Cybersecurity Change Management – A Collaborative Approach

Russ Felker

CTO at GlobalTranz

Learning Objectives

Please join the CTO of GlobalTranz, Russ Felker, in this Executive Interview, where he will discuss the approach his organization took to putting cybersecurity initiatives in place.


"It's not just technology people...It's the entire company that needs to be involved."

Russ Felker

CTO at GlobalTranz

Transcript

Britt Erler

Hello and welcome to the CIO and CISO VISIONS Leadership Virtual Summit hosted on Quartz Network. My name is Britt Erler, QN Executive Correspondent. Thank you so much for joining us. I would like to welcome our executive speaker here with us today, Russ Felker, Chief Technology Officer at GlobalTranz, as he discusses a collaborative approach to cybersecurity change management. Welcome, Russ.


Russ Felker

Thanks, Britt. Great to be here.


Britt Erler

And it’s a pleasure to have you here and really excited to dive into this topic today. But before we do so, if you wouldn’t mind walking us through your background and your current role with GlobalTranz?


Russ Felker

Absolutely. Chief Technology Officer: I am actually in charge of all things technology. Now that includes all IT product development, all of those different pieces. And you know, GlobalTranz is a top 10 3PL, that’s what we do. We’re in the transportation and logistics industries across you know, less than truckload, truckload managed transportation, but we’ve always been very technology driven. And so a lot of a lot of the services that we provide the offerings that we have are all kind of driven by technology that often falls under my department, I’ve been doing the technology thing for for a long time, I get told off and not to say quite how long I’ve been.


Britt Erler

Hey, we’re open here.


Russ Felker

But you know, over 25 years, I’ve been in technology running different technology companies have started some of my own, and been with GlobalTranz now for about a year and a half as their Chief Technology Officer.


Britt Erler

Fantastic. And it’s no secret that you’ve clearly seen how technology has shifted over the years. And really, last year and this year, cybersecurity has been brought really into the spotlight more so than it ever has before. But I think the main concern now for executives is alright, it’s here, we need it, how do we implement it into our organization? What do you believe are some of the key areas to focus on? And where do companies start?


Russ Felker

Well, I think there’s a couple of different things that you that you really want to focus on. When it comes to security. Security’s you know, it’s, it’s about the basics. In many ways, it’s, it’s having that basic hygiene, it’s having the basic processes, and that takes people to make sure that you’ve got people focusing on those things, people executing on the actions that are needed to keep systems up to date, to keep patches in place to do all those different things. The big thing, people I think, miss in many ways is that and we get it and someday, we just don’t get it in all areas, is that it’s not just technology people. It’s the entire company that needs to be involved. And, and so you’ve got to have that focus on basic hygiene, the focus on basic practices, the dissemination of those out to your staff, but then you’ve got to include them back in, really from that execution standpoint. I think that’s, that’s a that’s a critical point, though, that a lot of companies don’t necessarily execute down.


Britt Erler

I completely agree with you. And I think it’s so key what you said, you can implement all these fantastic technologies into your company. But if your teams, your employees don’t know how to use them, and don’t know what they’re being used for, and how it’s gonna move the company forward, you know, it’s a waste of money, it’s a waste of your time. So how has GlobalTranz done that? What is this collaborative approach that you guys are taking on to really implement cybersecurity?


Russ Felker

Yeah, it was a, it was a change that we that we made, and then we made it in part in response to, you know, some of the things that have happened, but, but just as in a general sense, we felt like we were talking at employees a lot when it came to security. And I think if people watching it probably been in that, that same situation, where you get the email that talk about the, you know, the different attacks that have happened, and, you know, don’t click on things and email, things like that. That’s emails everybody gets and and you go through your yearly training, where you’re told about all those same things about how don’t click on this, don’t click on that. Yep. But what gets missed a lot is when you implement policies and you put practices into place, involving the departments and not just executing those things, but having a voice in helping to create those right, and understanding the business impacts of those for for them, because each department has a slump. It’s gonna be different. You’re gonna have different impacts. You know, one group might be like, Yeah, I don’t care about If you rotate my password every 30 days and the other groups like, wait, what you’re gonna rotate my password, I need to remember that I, my my post it on the bottom of my keyboard is only so big, I can’t write all those down. And so you’ve got to involve them and get them in, get them involved. And that’s what we’ve done over the last year is really brought them into the process as opposed to just making them the recipients sure of things coming out of it. And saying this is the new rule for passwords. And this is the new rule for VPN, and all these other acronyms that we’re just gonna throw at you. It’s more, let’s get them involved. Let’s understand their perspective. Mm hmm. align that with everybody else. So everybody else can also hear the different groups perspective, and make sure that we’re being collaborative in our approach for the corporate security.


