In the fourth episode of ASUG Talks, we sat down with David McClure, Chief Information Security Officer at CONA Services - A Coca-Cola System IT Services Company. He discussed how he got into the IT field and the ever-changing landscape of cybersecurity.

Jim: 

Hello and welcome to ASUG Talks, a podcast series featuring Candid Career Conversations with ASUG members who lead or work on SAP teams across the United States and Canada. My name is Jim Lichtenwalter. I am the ASUG content manager and the host of ASUG Talks. In this episode, I’m joined by David McClure, Chief Information Security Officer at CONA Services - A Coca-Cola System IT Services Company. David, thanks for joining me.

David McClure:

Thanks for having me.

Jim:

It really couldn't have. Well, great. I had to touch on that before we dove into the other things we got going on. So just to start things off, David, what would you consider your first job?

David McClure:

So the answer to that to me would be a consulting firm that I went to coming out of college. Protiviti is the name of the firm, so they're an internal audit and management consulting firm. I had the opportunity to do a number of different IT general computing controls audits whether it be for SOX clients at that time. So this was 2007 I was coming out. SOX had just been adopted two years before, so it was really exploding from an internal audit perspective. All these companies were having to go out and actually do SOX IT compliance for the first time ever.

So ton of good opportunity there. And honestly for those that are thinking about a career I would tell you getting to start off doing something audit-related is fantastic because you just get to see so much of the footprint of the IT environment at a company. And you start to really understand how the controls are important to actually having safeguards and into what would be the financial processes that are downstream. And while I was there, I also had the opportunity to do some things in the security space. So I did a handful of application security assessments, got the chance to do a little bit of data and analytics, which is something that I think everyone uses day in and day out whether they realize it or not. So it was a great first job for me.

Jim:

So after UGA paint me a picture, where did you go after that? What happened after graduation?

David McClure:

Yeah, so like I mentioned, went to Protiviti. I was actually lucky enough to be able to continue into my next career moves being more security-focused and that was probably still even before so this is what 2009, '10-ish timeframe. Cybersecurity was known, it was important, but it wasn't what it is today which is like the end all be all and can be quite stressful at times, honestly.

So I think I was very thankful that I was able to make that pivot into security. At that time it was very much an application security and also an access controls type of role. But I think it was a good foundation to continuing to expand from there into Identity and Access Management where I was getting a little bit more hands on from a platform and a technology perspective. And then from there adopting more general risk-based principles and to where I am today which is having a much broader purview of all things, cyber identity and risk and compliance-related.

Jim:

Yeah. That leads us into your early days at Coca-Cola Refreshments. Tell us a little about what you were doing there and how your time at Coca-Cola Enterprises has helped you in your current role right now.

David McClure:

Yeah, of course. So Coca-Cola Enterprises, and actually funny story as I joined there. So I think I joined in January of 2010 and that role was an access controls role focused on SAP. And not two months after I'd been announced, Coca-Cola Enterprises announced a massive merger with the parent company Coca-Cola Company which I won't get into all the complexities of franchise agreements with them. But basically probably wasn't aware of how big a transformation was coming ahead of me, but I was thankful enough to be able to remain in a very similar role as they transitioned from Coca-Cola Enterprises to Coca-Cola Refreshments.

But all that history aside, like I said, the job was an access design specialist role, so basically at the time Coca-Cola Enterprises was venturing on a journey to shore up some of their more sensitive access issues that they had over time. So as you can imagine for entities as they're coming into SAP for the time, a lot of them are dealing with two problems. One is what is the right access to give to people doing different job functions? As massive as the amount of capability you can get out of SAP, the authorization structure is equally as daunting. So understanding what to grant to people to not give them too much access, but just enough to do what their job is was a fine art and still is today.

So we came in and it had been for five, six years was a lot of the access that had been granted to a lot of individuals at that time. We did a slight redesign project with a consulting partner and we actually put in place a role-based access control methodology where we were taking people's job or position or department or location and are using some of those variables to try and define what access should be granted. Bumping those up against segregations of duties rules using the SAP GRC product and we over the course of at then Coca-Cola Refreshments over another two, three years, the entire workforce was rolled out onto this access design model which they still had in place until we transitioned to the entity that I'm now running.

Jim:

Since you've been in this particular work, how would you say the role and importance of cybersecurity has shifted over the years?

