Driving Digital Transformation with Julie Talbot-Hubbard
Episode 8
December 19, 2023
“I always say, identity and data are now the two most critical things that you must protect. I think they go hand in hand because you’ve got to really understand what you’re giving access to. You’ve got to understand what’s going on in your organization and where it’s being stored.”
Julie Talbot-Hubbard, President of Services and COO, Cyderes
Transcript
0:26 Introduction
Alberto Yepéz [AY]
Hello and welcome to the Forgecast. I’m Alberto Yepéz, Co-founder and Managing Director at Forgepoint Capital and I’m your host today. I’m delighted to have Julie Talbot-Hubbard as a speaker today to share her story and success, and to share some of the key experiences that led to her career progression.
Julie has done it all. You picked the hardest industries of all- regulated industries. You’ve gone from being an influencer of how the organization should be using technology, to leading those organizations, to becoming more of a vendor or a supplier to them. You have been recently promoted to President and COO of one of the largest managed security services in the world. Welcome. We’re very excited to have you here and thank you for taking the time.
Julie Talbot-Hubbard [JT]
I’m excited to be here today, Alberto.
1:26 Background
AY
How did you get started? You got a degree in finance and now you’re sitting in places that you probably didn’t think you were going to be sitting.
JT
I think like many people, when you’re younger, you don’t really know what you want to be when you grow up. I think that most people probably still don’t know, Alberto. I actually started my career at Bank One which eventually became JPMorgan Chase. I started there as an auditor, auditing clients both financial and technical. It was right before 9/11, a couple of years before that, when I got pulled into business resiliency crisis management within that firm, which was a tremendous opportunity for me. I got to move around the organization, every two years was promoted, and got to work in every facet of risk management to information security in one of the largest global banks in the world. I often say I grew up in financial services but I think, as a security professional, they were actually the most mature security-wise (alongside government agencies). I look at that experience as really what shaped me and gave me that foundation to grow my career.
AY
That’s outstanding. So as you progress and look back on the education you have, do you feel that it was what you learned in school that prepared you for what you’re doing, or did you have to augment and complement that? I know you also took some executive development programs as you progressed. For the audience of people saying “How do I get to be Julie?”, can you give a little more detail and reflect on that education?
JT
I took many different courses along the way depending on where I was in my career. Early on, I took more technology classes as I was looking at data storage and how we secure data, so I invested in those types of courses. I went through many security certification training classes and did that type of work. As I progressed in my career and was looking to see where I wanted to go next, I took classes around executive presence. I’ve taken executive board work classes at Harvard. I’ve been a continuous learner. That’s why I stay in security, actually, because it’s continuously evolving and changing and you have to have that mindset to continue to go.
3:52 Regulation, Compliance, and Auditing
AY
As you reflect on your career- you’ve been primarily in regulated industries. How do you relate that and how it’s different than being in a non-regulated industry? You’ve been living in healthcare, financial services- maybe correlate a little bit of that. Why is it important not only to have a good business practice, but factor in how you’ll get regulated and how that regulation isn’t an option when getting things done. Today, people are finally paying attention given the SEC and everything else and saying, we better make investments in this area. Any thoughts for somebody planning their future career around regulated or non-regulated industries? You’ve driven your career- at least at the very beginning- in regulated industries.
JT
I would say I spent probably 90% of my career in a regulated industry. When you think about cybersecurity 15 or 20 years ago- I’m dating myself now- the regulated industries were the ones that had compliance requirements, so they really understood it and usually had the funding. Not always the funding, but they always felt the need and the pressure to comply with regulations and secure the environment. I started in financial services and have probably spent over 15 years in financial services in some capacity. Then going into healthcare, there are also regulations, but I would say from a maturity perspective it’s a lot less mature than a financial services organization. That’s just from a systems perspective. Think about medical hospitals. Those environments are typically very fragmented and very decentralized. They’re just more complex to manage. From a funding perspective, they didn’t have the funding that financial services did. Early on in my career, those two are the areas I sought after because I knew there would be support in the organization to really help improve security.
On the flip side, a lot of times security was driven by compliance. When you think about that, I always say I do security first to secure the organization, not for compliance sake. Sometimes, unfortunately, that’s not how the organization looks to fund it. You’ve really got to be creative, in my view, on how you pinpoint initiatives that are going to drive security most in the organization and also can tackle the compliance requirements.
