An Interview with Mike Kalac, Western Union CISO
One of my passions is to help organize and energize the Colorado information security community. I work on the Denver ISSA board, help organize some local security conferences – Rocky Mountain Information Security Conference (RMISC), and Denver B-Sides, and help put together some non-profit CISO events in the area. In my work in the community, I’ve been continually surprised at just how many fantastic individuals we have in the area and the wide variety of ways they contribute to the industry. So I set out to start meeting those people, and writing up those interviews for you, the loyal reader, to enjoy along with me. I am hopeful that one of these stories will inspire you to throw your own hat in the ring, or take a chance and try something new. Click the links below to read the previous interviews.
- Dave Navetta – Information Security Lawyer
- Chris Petersen – Co-founder of Boulder-based Log Rhythm
- Johan Hybinette – CISO for Hosting.com
- Jericho – Founder Attrition.org
- Dan Wilson – Co-founder of Denver-based Accuvant
In this installment I sat down with Mike Kalac, the CISO for Western Union. Not only is Mike a security leader for a Denver-based company that is a house-hold name, he’s also a genuinely nice guy. If you ever find yourself in the position to get to know him, I recommend you take advantage of it.
In this profile, we learn about Mr. Kalac’s path to security leadership, his vision for where security needs to go in the future, and what new-comers to the industry should do to break in and succeed. This interview took place during one of Denver’s February snow-storms, eating my favorite blizzard food – pho at Pho Saigon at County Line and Quebec.
My questions are in bold, with Mike’s responses paraphrased below.
What’s your background? How did you get into the security field?
I got an electrical engineering degree from Texas A&M. I took that degree and moved into the corporate world supporting telecommunication systems. In the early 90’s I got my first job as a telecom engineer for HP in the Bay Area. Back then everything was leased line, and I did work doing traffic analysis and the like. I was there for about a year.
After HP I moved to Octel for about four years, who was a big voicemail manufacturer at the time. At Octel I moved out of telecommunications and into the QA area. A bit of hardware QA, but primarily testing their software.
Out of the blue, my old boss from HP called me. He had moved out to Colorado for a position within McCaw Cellular, and asked me if I’d be willing to consider a position out in Colorado with him. Being a young professional in the Bay Area in the early 90’s wasn’t easy. The opportunity to get out of there and come to Colorado sounded great. I gladly accepted, and came out to Colorado to run McCaw Cellular’s internal networks , pretty much everything, servers, support and call center.
Were you there when AT&T acquired them?
Yes, when AT&T bought them it becames AT&T Wireless. As a part of that, I had an offer to stay on board and move to Seattle. I turned that down and joined First Data.
What was your role at First Data?
I ran much of their telecom and network engineering supporting their Denver data center. While I was there First Data bought a company called First Financial Management Corp (FFMC). The biggest holding of FFMC was Western Union. Western Union was in pretty dire financial straits at that point.
To bring this back to your initial question… how did I get to security. In 2006 First Data decided to spin Western Union off as a stand-alone organization. My boss at the time decided to move over to Western Union to fill the CIO position.
And you decided to go along with him?
Initially I had planned to stay with First Data. But I had a number of discussions with executives, and was offered the opportunity to join Western Union as their VP of Information Security. At the time leadership probably didn’t’ really know what security was all about. I assume some regulator had said they needed a position like this. This was fairly early on, and while the specifics of the position weren’t clear, the need was understood.
I accepted the role as the Western Union in early 2007. I probably didn’t clearly understand what it meant at that point. However, my strength is building high-performing technology organizations, and leading those groups.
As I started the team, I was able to take four of the security staff from the First Data team as the core of my new team. One of them left shortly after the move, but the other three are still around, and are cornerstones in the security organization we’ve built together.
I love getting to hear the story here. Unlike some of the other CISOs I’ve talked to, you didn’t come up through the hacking, or corporate security route. You were a successful leader in another part of the organization, and asked to lead the newly created group.
It gives me a different perspective for sure. When I read industry articles about how security programs must be focused on business and risk, and having good relationships with the CEO and key executives, I get it. I’m not the type of CISO who will be reverse engineering malware. My background helps me stay at the right level to ensure alignment of the program to the company.
My role is to put the right people in the right place at the right time.
So tell me about the reporting structure of security within Western Union. Where do you report?
I report into the CIO.
Reporting into IT is certainly a controversial thing. How do you feel about it?
Great question. When I first came into Western Union I was reporting to the CIO. A couple years later, they moved me under the Corporate Security group, which handled things like facilities and physical security. But when they did that they left security operations under the CIO. So I had things like security policies, engineering, architecture and risk, and the CIO had the security operations team.
This was a great opportunity to mature my team as we really got out of the day-to-day firefighting that comes along with production support. I used the time out of the firefighting arena to create and mature a risk management practice.
