Managing Risk and Threats at the Exelon Corporation

Meet Mary Ludford, Vice President and Deputy Chief Security Officer for the Corporate and Information Security Services business unit at the Exelon Corporation.

By Diane Ritchey
“It’s not a matter of if, it’s a matter of when, and we just have to be on our guard to make sure that we are protecting the crown jewels with everything we’ve got,” says Mary Ludford, Vice President and Deputy Chief Security Officer for the Corporate and Information Security Services (CISS) business unit at the Exelon Corporation.

Photo courtesy of Mary Ludford

October 3, 2019

An enterprise’s security and controls management program that mitigates risk is only as good as how it operates. Beyond establishing rules and standards, employing technology, educating employees, testing and more, what else can be done? What additional steps in an enterprise can be taken to deter fraud, misconduct, crime and other malicious activities?

Enter Mary Ludford, Vice President and Deputy Chief Security Officer for the Corporate and Information Security Services (CISS) business unit at the Exelon Corporation, the nation’s leading clean power provider. The global corporation has annual revenues of $36 billion and 34,000 employees. The company’s business is vast, complex and dynamic. And with that comes risk that must be mitigated and managed on a daily basis.

Controlling the Controls and Mitigating the Risk

Ludford has been with Exelon (and the companies that it has acquired) in various roles since graduating with a degree in Accounting and an MBA in Finance. Her first professional role was with ComEd in Chicago.

“I worked in finance for the first 15 years of my career,” she explains. “In order to strengthen my professional background, I segued into the customer operations area where I was responsible for aspects of the customer’s experience, everything from field services and billing to the call center. My next career progression was in the shared services organization where I ran HR operations, Accounts Payable and Payroll, which helped round out my experience before working in an executive role back in Finance. Before becoming the Deputy Chief Security Officer, I was the Chief Audit Executive for the company.” In addition to her day-to-day roles, Ludford has worked on numerous mergers and acquisitions, including the addition of multiple utility and gas companies and the trading arm of the corporation.

It was the role as a Chief Audit Executive where Ludford found her passion for mitigating risk with the use of a solid control framework. “The mitigation of risk through control implementation is crucial for the success of any organization. These activities ensure employees, vendors, and contractors follow the established protection playbook and keep the organization safe,” she says. The passion for keeping the company safe made it an easy decision when the role of Deputy Chief Security Officer opened.

Exelon’s Corporate and Information Security Services (CISS) organization comprises four areas of protection: physical security, cybersecurity, security operations support, and security governance and strategy. Exelon, as a corporation, subscribes to an enterprise, end-to-end security program that covers both regulated and non-regulated assets. Security controls can be authored by a federal or state regulatory body or internally within the enterprise. Careful coordination and review of the control environment is therefore essential to ensure both compliance and conformance.

Ludford and her Security Governance and Strategic Analysis team manage all aspects of the security controls program. She works with IT and Business Unit application owners and Control Owners throughout the organization to ensure that controls are in place and operating, so that the security-related objectives are met and the organization is ready to identify, protect, detect, respond and recover from security incidents.

For the last three years, the group focused on completing a Security Controls project to mature its security controls program. There were several improvements that Ludford and her team were seeking to achieve with the project:

  • Refresh the governance document architecture of policies, programs and procedures.
  • Institute a security risk-based approach, with the level (and number) of control expectations scaled to the level of security risk for that asset.
  • Redraft control language and challenge the understanding.
  • Update governance documents to address applicability of the control statements to different asset types and a risk-based approach to remedy exceptions.
  • Clearly articulate responsibility within each control statement and reinforce in the control catalog.
  • Define success as risk-based with the ability to implement and comply with the governance documents.
  • Design the program to support a sustainable operating model that includes monitoring for compliance with security policies.
  • Expand tracking to all IT and business-supported applications with the appropriate security controls applied.

Ludford and her team created a certification process to understand how well the business units are following security guidance. It requires Control Owners to “certify” that the controls they are accountable for have been performed, which helps provide assurance that the controls are operating. If the objectives are not met, Ludford and her team perform an analysis to determine the level of risk to the organization. The business is then required to either create a remediation plan or gain business approval to assume the risk.

“The base foundational element of the Security Governance and Strategic Analysis team is to ensure Control Performers understand what they must do to meet the requirements of the control objectives, as well as ensure the controls are in place and operating,” Ludford explains.

“It comes down to the Control Performers, who are responsible for ensuring the controls are actually performed,” Ludford says. “That can be difficult to do in a large company with a significant footprint. Sometimes the control objective changes from feedback from the business units. It’s a two-way conversation and a disciplined approach to ensure that the people who help us protect the environment are aware, knowledgeable and performing.”

“Results show that a high percentage of people are performing their controls,” Ludford adds. “Typically, the people who are not meeting controls are new to their job and are not aware of the requirement to perform the control. Those are easy to adjust, and we often pursue better ways to on-board owners of the controls. But if they have a technical issue where they can’t perform the control, then we provide options to the business to either replace the asset or gain approval to assume low risk. It’s a way of ensuring a continued focus on our risk-based approach.”

A good example of how the program works can be seen in the Incident Response Program. “The most common attacks come in through phishing emails, so we conduct monthly campaigns to educate and train in order to mitigate risk,” Ludford says. “We send emails to employees, asking them to open an attached invoice, for example. If they open the email, they go straight to a training screen. If they report it through our phishing process, they are congratulated on identifying the malicious email. We have seen great results in decreasing the number of ‘clicks’ that occur in our phishing campaigns.”

Another program example involves Business Continuity Plans, where plans are reviewed and events are drilled in order to determine how the business would recover from an incident. “Finally, in our Asset Management Program it’s all about the assets we want to protect and the importance of the asset to the business. Controls are based on the importance of the asset,” she says. “If you are a billing system asset and counted on for revenue, it’s going to be protected with more controls. Our risk-based approach is effective in identifying what’s high, medium and low importance, so that we have more controls in higher valued areas and fewer controls in lower valued areas.”

Ludford has enjoyed her roles within Exelon, particularly within CISS. “I love the problem statement around how we organize ourselves in a way that employees can adapt to what’s needed to help us protect the company from security incidents. Beginning with the leaders across the company, we have driven that mindset into the hearts of a lot of our employees and we continue to do that every day. It is rewarding to highlight a risk and show people in a manner that is not too invasive, but rather focuses on what’s needed to train, educate and drive performance to protect the company. We are a better company because of our security mindset.”

KEYWORDS: cybersecurity energy services risk management threat assessment

Diane Ritchey was former Editor, Communications and Content for Security magazine beginning in 2009. She has an experienced background in publishing, public relations, content creation and management, internal and external communications. Within her role at Security, Ritchey organized and executed the annual Security 500 conference, researched and wrote exclusive cover stories, managed social media, and authored the monthly Security Talk column.

Copyright ©2025. All Rights Reserved BNP Media.