sort of individual criminal hackers, recognize that people are the weak link. And because they are a weak link, we’re able to exploit that, or they’re able to exploit that, because we don’t have that uniform understanding of what you must do anytime you turn on and use a computer.
22:18
Fred:
Very thought-provoking, and I appreciate you sharing that. Scott, you’ve been a mentor of mine and trained me back in the day when we were both agents, and you’ve led security at organizations ranging from Walmart to LyondellBasell. What common gaps do you see in how organizations treat security as part of business strategy?
Scott:
So that actually goes back to the question that we talked about earlier, in that what my experience was that once you really understood that your role was to be a business executive that was using security for solving business problems, that you didn’t have nearly the size of the gaps that we’ve talked about in years past, and you didn’t have anywhere near the, oh, security is just a cost center approach, is that if you’re able to show value to the business, because at the end of the day, you have to remember that a corporation is there legally, ethically, and from a fiduciary perspective to make money for their shareholders or their stakeholders. That is the reason they exist. They don’t exist for homeland security. They don’t exist for homeland defense. And any CEO who is out there advocating that won’t be a CEO for long. They will be removed because their board of directors wants a CEO that’s devoted to what their actual mission is about. So as long as the practitioners understand the reason that they need, that they exist, and what their role is in protecting the business. And part of that is protecting the brand and the reputation of not only the business, but the industry. Those are quantifiable balance sheet type issues that are out there that are very real. But unless you address the problem in those types of contexts, you’re going to find that you’re not effective. Now, the one big gap that is out there is I have gone to innumerable conferences and seminars and workshops with respect to security issues as it relates to critical infrastructure protection. And they’ve always wanted the CSO or the CISO or the vice president or whatever, vice president of security, to be there. But what they never have created conferences around is CEOs, chairmen of the boards, chief operating officers, because you need to have the impact and their points of view of what they’re looking for and how they want to use the security practitioner.
That’s, if there’s any one gap that is out there that is a huge chasm, that is the one that is out there. We’re not really including all of the decision makers in these interactions. And unfortunately, the government, in their interaction with businesses, never talks to the CEOs or people at that level. It’s always just at the practitioner level. So they’re speaking to the choir with respect to people that want to be doing the right thing from a protection perspective, but not necessarily the people that are going to be the decision makers as to how that adds value to the business.
26:00
Fred:
Very good advice. Scott, as we wrap up here for the sake of time, what does Connected Intelligence mean to you?
Scott:
So that’s actually a very useful term today. And I say that in the context of the artificial intelligence emergence and evolution that is taking place. Today, we have an opportunity. It goes back to what we were talking about earlier. We have an opportunity to be looking at intelligence, not just through the lens of security, but what Connected Intelligence means is that we need to have a process within the corporate world that brings together intelligence across all functions, that aligns the data that is collected and the analysis that is done on that data into business decision making that goes beyond individual functions. It really needs to eliminate those stovepipes, which unfortunately, I have to admit, in today’s environment, still exist in many companies. But as artificial intelligence becomes much more prevalent, it is likely going to diminish those stovepipes, because artificial intelligence is going to be able to give companies the ability to analyze and communicate voluminous amounts of information more rapidly than has ever been done before. Again, the best example that I can give you of that is, and this is something that you well know from your days working with us at Walmart, is that we used indications and warnings analysis for mergers and acquisitions. And we did that for big, important questions that needed to be quantified with respect to the emergence of that risk. Doing that, the methodology for that has existed for almost 80 years. Actually, strike that, it’s closer to 90 years at this point. And it works, it works very well, but it’s a cumbersome process, very labor intensive. And as a result, it was extremely expensive in the past to do that. And as a result, we only did it for really important, big time, high profile mergers and acquisition questions.
But today, because of artificial intelligence, that indications and warnings concept, which is multi-dimensional with respect to your collection and your evaluation and your analysis of the indicators, it crosses all boundaries, not just security. It includes government relations and IT and all of the business functions that are important components of the analysis. And artificial intelligence enables that analysis to occur in a matter of minutes. What would have taken five, six months to develop all the indicators for an indications and warnings question can now be done in 30 minutes total, and can be done no longer for seven figures, but can now be done for four figures. And it’s very reasonable and very effective. And so it gives us that ability to truly create that aligned and, to use the term within the title, that interconnected information for decision making.
Fred:
Well, Scott, in closing, I want to thank you for being on the Ontic Connected Intelligence podcast. And I also want to thank you for your friendship and mentorship over probably darn near 30, 35 years now. Thank you for what you’ve done for me. Thank you for what you’ve done for all of these companies. And thank you for what you’ve done for the government.
Scott:
Well, you’re very kind, Fred. I thank you very much for those very kind words. And it’s been my honor and certainly my privilege to participate in this podcast with someone of your stature. So I’m always looking forward to the opportunity to be able to carry on on your coattails. And that’s what I feel like I was able to do today. So thank you very much. I don’t think so, my friend.
Fred:
Thank you.
Scott:
Thank you. This has been great.
What you’ll learn
01 How public-sector intelligence practices can elevate private security
02 Why federal agencies struggle to match the private sector’s tech agility
03 What’s missing in public-private security partnerships—and how to fix it
More about our guest
Scott is a founding executive of the Institute for Homeland Security at Sam Houston State University and serves as executive manager for corporate critical infrastructure protection. He is also a Professor of Practice at Rice University’s Baker Institute for Public Policy, teaching in the Master of Global Affairs program. Previously, he held senior security roles at Walmart and LyondellBasell, and was recognized as one of SECURITY magazine’s Top Corporate CSOs in 2020 and 2021. His career spans decades of public and private service, including roles with the U.S. Foreign Service, DHS/TSA, and the U.S. Coast Guard Reserve.