Passionately Paranoid
05 Jul 2007
Security Dream Team Redefining the Way Business Today Manages Threats

Rebecca Whitener, Al Decker and Dave Morrow imagine the unimaginable and prevent the unthinkable. They call themselves professional paranoids.
The security, privacy and risk experts have no idea how many IT catastrophes they’ve foiled, but that’s actually a measure of success. Known by some as the EDS Security Dream Team, the trio is leading a shift in the way IT service providers address security, privacy and risk issues.
Their closeness as friends mirrors the convergence they believe is required in their professional roles.
“Individually, we come from different career backgrounds but we are all concerned over the same issues and dedicated to the same end results. Our working relationship is sound,” said Whitener, EDS Chief Risk Officer. “There’s value in camaraderie – I can’t imagine working alongside anyone more like-minded in these roles. There is no competition between us. We give valid feedback to each other based on trust. We are friends and have been for a long time.”
One month before the 2001 World Trade Center attack, the one-time entrepreneurs were recruited by EDS to establish a privacy and security consulting practice for clients. Since then, their roles have evolved – driven by circumstance, business strategy and demand – to drive the convergence of security, privacy and risk management.
This structure is a first in the IT industry.
“It’s about credibility. There’s no issue or concern our clients have that we ultimately don’t have for ourselves, for EDS, so we address them cohesively. We care about their risk issues as much as we care about our own,” Whitener said.
“Clients are driving convergence because they’re much more sensitive to these risk issues today. There was a time when clients took security and privacy protection from EDS for granted. Now, clients want more information about how EDS is protecting their information and more assurances about the reliability of the administrative and technical safeguards we have in place.”
It’s clear that the landscape is rapidly changing for these professional security, privacy and risk paranoids.
“We’re looking for ways to bring innovation to the way we deal with security, privacy and risk issues for EDS as well as for our clients. We’re looking to be ahead of the game from a standpoint of what we can offer to our clients,” Whitener stated.
“I guess you might call it the expectations curve. Clients’ expectations of security, privacy, and risk are going to change over time. That expectation curve is going to continue to change and we have to stay ahead of those expectations instead of always chasing them,” Morrow, EDS’ Chief Security and Privacy Officer, said.
Double Agents
Internally, the Security Dream Team leads and influences across organizational lines. They consult with executives to develop and implement visionary business continuity plans, understanding that unit executives maintain ownership of their individual risks.
“We aggregate risk information and integrate it into a reporting tool. We see our roles as collaborators with the business risk owners. We add value by reporting back to risk owners to keep them abreast of changes or new information,” Whitener said. “Our goal is to raise the level of confidence that the key issues are being addressed.”
This team serves as the heart for enterprise-wide security collaboration and cooperation. They bring executives together to share and compare.
They regularly meet with a broader group of stakeholders from EDS Legal, Security Service Line, Internal Audit, the Chief Information Officer’s organization, and other business unit managers for open discussion of key risk issues that impact EDS across the silos. In follow-up, they make sure key issues are appropriately addressed and remain top-of-mind as needed.
Externally, the team is available for client visits, whether consulting or accompanying a sales team. They expertly explain how EDS manages its security and privacy risks. And just as they consult internally with executives, they are willing to advise clients about risks they need to address.
“Most clients today need to understand where we stand on these big issues. It’s table stakes – a prerequisite – that we’re able to articulate how we manage our risks – particularly security, privacy and business continuity,” Whitener said.
Paranoia At Your Service
Security has always been a hallmark of EDS. This team sharpened the EDS edge by successfully raising security, privacy and risk management from a micro-level technical discussion to the strategic level required by executives today.
“After 9/11, the whole security picture changed,” Morrow said. “Discussions turned to disaster recovery, business continuity, and for the first time it was at a strategic, not purely technical, level.”
“Rebecca, Al and I had only been with EDS about a month when that happened,” he said. “Since then, Homeland Security, virus threats, identity theft and the perils of lost data have kept us on-call to assist our clients’ CIOs and other executives.”
