Changing times call for increased diligence: It comes as no surprise that COVID-19 has changed the way we think, work, and interact across many different parts of our lives. The security landscape is no different. With employees working remotely and the list of vendors and third-party partners that organizations are working with also changing based on new needs, this is the opportune time for bad actors to strike. Organizations must be even more thoughtful in monitoring for vulnerabilities during times of intense change like now because there’s an increased likelihood of new security exposures.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Doug Clare, Vice President of Fraud Protection and Security Solutions at FICO. In this role, Doug heads FICO’s fraud, financial crime, and risk businesses. With more than 25 years at FICO, he has deep expertise in helping banks and other businesses manage fraud, risk, compliance, and the customer experience. In previous roles, he led product management for FICO’s fraud prevention/detection software applications; managed FICO’s global relationships with payment card processors and other channel delivery partners; served as the line of business leader for FICO’s offerings to the retail market; and was both client partner and development team leader for key accounts. Doug has a bachelor’s degree in international relations from the University of Minnesota, Twin Cities.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Minnesota at what most people would probably consider the edge of the suburbs and the beginning of a rural community, with a list of farm-related chores to do every day. With full run of the woods and river around my family’s home, I can’t complain about my childhood and actually appreciate it even more now as the pandemic has moved many people indoors. I now call San Diego my home, but still try to spend time back in Minnesota when I can.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I like to say that my career in cybersecurity has definitely been an evolution, where I have put myself in situations to learn and solve new challenges. I started my career by taking an entry-level job at FICO with the intent of it helping support me through college. More than 30 years later, I’m still here at FICO, learning.
While this was initially a college job, I continued to find new opportunities over the course of my time here. After a long and non-linear path through various risk management-related roles, I am in FICO’s fraud detection and prevention space as what I like to call a financial crime fighter, helping to protect everyday people and organizations from bad actors out there.
Can you share the most interesting story that happened to you since you began this fascinating career?
After over 30 years, I definitely have a lot of interesting stories to tell, but one really continues to stick out to me as a great example of why what my team and I do here every day at FICO is important. In some of my early work in cyber risk, my team and I had done some early-stage proof of concept work for a potential customer ahead of a presentation.
When we were in the room presenting our results in-person, there was a lot of whispering at the back of the room and then at one point a bunch of people got up suddenly and darted out of the room. We were worried that our presentation was either very boring or that we’d totally missed the mark on our results. Memorably, when our presentation was over, the remaining people in the room told us that we’d pointed out something to them that was undoubtedly true, but they had not been aware of from a security perspective. It was something that they ended up needing to address right away! The response to our research really demonstrated to me the power that artificial intelligence can bring to helping organizations focus on the right risks and threats. It was certainly an exciting day for us!
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
To avoid going back too many decades into my career, the current endeavors in cybersecurity and fraud that I’ve been working on at FICO are really collaborations between FICO’s Chief Analytics Officer, Scott Zoldi, and myself. We have been working together very closely for over ten years now.
Given I come from more of a commercial and product management perspective, being able to work with him and hear his analytics-driven R&D perspective provides me with insights I might not have thought of before. We’ve learned a lot from each other over the years, but what really stays with me is how he discusses “the art of the possible,” helping me to create that connection between raw data and impactful analytic outcomes. Scott has been an asset to me during my tenure at FICO, helping me think differently to guide my team in driving our objectives. It is great when you’re able to invent things that fill a need the market doesn’t even know it has yet.
Are you working on any exciting new projects now? How do you think that will help people?
Over the past few months, I’ve seen the world dynamic change from a security perspective because of the pandemic. Organizations have had to rejigger their supply chains, stop working with certain vendors because they’re no longer in business, and start working with new vendors because they’ve needed new services to support the changes they’re experiencing.
There’s been a lot of churn in that regard on the business front. At the same time, there’s a lot of other changes in how actual people within these organizations are working. We’re working remotely from home, we’re using new software, and all these net new situations have drastically changed the cybersecurity landscape.
At FICO, we’ve been focused on watching the data to see what’s changing in the cybersecurity and fraud risk landscape. Whenever our habits change — whether at work or as a consumer, we become vulnerable to new avenues of exploitation by fraudsters and cyber crooks. So, we’re really looking at how more people in different places can affect fraud prevention and cybersecurity efforts. We’re taking the insights we discover and integrating them into our products and services like Falcon X, which is the next generation of our flagship product that provides services to thousands of banks worldwide helping them to prevent and detect fraud.
We’re focused on making Falcon X flexible and adaptive to changing needs. More than ever, banks need to ability to pivot to accommodate change — whether that’s changes in fraud patterns, changes in consumer behavior, or changes in priorities within the bank. We’re striving to create tomorrow’s fraud platform that will accommodate the flexibility and extensibility required to meet tomorrow’s unknowns. Anything we’ve been working on recently with COVID-19 is essentially to enhance this best in class fraud cloud solution and provide add-ons to any new threats in the fraud space.
