Podcast with Tom Meier: The Roles and Responsibilities of an Information Security Director

Gene Carozza

Gene Carozza sits down with Tom Meier and discusses the day-to-day interactions that an Information Security Director has with the rest of the organization, and how his job is crucial to the functioning of the company.


Gene: Hi everyone. This is Gene Carozza, Senior Vice President at PAN Communications. Today I’m joined by Tom Meier, Information Security Program Director at a large manufacturing company here in Boston. Tom, thanks for coming in today.

Tom: Thanks, Gene. Thanks for having me.

Gene: On behalf of PAN I really appreciate it. So, not only are you in charge of security at your company, but previously you ran the entire IT operation?

Tom: Yes, that’s true. The security organization grew out of the IT organization. We’ve had that function for a number of years. But recently the board had requested us to make that a permanent separate function that reports up into the business, and we’re finding that this is more and more common.

Gene: So, your experience runs pretty deep across the whole IT spectrum and that’s one of the reasons why you’re here today. And, you know, we’re talking about marketing, and most people wouldn't think of somebody in your role as something that contributes to the marketing efforts of the company, but actually you do. Can you tell us a little bit more about that?

Tom: We certainly contribute in terms of their marketing campaigns. We enable them to have software and communications that reach out to the customer base so that they can better select our product and understand who our company is. And that’s no small feat, especially with all the noise that exists on the Internet.

Gene: And how do you engage and interact with some of the marketing executives or the CMOs?

Tom: So, the marketing executives in our organization are tasked with putting together plans for the new product line. They understand what’s happening with the market and that’s where we help them out. The first part is to understand where their market is, who their market is, and with that you need data. So, we help them acquire the data. We help them work with companies that own or operate or populate large databases regarding where sales are in particular industries and localities. And we can use that data to help make better decisions about targeted marketing campaigns.

Gene: You must work with or evaluate a lot of vendors. For evaluation information gathering, who does this? Is it you or is it somebody else within your organization?

Tom: Well, it gets kicked off by me through the business. The business would basically lean in and work with us to say we are interested in a new segment. We have a new product we want to reach a certain locality or country. Then I particularly task that out. We have analysts who are really the up and coming data gatherers and data messengers for any organization. They then use the software that we may select through our technical staff as we task that out being a project. And then they grab that data, and they’re able to work with marketing directly – marketing managers and product managers – and then put together a series of reports that better support their findings or basically what they think their plans are going to be.

Gene: Right. So, many of our people sell to people in your position, and I guess the ultimate question that they're asking is, what does it take to make the shortlist?

Tom: That’s a difficult question. There’s a lot of things that you can do to get my attention. So, when I started on the technical side I came up and it was really important to understand all the technologies and the consequences of particular selections. When you get into the senior management and the executive management of IT you really share the responsibility with the business for the success of the business, so a lot of the focus is around making sure you’re plugged in with what the business wants to do. You’re in those meetings rather than technical ones. When it comes to the technical side you really need lieutenants within the organization. Most of the guys were still two feet still in the technology side, with their head a little bit above the water, able to speak in a concise way to the business and to me and say, “we think that this is what reflects what you need.” or “this is a good trend going forward.” So, to answer your question, you really need to connect with those individuals and the places that they go trolling for information.

Gene: Right. One time you gave me the basketball analogy: Can you explain that a little bit?

Tom: Sure. It’s back in the high school days when a gym teacher basically took 25 or 30 guys and would want to put together some kind of a basketball game. What they would do is they would pick a couple of leaders, and those leaders are picked for different reasons in that they can do something like play or sink a lot of balls. So, what they’ll do is they’ll typically pick their own friends or somebody that they get along with very well. And between the two of them they’ll select the team that is appropriate for them. A lot of it is really relationship based. And I think that really focuses back on how we make IT decisions or connect with new vendors. A lot of it is relationship selling, and there are other kinds of selling, but this is, I think, a very important one.

Gene: Right. When it comes to evaluation during the mid-funnel, I’d love to know the tools to use – whitepapers, other kinds of content. Do you rely on analyst reports or case studies, or other industry influencers? What do you use the most?

Tom: So, at my level what I use is what I think that the other executive managers and the CEO will use to familiarize themselves with the market, with business in general, with government and things that affect the business as a whole. So, the first thing I do is I read those things that they read. I remember when I got hired, my boss used to read USA Today. I never had actually read it, but I knew from that point forward I was going to be reading it every day. And, sure enough, on occasions he would call my office and say, “So what do you think about this particular topic or that particular topic.” And if I hadn’t read it in the way that he had read it I would have been completely out of position. I wouldn't have been relevant to what he was interested in. So, for a lot of my peers when I talked to them they use the business newspapers – Wall Street Journal, New York Times, Barron’s. Some people read The Economist on the technology side because you still have to maintain some connectivity.

There are a lot of whitepapers, so I have a tendency to work with consulting companies in the Boston area where we’re located, and they provide whitepapers that are specifically vertical in the IT space, but also for our industry. Then we can look to see based on topic, or based on industry needs, what they think are the biggest issues that are out there. And then, from then on it is working with our consultants some of which are very close to us. We’ve had them for several years. Others are relatively new and they don’t have to be big. They just have to offer us a solution not just a box to buy.

Gene: Interesting. Let’s get back to the security side of things for a moment. The security market has been crowded for decades. But how can a security vendor utilize marketing to help get in front of folks like yourself? What are the things that you’re seeing out there?

