In this episode of People and Strategy, Google's Chris Rackow speaks with host Tony Lee on topics that include the growing role of CHROs in corporate security, overlooked methods to prevent phishing and ransomware attacks and how the rapid expansion of remote work is impacting security and safety.
Chris Rackow was both a special agent in the FBI and a Navy SEAL. Today, he’s vice president for global security and resilience services at Google, as well as president of the board of directors for the International Security Management Association (ISMA). In this episode of People and Strategy, Rackow speaks with host Tony Lee on the growing role of CHROs in corporate security, overlooked methods to prevent phishing and ransomware attacks and how the rapid expansion of remote work is impacting security and safety.
This episode is sponsored by Mystery. Mystery creates meaningful connections at work by curating virtual events for teams based on their shared interests. With hundreds of quality vetted events, Mystery has something for everyone. For a special BOGO offer, head to trymystery.com/shrm to book your first event and get the second for free.
Welcome to today's People + Strategy Podcast. I'm Tony Lee, vice president of content for the Society for Human Resource Management and the SHRM Executive Network, which is the premier network of executives and thought leaders in the field of human resources.
I'm excited to speak today with Chris Rackow. Chris is president of the board of directors of the International Security Management Association. And in his day job, he's vice president for global security and resilience services at Google. Before joining Google in 2016, he was the chief resilience officer for AECOM. And prior to that, he served as VP of corporate security at ABB. Chris, thanks so much for joining me.
Chris Rackow: Thanks, Tony, for having me. It's great to be here.
Yeah, no, it's our pleasure. You are not in HR, but from an HR standpoint, corporate security and especially cybersecurity have taken on a new importance in recent years, as you know. From the risks that come with employees working remotely, to ransomware attacks and other cybersecurity threats, many CHROs are investing time thinking about the impact of those threats to their businesses. Where would you suggest they start?
Your words of new importance, right on target. I mean, if we look back just over these past two years, COVID has absolutely changed the security threat landscape for employers. Through the impact and the ways, how businesses and governments and people want to and expect to interact today. We, all of us, all the functions, we're challenged with new, large variances and how people want to interact with our employers.
From us as security and HR perspectives, remote and hybrid work absolutely is introducing new challenges in areas such as intellectual property protection, data loss prevention, employee security, occupational health and safety, asset protection, accommodations benefits, just to name a few. Directly to your question, where to start? For me, everything always comes back to the employee. We should always focus on awareness and educating and building up good inclusion with our employees and how they relate to the employer.
Employees are always the first line of defense for us. There are plenty of subject matter experts, whether it's physical security like myself, my partners in information security, the enterprise risk management teams. They have and can develop the specific reactionary tools to mitigate when signals arise from, let's say, a developing incident or a risk. But the employee is where we can start with proactive efforts to begin to normalize new, good behaviors in this new world and actions that can benefit both the employee as well as a company.
And we'll talk about this a little bit. This feel safe, be safe concept that we try to use at Google. Being proactive with these behaviors, they have the greatest likelihood to have an effect on shrinking some of these attack vectors, whether they be phishing, ransomware, data exfiltration, workplace violence, which fits into this arena in other areas. And I look at this as it's the greatest threats as well as opportunities for how we get this right or wrong going forward.
Yeah. You do this for a living. You are in the corporate security world. Should HR be managing security management in the workplace along with folks in jobs like yours? Or should they leave it to the corporate security people to do it? Who should be thinking about this? Who should be doing it?
Absolutely. It's a team-based effort here. And I think we learned this across multiple different areas in that if a function tries to own it itself, you just by default create gaps. The high level answer for me is as many parts of the company should be thinking about it, especially in today's world. And at a minimum, security and HR together should be doing it.
If I look at both functions, there aren't any others that have as much crossover because both HR and security, we're hyper-focused on the individual, and that experience of the one employee. And if anything, COVID has demonstrated that alliance between the security and HR functions.
And if we do it together, we eliminate some of these assumptions. We eliminate some of those gray areas and we can actually have a synergistic way of being able to provide good experience, good awareness, good education, good inclusion for all of our employees is why we build this new relationship between employers and employees in this new world.
No, it makes sense. You mentioned COVID and you mentioned remote work. We're starting to see people coming back in the office, but remote work is still here to stay, obviously. What has been the impact of the big increase in remote work to security and to safety?