Britt Erler

Mm hmm. Absolutely. And you know, I think you said it cybersecurity, it’s pervasive, there is no job function, no department that is left untouched, right? It’s crucial for every sector of the organization. So you can’t just say, Okay, this, this belongs in IT, we’re going to leave it there. That’s it, you really have to make sure that company as a whole is on board, while you’re, whether you’re upskilling them, you’re training them on the new programs. So talk to me a little bit about the processes, you and your company have put in place to make sure that there is this visibility, and there is this involvement from all of your teams?


Russ Felker

Absolutely. So we actually formed our own security council. Okay, and that, you know, policies were really coming out of it, for the most part when it came, maybe legal would get involved or something like that. But we weren’t really involving our kind of operations teams and our sales teams and our finance teams and the different even sub teams, in some cases within those groups. So what we did is we said, Okay, well, let’s let’s get representation from all the different teams, let’s put them together and execute this in a in a collaborative way where we can get their input, we can help them to understand the importance, and not just the importance, but the reasoning behind, you know, a particular policy or a particular need for something. I remember the one of the discussions we had are in the security policies around password rotation. I mentioned earlier, you know, that’s a big topic, that most companies just kind of roll out and say, look, it’s every 90 days, or it’s every, you know, word or whatever it is. And we actually had a very, pretty long discussion back back and forth with the operations groups and the finance groups. And, and they wanted to dig in, and they wanted to understand why would you do password rotation? What does that mean? How does that, how does that interact with password complexity? Mm hmm. You know, how do these things go together. And we found that once we got people involved, you know, they weren’t necessarily interested in like, the very tiny implementation, technically, no interest, but you know, in the, in the broader impact and the business impact of that, that’s where they were involved. And that’s where they were, you know, really participatory. And so as part of our policies, we’ve now got a business impact section. 
So you have the security pieces, you have the kind of rules and the patterns and the policies, but then you have a business impact section, and you’ve got really just the feedback that we get from the different groups incorporated in there. And that sign off to make sure that we’re effectively taking into account their perspective.


Britt Erler

Right. Right. And I think that’s key, you know, it’s all about transparency and communication, if you’re going to change someone’s job, you know, whether it’s drastically or even in a small way, you have to give them some sort of reasoning. So they understand otherwise, they’re gonna go up, this is stupid.


Russ Felker

I don’t do that. reciate that, yeah.


Britt Erler

You know, the basic level of it, and what it’s actually doing for their job in the long run white, right, and you want them to appreciate it, you want them to be passionate about what they’re doing. So I think that’s really either what you mentioned, is really taking the time to make sure everyone understands you’re meeting with them. You’re educating them on the new technologies that you’re putting in place. And I think the next question to that would be now that you’ve decided to implement these new technologies, you know, you’re going to get your teams and your employees on board. Where do you start to getting it implemented? You know, what is the really the first step in that change management process for you?


Russ Felker

Yep. And the first step is really about just making visible to the company, that level of collaboration. So the first the first step is you’re going to establish that collaborative group, you reach out to the business units, you go, you pull in the resources, you give them an understanding, hey, here’s what we’re going to kind of need from you. We’re going to need this. And we only meet on a quarterly basis, review any new policies, any changes to policies, things like that, sometimes the meeting is 15 minutes, right? There just aren’t that many changes. But when you’ve got new policies coming into place, and you’ve got new pieces being put in, that is critical for understanding exactly what is going to be the impact to those groups. And so as you, as you go through this, and you pull in, they then can communicate back out to their groups, and you want to communicate out as a company to say, here’s everybody, we’ve got involved. Here’s the people that are in this council, here’s the people that are helping to shape policies and how we roll that out to you, the company. And that’s, that was a critical, really component and, and one of the first steps of needing to put this in place so that it’s, it’s effective collaboration, I call it


Britt Erler

Exactly, no, exactly, it completely makes sense. And, you know, I think for me, I look at it where cybersecurity seems very technical, to for someone, like you said it and the need for it. But aside from that, it’s kind of out of my area of expertise. And I would assume it’s like that for a lot of people within an organization that may not have an IT, or cyber background. So as far as you know, needing access to these new technologies, these new programs, because I’m aware of how important it is, and I want to make sure that I’m utilizing it to its full potential. How do you create this accessibility for your teams?