Tom: They have a tendency to focus on these seminars that come to town and those guys have a tendency to reach out by e-mail and say, “Hey listen we have a Boston security seminar.” They use that for a marketing hook that a lot of security people need to have certifications or they should have certifications, and so they say, “Come to our seminars and you’ll get 16 points.” So, for example, Secure World in the Boston area, they do that and you attend classes and then they have a little Expo, and the Expos are actually not that little. It’s probably a good 50 or 60 vendors, and that’s how you really get connected because you are not only dealing with salespeople, you're dealing with technical people who’ve seen a broad spectrum of issues. So, when we connect on the security side, it’s similar to what we do on the CIO or IT side except there’s a little bit more vetting that has to be done, and how I do the vetting anyway is related to government. We have a number of connections to governmental agencies that basically produce their own whitepapers or their own alerts and help formulate with standards. There’s a number of standards – 27,000 in one and an IST nest – that help guide you along in that process, and if you follow that then you start tripping over vendors and people who would sell into our space.

Gene: What about the role of social media in your world? How does that come to play?

Tom: Super important. For us, I think the migration away from sort of centralized TV and just magazine stores although all those things still exist, and I think they have their own relevance.

It’s much more the subliminal side, so even if you’re on Facebook, oftentimes if you have identified that you’re interested in technology or if you’re interested in security, or frankly even in cooking, they have a tendency to find individuals or basically a matchup of potential vendors with you as a potential interest seeker. Not even knowing if you are a decision maker or not. For a quick 15-second blurb or 30-second blurb, they can get in under the radar because you’re basically sitting waiting for a meeting or you’re at home after dinner and you’re looking through your Facebook or your LinkedIn or your Twitter, and all of a sudden you just see a little blurb on “hey check this out” or “this was a problem” or “we have a solution.” So, sometimes it’s very general, sometimes it’s specific. This company has a solution that’s just perfect for you. So, for me I like social media, not only because it gets under my radar, but also because of the millennials who are very familiar with that particular channel. Those guys constantly are sitting in that space and they get how things relate in that space, they build their own networks of understanding, and they are the ones who are influencing me. And that is absolutely critical because they are the up-and-coming relevant group.

Gene: What do you think is the biggest security story lately, and how do things that break in the news affect what you do in your position?

Tom: So, the last part first: I think that what breaks in the news is what happens on a global level and oftentimes that will impact board members, executives and they will come to me and say, “Well, what is our story in this particular place?” Most recently, what’s been happening in politics, hacking of the Democratic National Convention emails, hacking of what's been going on in France. Those kinds of influencers, basically what they hear is hacking e-mail and bad things. And so they say, “What are we doing? How did they do that? How do you know how they did that, and what can we do to protect ourselves?” Then, a little bit further back, what happened with Dyn, there’s not a lot of people that know that the company was responsible for creating sort of a DNS resolution on the Internet.

Basically, how do you transfer that? Gene lives at this particular address here in Boston or works here. That’s a very very important issue, because from the board’s point of view, from the executive point of view, it was, service was working or service was not. And you couldn’t get it back, you couldn’t get it back for a few hours, and that was very scary. And then when some of the details came out that it was related to devices like your thermostat on the wall, that scares them even more. But even prior to that it was just phishing attacks, malicious e-mail attacks, and a couple of them hit two board members and one of them hit the owner. The other one hit the CEO, and that was the straw that broke the camel’s back. Because prior to that time CIOs were saying "we have something to do with this if it comes into our network," or "we have something to do with this if it hits one of our PCs that our sales guys have in the field". But after that occurred it was now, they’re not necessarily targeting our company, they’re targeting our employees. If they’re targeting our employees and now part of the company, that’s a bad thing. They can drag all of that in and now they were thinking about it from a different point of view - that could be the owner’s family, that could be the executive’s family, that could be money transacting and that’s what really makes it very relevant and very acute – meaning that we have to take care of it now, not later.

Gene: Interesting. Tom, we appreciate you coming in. I’m going to give you one last question. You’re involved in all sorts of things including security, IoT, big data, you name it. What is the one takeaway for any vendors listening that you would want them to know?

Tom: Well, from the security side I would say that as companies start adding more into the cloud, they need to understand how security in the cloud is great, and when you’re coming from the outside into the cloud, that the weak link is always your customer premise. So, wherever you have your PCs, whether it’s at your home or at your office space, you need to get to the cloud, and that’s the opportunity for hackers and fraudsters to get in and wreak havoc. The other is just from the business perspective that IT is an important part of our lives. We are all becoming digital companies. If we are not already saying that we’re digital companies now, we are digital companies in the future. In order to do that, you need good channels for getting information, you need trusted partners, partners that are not interested in just making a sale and selling you a box. But finding a solution for you and willing to stay in it with you for a few years. And I think in order to do that you need to have good honest conversations with whoever is selling to you. They need to have the best interests of your company at heart. And if they can’t do that, then they’re not necessarily a good fit. There is always the people that want to go and get a hamburger at a local hamburger joint, and then there are people who need to sit down and make sure that they’re feeding their family for a long time, that it’s not just junk food. And you need to have those longer relationships because that’s where you keep things safe, and moving forward and finding the innovation that you need to stay ahead of your competition.

Gene: Very good, Tom, appreciate your time. Thanks for coming in.

Tom: Thanks for having me, Gene.
