Profiles in Confidence: Dr. JR Reagan, Global CISO Deloitte
AN ADVANCED, CONSISTENT, AND CENTRALIZED SECURITY PROGRAM Dr. JR Reagan, the Global Chief Information Security Officer for Deloitte Touche Tohmatsu Limited, began his career in the security industry, but he does not have the typical resume of a security industry veteran. An early boss who did not think highly of security encouraged Reagan to study innovation, marketing, and analytics. Reagan maintained his interest in security and saw how these areas could intersect. Today, Reagan is a TED speaker on innovation, a marketing and analytics professor at Johns Hopkins, Cornell and Columbia, and Global CISO at Deloitte.
In his TED talk, Reagan explains how innovation can come from anywhere – from children and from third world countries - not just Silicon Valley. He puts this belief into practice in his security organization. Being “advanced” is one of the groups three main tenants. “It is not enough to do what is just ‘okay’. We don’t have all of the answers, but we have to think about the future. How will we do things three or five years from now? What do we need to be prepared to address?”
Reagan stays clued in to advancement by tapping into a vast network of peers, CISO forums, and hot spots of technology innovation. “Innovation moves so fast these days you can start to get a feel for where things are going and better prepare for it. We architect our solutions today to be open to the innovation that is coming.”
Reagan’s security program is also centralized, which is no small task for a company with offices and clients across the globe. “We look for commonalities to set global standards while allowing for specific regulatory and data privacy laws within each country. Our customers require this of us, and my team works with member firms to articulate our security program to these clients. This is something that is happening much more today than in the past.”
Lastly, Reagan’s team strives to be consistent. Deloitte makes a brand promise, and part of that promise is that the client’s information is secure with us. “We maintain consistent levels of security, and in a sense we are like the plumbing. You rely on us, but it doesn’t really impact you. We are consistent in that way. But we are not just technology, in fact, I rarely talk about firewalls. We talk about the business. We need to enable new business models and support change and advancement. We do that by protecting information.”
DOES SECURITY HAVE AN IMAGE PROBLEM? Since Dr. Reagan is a Marketing Professor in addition to a CISO, we asked him to weigh in on how security is positioned in the enterprise. “The security industry has a little bit of an image problem. It’s viewed as geeky and technical. That was how security professionals valued themselves. But right now CISOs are going through a similar transition to the CIO. In security, this is causing an identity problem. Today it’s not enough to talk about encryption. Tell me about the business. We are going to see rapid transformation in this regard. You’ll start to see people entering the field without the typical technical background and that will change security’s image.”
SECURITY AND INNOVATION “For the longest time, information security teams have been ‘Dr. No’. We are overdue to think of new ways of addressing security with employees. That is where innovation comes into play. User behavior dictates whether security programs are successful. We have to find ways to embed security instincts in the natural way people work. This is something our industry is not good at right now. We cannot just have folks doing online awareness training. The airline industry is a great example. They have fundamentally changed how people respond to the safety videos by making them engaging, funny, and interesting. We are rolling out new training videos at Deloitte, “Don’t Be that Guy”. We are going to show the security mistakes everyone makes, in a funny way, and hopefully with humor change behavior.”