Russ Felker

Yep. And that is, you know, through utilization of different types of communication, that different people are going to go out and look for information, they’re going to access information in different ways within a company. So we use different tools to do that. I mean, yeah, we send emails, I made fun of emails a little bit at the beginning. But yeah, we do it. So I can’t completely just say it’s not a good thing. But we also do other things, you know, we have, we have town halls, that we have, you know, different people speak. And that goes out to the whole company, we have our intranet, where we’re posting some of this information. And we’re, we’re getting that available to people, we have, you know, other small group type settings that we’ll set up and have just kind of almost like a, you know, kind of a one on one with our cybersecurity person for a department and just have people come in and not have an agenda necessarily, where we talk about a lot of things, but just have them ask questions. Like, why do you do passwords, you know, expiration? Why do you have the password be this complex? Why do you force us to store everything in this file location? Why can’t I use, you know, Dropbox over here? Why is that not allowed? And those are questions people have, but they don’t necessarily always have a forum to ask them it. Right. So having those different methods of interacting with the IT group, and understanding why we do certain things, and what the impact is, has been a real help and getting people to, I wouldn’t say, you know, love all of the policies, but but at least be accepting.


Britt Erler

Right? Accepting the inevitable, exactly. I, you know, I think you make the sound, in all honesty, very simple for an organization as a whole. And we know very much so it’s not an overnight process, obviously, GlobalTranz has really made an effort to make sure that the organization and their teams are all on board. But I’m going to assume that this may not have always been the case in the very beginning, right, there’s always trial and error and putting a process in place like this, walk me through a little bit of the history of GlobalTranz, you know, for example, when you did not have this collaborative approach, some of the obstacles you may have faced that you kind of wish you would have known maybe in the beginning.


Russ Felker

Well, I mean, a lot of the things come from, you know, the, the adoption of policies and things like that. I mean, when we first started, we had, you know, good cybersecurity policies, we had good practices, but the method of communication was very single stream, it was not bringing resources to where others would be and feel comfortable and, and be able to assimilate the information. It was just kind of this, like I said earlier, it’s kind of we were talking at people. And that’s a very standard practice. I mean, a lot of companies do that same type of approach. But it took some took some time, and it took effort to kind of expand that out. So it’s not like it went from okay, we’re just sending emails and talking at people to now we do all of these things. I mean, it was you know, kind of one step at a time. And, you know, that’s part of what the Security Council really brought to us. And one of the first meetings that we had was more about, how do we talk to people about this? What are you hearing? When we send out something like this? What are the reactions you get? Because we don’t get them directly all the work? You know, sometimes it’s people talking to their peers, or people talking to their manager saying, really, I got to do this now, are you? And of course, people were that was happening. Yeah. And so it was, I think, great to have that, again, you just start from that collaborative mindset, though, regardless of what specific initiative or, or what you change first, or don’t change whatever it is, just start with the collaboration, just start with getting the group together, helping them to understand why it’s important that they’re invested. And getting them even the recognition around that to say, hey, here are the people across all of these areas that are helping to make sure that we’re secure, and that we can continue to do business on a day to day basis.


Britt Erler

And now, once you have this group in place, you’ve made the final decision, we’re going to start implementing these technologies, I think my question for you is, there are so many different options out there to choose from, and they keep evolving daily, how do you not only make sure that you’re choosing the right tech the right cybersecurity protection for your company, but also that you have a program in place that’s going to evolve with the changing times. And it’s not something you know, two years down the road that’s already going to be back in


