Q&A with Mark Morrison, OCC's Chief Security Officer

October 05, 2017

By Mark J. Morrison ,Chief Security Officer

Mark Morrison joined OCC on May 1st as Senior Vice President and Chief Security Officer (CSO). As October is Cyber Security Awareness Month, he shares his insights on cyber security and the exchange-listed options industry, as well as his responsibilities at the world's largest equity derivatives clearing organization.

Given that the Chief Security Officer is a new position for OCC, what are some of your primary responsibilities?

The CSO position is a relatively new role at OCC, but it is really an expansion of the responsibilities and focus assigned to the prior Chief Information Security Officer (CISO). The most significant difference is the CSO now reports to John Fennell, OCC's Chief Risk Officer, and the Security Services department is no longer within the Information Technology organization under the Chief Information Officer (CIO). OCC is following a growing trend in many Fortune 500 corporations who are migrating toward using a CSO. The idea is that these two experts, the CSO and the CIO, represent different viewpoints: a CIO is naturally focused towards production, while a CSO is focused on security and defense. To meet a company's business needs at an acceptable cost and level of risk, the CIO and CSO must synergize their perspectives so that company leadership can choose the right balance of capability and security to meet its operational goals. My colleague, Dave Hoag, OCC's CIO, and I are working toward that goal.

The main responsibility of the CSO is to define and manage the enterprise-wide Information, Cyber, and Physical Security Program. Security Services at OCC partners with IT, our corporate offices, and business units to ensure the confidentiality, integrity and availability of corporate information assets. Security identifies and employs information and cyber security best practices supporting a risk-based methodology consistent with financial sector regulator cyber security policies, procedures and guidelines.

How has your past work at the White House, Department of Defense, and various defense intelligence agencies prepared you for your role at OCC?

The government and defense sectors are tremendous incubators for cutting-edge security technologies and practices because they are constantly under attack. My experience in working with 24/7 global cyber defense operations has afforded me valuable insight into those tactics, techniques, and technologies that work extremely well ... and those that simply aren't worth the effort. Even though OCC represents a different sort of target for hackers and criminals, the lessons I have learned from my time in government are immensely valuable in setting our strategic cyber defense priorities at OCC so we can better serve market participants. The CEO of IBM has said, "Cyber-crime is the greatest threat to every company in the world."

What do you see as the biggest challenge facing CSOs in the financial services sector?

The greatest challenge facing CSOs in 2017 is how our adversaries have changed their tactics to hit us where we are the most vulnerable. Back during the first dot.com boom (1996-2001), cybercrime defense focused primarily on engineering solutions: firewalls, intrusion detection, network monitoring, and other technological defenses. That is because systems in those days were more fragile and exploitable than users were. Over the last twenty years, our defense equipment has grown so mature and so stable that cybercriminals have come to downplay old-fashioned technical exploits in favor of trying to compromise people. Why invest hundreds of hours crafting a wickedly-complex virus when you can steal a user's network credentials with a phishing message that costs a fraction of a cent to send and only an hour to craft? That is why we as CSOs have to work harder than ever at raising security awareness and changing user behavior.

What do you and your peers see as some of the emerging cyber security threats and trends?

The rise of cost-effective cloud services has significantly changed how companies of all sizes conduct security operations. The cloud providers have made it easier than ever before to spin up new capabilities and services as business needs change. Cloud offerings can be great tools for cost-effectively managing demand. Cloud offerings can also pose a security nightmare depending on how each unique provider approaches the problem of protecting their clients' data, accounts, and services. When all of your IT equipment is safely locked up in your own data center, you have considerably more control over your information and services. When your IT "equipment" is actually a partner's equipment that you are renting from across the public Internet, you have to sacrifice some control and situational awareness. Contracts, monitoring, and cloud-aware security tools become crucial tools for getting what you want out of your cloud providers without unduly losing control of your critical information.

What would you say is the biggest challenge and/or opportunity facing you and your team at OCC?

Realignment and reorganization are the next vital opportunities that we are tackling inside Security Services. We have more than tripled the number of people in Security over the last five years, and we also have seen tremendous turnover. Many of our leaders and experts - people like Erin Collins, Joe Rebone, and Dru Taylor - were recognized for their tremendous achievements and potential, and left Security Services for higher-level opportunities, both inside and outside of OCC. We are proud of our people and wish them all the best. We have also hired a number of new industry experts to deliver new services that we have offered before - specifically in the areas of security engineering, resiliency, and testing. That means that now is the right time to restructure and re-balance our team to ensure that we have the right expertise in the right structure to accomplish our most critical functions. We are getting the team together at the kick-off of Cyber Security Awareness Month to re-set the Security Department into its optimal state so that we enter Fiscal Year 2018 stronger than ever and continue to safeguard the integrity of the exchange-listed options markets.