I’ve done several interviews about Cyber Security lately, but Chris is perhaps the most senior person I’ve spoken with on this subject. As Corporate Vice President of Cyber Incident Response at the New York Life Insurance company, as as Chief Information Officer previously at two separate companies, Chris has a very unique perspective. His story of switching from CIO to focus on cyber security, and about the incredible growth coming in this field is compelling for anyone even remotely interested in considering Cyber Security as a career path. We also talk about his experience in the Reserves and advice to other Veterans about considering staying in the Reserves.
About Chris Koc:
Chris Koc is the Corporate Vice President of Cyber Incident Response at the New York Life Insurance Company. He started out in the Army, where he served as a Communications Officer for over four years on Active Duty. Since his military service, he has worked at Accenture as a Technology Manager, at the Facility Group as their Chief Information Officer, LakePoint Sports as a Chief Information Officer, and more. He has served over 21 years in the Army Reserves, retiring at the rank of Colonel.
This episode is sponsored by Lockheed Martin. At Lockheed Martin, veterans are at the center of everything they do — in fact, one in five of their employees has served in uniform. Lockheed Martin is proud to help men and women like you successfully transition into civilian careers. Join Lockheed Martin and you will find opportunities to take on the same kind of long-term challenging assignments you tackled while in the military. Whether you’re on active duty, transitioning or already embarking on your civilian career, Lockheed Martin’s Military Connect is your online community for professional support. You can find out more at https://lockheedmartin.bravenew.com
StoryBox- People trust each other more than advertising. StoryBox provides the tools and supports businesses need to take the best things customers say about them, and use them to drive more sales and referrals. StoryBox offers a 10% discount to companies employing veterans of the US Armed Forces.
DOD Security Awareness Courses
SANS courses - can be expensive, so try to get employer to cover this cost. These are usually 5-day courses that are really high quality. The SANS website also has free components with primers about different aspects of sectors.
Transcript & Time Stamps:
Joining me today from Atlanta is Chris Koc. Chris is the Corporate Vice President of Cyber Incident Response at the New York Life Insurance Company. He started out in the Army, where he served as a Communications Officer for over four years on Active Duty. Since his military service, he has worked at Accenture as a Technology Manager, at the Facility Group as their Chief Information Officer, LakePoint Sports as a Chief Information Officer, and more. He has served over 21 years in the Army Reserves, retiring at the rank of Colonel.
Can you share more about your first transition out of the military?
I made the decision in 1995 to leave Army. At that time, the military was going through a significant reduction. The message from the Army was that there might not be a lot of opportunities for junior officers so we might want to consider looking elsewhere. I took that to heart and submitted my separation letter. I was stationed in Alaska at the time so interviewing and looking for jobs was difficult.
In 1996 my wife and I left Alaska on our way to Atlanta. What I wish I had known was how to evaluate the culture of a company during the interview process. Internet was not a part of daily life so access to information about companies was limited. During the interview process you’re interviewing them as much as you’re interviewing them.
My first job was at Accenture which was a great learning experience. But I was lucky that I ended up with a company with a good culture. It wasn’t a conscious decision. I wasn’t used to dealing with people that had been in the same position for ten years. In the military, because everyone is constantly moving around, you have to be a team player. So I had to make some adjustments to the civilian workforce.
What kind of a company is New York Life Insurance and Company?
New York Life is a 173 year old mutual insurance company. It’s on the Fortune 100 list and 12,000 corporate employees with 12,000 agents. Like any large company, they don’t necessarily move very fast but they have the capacity to succeed in many different initiatives at once.
You are the Corporate Vice President of Cyber Incident Response. Can you explain what you do in this position?
It really depends on the day. My primary responsibility is to direct investigations after a cyber incident. That could be relatively routine like someone in the company being affected by a phishing scam or advising a business unit that has been affected by a larger scale cyber incident. We do an investigation and make sure everything is looked after properly.
When not directly involved in an investigation, our team is engaged in fielding new software for our response program and planning tabletop cyber exercises. In a nutshell, I’m expected to be an expert on cyber security across our company.
What is your typical work lifestyle like?
I probably travel one weekend a month. The hours depend. If there’s nothing we’re actively investigating, it’s usually about a 40 hour week. But if we have something actively going on, the hours can be much longer.
Do you have any advice for veterans regarding cyber security?
I’m not a Facebook or Twitter account holder. I have a LinkedIn account for professional purposes. From an OpSec standpoint, social media activity does draw attention. I’ve seen a number of incidents now when someone’s online identity was stolen and it’s a nightmare. If you’re going to maintain an online presence, you need to protect yourself and educate your friends and family.