When it comes to helping people, the richness of the dialogue we’ve had with customers at FICO since COVID-19 started is incredible. Conversations have always been good, but with the pandemic creating a whole new set of challenges, these conversations have taken on a different dimension and are even more engaging as risk mitigation is ever-present for these customers now given risks are constantly changing in this environment.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
It’s hard to not burn out these days. I know from my personal experience that I used to rarely have a conference call before 7:30 a.m., and now, calls seem to start at 6 a.m. every day and last into the evening. This isn’t exclusive to me in this pandemic environment. COVID-19 has changed the way we work, making burnout much more real to many.
What’s important when we’re under this kind of stress is to remember the mission. One of the things that has always helped to motivate me is to take a step back and look at the end goal. Everyone has the days where they get bogged down in meetings, and get stuck working on what seem like minor or mundane tasks; but you need to take a step back to ask yourself, “what am I really doing here?” For me, the mission is about stamping out the evils that come out of financial crime and fraud. On any given day, it’s easy to forget that. When I look at the successes my team has had with some customers, it reignites my passion and reminds me that at the end of the day, we’re crime fighters.
The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
One of the more compelling things I’m seeing today is that companies have an appetite for breaking down silos to monitor for risk together across an organization. Businesses are beginning to embrace this idea that to effectively manage cybersecurity, fraud, compliance, and even financial crime in the case of FICO customers, that all of this risk management can be done better together.
Looking at these aspects of risk management together can be more complicated and cumbersome at times because like all of us know, it can be difficult to get two people — let alone two teams or departments — to align on a set of objectives or technologies to drive those objectives.
I’m also seeing that more consistently organizations are becoming interested in finding synergies between multiple departments that touch cyber and other aspects of risk management for more than just cost-saving reasons. Organizations are really seeing the benefits of having a single unified platform or set of coordinating technologies to use for monitoring because it also allows them to discover insights from one line of business and apply them to another line of business, or from one risk management discipline to the next. What you learn by looking at data patterns or behaviors within one line of business or discipline can help detect problems in another. We like to say that today’s cyber breach is tomorrow’s fraud. The correlation between individual cases of fraud and larger financial crime schemes is pretty self-explanatory. It pays to work these problems together.
The final trend within this space that really excites me is in the world of compliance. That piece of the risk management pie has always been heavily rules-driven, meaning if a company does “X” then it’s compliant. Now, I’m starting to see that “X” is no longer good enough for regulators as they’re trying to push organizations to not only be within the letter of the rules but the spirit of the rules as well. In regulated industries like financial services, we’re seeing regulators push companies to find what’s findable.
Speaking from a FICO perspective, we’re excited about these changes given our footprint in compliance, flexibility of platform offering and overall convergence of these areas. We’re ready to enable that convergence for customers at their pace.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The world had changed since COVID-19, so it’s important for companies to think about what has changed. Everybody had their list of pre-COVID activities that were risky from a cybersecurity perspective, but that list might not be as applicable anymore. If you really think about the way consumer habits and preferences have shifted, there’s a lot of new pieces to consider.
For example, within financial services, the shifts in how people shop and actually make purchases during COVID-19 are important to think about in the context of identifying and preventing fraudulent transactions. If the activity patterns in the data have shifted, what was once flagged as fraud might not be anymore.
From a broader organizational perspective, the way we work, how we access company resources online, and the new suppliers/partners/vendors we have may have all changed over the past few months. Anytime we see changes, but particularly changes of this size and frequency, the bad actors come out to take advantage. They know that organizations might not have quite figured out where their new vulnerabilities are yet making it the opportune time for bad actors to do bad things.
The biggest takeaway for companies right now is recognizing that it’s the time for more diligence and thoughtfulness about what new exposures have been created.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
The one that really opened my eyes to the impact cybersecurity risk can have is the one I mentioned previously about presenting to a new customer with some proof of concept content and their teams having to leave the room mid-presentation to go fix the hole we’d discovered. I’d say this experience showed me the importance of having a third-party vendor or just any outsider really taking a look at the potential cybersecurity risks of your system. It’s surprising how much we can have blinders on sometimes and miss things that are right in front of us, so having another perspective can be incredibly important.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
My role at FICO is really about creating tools that others use to detect cyber risk, fraud and financial crimes. Our flagship product in this area is Falcon, and the next-generation version, Falcon X, which as mentioned, supports thousands of banks or financial institutions across the globe in detecting and preventing fraud and financial crime.
This single platform product allows organizations to design rules, execute machine learning models, orchestrate workflows, and manage investigations across an array of fraud, compliance, and security risks. Generally, we see it as most useful for organizations looking to create unified operations at scale that quickly prevent or stop crimes that are happening.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
It’s important to start somewhere, and clearly small organizations can’t tackle the problem in the same way that large organizations can. I think it’s important that organizations make sure they develop a culture where everyone is responsible for security, but it’s also important that organizations establish clear roles and accountabilities for risk management. Even small organizations need to earmark the individuals responsible for security and other related risk management tasks.