David McClure:

Great question. And it certainly grows if I think about how interconnected everything and all of us are now. I think cyber security while everyone knows so much more about it, it's probably because there's been so many more incidents and there's so much more prevalent in the reasoning for that which is not a great thing. But in my current role, you can't always talk about cybersecurity without really trying to understand what is the purpose of what you're trying to secure and what's the risk that you have to try and manage when it comes to the data and the platforms that you're operating.

So as who I am today, which is a chief information security officer. You're wearing a risk hat more than you almost are a pure technical security evangelical hat. And what I mean by that is if we take SAP, since that's the purpose of this podcast here for ASUG. SAP has a number of different flavors now from we're running the traditional on-premise ERP to you've also got the cloud-based SuccessFactors or Ariba that many entities that have individuals listening to this podcast might be running. And how you approach security of all kinds and especially cyber security for each of those different platforms is vastly different.

So five years ago, thinking about our ERP solution, I was more worried about what people inside the company could do in that platform than I was worried about what people outside the company would try and do in that platform. Today, they're almost equal risk to me and looking for vulnerabilities, doing things like patching applying notes is just as important as some of those access control things I talked about earlier in the podcast. So there's a lot of effort we've been putting into looking at what's the external threat of our SAP environments.

And then if you pivot and you think about all those cloud solutions, just inherently, most security professionals say, "I want to control everything." But it may not make sense from a cost to operate or from a... Let's say product capability perspective. I can't go build something and host it maybe as efficiently and have the same type of quality as SAP could go off and do so. So knowing that we've got to weigh that risk versus reward and say, "What are the things that matter most about how a cloud system operates?" And obviously have some faith in the partnership with SAP which the good news is I've got the chance to connect with their CISO and their security advisory board quite a bit.

A lot of the things we are talking about is, "Hey, how can we foster transparency? SAP what are you doing? Here's what worked for us as private entities, as public entities and just try and have that collaboration." But at the end of the day, almost everyone now has an understanding of what cybersecurity is. If you're in the boardroom, if you're talking to someone that's just a developer, there is no getting around it. You know exactly what is the impact of not doing something from a... Let's say security hygiene. And if I code something incorrectly, I've probably got an understanding that it might result in someone hacking into my system down the road.

Jim:

You talked about testing your ecosystem for external facing for threats. What goes into that process? How do you all go about kicking the tires for lack of a better term?

David McClure:

There's a lot of different methodologies as the short answer but I think most of the security professionals that might be listening to this podcast have some type of what we call vulnerability management program. So that's going to take a number of different look and feels from a traditional product that's just going to be able to go out and connect all your systems and say, "Tell me what patch levels you're running. Tell me, do you have configurations that don't line up with what I expect them to have." And that works great for systems that you own and operate. And then you've got moving a little bit more into an application layer capability.

Typically, there're products that do scans of web applications, I'll say niche products that will do more like mobile app scanning or security vulnerabilities and in the case of SAP, both SAP has their own products and there are partner products that SAP collaborates with those vendors to be able to release things that can do very similar things. You can connect to your SAP system scan it for known vulnerabilities. You can connect to it and scan for configurations that might be risky depending on how you operate the system. And that's a lot of the visibility we get.

So we try and couple those things that are more, let's say, frequent actions and opportunities with more targeted less frequent opportunities where you might bring in a specialist that is like a pen testing firm, or you've got someone that you're going to do a red team versus blue team exercise where they're going to try and simulate an attempt to hack in your environment and the blue team being your own internal team's going to try and see how well they do and trying to identify and push out the adversary in that case.

And you just bounce a few of those things and something that I think's been becoming a lot more prevalent lately is embedding security in the system development life cycle.

Jim:

Yeah. Moving now, you mentioned your current role and your current responsibilities. Tell us a bit about CONA Services and your current role right now. And what does your day-to-day look like?

David McClure:

We are an IT services entity that really is part of the Coca-Cola system and Coca-Cola has a lot of entities they actually franchise out. Bottling and distribution in the majority of the territories as I mentioned earlier on in the podcast. So here in North America, the decision was made to take what was a much larger entity, that was actually Coca-Cola Refreshments we were talking about before and split it into a number of other independently owned and operated bottling companies. Some of which previously existed prior to that, but some others are actually brand new companies.

