Secret CSO: Tracy Reinhold, Everbridge

What is the worst current trend in cybersecurity? "The worst trend is denial, when people refuse to accept that there is a real threat."


Name: Tracy Reinhold

Organisation: Everbridge

Job title: CSO

Date started current role: April 2018

Location: Burlington, MA

As CSO of Everbridge, Tracy Reinhold is responsible for advancing the company’s enterprise-level security strategy, as well as working closely with customers and partners to optimise their organisational approach to managing and responding to critical events. Reinhold previously held senior-level security positions at Fannie Mae and Walmart and served as an Associate Executive Assistant Director for the FBI.

What was your first job? I started my professional career as a United States Marine and then served for 22 years in the FBI.

How did you get involved in cybersecurity? As an executive with the FBI, I had oversight of the cyber program in one of our field offices.

What was your education? Do you hold any certifications? What are they? I have a BA in History from the University of Maryland and have attended the Leading Strategic Change program at Northwestern University.

Explain your career path. Did you take any detours? If so, discuss. I spent the early part of my FBI career working in the violent crime program and later served as a supervisor of the violent crime program in the FBI’s Las Vegas Office. I transitioned to working on National Security matters after the 9/11 attacks and was promoted into the Federal Government’s Senior Executive Service in 2004. In 2006, I served as the head of the FBI’s operations in the state of Kentucky and then was promoted into the Intelligence Division at FBI headquarters in Quantico, Virginia. I then became the Assistant Director of the Intelligence Division and finished my career as the Associate Executive Assistant Director for National Security. After retiring from the FBI, I served as a corporate officer for the Walmart Corporation and established their global investigations teams in the US, Asia, India, Africa, and South America. I became the first CSO for Fannie Mae in 2015 and continued in that role until accepting the challenge of being the first CSO for Everbridge.

Was there anyone who has inspired or mentored you in your career? I have been inspired by many great leaders during the course of my career, particularly Robert Mueller, who assumed his role as the sixth director of the FBI, just days before the 9/11 attacks, and led the transformation of the FBI from a reactive to a proactive organisation. His leadership and vision continue to inspire me to this day.

What do you feel is the most important aspect of your job? The role of the CSO is to not only protect the assets of the company, but also to understand the nature of the organisation’s core business and that of their customers. It is critical that a CSO provide strategic and thought leadership in the space, as well as mentorship to younger employees. It is not enough to be a tactical executor of policy or strategy. A CSO must look across both industry and the organisation to identify needs, risks, and opportunities that will lead to a more successful organisation.

In the event of a threat or attack, the CSO is responsible for understanding the attack itself, the vulnerability, and the risk. Not all attacks are equal, and not all risks are equal. If the impact of the attack is not critical, you can wall that off and continue to operate. If it attacks your core system and affects your ability to continue business, then different steps must be taken. The first thing that you need to do is assess the damage with competent professionals who also understand the risks and technology. Communication is an invaluable aspect of the role. The CSO must make sure that the board understands the risks and vulnerabilities that they face, and they should be brutally honest, transparent, and very untechnical in their explanation by speaking English.

As the CSO, we talk about what we're doing, the risks, the exposure, and how we will mitigate them if they come to fruition. This transparency enables your C-suite to make an informed decision about how they want to continue business, and what they want to be able to communicate themselves. What you can't do is try to solve the issue yourself before informing your senior leadership team - that is a recipe for disaster. It will not end well for you as a security professional, and it will not end well for the company as a whole.

What metrics or KPIs do you use to measure security effectiveness? While there are many metrics to consider, the ability to recover from a business disruption is the most critical. Organisations should prioritise having a comprehensive crisis management strategy that looks at what happens from both the brand and reputation perspectives. If an organisation cannot map a clear path to recovery, it will not be able to meet the needs of its customers. Detection and prevention are also critical. It's not enough to be successful in business - you also have to be successful in preparing and executing a defense strategy for your network, customers, and upstream and downstream dependencies, such as vendors. What we find is a lot of companies will be very careful inside the four walls, but they can open themselves up to exposure by not doing the due diligence on their upstream and downstream dependencies, whether they're vendors, suppliers, or other folks that they interface with normally.

Transparency is key, so the biggest challenge that we have with cyberattacks is not really the day zero remediation – it’s the communications plan that has to be coordinated both internally and externally. It is essential to have a consolidated, concise message that instills confidence and reasonably articulates your ability to mitigate to both employees and key stakeholders outside of the organisation.