AY
I love the fact that you come at it from an auditing perspective. I worked in IT in the beginning of my career, and some people are afraid of having to deal with auditing. I think internal auditors can be your best champion, especially when you’re saying “Here are the exposures, and before we go to the real audit these are the things we need to fix or get funding for.” I think that background gives you a very interesting perspective in an organization to say “We need to be prepared.” Nobody’s going to be 100%, but there are more urgent things that need to be fixed right away. I think that probably gave you an advantage over those who don’t have a background in doing both internal audits and dealing with external auditors.
JT
It definitely did. I think that they’ve always been my biggest allies, Alberto, in any CISO role- auditors, both internal and external. I’ve got a lot of experience working with financial regulators because there were MRAs across different companies I worked for, and I had to present evidence and work with them. I also use them to help champion my initiatives and get the business’ attention. Often times people think IT is driving the priorities of an organization, but it’s the business. You’ve got to get the business to have a stake in your security program and the outcomes or you’re never going to be successful.
AY
You said a code word many people will not understand- what is an MRA and what is an urgent MRA? It’s pretty unique to financial services, right?
JT
It is. There are typically audits that go across banks of different sizes. There are different names for the types of audits that they do. Typically they’ll choose different security capabilities they want to evaluate across regional banks, large banks. Through those audits, depending on the outcome and findings, you could have what they call a matter requiring attention (MRA). Then you’ve got to set dates on when they will be remediated. You’ve got to show progress that you’re working to close them throughout the whole life cycle of the MRA.
AY
What is an MRIA, for people that do not have that lingo?
JT
Matter requiring immediate attention.
AY
Immediate attention.
JT
Luckily, I have never had to remediate one of those. However, I felt plenty of urgency in the ones that I did have to remediate across large-scale banks.
AY
People pay attention when they have the MRIA because it needs to be fixed. Otherwise, you’re going to face a fine. So there’s some new lingo- you lived it, I lived it, but often people don’t know what an MRA is. With an MRA, suppliers may start to doubt you: which MRIAs do you have and how can I help you get there? Because typically, from an external perspective, those take priority in protecting the business and have to be fixed. It’s an interesting perspective. An MRA is something that probably every industry should have. Thank you for sharing that. That’s unique. I think the audience will appreciate it.
9:54 Digital Transformation During the Pandemic
During the pandemic, you had been making the shift to healthcare, right? Any lessons learned? I know you say it’s a little bit of a lagger, not an early adopter, but were there things that needed to get done quickly and accelerated digital transformation? Any thoughts about that period of time during the pandemic, either as a practitioner and/or supplier to those organizations?
JT
Like I said earlier, the business really drives the priorities of an organization. Through the pandemic, what I saw through helping service organizations was priorities depended on what industry they were in. If you were a hospital, there were just tons of changes being made to the hospital system with people working remotely but having to give care. That drove a lot of different technology needs and advances, and then security as pieces of it. Some organizations were better prepared than others on planning for those types of things. I saw organizations having to flex pretty quickly to make that happen and support their customers. I don’t want to say security was always an afterthought, but I did feel like we ran to help operate the business and then were kind of stepping back in to add additional controls around it.
It was really all around working remotely. But, I think you have some businesses that have changed forever. That also opened people’s eyes from a consumer perspective- even individuals buying groceries and everything and having it delivered. Everything had changed due to that experience. Organizations have had to change their IT strategy as well as their security to compete.
11:55 Identity Access Management and Organizational Change Management
AY
Throughout that, you also decided to focus on identity. At the end of the day, we do the things we do because we want to have situational awareness of what to measure and the appropriate controls to put in. You develop an innate ability to understand that identity is critical to an organization. That’s probably when you made the transition to work at Optiv as one of the leaders in identity and access management. It was probably because you brought a practitioner perspective to a vendor. Any thoughts about that focus on identity and, when it comes to identity access management, how people need to think through investments? These are not a one-time thing, it’s a whole program, right? People understand that it’s a huge transformation. Any thoughts in that area?
JT
If you think about digital transformations, a lot of organizations moved to the cloud. We’ve been talking about the cloud for many years but organizations were very slow to move to the cloud because of security risk and change. In some organizations I was part of, it took us longer to move to the cloud because we were in our own way. People were very concerned about change and what it meant to their jobs. But we saw a rush into the cloud. Think about how organizations previously had their perimeters and firewalls in place- that all changed drastically. From an identity and authentication perspective, there was now privileged access management, the machine identity, spinning up, spinning down- people’s environments became very complex very quickly. I always say identity and data are now the two most critical things that you must protect. They go hand in hand because you’ve got to understand what you’re giving access to. You’ve got to understand what’s going on in your organization and where it’s being stored.
