Building technology, teams and trust
02
IPG: building technology, teams and trust
DECEMBER 2019
03
w w w.i nte rpublic. com
INTERPUBLIC GROUP
Chris White, Deputy CISO at Interpublic Group, talks about the talent shortage, automation, and how to ensure that cybersecurity is an enabler of creative freedom and business operations
W
e live in an era of unsurpassed connectivity. The ongoing digital transformation of the global business landscape is bringing
everything from robotic process automation (RPA) to artificial intelligence (AI) out of the pages of science fiction and into the homes and workplaces of billions 04
of people. Nearly every person walks around with a rectangle of glass, plastic and silicon in their pocket that can access nearly the sum of human knowledge, and possesses about 100,000 times the computing power of the thinking machines that put man on the Moon. In seconds, we can convey information, opinions and our innermost thoughts to an audience of millions. We can share memes using a refrigerator now. Never before has information, interaction and human connection been so readily available, but this new world is not without its challenges. “What I don’t think a lot of people understand is that every single person that owns a smartphone, tablet, smart watch, even a smart fridge, is under attack, every minute of every day,” explains Chris White, Deputy Chief Information Security Officer at Interpublic Group (IPG).
Below: IPG Chairman and CEO Michael Roth and Chief Diversity & Inclusion Officer Heide Gardner
05
1961
Year founded
$9.7bn
Revenue in dollars (2018)
54,000 Number of employees
w w w.i nte rpublic. com
INTERPUBLIC GROUP
06
“ Every single person that owns a smartphone, tablet, smart watch, even a smart fridge, is under attack, every minute of every day” — Chris White, Deputy Chief Information Security Officer, Interpublic Group (IPG)
“There is a global war going on in cyberspace. There are criminal elements, state-sponsored elements – that classic idea of the kid in the hoodie in his mom’s basement doesn’t even scrape the surface.” Far from attempting to instill mass panic, White’s tone is one of reassurance. “Inevitably people hear that and say ‘well now I’m afraid to go outside’, so to speak. What do we do now? The answer is just to behave normally. There’s no sense in becoming a doomsday prepper, living in a bunker with the phone lines cut, because all the companies that make and support everything you do at home and for work, they understand that cybersecurity is critical to doing business. That’s why they have guys like me who are doing our absolute best to protect you.” White’s career in cybersecurity started in the US Air Force, working as a signals intelligence operative around the dawn of the internet. Over the course of a 30 year career on the front lines of cybersecurity, he has developed a wide breadth of experience in security automation and telecommunications. He took on his current
CLICK TO WATCH : ‘IPG HOSTS INAUGURAL – FASTFW: AN IPG INNOVATION SUMMIT’ 07 role at Interpublic Group in April 2019,
cybersecurity, to our portfolio of com-
working to support and execute the
panies, which all operate in a culture
security vision of IPG’s CISO, Patricia
of consensus. I’m responsible for
Hinerman, who moved over from her
more than 100,000 endpoints, tens of
role of Corporate CIO in March.
thousands of users across hundreds
Interpublic Group is one of the
of companies supporting thousands
foremost advertising and marketing
of downstream clients. My security
holding companies in the world. With
team is 30 people,” White explains.
offices across the globe, the company
Along with Hinerman, White and his
employs more than 54,000 people
team are facing up to the challenges
specialising in advertising, digital
before them and executing an intel-
marketing, communications planning,
ligent, modern cybersecurity strategy
media and public relations. “Because
that balances the challenges of a con-
IPG is a holding company, my job
stantly evolving threat landscape with
is to provide IT services, including
the unique demands of IPG. w w w.i nte rpublic. com
INTERPUBLIC GROUP
08
Across global companies, opera-
clients with a marketing campaign
tional functions and departments are
that’s intelligent, appealing – all those
transforming their operations to ensure
things. The upshot is that I can’t just
they not only perform those functions
mandate that people use particular
but also enable, support and add value
tools or software. I need to enhance
to the enterprise as a whole. As IPG, a
my agency’s function, and that means
business fueled by creatives working in
creating an environment that is secure,
the world’s best advertising agencies,
but also not restrictive to the creative
this is vitally important. “We’re ensuring
process.” Constantly finding the solutions
that we’re never, ever ‘the office of no,’”
that provide security, without restricting
says White. “IPG has a creative culture.
freedom or disrupting operations is
The people here are working on how
a core element of White’s role.