An often-overlooked part of security is the education of the employees of the organisation. They are the first and best line of defense through the use of good information security practices. While harder to measure, the cross-functional ability of a company to enable enterprise resilience is a key indicator of an organisation’s capacity to ensure a return to revenue quickly after a disruption.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Globally, virtually all organisations are experiencing the “Great Resignation” and security is not immune to this issue. Building a motivated workforce and empowering them to grow their careers is the best way to avoid a significant skills shortage. Ensuring teams are aware of the corporate vision and values and then mapping the significant contributions of the team helps to gain employee buy-in and retention.

The most difficult roles to fill are those that have soft skills - the ability to communicate and write are so critically important. It's about more than just knowing security: many security professionals understand how to install visitor access management systems, how to monitor them, and how to pull the data, but they can't talk to somebody in another department because all they can speak is security. It’s essential to be able to articulate your value and your vision when it comes to something as simple as building a business case for your security team. It’s also invaluable to have the capability of developing relationships, especially with executives, so that you have executive champions - you don't want to go to your Executive Vice President for the first time when you need something. Take an interest in the business: educate yourself about the company you work for, understand what's important to them, understand how revenue is generated, understand why. You can teach all of the technical skills associated with security; what you can't teach is how to be a human being.

Cybersecurity is constantly changing – how do you keep learning? One of the things about cybersecurity in general is that if you stop learning, you can become obsolete, so continuing education in cybersecurity is incredibly important. Fortunately, there are just a plethora of opportunities to keep learning. Being open to new ideas, most of which are developed by the security team, allows us to keep current in the security landscape. Introducing younger workers to the security environment and then allowing them the opportunity to expand their knowledge provides a platform of continuous learning. Also, diversity, in every meaning of the word, is another way organisations can stay apprised of new and emerging threats, as well as opportunities to innovate. It is important to understand that cyber threats are constantly changing and keeping abreast of these changes is critically important as security continues to transition from a cost center to a value center.

What conferences are on your must-attend list? While not directly related to cybersecurity, ASIS is a must-attend if you are in the security field. More than conferences, membership in organisations such as ISMA, OSAC, and DSAC is critical to keep up with trends and threats. With the elevation of enterprise resilience, it is important to attend as many events around this as possible.

What is the best current trend in cybersecurity? The worst? The worst trend is denial, when people refuse to accept that there is a real threat. There are senior executives and board members who are simply not well versed in technology. The challenge for these leaders is to be open to learning from those that work for you, as opposed to learning from those you work for.

As a result, one of the best trends is professionals being brought into security with incredible backgrounds in cybersecurity, either from the military, law enforcement, or other private sector entities. They are leveraging that skill set to help protect companies. Some of the greatest developments are ones that engage the workforce to take ownership of critical assets and foster collaboration between CSOs and CISOs – the elevation of the role into the C-suite is critical. We're finding that what we are addressing today will be irrelevant tomorrow because the threat actors will come up with new methods of attack, so the closer together we work, the better we can protect our companies.

What's the best career advice you ever received? The best advice I have ever received is that it is not about you, it is about the mission and your ability to improve it. The job of security is to enable the company to be successful. Our job is to get to “yes” in a way that both protects and enables the company.

What advice would you give to aspiring security leaders? Open your aperture and think broadly. Take care of your people and become a student of the business. 

What has been your greatest career achievement? Being married to the same wonderful woman for 31 years.

Looking back with 20:20 hindsight, what would you have done differently? I know this sounds unusual, but I have enjoyed every aspect of my career. My work with the FBI allowed me to make significant contributions to the security of the country while also allowing me to mentor those that came after me. My time at Walmart was a crash course in the challenges facing a global leader in the retail sector, and at Fannie Mae I was once again helping people by providing a secure environment that allowed employees to concentrate on making homes affordable for the average American. I have been extremely fortunate to be a part of exceptional organisations and I feel the same way about the mission of Everbridge and the help we provide companies to recover from significant business disruptions. 

What is your favourite quote? “What have you done for YOU today?”

What are you reading now? Total Workbench Construction.

In my spare time, I like to… build furniture, spend time with my wife, and enjoy being outdoors.

Most people don't know that I… am a furniture maker.

Ask me to do anything but… don’t ask me to be a disengaged leader.