AY
At the end of the day we’re trying to protect information. Information is derived from data, which is processed by applications sitting on a device connected to a network- an individual is the one driving that. To your point- and this is part of our current investment focus as well- it’s about next generation identity given multi-cloud environments and data that’s propagated without knowing where it is. With all of the backups and everything else, the lack of understanding around how data is processed and where it resides becomes a huge priority to drive resilience. You were tasked to build a practice when there were lots of practices by big integrators. You came into what effectively was a reseller business. They wanted to be more of a value-added reseller. How did you shape that program for both identity and data?
JT
Being a practitioner helped me tremendously going into it because not only did I understand the mindset of the buyer that we were selling to, but I had also worked across many enterprises and many industries, and really understood the challenges that customers faced. Identity is a program but many organizations think, “If I buy a technology, that’s going to fix everything.” Typically, it’s a series of technologies. There are a lot of platforms being built but I haven’t seen wide adoption of them yet, so you’ve got best-of-breed technologies across your identity stack.
The largest thing I see is organizational change management. You’ve got to understand your systems and have adoption across the program. It’s typically around identity governance. Understanding your identities is a multi-year effort. Some organizations get frustrated after year one because they’re not progressing quickly and they give up. Then they’ll get an audit and face a finding and come back around to do it again. The practice that I focused on was the full identity, from identity strategy, advisory, privileged access management, identity governance, MFA, and SSO. This has started to grow for both the workforce and the consumer sides. That’s based on the consumerization of IT and the frictionless access that people want to experience. That’s something that I built around. I tried to be agnostic to technologies because they’re changing rapidly. You’ve got to have the fundamentals down across your organization. While I was at Optiv, we more than tripled the practice. That shows you the growth and the importance of identity across all organizations. It’s every industry, from retail to the regulated industries. You’re seeing it everywhere.
AY
Especially retail because now, who’s your customer, how are you going to protect their identity with current privacy issues and all of these regulations? People are saying “Whoa, what am I going to do?” I’ve been in the identity industry since ’95, ’97 when I started my first company enCommerce- we had single sign on and got acquired by Entrust. I also worked with Thor Technologies on identity provision and governance, which got acquired by Oracle. To your point, the platforms change. It’s not like one identity vendor is always going to be prevalent. You have to figure it out architecturally in a highly distributed environment. You need to be able to operate and have visibility in multiple environments, working with multiple vendors who have multiple environments of their own. I think the next generation in identity will be more analytics. People are talking about posture management- with identity posture, where are your identities? Who has privileges? Other vendors have done it for certain environments, but I think there’s a bigger picture now and people are going to say “I have to get a handle on the multitude of products, vendors, and information systems.” Sometimes you run it yourself, sometimes you acquire it in a SaaS offering.
JT
I couldn’t agree more about the analytics. The clients I’ve worked with are asking for that and it’s something that we built in. Some products have it and some don’t. The other key technology is machine learning and AI, which has been embedded in a lot of identity platforms for a while but we’re seeing it pick up more. That’s useful for behavior analytics, which previously involved monitoring identity logs in a SIEM or other tools that looked at behaviors. Now, the need for it is increasing because of the sheer volume individuals monitor to pick out anomalies.
19:32 The Innovation Economy, Advisory Councils and Boards, and Giving Back
AY
We’re always amazed at the time you dedicate not only to your job responsibilities but also keeping up with the innovation economy. I know you are a member of our advisory council and also work with Cyberstarts and other groups that are nurturing the next generation of vendors. Any thoughts on the importance of doing that for fellow practitioners?
JT
That’s something I really enjoy doing for two reasons, Alberto. One, I do it because I want to continuously learn, grow, and share my experiences to build solutions that protect organizations. The second piece is related to my career perspective. Like the trainings and classes I’ve taken, I also want to become a corporate board member. When I’m on these advisory boards, I’m always looking to see how I am gaining experience and what type of experience I need to prepare for the next level. It’s also a great opportunity to network with CEOs of security technology companies and other security practitioners. You learn a tremendous amount from those individuals and you can give back as well.