One of the goals I have always had within Western Union is to make sure that it’s clear throughout the company that there is one single CISO, and one security group. Especially with the large number of acquisitions we’ve done, it’s so easy to have small pockets of security appears throughout the organization. However, when I was moved over into the Corporate Security group, the executives started to have questions about which “security team” they should bring into on their projects. Between me and the security operations team under the CIO, it just wasn’t very clear who they should be involved.
So a couple years after I moved to Corporate Security we made the decision to move my group back under the CIO and bring security operations back under my purview.
So, in answer to your question, about where we sit, and what’s good: it’s a great thing to be where we are now. But it was really important for our program’s maturity to have had that time without operational responsibility. It was during that time without security operations that we were able to bring in things like Archer, develop a strong Vendor Risk Management program, and a solid risk assessment program.
What does your internal team look like now?
I have six direct reports, running numerous programs. I am a big proponent of plan/build/run. I have worked to create my team in a way that supports that segmentation.
- Director of Security Engineering and Advancement
- Director of Threat and Vulnerability Management
- Director of Governance, Risk Management Compliance (GRC)
- Director of Identity and Access Management (IAM)
- Senior Business Analyst – Responsible for organizational effectiveness, and communication.
- Director of End User Computing
End user computer? Desktops and laptops?
Yes, that reports into me. I know there’s a bit of a conflict of interest there, but I’ve found that there are great synergies on having this in my area. Not only are we able to get our patches and security tools pushed out quickly, but I immediately see the impact of my changes to the end-user environment.
You’ve mentioned your WISE program to me before. Care to expand on that a bit here?
Western Union Information Security Enablement (WISE) is a program we’ve created that is really focused on ensuring that our security initiatives not only help protect the company, but that they also make our users more effective. The alignment with End User computing helps ensure that we are making WISE choices.
Can you provide some examples of WISE choices?
Yeah… standardizing on one dropbox-type service. Standardizing and deploying a single sign-on service. These changes make our employees daily life simpler, while making the company more secure. A big key to enablement is communicating with the users why we are making these changes. The buy-in, the adoption and the impact the organization goes way up based on explaining the why.
My organizational effectiveness BA has really driven this methodology throughout both my department and the departments that support us.
What big initiatives are next on the horizon for Western Union?
I have a few things I plan to get into.
- Driving application security scans earlier into the SDLC, and getting them out of the security group and into the development and QA groups. Security flaws are really no different than any other bug. A security flaw that’s found in production is way more expensive than one found QA, which is more expensive than one found during development. We want to equip the developers and testers to find and remediate these issues without security needing to be involved.
- User behavioral analytics. I want to take user activity data from numerous systems like DLP, web activity, log data, and any other meaningful data I can get, and figure out a baseline of normal behavior. Having that effective baseline is something that’s talked and written about regularly, but not so easy to capture in reality.
- Advanced threat protection. I want to see a multi-layered system that communicates seamlessly from edge devices to end point, and sees east/west data center traffic. And I want those systems to share data to let us know where threats have moved in the organization.
- Evaluating leveraging cloud services, and managing the security of those services. In my role at End User Computing, we are looking at Microsoft’s Office 365 solution.
As you address the CISO community out there… what can we do better? Where are we getting it wrong?
When I look around the industry, I see that we are missing some very basic blocking and tackling. Rather than focusing on APT’s and the newest technologies, you need to ask the question, are you doing the basics right? Do you have an accurate and comprehensive asset database? Do you have a security baseline applied to all of your services and network devices? Have we successfully patched our systems? It’s not that the APT’s aren’t out there, it’s that you don’t need an advanced threat if the defender isn’t doing the simple things well.
And this question is for those looking to get into security. What recommendations do you have?
The most important thing to understand is not technology, it’s risk management. Security is not a binary function… we aren’t “secure.” We have a spectrum of risks that we will manage to the best of our abilities. Sometimes you will have a risk that management will choose not to address the way you see fit.
Also, don’t be intimidated by the technical aspects of security. There is a huge need for people who excel at the less technical things. Project management, facilitation, and other similar skills are needed. You can learn security-speak and become fairly competent technically.
What about those who are interested in getting involved with the more technical aspects of security? Any particular disciplines you recommend?
Forensics is a big need, and we can’t get enough good people. The other emerging skill-set are data analysts. Start to learn both data and security to understand how to use that data to improve security.
In my years in security, the biggest lesson I’ve learned is that our success is heavily dependent on other teams. We really don’t control our own destiny. We depend on the maturity and quality of the networks and systems our IT departments deploy, the code our developers write, and the decisions our management team makes. For that reason, the ability to work with other departments and other stakeholders is the most important skill for a security leader.
Thanks so much to Mike Kalac for making room in his calendar to grab lunch, and opening up about his Colorado success story. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do.