Published: 01 Feb 2019
Thomas Hill, CISO at Live Oak Bank, a direct bank with no local branches, oversaw a reorientation to the cloud that transformed the bank's security, adding features such as real-time big data event log storage and AI security analysis, all while maintaining a stable headcount. Hill is a graduate of Saint Leo University in Tampa, Fla., with a Bachelor of Science in business administration and an MBA with a specialty focus in management of information systems and security. He also holds several industry information technology and security certifications, including CISSP and Certified Information Security Manager. We talked to him about banking cybersecurity and the insights his various security roles have given him.
You wrote recently on LinkedIn about the difference between being a leader and being a manager -- and the key traits of a leader. How did you progress in your career from management to leadership?
Thomas Hill: Anybody can manage. Not everybody can lead. I joined the Air Force when I was 18, and we had a motto: Lead, follow or get out of the way. Leadership is all about leading. Accountability, integrity and motivation: Those are the three things I live and breathe. An example is that a lot of people in business don't really understand what it means to be attacked or what cybersecurity is really all about. In my role, you talk to board members and executives who admit they don't fully understand cybersecurity. You could simply manage those expectations, and some CISOs do that, but a leader should drive that process to make sure those decision-makers get it. I would hate to come in after a data breach and give them the information I should have given them before. I would rather lead them and give them the information they need to make sound decisions. I take that to heart, and every day I try to practice that; it just becomes a foundation point for me.
You have had a succession of banking cybersecurity positions, and you have also served as a CIO. What did you learn as a security pro transitioning to the CIO role?
Hill: Transitioning into the CIO role was a natural progression for me. When you're a security person and you have that mindset, you're always a security person. It is the way you think. At the start of my career in the military, I was in IT, and you get security ingrained, including role-based access and the rank structure of classification for data and documents; it was part of the DNA of every person. I took that into what I did in IT in the early days. I led a data center and was also a security officer. I focused on cybersecurity when there wasn't any such thing as a CSO role. … I was passionate and decided to focus on that area because it was part of my mindset from being in the military. I always thought it would be a really fun and satisfying thing to protect people and to do something for the greater good.
When I came back to IT in the CIO role here at Live Oak, I found it a blessing and a curse. A person like me with IT experience wants to lead IT and enable the business, but also having that security hat on, I know I have to do it in a secure way. I need to say no when I can say no, instead of just yes to enable the business. It was a blessing to wear both hats and roll out a number of programs to enable business and also to protect it. To me, what was a blessing and the curse was that you always wonder if you're doing enough to protect the company. As a CISO or CSO, your job is to protect the company from itself.
Many organizations have separated the cybersecurity operation from the IT operation. What is the status of that separation in banking cybersecurity, and why is it important?
Hill: When external audiences and regulators come in to look at us, they have that question: Are you truly protecting the bank or just pushing things along to enable the business? Having a separation of those duties is especially important these days when cybersecurity is so important. It takes a dedicated focus to bring value to an organization by managing risk, and so it is really tough for one person to wear both hats. I do believe a lot of organizations put the CISO or CSO under the CIO, and I think that's bad practice. What I've seen is, if you are still under IT, you will be focused on enabling the business first. That's the path of a CIO. When CISO and CIO are equal and you are partnered, it gets very powerful.
Our industry is regulated by the FDIC [Federal Deposit Insurance Corporation], the Federal Financial Institutions Examination Council and the Federal Reserve. They're all saying you have to separate the responsibilities so you can make decisions and solve problems the right way. There needs to be a healthy conflict and a proper governance structure. I think every organization will find it needs both a CIO's voice and a CSO's voice.
In my organization, with today's threats that involve hackers using social attacks to do account takeovers, my interest is now focused on bringing the cybersecurity and fraud organizations together. We're already seeing an overlap in concerns. The two haven't always been talking but, if we could put them together, we could manage risk better together. That is a vision for my organization, to bring them together to be more proactive instead of reactive. They need to be partners in their work.
What specific programs have you implemented at Live Oak?
Hill: We're based on the coast in Wilmington, N.C., where we're highly susceptible to hurricanes. We were already a very cloud-oriented organization, so we decided to pick things up and put them in the cloud and be a completely cloud-defined financial institution. Today, we are that, and that was the big project that won us recognition from Bank Administration Institute (BAI), a nonprofit organization for the financial services industry. We received the 2018 BAI Global Innovation Award for internal process innovation.
I mentioned that we have a cloud strategy and an API strategy. We work with both public and private cloud. We choose some of the best of the major cloud providers. A lot of the projects we have done have focused on picking the right vendors. Not all of them are created equal. Some say they are cloud ready when they aren't.
We have been protecting devices and users as they float in and out of the cloud. We try to do that in a controlled manner, without letting it seem controlling to the users. We think of every employee of our institution as a mobile branch so they can perform services for every customer as if they were our only customer. Our CEO's motto is "Treat every customer like they're the only one." That had its test in September, when we had Hurricane Florence hover over us for two days. By then, we had all our employees dispersed all over the East Coast at homes and hotels, and they continued to take customer calls and do their work. We never missed a beat. It was great and a real validation of the effort that we put in and the reason we won the award -- and we had a nice party to celebrate.