AY
Absolutely. We’re beneficiaries of a lot of that wisdom. You help 1Kosmos, SPHERE, and our portfolio companies in general that are trying to define and refine their offerings and hit their stride rather than trying to come into a market that is noisy, crowded, and not very differentiated. I really appreciate the time you spend with them. Thank you for that.
You always make time to give back. I know you’ve been very involved with certain non-profits championing diversity and supporting the next generation. What are the organizations you are involved in and excited about?
JT
Yes, as you reflect on your own career, you can notice what you’ve pushed through to get where you are. I always want to encourage people and help them with confidence to achieve what they seek out to achieve. I’ve become the champion or the exec sponsor of the women’s network in every organization I’ve been a part of. In the last organization I was at, we started with maybe five members. When I left, we had around 300. We were doing events, conferences, and bringing in speakers both in-person and on the web; we did mentoring sessions, lean-in circles. It was all to help encourage individuals to pursue their dreams and have confidence in themselves.
From an external perspective, I’m on the advisory board of the Women and Technology Group here in Atlanta. There are programs for entry-age children all the way through colleges and professional development. We’ve got different programs. I’ve been a part of a single mother’s program where we created education curriculum material and took 15 women per year through a cybersecurity course. Then we would help get them interviews and get them placed in a job. That was very transformative for many women that were single mothers.
There is also a college program there. That is something I’ve worked very closely with sponsoring hackathons. I did that two years in a row, prior to coming to where I am now, sponsoring hackathons with 16 colleges. It was all for young women in college. The first year we had about 130 women participate. The second year it was over 200. The most rewarding thing for me is helping others in that regard. One of my favorite sayings that I learned from another female chief product officer at an identity company is “You’ve got to learn to sprinkle joy across your days.” We manage tough situations at work every day. It’s important to find what gives you joy and energy and make sure that you’re experiencing that as well.
When I grew up, I didn’t know what I wanted to be. In my first job, I walked around the office building and peeked in people’s offices looking for pictures of children and pictures of women. I knew one day I wanted to have a family, but I had never really been around that. I think the more individuals can see people like them in roles, the more it opens ideas and gives them confidence to pursue their dreams.
24:51
AY
I love hearing the passion when you speak on that. At the end of the day, there have been people that made a difference in our careers. There’s the mentor, the sponsor, the advocate. Any reflections- you don’t have to name them specifically- on the importance of having those in an organization? When you were looking around, you were looking for somebody that looks like you and somebody that may be willing to help you understand how to navigate and network. I remember when I started my career at Apple, I was just inside my cube and somebody said “No, you need to go out and meet a lot of people for lunch, otherwise you’re never going to get your career going here.” Any reflections on relationships or people that have made an impact on your career?
JT
I think there were a ton. Looking back now, years ago I didn’t know the difference between a sponsor and a mentor. But after my second job out of college, I figured it out pretty quickly. There are several individuals. One that I met in my first job out of college at JPMorgan Chase- I’m still connected to him, even on Facebook. He was one that really believed in me and promoted me and pulled me along. Maybe I wouldn’t want to take the job, but he would encourage me to do it. I’ve got several of those individuals that I stay in contact with. I might have met them 15-20 years ago, but I always keep them on my speed dial for when I’m needing guidance and I’m in a tough situation. They’ve also built that relationship with me and probably know me better than I know myself sometimes. I think having sponsors and investing that time… it will help you just navigate an organization because I think we all need that in large enterprises.
AY
I also didn’t have a clue what a mentor or a sponsor was, until later in my career. Looking back, I can see the difference they made and see who my mentors and sponsors were. Now, there’s a new definition role of an advocate that always says, “Julie is great, she’s made a difference.” It is all situational awareness we need to have wherever we work.
27:26 Networking and Finding a Community
You mentioned Chief- I don’t think a lot of people know what Chief is. I think it’s important to highlight it because, to your point, the community gathers around common values and trying to make a difference. You’ve probably been there for a couple of years now, right?
JT
Yeah, and it’s been a great community of executive women, not just from security or technology but from all facets. I think that’s great because I’ve really evolved my career- I went from managing security and enterprise to managing a practice and now am running part of a business. Having exposure to different females in those areas, you understand more about the day in a life and what skills you need to get into different fields, so that’s helped me in that way. One, it’s a big support network. There are regular meetings and we’ve got core groups. There are also networking activities in every major city. 10 years ago, I wished I could have that, but I didn’t. Now, with technology you can just get on chat and talk to anybody, anywhere. It’s really great to have that network of executive women to go to. There are even job boards and other resources. We all know as you grow in your career, the best chance of getting a role is usually through networking and jobs aren’t posted everywhere. If you form those connections and build that mutual respect, that will open doors for you in your career as well.