So knowing that there was a pitch made to have a common IT platform that would allow them to be able to move at speed and have comfort that you can have the same foundation for how to do something from an IT perspective and go off and do the things that really matter most which is connecting with the customer, how can you get product onto trucks and onto shelves quicker? So given all of that, all I do day in and day out is worry about this platform that is largely an SAP-based platform and what we have to do to secure it to make sure that we keep those millions of cases of Coca-Cola that run through our system every year secure.

So to pivot into your direct question which is what does the day-to-day look like for me? No day is the same for sure. So as timing of when this podcast comes out, I'm sure that we will still be talking about a lot of geopolitical issues that are currently ongoing. So there is quite a bit of my day, these days that's just consumed with keeping up with threat intelligence reports. Trying to understand are there any new risks that are coming towards any entities that might be operating in the European Union, which is not the case for mine but obviously knowing that the U.S. is taking part in a lot of the sanctions that are being levied, there are a lot of U.S. based companies that we do expect to be targeted here in the near future. So I would say that's first and foremost these days for me.

Jim:

Yeah. I can imagine.

David McClure:

But yeah, yeah. It's interesting times. Yeah.

Jim:

We're obviously talking about the situation going on in Ukraine, with Russia invading Ukraine and potential blow back from bad actors sponsored by Russian intelligence agencies or the Russian government. Are bad actors always trying to find new ways into systems? How do you all stay ahead of the curve?

David McClure:

Yeah, no secrets, honestly. I think everyone's doing a lot of the same things which is there are a lot of great entities doing a lot of great things around tracking what are the common we call them TTPs, so tactics, techniques and let's say protocols or processes that are used by a lot of these attack agencies. The reality is a lot of the most effective ones are nation state-backed. So in this case, Russia as we're talking about here. They will still use a lot of the same common tactics that you might think about for someone that's a hacker sitting in the basement if I use the poorly bread analogy but they're going to look to the things that are already open and available. And most of the companies that have the biggest problems are the ones that are not staying on top of the basics like patching their environment, making sure you don't have common holes in your firewalls and other things like that.

And people that aren't spending enough time in awareness training and phishing training for their personnel. Because so many of the things we're seeing that are letting these bad actors get in the front door is as simple as sending a phishing email, someone clicks on a link, they've got malware installed, someone clicking on email thinking that it's from their IT department and they put in their credentials and all of a sudden that person can go do whatever they want with those credentials. Not having things like multifactor authentication turned on, you having a port wide open on the internet. I could go on and on, it's basically a lot of the really simple things and there's just a lot of them and you have to do them over and over and over again to try and stay ahead of what's going on.

Jim:

It's like overseeing a sea of checklists. It sounds like making sure that this box is crossed and this box is crossed.

David McClure:

Yep. Yep. Very well said. Couldn't have said it better. Yeah.

Jim:

Great. So I didn't mean to interject but obviously with what's going on right now, I definitely wanted to have at least somewhat of a conversation about that. So let's continue our conversation about what you do at CONA and what your day-to-day looks like.

David McClure:

Yeah. So cyber aside, just talk about that all day long. My team also is responsible for application security, identity access management, IT risk compliance. And we've created a structure from our board of directors that we call the risk committee so that's a quarterly meeting that we hold and we just give them general state of affairs about all things risk-related to both our company and the platform that we operate on behalf of those individuals that operate the board.

So most of my day-to-day activity honestly, is just trying to stay on top of what it is we have to mitigate from a risk perspective. Like I said, I think earlier in the podcast as well. To me, it all comes back to risk. Why are we doing anything from a security perspective is because we think there is a risk to be mitigated. We're trying to refine some of our things around having risk registers, how we check in with different stakeholders about how we're mitigating different risks across the board.

And I've got a team that does a lot of very tactical things around keeping up with, let's say different day-to-day operational controls, and actually building enhancements into our identity platform. And what's a little bit interesting in our environment putting an SAP spin on it. We actually have 12 different legal entities that operate on our platform.

Jim:

Wow.

David McClure:

And in the case of our SAP instance, it is the exact same SAP instance. So we have to figure out how to... If I use air quotes, firewall off the data from one legal entity from another and still let them operate in the same place. So we put a huge focus into what we call our multi-tenancy controls at the application layer.

Jim:

Great. Let's now talk a little bit about SAP. We've been hinting at SAP for much of the podcast. You mentioned that you first encountered the software early in your career. How would you say that SAP as an organization has changed since you've been a customer and a user?

