Q&A with Tom McAndrew, Chief Operating Officer at Coalfire
Maurice Gilbert: How did you get started on a career in compliance?
Tom McAndrew: I started my career in the Navy. As the Navy started putting more technology on ships, they realized that they needed to create better certification programs to ensure that all the systems operated correctly, specifically the combat systems (missiles, radars, guns, etc.). After getting off two deployments in the gulf, I was asked to audit and assess the designs of future Navy ships. After I left the Navy I took a totally different turn and supported more than 100 banks and credit unions with their IT assessments following GLBA requirements.
MG: Who helped shape your views?
TM: I’ve been very lucky to have a long list of mentors, including CFOs, Compliance Managers, Regulators, Inspector Generals, Lawyers, Privacy Officers, and Federal Agencies leaders. With the pace of change of technology and regulations, I think it’s important that people have a broad understanding of best practices across other industries and technologies. In the mid-2000s, the skills for compliance in IT were very different for Banking, Healthcare, Government, etc. Today we see a better alignment of controls and frameworks.
MG: How do you stay current on ethics & compliance issues?
TM: There is so much out there that it’s easy to get behind. Luckily at Coalfire, we have a fantastic internal marketing team that pulls trends, news, and articles from a variety of sources so I can get the best of thousands of resources. As I’ve grown in my career, I’ve spent more time on sites like NACD and other sites targeted for the Board/CEO level, rather than just Compliance/Risk Managers. There is a big jump from C-Level to Board/CEO communication. As I’m still in the Navy reserves, I also get a fair amount of ethical training which is (sadly) lacking from most of corporate America.
MG: What are some of the significant issues facing CCOs, Risk Managers, etc.?
TM: As a cybersecurity expert and compliance specialist, I’m lucky to be in one of the hottest areas. It seems like every day you hear about a cyber incident or breach. And that always raises the questions of what the CCO and Risk Managers did to prevent the breach. By far, the biggest challenge that I see is that many CCOs and Risk Managers are negligent in their Cyber Security Risk Management. I use the word “negligent” because I have been brought on as an expert witness and seen firsthand that some very basic controls and programs have been totally lacking. Cyber Risk Management is not an IT issue; it’s a Board issue. The Board and their C-Level executives are expected to know the current trends, what is changing, and to stay onboard. With the shortage of cyber talent, companies need to either invest heavily in hiring and building strong cybersecurity teams or augment them with co-sourced/outsourced expertise. I’m constantly amazed at how many large organizations simply don’t appear to have the skill or will to build effective cybersecurity programs.
MG: What do you believe is the optimal reporting structure for the CCO and why?
TM: I do think that the CCO should report to the CEO, but have an open line to the Board (or a committee of the Board). CCOs can define the “what” – what is needed to be compliant, what the risks are, what others are doing. But they generally do not have the authority of “how/when.” Those are business leaders. Ultimately, it’s about mitigating risk and taking smart risks. Just because a risk is HIGH doesn’t mean you shouldn’t do it. There may be many reasons why you accept the high risk because of the business drivers.
MG: How do you effect change within your client’s environment?
TM: Education, collaboration, and technical expertise. One of the first things should be two-way educational sessions where the client and Coalfire are aligned to the business objectives (not compliance objectives). Businesses create and use regulated data for a reason, and many people skip over that part. You should expect your auditor to come with a point of view and understanding of the requirements and your environment. They should customize an approach based on the business understanding before they just go off assessing risk. Otherwise, they may go down rabbit holes and ultimately fail to bring the business risk back to key stakeholders. Next is the collaboration: which tools and processes can be used to ensure that the engagement has strong collaboration. We have addressed this with a platform called CoalfireOne, which creates a consistent process. The days of smart people showing up with Excel documents and e-mails are coming to an end. Finally, one of the key areas where we provide value is in our deep technical expertise. Working across 2,500 clients, including most of the major tech services companies, gives us a lot of insight, which we provide as part of the engagement.
MG: How do you see the CCO role evolving within the next 3 years?
TM: This is a tough one. I think that the role is important, but I’m seeing trends that compliance is being pushed under a Chief Risk Officer (CRO) or someone like that. Compliance without authority/accountability for the results is not going to be a C-level position.
MG: What do you see as the greatest business risks facing companies today?