Yeah. I touched on these a little bit, but some of the big ones, intellectual property protection, employee security. And I use the terms at rest and in motion as our people have different dynamics on where they work and how they move between work locations. Occupational health and safety is a new focus area because once again, those underlying dynamics have changed.
And asset protection, in the broadest definition of what assets are and what's important to the employer. For example, if people are not using secure and improved methods for accessing your company's crown jewels and data, there is a risk of data breaches and downstream cyber attacks. Additionally, if people aren't taking proper precautions working from home, they could be putting themselves at risk of accident or injury.
Yeah. Obviously, this is something that everyone's concerned about. But are you actually seeing cases where remote workers are being attacked through ransomware and through other means?
From an industry's perspective, speaking as a voice of ISMA and my peers across companies, the simple fact that we have more employees that are outside the traditional workspace, there have not been defined rules codified yet on how to do proper asset protection with intellectual property. Just that, that increased surface area has impacted phishing schemes, ransomware schemes. And by default, those numbers have increased a bit.
We've published some articles lately about unfortunately cyberstalking. And an increase in the number of employees who, believe it or not, research is showing that romantic relationships at work actually rose during the pandemic, which seems so strange since people are talking to each other through Zoom. But that of course then leads to threats and to cyberstalking and related problems. What would you advise HR leaders to help minimize that threat?
Yeah. Cyberstalking, it's a very challenging area that it requires a long term effort again, between employees and HR and security. Cyberstalking unfortunately, it can have a significant mental and physical effect on victims. And unfortunately, the reality is it's very difficult to find and punish attackers because they know how to anonymize themselves behind fake personas.
While investigating is very important, having real impact requires being proactive. It'll be hard to investigate your way out of a cyberstalking environment. HR can be a huge help in this area by amplifying, through multiple and continuing reminders, the awareness information provided by the security professionals, whether it's the physical or cyber teams.
And this should be a recurring drumbeat in as many engagement forums as possible. And the added benefit is that the same awareness package, it also mitigates against some of these other issues that we've been talking about, phishing, ransomware attacks. And unfortunately, the most common attack vector of penetrating an information system of a company remains via the one employee who has been socially engineered.
And then the last piece, which is probably the most important for a function like HR is being incredibly open and available to victims. It's one of the most important things. And victims can be really embarrassed and scared. And they find it hard usually to report and come forward if they feel that it is not going to be completely open and received and they're going to get help.
If they see the company and HR being completely open, accepting, helpful, this likely in turn leads to more victims coming forward. Then what you actually create is you create an open, shared awareness amongst the employee base. And they discuss, they adopt and they share best practices. And looking back historically, this, the same methodology has been really successful in the years in addressing the unfortunate topic of domestic violence.
Yeah, well solid communication. I mean, it's always about a great communication strategy. That seems like a great way to go after the attack has occurred. And even before, letting people know that they should be open and communicate. But are there ways to prevent phishing, prevent ransomware, privacy invasions, things that companies should be doing today that maybe they aren't?
It comes back to the theme of the first line of defense is the employee. And building on that, the best prevention is a team-based approach for comprehensive organization-wide effort for educating and building awareness among the employee base. And building that really strong relationship between the employee and the employer.
And I alluded to this concept of the be safe, feel safe principle. The majority of these attacks, they start with that one employee. And more often than not, and it's not due to malice. It's typically just from being socially engineered. They take that step and then that is the entry point to providing access into corporate data.
This topic really expands between the HR function, the security teams, information, physical communications. It really has to be a team-based effort. Because it's so complex among multiple vectors, now that we have offices, we have more of a hybrid workplace. It's being able to have a balanced and empathetic approach to educating and also having that employee feel that they have a responsibility back to their peers and the company for protecting that which is most important to all of us within our respective organizations.
Chris, at Google, I'm sure you have a great relationship with the senior HR leaders. But unfortunately, not all senior HR leaders have good relationships with their corporate security colleagues. What do you think from your perspective is the best way to forge that relationship?
I know this might sound simple, but it starts with that one conversation. And just over the course of this discussion, there's a lot. There are so many risk areas out there that one, can seem overwhelming. Two, the bright side is we can solve them together. But in totality, it feels overwhelming. What I always recommend and what I follow personally is I pick one or two topics, get the right people together and just start the conversation.
Let's do one to two things really well together. You build a relationship. You actually start to have an effect because you're taking action on one to two things. And then, by default, you're building that ecosystem of trust and understanding how to work together. And then you start adding the third, the fourth, the fifth item. And over the course of time, you look back and you've actually accomplished quite a lot.