AY
Especially board roles, which are not often published. On a board, the first question is usually about who we know that has the following skills and often times the first referrals are from the board members. While there are firms that specialize in searches, a lot of it is through the knowledge and the network. The importance of networking is critical to advance our careers, so that’s really good advice.
29:48 Generative AI
There’s a lot of news, effort, and investment going on around next generation AI with generative AI and ML. While it’s not something new, how do you think it’s going to change what we do in business, in general and for cybersecurity? What are your thoughts on AI and ML, and the role that they are going to play in our society?
JT
I think it’ll play a big role. Even in the past two or three years, there’s been adoption around routine tasks and other things from an efficiency and a cost perspective. What we’re starting to see now is the fidelity and what things it can do is exponentially better sometimes than what we can do as humans. I do see that shifting, but I still think we’re in a state looking at how we are processing more, how we are really streamlining things, and how we are being more efficient. That’s where I see it being used today.
On the security side, I do think that it has great capability to identify anomalies, and it might build in a response technology as well. With technology, we always look at it to drive goodness- whether that’s security protection, healthcare, delivering better products to clients. But the bad actors, we have to remember, have the same technology and are working on it all day long for their reasons. As we’re looking at how to leverage and enhance our security protections or businesses, we have to be mindful of the bad actors that are also using AI. How are we keeping pace? If we’re not, I get really concerned.
AY
I’m with you. I’m getting so many perfect spams, like DocuSign’s. Do you need to sign these? It’s like, wait a minute, we’re not doing a transaction and why am I doing that? We’re a small organization but they’re getting so sophisticated and there’s so much volume. To your point, there’s a high fidelity in how they’re using the technology to get you to click a link, to compromise you. More importantly, there’s the contextual stuff that makes you think “I better call my CFO, I better call somebody because this doesn’t seem out of the question.” I think the most vulnerable population is the aging population that is not familiar with technology like kids. We need to be very vigilant because this is here to stay and it’s only going to increase. We all need to take responsibility. As vendors, how do we help enterprises deal with consumers to make sure that they take responsibility, right?
JT
Back to your point, whether it’s social engineering like phishing or anything else like ransomware-as-a-service, all of these things are built on technology. What you find, I think, is individuals don’t need as much skill to deploy and use these tactics.
33:23 Final Thoughts
AY
This has been great. I appreciate you sharing all your insights and guidance for our audience. Any departing thoughts on what you’d like to see change, some of your objectives, how the industry will evolve, or the role we need to play?
JT
For the industry, I’ll break it down into a vendor or partner perspective, and then what we can do as security leaders. When I think about partners, technology, and what organizations are going through to secure themselves, it’s really complex for them. Everybody thinks “Security budgets are going up or they’re not going down.” I would argue that they’re not going up because the environment that a CISO has to protect is getting larger. With that, there are increased technology costs and increased integration costs. As practitioners or security partners, we should think of anything we can do to remove some of the complexity. Speed is another key piece. We know from a competitive perspective that things are increasing in speed for organizations, which again is driving complexity. That’s one thing I’m focusing on: whether it’s in our technologies, our platforms, or our services, how do we help remove that complexity? From an individual perspective, I always go back into my passion for giving back. You’ll see still that in security, there are still many open jobs. I challenge everybody to give back and to help mentor somebody that maybe isn’t even in security or in technology. Help bring along that younger generation.
Give people chances. Traditionally people think you need to have a technology degree, or you have to be in the armed forces. I would tell you that the highest performance teams I’ve managed have been ones with unique backgrounds. They bring different skill sets- you need that for a security organization. Those are the two areas that I would focus on.
AY
Great points. This morning as I was getting ready for our talk, I saw that you just got promoted to President of Services and Chief Operating Officer at Cyderes. Our most sincere congratulations for that. It’s recognition of the work and your ability to manage complex situations in a global environment. We wish you continued success. We’d love to continue our close relationship and really appreciate you taking the time to share your perspective.
JT
It was wonderful to join you here today, Alberto. I’ve really enjoyed working with the Forgepoint Capital family. It’s been great.
AY
Thank you again, Julie. I appreciate it.