TM: Their reluctance to accept change. Technology is changing the environment so quickly, and organizations are hesitant to accept these changes because they have been burned in the past. But technology has become so complicated and ingrained into our businesses that you simply must constantly be reviewing your business, sensitive data, architecture, and future initiatives. Very few organizations are going to create their own secret sauce when it comes to technology. When I worked heavily in banking, you saw a very limited number of core banking platforms in use. I was amazed at how many banks were basically no different from each other. Today, if you are just like your competitors, you’ll be out of business. Smart companies are finding a way to adapt to new technologies, reducing the number of people and manual processes. You can see this everywhere: grocery stores no longer have cashiers, ATMs are replacing tellers, many organizations are throwing away their brick-and-mortar stores, restaurants are replacing their cashiers with kiosks. You can’t let risk and security stop your progress.
MG: What do you see as the greatest regulatory risks facing companies today?
TM: Cyber Security concerns. In the US, we have a different mindset on privacy vs. security. Organizations today have so much data and they aren’t aware of the risks they are carrying. They are likely taking in more data than they need, holding it longer than necessary, and sharing it with too many people, internal and external. GDPR has one of the highest penalties of any regulation in existence. We have seen that the result of these data breaches is almost unquantifiable – if you get caught in a breach, it’s almost unrecoverable. As risk managers and humans, we are still not very good at addressing the low probability, high impact risk.
MG: How might Chief Compliance Officers, Chief Audit Officers and Chief Risk Officers prepare to face these risks?
TM: Stay ahead of the technology risks and understand the new regulations. Our company tracks about 200 separate regulations, and we are constantly looking at new regulations. CCOs, CAOs, and CROs are expected to know the regulations, and they should be involved in their development (i.e., don’t wait until it is final; get involved in the drafts and the discussion). Second, understand the solutions and what other organizations are doing. No one needs someone to tell them that they have credit card data and need to be PCI compliant; what they need are solutions and options for becoming compliant. This requires an understanding of the business, competition, and technologies used. We had one company that had a huge initiative driven by compliance to secure all credit card data. After a few weeks with us, we were able to change the business process so that they didn’t have any credit card data at all. They had focused their efforts on compliance rather than on a new solution to address the problem.
MG: How does your company help its clients mitigate risk?
TM: We offer three general types of services. First is our Cyber Risk Advisory (CRA) team. This team has the expertise and can help organizations design and build effective cybersecurity programs. This includes board communication, C-level engagement, architecture, and hands-on technical cybersecurity assistance. Second, we have a large Assessment team, which includes some of the premier experts in compliance (PCI, HIPAA, GDPR, SOC, ISO, FedRAMP, etc.). We provide third-party attestation that programs are effective. Finally, we have a Labs group, which does the “hacker” type of work like penetration testing, application assessments, etc. They try to break in and test for weaknesses before the bad guys do.
MG: What new service offerings do you have in the queue?
TM: We are seeing a strong pull into the international markets. China, Germany, UK, Australia, and many other countries are pushing out new regulations and requirements. Our business is driven by our clients’ needs. We think that GDPR is going to be a huge push in 2018 (even for U.S. companies). We are also pushing to integrate our services into our CoalfireOne platform to make it easier for our clients to manage their engagements and audit cycles in one place.
MG: Compliance departments are often asked to accomplish their work with limited resources. Do you see this situation changing anytime soon?
TM: Yes. It’s only going to get worse. Regulations are growing exponentially, budgets will not. Compliance departments need to relook at their investment and build a scalable model that allows for priorities, audit cycles, and staffing to rapidly scale up or down based on the business needs.
Tom McAndrew is chief operating officer for Coalfire. He is an experienced leader with IT assessment and audit expertise in Cloud ecosystems, financial services, healthcare, government, and retail. He leads Coalfire’s professional services practice and provides oversight and expertise for Cyber Risk Advisory, practice development, and service delivery across several regional offices. Tom is the current president of the Seattle chapter of the Information Systems Audit and Controls Association (ISACA), and holds numerous certifications in audit, compliance, and information security. Mr. McAndrew worked with information security and weapons systems for the Space and Naval Warfare Command, Naval Sea Systems Command, and the U.S. Navy. He is a graduate of the United States Naval Academy, holds an MBA from the University of Washington and a Master of Science degree in Information Technology from the University of Maryland.