Moving From Reactive to Proactive Risk Management

Niel Nickolaisen
CIO at O.C. Tanner

Niel Nickolaisen, Amy Knapp, O.C. Tanner

When risk management is entirely reactionary and not well thought out or planned for the future, you’ll always be responding to a complaint or request, making it impossible to break the cycle and get ahead.

Quartz Network Executive Correspondent Britt Erler sat down with Niel Nickolaisen, CIO, and Amy Knapp, VP of Information Security during their tenure at O.C. Tanner, to discuss steps they took to help the company become more proactive than reactive when it comes to risk management.

They share proactive ways to balance risk management by:

  • Solving the root cause of problems so issues don’t resurface
  • Balancing client requirements and regulatory changes
  • Managing companywide manufacturer-to-technology transformations

Quartz Network: Can you both give a little bit of insight about your current roles and your backgrounds?

Niel Nickolaisen: I’m CIO at O.C. Tanner, a legacy manufacturing company focused on employee recognition programs primarily for the Fortune 5000. The market dynamics had changed so they started a digital transformation and brought me in.

Being the purse smart person that I am, I knew the first thing I had to do was bring Amy Knapp with me to O.C. Tanner seven years ago, to help them transition from being entirely a manufacturing company to a software and an HR technology company. That’s what we’ve been working on for the last seven years.

Amy Knapp: I’m a VP of Information Security and Compliance, which has been an evolved role since I joined seven years ago. My background was primarily in IT operations. That is an area that we really needed some help in and I acquired the Information Security team when I joined. That was a change for me, but also a big change for O.C. Tanner as we moved forward with what we needed to do.

Quartz Network: Niel, when you started, what was the situation and condition?

Niel Nickolaisen: At O.C. Tanner, for employee recognition programs, we end up consuming and using our clients’ employee data files. We know a lot about their employees. The security of that data mattered a lot. The security really had two elements to it, our internal security and privacy – making sure we’re doing things right – but then particularly for our clients, because they wanted to make sure that we’re protecting the data that they were providing us. Now, when we got there, we did kind of the bare minimum of compliance in a mostly interactive way.

The focus on security and privacy was really ramping up for our client, and we were not very well prepared to deal with it. We weren’t reacting very well. We weren’t responding very well.

Confronting that, we knew we had to make some changes. Not just in our operations, our internal processes and our tools, but also how we interacted with our clients, and also with the company. As it was, if somebody asked us to do something, we would think about doing it. And if we did it, we’d do only that one thing. Everything was entirely reactionary, and not really thought out well or planned for the future, or how to get ahead of the game rather than just always be responding to either a complaint or request.

Quartz Network: What were the immediate changes that you felt you needed to make?

Niel Nickolaisen: First of all, we had to change our attitude as a company. Rather than something we’re forced to do, this is something we need to do, and we want to get good at it. And so, the first thing we did was sort of a risk assessment. The risk had never really been part of what the company looked at from a security or privacy perspective. Everything was a risk. Now, let’s evaluate the risk on likelihood and impact. Let’s focus our attention on the higher risks, not the lower risks. Let’s get our act together with the basics—the blocking and tackling.

One of the things I’ve always looked at from a compliance perspective, whether it’s PCI or Sarbanes-Oxley, or FERPA, or whatever it is, if you’re doing the right things, compliance shouldn’t be an issue. At the same time, compliance wasn’t the goal. It’s an outcome because you’re doing the right things.

We started with what frameworks do we want to adopt? What are the gaps we have? Then those gaps don’t inform us on how to become compliant, they inform us on things we should be doing anyway. Compliance then becomes a natural part of just doing things well.

Quartz Network: Amy, what changes did you make?

Amy Knapp: We were also very much an information security team, and so it was enforcement, not enablement. Changing that aspect to be able to further promote what the organization needed to do, but also still secure us as well, was a big piece of that culture shift for the team.

The team that we had at the time was also very much the police policing the police. They were doing a lot of the administrative work and a lot of the hands-on stuff, as well as being the advocates of the advisories.

I worked towards being able to kind of separate those duties so that we didn’t have any of those conflicts, which is usually a sign of maturity in terms of how you progress in security. For a long time, it was a side group of people that weren’t really that much of a focus. It was there because it had to be. It was there because the questionnaires kept coming from clients and the security questions kept coming, as Niel said, the reactionary aspect to it.

The gap analysis was mandatory for being able to work through what it was that we were actually doing, and where we were missing certain key aspects. Then it was a case to look at how to bridge those gaps. We kind of rebuilt that team, probably about six months after I arrived based on the skill sets and the need for the organization and that reframing. We basically moved some of the people that were really hands on deep into those areas that should have been owning that in the future, so a little bit of a shift in personnel.