That said, look for support from vendors and suppliers. They are specialists, and it’s good to lean on them for what they’re good at. And, as I said earlier, sometimes when you’re in an organization it can be hard to see the forest for the trees, so getting an outside perspective can help you find what you may otherwise miss from a risk or vulnerability perspective.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
If something seems amiss, check into it. If you’re asked for credentials you have not been asked for before, find out if the system has been deliberately changed before you click enter. If a workflow has been altered, take a minute to double check that it is the result of an intentional change. In short, be suspicious as a rule. It’s easy to get tricked by people who spend all day everyday trying to invent ways to fool you, so be on guard whether it’s your work life or your personal life.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
For future protection, the opportunity is really in the convergence of multiple disciplines — like authentication, fraud, compliance, etc. — within an organization. All these disciplines largely rely on the same or similar data, so to tackle those challenges more effectively, organizations can leverage the infrastructure they have to look across problems in these areas instead of looking at them in a siloed fashion. While there may still be some necessary separateness within these disciplines, leading edge organizations are those that recognize and act on the opportunity for tighter coordination amongst them. Oftentimes this means a common set of infrastructure and tooling around decision management and analytics so departments can cross-share insights to better protect the organization’s or customer’s assets.
This convergence is really what drives investment strategy at some organizations like FICO that provide these types of tools. For example, FICO leverages its decision management platform to build a common infrastructure across fraud, customer authentication, and financial crimes compliance on a single unified platform to allow customers to act on the convergence appetite that best suits them. Some have a little and some have a lot. Most will drive to greater levels of coordination in the future. It really just depends on the organization, but overall this convergence will continue to be a trend in identifying all the pieces that go into strong security risk management, including fraud and compliance in some cases.
What are the most common data security and cybersecurity mistakes you have seen companies make?
A big mistake that I have seen companies make repeatedly is not knowing the scope of their own network. Many companies — or at least the primary security team within those companies — don’t have a full and complete handle on the edges of their network. They may be unaware of some skunk-works projects, un-inventoried servers, cloud services spun-up by a development team, or the IP address space of a long-forgotten acquisition. It’s easy to imagine how this could happen, and trust me — we’ve seen it happen to many of our clients.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
One thing we have seen, through the scanning that we perform as part of our cyber risk quantification is an explosion in misconfigured remote access software. Everyone scrambled to better enable remote access in the early days of the pandemic, but not everyone deployed it smartly or correctly.
What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each, if possible.)
- Take a risk-based approach to cyber-related challenges: Organizations need to continuously evaluate cybersecurity prevention measures they’re taking. It’s not unusual for organizations to burn through all resources being busy with day-to-day security activities, but the important part is to take a step back to evaluate the most important assets, ensuring that those have the appropriate protection. Organizations need to expand their thinking and make sure that they’re engaging in a risk-based approach to protection, which means understanding where the high-risk areas are and focusing more activity on those areas.
- Avoid a “checklist” mentality: It can be easy for organizations to fall into a “checklist” mentality. One of the key challenges that organizations have faced in cybersecurity is that they’ve allowed activity or “being busy” to be a surrogate for effectiveness. Some cyber teams are doing everything — they’re driving all the patches, they’re updating all the certificates, they’re responding to all the vulnerabilities, etc. However, they are not stepping back from these activities to find out where they really have the risk, so that they can double down on those high-risk areas.
- Changing times call for increased diligence: It comes as no surprise that COVID-19 has changed the way we think, work, and interact across many different parts of our lives. The security landscape is no different. With employees working remotely and the list of vendors and third-party partners that organizations are working with also changing based on new needs, this is the opportune time for bad actors to strike. Organizations must be even more thoughtful in monitoring for vulnerabilities during times of intense change like now because there’s an increased likelihood of new security exposures.
- Convergence is king: Risk can mean different things to different organizations, but in general there’s been a move towards convergence of key areas within an organization that can experience breaches or crime. This includes areas like cyber risk, fraud, compliance, and where applicable, financial crime. This trend is certainly something for key decisionmakers to consider as there is real benefit in cross-sharing insights within these departments that can prevent breaches and fraud.
- Know your network. Make sure you’re accounting for all you’re meant to be accountable for. This goes beyond cyber risk and network security — it can also be a problem in securing product or customer portfolios as well. We find, and we hear plenty of stories about, organizations that are frequently taken advantage of in the one area they’re not minding…the bit that was forgotten. A well-researched risk inventory can be an important asset, as the chain is only as strong as the weakest link.
If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be?
Think in terms of risk. Tactics involve process — and you need to be good at your tactics through the development of well documented and thorough processes, but strategy needs to remain focused at a level higher, which requires a bit of risk management discipline.
How can our readers further follow your work online?
The best way to connect with me is via LinkedIn, which readers can find here. Always a pleasure to connect with fellow crime fighters!
This was very inspiring and informative. Thank you so much for the time you spent with this interview!