Whitener, Morrow and Decker remember when, earlier in their careers, they called for convergence of security, privacy and risk management disciplines. While it makes absolute sense today, the suggestion drew many blank stares before its time.
“We are paid professional paranoids,” Decker said. “We think about anything bad that can happen. That’s our mindset. Some people may go through life getting sucker-punched by things. That’s not us. We are always scanning the horizon. When you’re constantly on your guard, nothing surprises you.”
EDS' Security Dream Team Bios
Rebecca Whitener, Dave Morrow and Al Decker – EDS’ Security Dream Team – joined the company in 2001 with the acquisition of Fiderus, their North Carolina-based company. Fiderus was a professional services company that focused on solutions for security and privacy.
- Rebecca Whitener
Rebecca Whitener is vice president, EDS Enterprise Risk Management, chief risk officer, and an EDS Fellow. The title of EDS Fellow is awarded to the corporation’s most innovative thought leaders for their proven track record of creating world-class solutions for our clients.
- Whitener is a recognized authority in security and privacy solutions with more than 25 years of varied experience in a wide range of industries. She has worked with major companies around the world to help develop solutions for the management of information assets. At EDS, Whitener works with leaders in developing and supporting cross-functional operational risk management solutions.
- In the early ’90s, Whitener was among the first in the industry to introduce privacy concepts at security conferences, clarifying the differences between confidentiality and privacy. A recognized authority in security and privacy solutions, Whitener was appointed in 2000 to the Federal Trade Commission Advisory Committee for Online Access and Security. On September 24, 2002, she testified before a House Subcommittee on HR 4678, “The Consumer Privacy Protection Act of 2002.”
- Dave Morrow
Dave Morrow is the EDS Chief Security and Privacy Officer. With 30 years of experience in the security industry, Morrow is a recognized leader in the security discipline. Throughout Morrow’s career, he has had direct involvement in various security matters, computer forensics and technology-related criminal investigations.
- Drawing from his managerial and forensics background, Morrow is a specialist in integrating security with business strategy. The Alliance for Enterprise Security Risk Management (AESRM) recognized Morrow in October 2006 for his leadership in security convergence, the essential shift toward the integration of traditional and information.
- Morrow is a retired Lieutenant Colonel in the U.S. Air Force, where he served as Chief of Computer Crime Investigations and Information Warfare as a Special Agent for the Air Force Office of Special Investigations (OSI).
- In this role, Morrow supervised all computer-related investigations, oversaw a team of investigators and technicians worldwide and managed a multi-million-dollar budget funding worldwide operations. Morrow led several breakthrough investigations and coordinated multiple security and counterintelligence matters for Air Force bases both in the United States and Europe.
- Al Decker
Al Decker is director of Enterprise Risk Management for EDS. He is recognized as an authority on information security, privacy and risk, with more than 25 years of experience in computer security and information technology (IT) auditing, both in private industry and public accounting. He has delivered and managed services for companies worldwide in areas such as risk management, internal controls, security implementation, security audits and training. Over the past 25 years, he has inspired and built four multifaceted, professional security-service organizations.
- At EDS he has been responsible for the development of security and privacy professional services, as well as overseeing the embedding of security features and components into EDS outsourcing services. Now as Director of Enterprise Risk Management, he is responsible for ensuring business risks are identified and mitigated to help reduce uncertainty in business decisions.
- An author, speaker and security pundit, Decker is often quoted in leading business and trade publications, including Business Week, Information Week and The New York Times. He also has appeared on U.S. national TV as an expert on the topic. He lectures frequently on network security, computer fraud, computer viruses, and other security and audit-related subjects for groups such as the American Institute of Certified Public Accountants (AICPA), Financial Executive International, EDP Auditors Association, the Computer Security Institute, the Institute of Internal Auditors and various industry associations.