Niel Nickolaisen: As an example, we had somebody that was sort of an auditor of network security. So we wanted to get ahead of it by putting that person who knows so much about network security on our network team. Let them solve the problems at the root, rather than being somebody who stands outside of the group and says you’re doing this wrong. If you know how to do it right, let’s have you do it right.

Quartz Network: What other specific things did you do to be less reactive and more proactive while ensuring it was not a short-term solution?

Niel Nickolaisen: One of the things I learned a long time ago is what the role of testing is in Lean Manufacturing, and this applies to software as well. What you don’t want is a QA group who’s looking to fix the mistakes others made. What you do want is somebody who teaches the people that are building the stuff how to not make mistakes.

In a perfect world, there are advisors rather than mistake catchers. We took the same approach. Let’s look at our processes, and rather than having a group of auditors or a group of checkers or mistake finders or mistake catchers, how do we have the people doing the work think about security and privacy in a way that they embed it in their work?

We sort of started from a compliance perspective. We said, “This is the framework we’re going to adopt.” Then, over time, we just worked on how do we make information security, data privacy, and all the things we needed part of somebody’s daily work rather than something that was outside their daily work. It’s better to have a Software Engineer never create a bug, or if he does create a bug, he catches his own bug, rather than hope a Software Tester catches the bug.

Let’s take that same approach with everything that has to do with security and privacy. Let’s make sure people know what mistakes can happen, how to avoid those from happening to make sure that they never pass those mistakes on to somebody else. Over time, we shifted the role of our infosec and privacy teams to be these advisors and sort of process analysts and root cause analysts so that they could then push that work back up to the front of how people did their work. I’ll let Amy add her thoughts on the same topic.

Amy Knapp: Another element for frameworks is IT Service Management, which usually tends to lend itself more to operations, but it can effectively flow through anything from HR activities through to facilities maintenance.

One of those things is just understanding that cycle. When we see that something is awry, why is it awry? Let’s work out how to fix it. How do we eliminate that from happening in the future? That becomes more innate in how people view problems. Is this systemic or just a one off? What do we do with this? How do we structure the process and or the parameters for dealing with that technology or that particular service so that we don’t see that crop up again?

A lot of it was establishing those best practices, putting together checklists for repeatable tasks and things that we do, and that kind of flowed into our audit process as well. That was analyzing what our clients were looking for, how the market was shifting, what the adjustments were in terms of NIST and SKUs controls, and looking at our need for certification, which took us down the pathway of going after our SOC reporting—which is not SOCS—just to be confusing with acronyms.

That was another aspect. It was going from reactive, from the client demanding that we do something, to being able to analyze whether or not that actually suited our environment. A part of that was also understanding what that environment looked like.

I don’t think I need to say that people really don’t like writing things down. We’re not the most favored at documentation. That was another part of it, which was understanding the environments that we were actually supporting, and also protecting. Knowing what that makeup was, and setting that ground for how to be proactive with those services and also functions. Because not knowing what you have doesn’t help you to not be reactive. It was akin to walking through a graveyard in a zombie movie and being grabbed by things every now and again, because you just didn’t know it existed.

As a manufacturing company, we had a lot of time to learn aspects that just didn’t crop up very often. You would have to find someone that had been working at O.C. Tanner for 15 years and had seen this at least once in their lifetime. Then you’re like, what is that? Half the people around you are like, “I don’t know, I’ve never seen it before.” Making sure that you can account for those things.

I think the other part of it was having people bring you things rather than finding them out, and creating that trust. Where having an outage or having an issue isn’t something to be fearful of. You have to bring it to the fullest so that we can actually understand it and take care of it and make sure that it’s either removed from the environment or we know how to handle it instead of hiding it away.

Niel Nickolaisen: Amy brings up the really good point that we had to get good at root cause analysis. Often when there’s an issue, the IT’s response is, “Let’s reboot the server and the problem will go away.”

No, the problem didn’t go away, the symptom went away. You have to dig deeper and ask why. What caused the problem that led us to rebooting the server? Just from a cost perspective, we had people who’d written scripts to automatically reboot the server because it was going to go down. Now, let’s get out of that business. Let’s find out what’s causing the problem. Let’s apply that across everything we do.

If there are issues with security or privacy, let’s get to the root cause and find out where in the process we need to change that process, and how far upstream, so that this never comes back again. We just wanted to get out of the business of being reactionary.

In my perfect world, all work is planned, rather than reacted to. Each time you react to an incident, not only are you not doing your planned work, but your customers are stopped as well. Let’s eliminate all unplanned work, and the way you do that is improving your processes by eliminating the cost over time.

For more industry best practices and insights from leading IT executives like Niel and Amy, join Quartz Network.