And then by default, you are absolutely setting yourself up for success when the next crisis hits. And best practice that I know we share between security and HR is how can we work today to shrink the decisions we're going to have to make when things go really bad? Let's not wait till things go bad to do that.
And the same methodology applies in this space. Let's get together now and start the conversations on those one to two things and we'll get that ball going. And then, when we actually have a crisis, well, we've already got the ecosystem built to be able to do what we need to do in real time to keep people safe, keep our companies safe and keep our assets protected.
Yeah. No, that's great advice. Now, there is another challenge that many of our listeners have. And that is not everyone is working at a larger company with a lot of resources. Many folks are at smaller companies, mid-size companies.
And there's a recent survey we just saw. About 45% of all companies do not have a chief information security officer. What would your guidance be to those people in HR, where security maybe hasn't even been on the radar? Or there might have been an incident here or there, and they've handled it, but they're nervous about what's coming in the future because they don't have a security officer on board of a company with 100 employees, 200 employees. What should they be thinking about?
Yeah, great question. And you've alluded to there's so many different models out there. And in respect to today, for example, I'm the chief physical security officer for Google, and I have a peer who would be the CISO and it's a great lash up. And we are fortunate to be able to have that.
The key to your question is, regardless of size, every company at a minimum should have at least one designated role that is looking at the topic of security for its people and assets. And it can be a collateral duty, but it can't be something that is overlooked in today's world. And I think just from all of us reading the newspaper and being attuned to what's going on in the world, it's more likely than not that the next few years are going to be more dynamic than the last five to 10 years were.
Having this as one of the key areas that companies looking at risk management toward, you got to have somebody in that space. Start with at least the collateral duty, but somebody needs to be looking at the topic of security, because it is going to be increasingly important to have that as part of your overall risk management framework.
Yeah. Is there any training you would recommend perhaps to an HR person who's interested in this topic? And again, at a small company, they may not have the resources to have someone dedicated, but maybe with training, an HR person could know enough to know what to look for.
Yeah, absolutely. There's the big trade association, ASIS has some phenomenal training packages. All the way from what is security all the way to the top for the chief security officer awareness packages. It's built toward the security professional, but it's also built for awareness for some of this conversation, functions to get an appreciation of what corporate security is in today's world.
And to use an overused phrase, it is no longer just gates, guns and guards. And to what we've been talking about here, those three elements, of course, need to be done in a certain aspect. But it's more toward the experience of the employee and the team-based approach with their functions to mitigate the overall risk to an enterprise that can be induced from an employee's actions.
Well, Chris, this has been great. But before I let you go, I have to ask. You have had a very interesting path to your current position. I mean, a Naval Academy grad, a special agent in the FBI, Navy SEAL officer, the Thunderbird School, an MBA from University of Indiana. And then now as I mentioned at the top, increasingly responsible positions in corporate security management. Talking to other senior leaders, what do you think they could learn from the path that you've taken?
Oh, yeah. Great question, Tony. And at first, I've been incredibly fortunate in my career. Some of it was planned out. Some of it was just being in the right place at the right time. And was very happy for the path I've been on.
But the meta points that I've always tried to stick to is I've absolutely been a proponent of continual learning. To be continually learning about the world around me and to always try to improve myself. And that was a key point. And as part of that, one of the things that popped into my head midway down the track there, was that the more I experienced, the more I realized how little I really knew about the world and people around me.
And then by default, by having that experience, it really has allowed me to one, remain humble. Which I think is key to the more senior you get is to just remain true to where you came from and how you started. But it really increasingly opens you to new ideas, new people, new thoughts, new ways of doing things, being more accepting. Then as a senior leader, by default, you are now coming across richer solution sets.
And last, it's more engaging and fun. You have better relationships. These are my big takeaways at this point in my career that I've been fortunate enough to learn over the past few decades.
Wow. Obviously, it's suited you very well. Chris, thank you so much for sharing your expertise with us today. We really appreciate it. Before we get out of here, I just want to share that listeners can follow the People + Strategy Podcast wherever you listen to your podcasts. And you can learn more about the SHRM Executive Network at shrm.org/executive.
Also, listener reviews have a real impact on a podcast's visibility. If you enjoyed today's episode, please take a moment to leave a review and help others find the show. Finally, you can find all of our episodes on our website at shrm.org/podcasts. Thanks for listening and have a great day.