to make the next great Superbowl commercial, how to really support their
Even as businesses’ operations become increasingly digital, the
industry-wide emphasis on the human
In addition to a shrinking pool of cyber-
element is only growing more pro-
security professionals, the amount of
nounced, something made even more
data that a modern team handles is
apparent by demand for security per-
growing exponentially, something that
sonnel that outstrips the current supply.
is transforming the way teams like the
“There’s a dire need for cybersecurity
one at IPG function. “The talent short-
professionals. If you can hire them, it’s
age combined with this data increase
hard to hang onto them,” says White.
means there’s no way that you can
“I have to find the talent that’s right for
follow traditional security practices
me in my environment, in my culture,
of identifying a problem, sounding an
and work with them to give them the
alert, prioritizing it through as critical,
things that they need to get their job
high, medium or low, and then tackling
done the way they want to do it. I have
it,” he says. “If you do that, you’re going
to think of creative methodologies.”
to get buried in data.” The answer, in
E XE CU T I VE PRO FI LE
Chris White Chris White is a 30 year cyber professional. He spent 25 years working inside and with the DoD on the design, deployment and operation of cyber offensive and defensive platforms. He then spent four years working for EY supporting clients across the media & technology, retailing, and manufacturing verticals to establish and operate their security functions. He currently serves as the Deputy CISO/Director of Security Operations for Interpublic Group. When not defending the enterprise he likes to ride motorcycles, play guitar, and enjoy life.
w w w.i nte rpublic. com
09
Interpublic Group Adds Business Value to its Companies Through Security Proofpoint protects users and delivers unmatched insight for continuously maturing security effectiveness. THE COMPANY Interpublic Group (IPG) is a premier global advertising and marketing services enterprise. Its companies specialize in advertising, digital marketing, communications, media, and public relations—creating customized marketing programs for clients of all sizes. IPG support its agencies with a range of services, including IT and cybersecurity services. But reducing risk and protecting users across a large and complex global federated enterprise is a tall order. Proofpoint plays an integral role in the security team’s success.
THE CHALLENGE IPG and its companies deliver award-winning campaigns for many of today’s world-leading brands. Marketing and advertising strategies, creative work, and brand equity can represent billions of dollars of corporate value to each client. Security is important to win agency clients; therefore, it’s essential for IPG to protect its companies and employees in order to attract new agencies. “Our mission is reducing business risk,” said Chris White, director of security operations and deputy chief information security officer for IPG. “That’s not easy with massive scope and complexity. We can’t possibly hire enough cybersecurity experts—they simply don’t exist—so we must find other methods to achieve our goals.” The IPG security team manages more than 100 agency tenants in Microsoft Azure-based Office 365 email. Among tenants, there are huge differences in office size, ownership and work style. The goal is to move the hundreds of IPG companies to Office 365, but meanwhile, the team needs a way to defend multiple email platforms against crimeware, email fraud, imposters, and nonstop phishing campaigns. “I knew Proofpoint could arm us with the tools and information that enable us to defend our companies and give us the data, automated capabilities, and vendor expertise we needed,” said White. “We chose Proofpoint as our primary tool to support security for one of our most critical business systems.”
THE SOLUTION Building on strength The IPG team built its defenses on Proofpoint Email Protection. With multi-layer threat protection and analysis, it defends IPG employees against spam, bulk email, malware and viruses. It also evolves impostor email and phishing attacks. And by using Proofpoint Targeted Attack Protection (TAP), the IPG team can detect, analyze and block advanced threats delivered through malicious attachments and URLs before they reach employees. TAP also detects polymorphic malware, weaponized documents, and credential theft attacks across cloud and premises-based email systems. For example, IPG exchanges email with its companies, and each company also exchanges email with external clients. Once, a client’s email was co-opted by a threat actor who inserted a malicious URL—unbeknownst to the client. Proofpoint detected and blocked the email, which enabled IPG to provide the agency’s client with the important data needed for remediation. “Proofpoint enables us to add value to our companies,” said White. “In turn, they can demonstrate security assurance to their clients. Proofpoint supports our trusted relationships, which are critical to delivering great work.” Besides detecting advanced threats, the IPG team can automatically remove them from mailboxes with Proofpoint Threat Response Auto-Pull (TRAP). This automation has been a game-changer for IPG. White’s team plans to extend Proofpoint Threat Response automation to other use cases, such as automatically isolating endpoints or correlating data with other security controls.
