Security 7 award winner Larry Brock:
DuPont CISO Larry Brock knows that protecting a complex global organization isn't a one-man job--and that's one...
of the traits that make him a singular information security leader.
"It's one thing to come up with policies, but it's much more important to have influence capability," says Brock, whose drawl gives away his Jackson, Tenn., roots. "So as a new threat emerges, I can convince leadership to invest in mitigating and controlling that risk."
Brock brings a blend of business and security savvy to the CISO position, which he's held for about five of his 27 years at DuPont. He's held jobs in corporate IT and several of the company's business units, and has continued to have a role at NSA through 26 years in the Air Force Reserve, from which he retired as a lieutenant colonel.
"The culture, for me, shifted from security briefings to safety briefings," says Brock, who still devotes some of his time to the NSA. "In the military, security was the No.1 core value. At DuPont, safety is a real core value--we may be unique."
Security and safety are joined at the hip at the vast Wilmington, Del.-based company. DuPont encompasses a large number of process-control environments that manage sensitive chemical processes; if those are tampered with, safety could be compromised.
DuPont's global presence--some 150 companies in 70 countries--also weighs heavily on these tightly linked safety-security concerns. "We take environmental and safety requirements very seriously, including the computer systems that control our processes. If we don't take our stewardship in the countries we operate in very seriously, we can lose our right to operate there."
Brock's talent for working with people goes beyond influencing business leaders at DuPont. He's developed productive relationships with security leaders at other corporate giants.
"He's willing to help support what you are trying to do without asking for anything in return," says Richard Jackson, Chevron's chief information protection officer. "What I've learned from Larry is that in the terrible battle going on between people who are trying to protect assets and those who threaten them, the path to success can't be taken by yourself--you need friends you can confide in."
"Larry builds incredible teams and loyalty," says John Puckett, CTO of DuPont's Information Technology Division. "He recognizes individuals' contributions--it's all about recognition."
In his years at DuPont, Brock has seen information security move from computer and network security and become integrated into all IT processes and many business processes.
It's no surprise, therefore, that Brock says the CISO is more of an information risk officer. His organization touches many cross-functional operations including disaster recovery, risk management, and records management--the critically important ability to classify, retain and properly dispose of records.
"Larry's much broader than security," says Jackson. "A CISO has to be not only a good security practitioner but part lawyer, part salesman, part marketer, part negotiator and part facilitator."
Brock can trace part of that ability to his role as CIO of one of DuPont's business units for a number of years. There, he honed his management skills to work with business leadership and learned how to collaborate with members across multiple functions.
That's critical, he says, as security has become "almost a board-level issue" because of the importance of protecting critical intellectual property potentially worth billions to DuPont. The global nature of the markets in which the company does business requires that DuPont collaborate with partners. Brock's contemporaries say securing those relationships is a challenge he's well equipped to meet.
"Larry has the unique ability to think globally and execute locally," says Puckett.
"He has a vision of what he's trying to accomplish," says Jackson. "He's data driven, asking, 'What are the facts?' And, he surrounds himself with good people. He gets results."
This story was originally published by Information Security Magazine, part of the TechTarget network.