At the Oktane18 conference in Las Vegas, Eleanor Dallaway met Brown Forman’s global director of IT security, Elias Oxendine, to talk all things threats, challenges and choosing security products in an industry filled with snake-oil.
Brown Forman is a global operation with more than 25 spirits and wines brands in its portfolio. When you joined the company in 2015, what was your first role?
We had just finished a phishing exercise and I could see we had work to do. Our door was wide open. We did not have two-authentication at play. So we entered into discussions with Okta and deployed its tools and services.
At Oktane18 there has been a lot of discussion around the elimination of passwords. What are your thoughts on that?
Users are not a fan of passwords. You can see that based on the ones they use and the fact that they write them down. It’s all about two-factor for us and once we have rolled it out for the virtual private network, I am thinking about relaxing our password policy. Okta’s announcement today about possibly removing the password by using threat intelligence is huge. It’s a game changer.
One of the things I want to do at Brown Forman is change the image of IT and show people we’re the good guys by removing friction.
What are the biggest challenges facing you as global director of IT security?
Identity is my greatest challenge. Identity is the key to the kingdom if people can gain credential access. The threat landscape changes all the time and we need to make smart security decisions to reflect those changes. Security awareness was a real big challenge and huge area of focus for us. Hackers are good so our users need to be educated. Finally, I’m still focused on data loss prevention.
When searching for cybersecurity products to improve your security posture, how do you identify the best vendors and products for your requirements?
I get an enormous amount of calls and emails every day trying to sell to me; it’s overwhelming. We have a subscription service with Gartner and we use peer connect to find out who is using products and review feedback from peers. We need to be more strategic about how we spend our budgets.
On the security awareness piece, what methods do you find most effective for capturing the attention of your users?
We use technology the best we can and every other month we put communications out. We make the messaging personal, not just work related. We add alerts in emails to help people understand phishing techniques to try and take the guesswork out of it. We phish our staff once a quarter and increase the severity and complexity of the phish. People do get upset about being tested, but I believe that if you’re not p*ssing people off, you’re not doing your job. When people get passionate, I know I’ve done my job.
You report into the CIO. What are the Board’s main information security worries?
We are lucky to have support of the board. They are very supportive of us. The Board’s main concerns are financial risk, reputation risk and GDPR. We ran our first incident response exercise this year because the Board wanted to understand what it looked like. With simulations, there were a lot of lessons learned.
How difficult is it to recruit a talented security team?
It’s tough to recruit the right people in Louisville; it’s not a huge tech city so it’s somewhat of a challenge. We source talent from other companies in the local area. Attracting the talent is one thing, but then you have to keep it. Because of the high need for security professionals, they are able to make demands. You have to show them how they could make a difference so we try to line people up with things they would be excited about.
What is your main objective in your role at Brown Forman?
Maturing the security program and taking it to the next level. My job is not to close all the doors and windows, but just to close as many as possible. We judge our success using the Gartner maturity scale.