“There will always be more threat and attack data than security analysts,” said White. “With Proofpoint Threat Response, we can automatically enable protections further down the kill chain. This is extraordinarily beneficial.”
Maturing front-line defenses Knowledgeable employees are powerful front-line defenses. Proofpoint Security Awareness Training with PhishAlarm makes it easy for IPG users to report phishing emails. PhishAlarm Analyzer ranks reported emails in real time by their threat potential, which saves time for the security team. The Proofpoint Attack Index within the TAP Dashboard provides data on IPG’s most attacked people. And it gives them instant visibility into these targeted users and the threats that attack them. With this insight, White’s team can track changes in the attack landscape over time, as well as improvements in user awareness. “We can measure how well users recognize phishing attacks and if they take action when they see something suspicious,” said White. “Having users report suspicious emails is a huge step forward in security maturity.”
THE RESULTS Proofpoint enables the team to focus its time on “true positive” alerts and issues with potentially high impact. Now they’re spending their time on the security measures that matter most to their enterprise and its companies.
LEARN MORE For more information visit proofpoint.com
“By improving our companies’ security, we provide a distinct benefit to their businesses and their clients. Proofpoint enables us to bring more value to these relationships and plays a key role in making us attractive to new agencies.” Chris White Director Of Security Operations and Deputy Chief Information Security Officer Interpublic Group
INTERPUBLIC GROUP
addition to careful cultivation of an existing security team, is to harness cutting edge automation technology. “You have to apply automation to help direct people’s brains to where they need to be focused. This is one of the reasons why I am very excited about our new companies, Acxiom and Kinesso. When IPG acquired one of the world’s leading data solution companies in 2018, it afforded my team the chance to partner with the incredible expertise they have around the under12
standing and use of data to support automation,” says White, “because the most important tool in your toolbox is people. Period.” In a world of talent shortages and increased digitalisation, expert help is an essential commodity for White. “I couldn’t do my job without having supportive partners,” he says, “and I use the word partner intentionally. A partner is someone you trust implicitly and who is going to do what is right for you. A good partner in business brings new insight and new ways of thinking about what you do.” Early thinking about cybersecurity methodology centred around the maintenance and
“ I couldn’t do my job without having supportive partners” — Chris White, Deputy Chief Information Security Officer, Interpublic Group (IPG)
development of an effective firewall. Then, in the 2000s, applications added an additional dimension. “Not only do I have to have the network protected, but every application needs its own individual defense in-depth stack,” says White. “Proofpoint exposed me to a new dimension of thinking – a whole new axis. We need to be thinking about identity as a third dimension that needs its own levels of protection.” Today, as digital identity becomes more dispersed, both inside and outside the enterprise – across a host of different applications – IPG is working to protect its employees’ identities beyond the standard provided by normal identity access management solutions. “That’s something that Proofpoint brings to the table, because digital identity is w w w.i nte rpublic. com
13
INTERPUBLIC GROUP
14
IPG Chairman and CEO Michael Roth opens the annual IPG Breakfast in Cannes at Cannes Lions Festival 2019
“ Proofpoint exposed me to a new dimension of thinking – a whole new axis” — Chris White, Deputy Chief Information Security Officer, Interpublic Group (IPG)
primarily controlled through email, and they showed us how to harness our data to start protecting the identities of our users more effectively,” says White. Reflecting on the first few months at IPG, White and Hinerman are still putting their stamp on the department and the team. “With both of us being new to the role, I think our short-tomedium term goal is to ensure that our agencies are confident in us to do the job that they’ve asked us to do, and that comes through in good production results that are based
15
upon good data analysis, and that’s
for a Fortune 300 company. Never. Not
impactful,” he explains. Looking for-
five years earlier I was working with
ward to the new year, the IPG team
the Department of Defense, and then
has internally branded 2020 The Year
15 years before that I got out of the Air
of Data Quality. In both the short and
Force as a lower-level enlisted member.
long term, though, the most important
This is kind of like being a kid, hitting a
thing that White is working to build
home run and all of a sudden I’m playing
is trust. “I need to increase services
in the Major Leagues.”
efficiently, build trust, and continue to make IPG’s operations more secure without incurring a cost to its ability to do business. I’m really very grateful to IPG for this chance. I never, ever, in my life thought I would be deputy CISO w w w.i nte rpublic. com
Interpublic Group www.interpublic.com