Russ Felker

the stone age. Yeah, absolutely. And so we have, we have three hours for this, right. Yeah. I thought that was about what we had. So no, I mean, designing a cybersecurity program is is definitely not a one size fits all. Sure. Um, which is really fancy way of saying it depends. But the the, I think what you have to look at is, you know, working with your your groups, and understanding what the impacts of different systems are to their work, that is a great place to start. Because as you think about, you know, things that have even happened in, you know, in the news and different systems that have been attacked and compromised and things like that, understanding which systems to focus on first, which areas to focus on first, maybe that’s a regulatory, depending on your industry, maybe that’s about operational work that needs to continue. And focusing from that perspective, or maybe you just simply focus from the kind of largest threat vector which today, even today, it’s email, email is the largest threat are just attacks are mind blowing. Amazing how many emails come in, that are just should not be let through? Get through. And so you can look at it in a couple of different ways. But those are some good kind of Bellwether ways to just kind of say, Okay, let me step back and look at the environment from this perspective. Right. And again, I’ll say it again, that’s where bringing your your business stakeholders, your business leaders, your department leaders in can help. Because you don’t necessarily I know, I don’t always have a clear ID view of what the day to day is, for any individual person in a different department. I know what my people’s day to day is, right? I don’t necessarily know what operation side or sales I do, what are they? What do they wake up in the morning and do on there? 
What’s the first thing I don’t necessarily know that so getting that information can help you to understand, oh, well, the first part of this person’s day they go here, and then here and then here. And they do that every time. That must be pretty critical. Operations and thinking about cybersecurity, in the narrow sense of kind of preventative measures, exploratory measures of looking around trying to find you know, different type of anomalous activity or weird stuff that’s going on on your network is is great. But you also have to think of it from that business continuity perspective, and making sure that people who are used to being able to go and do their job and access a certain system, access certain information, continue to have that even in the event of an incident or crime. Right. And so that’s a that’s a key part of the focus that is not always has not always been thought of as cybersecurity. But it is still important,


Britt Erler

Right? At a baseline. It’s getting to know your organization as a whole really getting to know it from the inside out, not just picking you know the first shiny apple on the tree that you think is the most expensive is going to be the best, that may not be the case. Right? If it doesn’t work with the certain processes or the teams that you have in place. So I think that’s fantastic advice. And to wrap up our conversation today, you know, I don’t believe anyone has a roadmap in place for the next five years are going to look like just based on how the past year and a half has already been for a majority of the world. But in your opinion, and based on what you’ve seen so far, what do you what do you foresee for cybersecurity in the years to come?


Russ Felker

I mean, in the end, cybersecurity is constantly evolving, because we’re constantly evolving and technology. If you look at the last couple years, and the amount of digital transformation around different processes, that has happened, some as a result of the last, you know, year, and what we went through with that, that necessitated some of those changes, some are just companies that have wanted to go through digital transformation and, and get things more digital and more system driven, for efficiency or for, you know, continuity or consistency. And that’s great. But every single one of those digital transformations that a company does, is a security incident. Sure. Not that it meant that somebody broke in because of it. But it changed the way that the systems are used, the way they’re connected, and the way they have to be looked at. And so companies that are going through these massive digital transformations, which is not stopping, it didn’t, it didn’t like oh, COVID here, we’re all at home, let’s do some digital transformation. Oh, we’re back. It’s okay. We’re cool. Now, I don’t need you anymore. It’s continuing forward. And so every time you look and they say, Oh, we’re gonna we’re gonna put this into a system right there. That’s a instant. Oh, that is a that’s a cybersecurity incident now have a different way. We need to think about our systems and approach, how we monitor them and how we how we look to make sure that they’re there in the event of a successful attack, because you know, it’s not it’s not if you’re going to get tech, that’s when when Sure, and the likelihood that at some point, a breach will occur, is extremely high. Because no matter how good you are at hygiene, no matter how good you are, in your system, hygiene, no matter how good you are at putting the different security pieces in place. There are just plain things that the companies you brought stuff from have missed. 
And now you put it in years, and you’ve done everything you’re supposed to. But that doesn’t mean this little door is over here waiting to be opened. And that’s the other thing you have to prepare for.


Britt Erler

Right? It’s not something you can just put on the backburner. Say, Okay, I put a system in place. We’re good to go.


Russ Felker

Yeah, I’ll get to that later.


Britt Erler

Yeah, I mean, it’s really it’s a revolving door. It’s never ending. You know, it’s something that companies no matter how much digital transformation they’re doing right now, we’re going to always have to keep in mind when they’re putting this in place. So I think this is not only a great starting point for companies that are just beginning to say, hey, we need to do this. And also companies that are kind of in the middle and thinking to themselves, okay, where do we go from here to make sure that we’re on track? So, Russ, fantastic advice is incredibly eye opening, and I think is going to be really helpful for companies during this time. So thank you so much for joining us. And thank you to everyone who has tuned in as well. I’m sure you will have further questions for us not to worry. We do have a discussion forum underneath this presentation. Please be safe, be healthy and enjoy the rest of the CIO and CISO VISIONS Leadership Virtual Summit. Thank you.

