An enterprise’s security and controls management program that mitigates risk is only as good as how it operates. Beyond establishing rules and standards, employing technology, educating employees, testing and more, what else can be done? What additional steps in an enterprise can be taken to deter fraud, misconduct, crime and other malicious activities?

Enter Mary Ludford, Vice President and Deputy Chief Security Officer for the Corporate and Information Security Services (CISS) business unit at the Exelon Corporation, the nation’s leading clean power provider. The global corporation has annual revenues of $36 billion and 34,000 employees. The company’s business is vast, complex and dynamic. And with that comes risk that must be mitigated and managed on a daily basis.

 

Controlling the Controls and Mitigating the Risk

Ludford has been with Exelon (and the companies that it has acquired) in various roles since graduating with a degree in Accounting and an MBA in Finance. Her first professional role was with ComEd in Chicago.

“I worked in finance for the first 15 years of my career,” she explains. “In order to strengthen my professional background, I segued into the customer operations area where I was responsible for aspects of the customer’s experience, everything from field services and billing to the call center. My next career progression was in the shared services organization where I ran HR operations, Accounts Payable and Payroll, which helped round out my experience before working in an executive role back in Finance. Before becoming the Deputy Chief Security Officer, I was the Chief Audit Executive for the company.” In addition to her day-to-day roles, Ludford has worked on numerous mergers and acquisitions, including the addition of multiple utility and gas companies and the trading arm of the corporation.

It was the role as a Chief Audit Executive where Ludford found her passion for mitigating risk with the use of a solid control framework. “The mitigation of risk through control implementation is crucial for the success of any organization. These activities ensure employees, vendors, and contractors follow the established protection playbook and keep the organization safe,” she says. The passion for keeping the company safe made it an easy decision when the role of Deputy Chief Security Officer opened.

Exelon’s Corporate and Information Security Services (CISS) organization comprises four areas of protection: physical security, cybersecurity, security operations support, and security governance and strategy. Exelon, as a corporation, subscribes to an enterprise, end-to-end security program, which includes both regulated and non-regulated assets. Security controls can be authored by a federal or state regulatory body or internally within the enterprise. Therefore, careful coordination and review of the control environment is essential to ensure compliance and conformance.

Ludford and her Security Governance and Strategic Analysis team manage all aspects of the security controls program. She works with IT and Business Unit application and Control Owners throughout the organization to ensure that controls are in place and operating. This works to guarantee that security-related objectives are in place and ready to identify, protect, detect, respond and recover from security incidents.

For the last three years, the group focused on completing a Security Controls project to mature its security controls program. There were several improvements that Ludford and her team were seeking to achieve with the project:

  • Refresh the governance document architecture of policies, programs and procedures.
  • Institute a security risk-based approach, with the level (and number) of control expectations scaled to the level of security risk for that asset.
  • Redraft control language and challenge the understanding.
  • Update governance documents to address applicability of the control statements to different asset types and a risk-based approach to remedy exceptions.
  • Clearly articulate responsibility within each control statement and reinforce in the control catalog.
  • Define success as risk-based with the ability to implement and comply with the governance documents.
  • Support a sustainable operating model that includes monitoring for compliance with security policies.
  • Expand tracking to all IT and business-supported applications with the appropriate security controls applied.

Ludford and her team created a certification process to understand how well the business units are following security guidance. The process requires Control Owners to “certify” that the controls they are accountable for have been performed, which helps provide assurance that the controls are operating. If the objectives are not met, Ludford and her team perform an analysis to determine the level of risk to the organization. The business is then required to either create a remediation plan or gain business approval to assume the risk.

“The base foundational element of the Security Governance and Strategic Analysis team is to ensure Control Performers understand what they must do to meet the requirements of the control objectives, as well as ensure the controls are in place and operating,” Ludford explains.

“It comes down to the Control Performers, who are responsible for ensuring the controls are actually performed,” Ludford says. “That can be difficult to do in a large company with a significant footprint. Sometimes the control objective changes from feedback from the business units. It’s a two-way conversation and a disciplined approach to ensure that the people who help us protect the environment are aware, knowledgeable and performing.”

“Results show that a high percentage of people are performing their controls,” Ludford adds. “Typically, the people who are not meeting controls are new to their job and are not aware of the requirement to perform the control. Those are easy to adjust, and we often pursue better ways to on-board owners of the controls. But if they have a technical issue where they can’t perform the control, then we provide options to the business to either replace the asset or gain approval to assume low risk. It’s a way of ensuring a continued focus on our risk-based approach.”

A good example of how the program works can be seen in the Incident Response Program. “The most common attacks come in through phishing emails, so we conduct monthly campaigns to educate and train in order to mitigate risk,” Ludford says. “We send emails to employees, asking them to open an attached invoice, for example. If they open the email, they go straight to a training screen. If they report it through our phishing process, they are congratulated on identifying the malicious email. We have seen great results in decreasing the number of ‘clicks’ that occur in our phishing campaigns.”

Another program example involves Business Continuity Plans, where plans are reviewed and events are drilled in order to determine how the business would recover from an incident. “Finally, in our Asset Management Program it’s all about the assets we want to protect and the importance of the asset to the business. Controls are based on the importance of the asset,” she says. “If you are a billing system asset and counted on for revenue, it’s going to be protected with more controls. Our risk-based approach is effective in identifying what’s high, medium and low importance, so that we have more controls in higher valued areas and fewer controls in lower valued areas.”

Ludford has enjoyed her roles within Exelon, particularly within CISS. “I love the problem statement around how we organize ourselves in a way that employees can adapt to what’s needed to help us protect the company from security incidents. Beginning with the leaders across the company, we have driven that mindset into the hearts of a lot of our employees and we continue to do that every day. It is rewarding to highlight a risk and show people in a manner that is not too invasive, but rather focuses on what’s needed to train, educate and drive performance to protect the company. We are a better company because of our security mindset.”