Why might someone be interested in going into the cybersecurity field?
People need to have an appetite for complex concepts and an understanding of technology. Once you understand when your interests lie, you can decide whether or not cyber security. Cyber security is a very fast-paced field. It’s exciting but it also comes at a price. The hours can be long. If you want a very predictable job this might not be the field for you.
How did your military experience prepare you for this?
There are all kinds of awareness courses that are available through the DOD that people can take if they are interested in this. These will give you an understanding of what this field looks like and what’s going on. There’s also a number of great blogs. It’s also good to get an understanding of what the big issues are right now in cybersecurity.
In the Army in the early 2000s, I was a cyber security officer. They created a new reserve cyber-security unit and I got into it. So I was bouncing back and forth between my military training and my civilian training. I became the expert in our office for cybersecurity.
What are some cyber security risks facing companies today?
Cloud security is big. As more information moves to the cloud, cloud security is becoming a huge part of the whole security field. A lot of it is working in conjunction with the infrastructure and application specialists who are moving their information to the cloud. They’re trying to fix some of the security vulnerabilities that they have. But they really need to understand how security in the cloud works in order to make this successful.
Software security is also very important. Until recently software engineers focused on just creating software the worked but wasn’t necessarily extremely secure. Now the security of software is becoming more of a primary aspect of development.
Do you have any advice for people on how to get their company on board with how important cyber security is?
I think a lot of people don’t understand the risks. You have to tailor your message to put it in terms that people understand. Make it relevant to your audience. You have to be intelligent about the discussion you have with executives, board members, and others.
Do you have any resources that you would recommend?
It depends on what aspect of the field you’re in. If you’re in the more technical side of the field, the SANS courses are very good. They are five day courses. The experts that present in these courses are at the pinnacle of the field. Start reading through online material that is available on the SANS website.
What are the different areas of cyber security?
There is everything from the technical aspects of the field to policy writing. The SANS courses I mentioned are good for learning about all the different components.
Most larger companies have policies and procedures that dictate how the technical components work together. This is a real expertise that doesn’t always get a lot of air time. But in reality if you don’t have good policies, it can be detrimental to the company.
You’ve served as a CIO at multiple companies. Can you talk about what this means?
I lead the technology in the firm I was at - infrastructure, applications, and data storage. I tried to balance my time between making sure the functions I mentioned were going in the direction we wanted as well as interfacing with executives to make sure we were meeting their needs. It was an awesome amount of fun.
As a CIO, a good team makes all the difference. Building these teams has been very rewarding for me. You want to stay ahead of the technology needs of the company. You have to read people and figure out what the need to do their jobs in terms of technology.
It seems like your role now is more specific than your previous positions as a CIO. How did you make this transition?
Back in the late 1990’s cyber security wasn’t a big thing. So the focus was on IT operations, getting technology infrastructure up and running. So the CIO roles were an outgrowth of that. What I learned on the security side was that I needed the operational experience to be good at security.
I got to live the early days of the internet and early computers. I got to experience first-hand all these different aspects of computing.
Security is a different take out of technology. When I was doing computer security with the Army in the early 2000s, I found it very interesting. Operations today are becoming much more automated. But security was a wide open hole in the 2000s. When I looked at this position, I wanted to move my focus to cybersecurity because I knew that it was really a growing field.
Why did you make the decision to stay in the reserves after your active duty time?
For me, it has been more difficult at times than I realized it was going to be. When I came off active duty in 1996, I had no idea what the reserves were going to be about.
But when I was out processing, I found out about a unit where I was going to be living. I ended up sticking around for a while to see if I liked it. As a civilian, I missed the camaraderie of the military so I decided to stay in the Reserves. After 9/11, the op-tempo picked up and that was challenging at times to balance both my civilian job and my Reserves duty.
In terms of technology, the military moves much more slowly than the civilian sector. So if you have that expertise, it’s valued.
What are common mistakes veterans make when leaving the military?
In reality both civilians and military members work equally as hard. From a civilian standpoint, one of the biggest mistakes I see veterans make is overstating their experience leaving the military. In my shop here at New York Life, I have five former military. They look at a veteran’s resume and they know whether or not you are being honest.
Is there anything else you’d like to share with our listeners?
Transitioning from the military is not that complex but it is a mindshift. There are some things you just don’t deal with in the military that will become very important in the civilian sector. One is budgeting. In the military, you really don’t have to fight for a budget for programming your department. But budgeting is a key part of almost all civilian job.