David McClure:

That's a really, really good question. And I do absolutely think SAP as an entity has changed substantially in my opinion. So when I first started touching SAP, it was all about the ERP. It was all about how you could implement this big system that gave you all of your inventory, all of your supply chain controls. And it was so tightly coupled with how you do things from a financial perspective, you've got the GL that's sitting there right tightly in line with the inventory. You can create all these configurable application controls and you don't have to worry about having all these different people that have to be responsible for following up to things.

Well, building all of that in a central system didn't come without some drawbacks. So from an IT perspective, again, keeping my system hat on, every change we make to that system could have an impact to another functional area. So if I want to go change how the inventory team is doing something, the amount of testing and rigor you have to put into that can be pretty impressive and there's a chance you could touch something else. And for those listening that have gone through all the many what we call releases back in the day where you're putting in support packs and kernel upgrades and you're bundling together all these different pieces of functionality and doing this massive waterfall change management effort.

There's a lot of risk in that. So I've seen SAP start to try and think about how they can decouple from that massive ERP core. A lot of that, I feel like has been for them strategically trying to think about, "Is it a cloud first mentality, or is there a different platform that we think we can build? And in a lot of cases, is it a different platform that we think someone else is already doing very well?" So I'm just going to bring them under my umbrella as SAP. If you think about SuccessFactors, Ariba, both of those are products that we are using or soon to be using here at CONA Services. Those were not SAP developed from the get-go and they bought them and are bringing them under their umbrella.

So I am seeing a lot more and more of the cloud push. I'm seeing a lot more and more of the... How can we get something in the door that already has some legs under it versus us trying to build it from scratch. And I think all that makes sense and if there is anyone from SAP listening to the podcast that they think the thing that I continue to try and talk about time and time again is a lot of us as customers are still having to run that core. So as much as we can try and put integrations first, maybe as much as the user experience that's really important for us because we do find some of the bought products may not have the same type of out of the box integration that something that SAP may have custom-built from the ground up.

Jim:

David, last question for you. I think through our conversation and I think anyone who's been paying attention to the IT industry knows that cybersecurity is only going to become more and more important. Again, especially as we move to the cloud, it's only going to accelerate. What advice would you give to IT professionals who are interested in cybersecurity and are either early on in their career in the first few years or about ready to enter the workforce?

David McClure:

There are so many different ways to get hands-on experience and to really be able to dive into topics and I'll say technologies than when I was first coming out of college. So first and foremost, I would tell anyone that has any interest in doing anything around cloud computing security, just go out and take some training courses. And I can tell you from a cloud security perspective, Microsoft for their Azure platform, AWS for their platform, even Google for their Google Cloud platform. You can take so many trainings free of cost from them because they want you learning their products to be able to then go buy more of them in the future.

So do the trainings, get the chance to do some test trials, try your own things. I think that to me would be the thing that I would try and do more earlier in my career. Thinking about certifications a lot. I think there's a great bit of value that goes into certifications as well, but a lot of them actually have requirements that you have to actually be in the job doing them for a period of time. So I would say if you're at a point where you're trying to make a decision about doing something, I probably wouldn't jump head first into a certification, but as you are starting your journey and saying, "Hey, I really enjoy this. How can I get to the next level?"

I would definitely point people towards certifications. And maybe just the only other thing I'd say is just create a connection group, a collaboration group. So I think the more people you know, the reality is a lot of times good opportunities come up because you had a connection with someone else. Maybe not necessarily because you had the right resume. So I think ASUG being a fantastic example, the more that you can try and go to some of these events, the more that you can try and connect with people. I think the more experience you'll be able to naturally gain because you have seen what others have had to go through. You've got that many more people that can help open other doors for you.

Jim:

Great. I think that is an awesome place for us to stop, David. Thank you so much for joining me today. Really enjoyed our conversation.

David McClure:

Yep. Thanks. I did as well.

Jim:

Ok and that will bring this episode of ASUG Talks to an end. I just want to put this out there, if you are an ASUG member and want to share your story with me on this podcast, talk a little bit about some of the hurdles you’ve overcome, how you got into your career, some of your early victories, we’d love to hear your story. So please reach out to me—again, Jim Lichtenwalter—or you can email us at asugnews@asug.com. Be sure to join me for the next ASUG Talks. And remember to generously share these compelling conversations with other ASUG members, your professional community and industry networks. And just a friendly reminder, you can also find this podcast series on both Spotify and Apple Podcasts. Simply search “ASUG Talks.”