Spencer Wilcox first started his career in cybersecurity while in law enforcement in the Commonwealth of Virginia. With training in computer forensics and cyber investigations from the Federal Bureau of Investigation (FBI), Wilcox transitioned to the energy industry at Constellation Energy as a DFIR (Digital Forensics and Incident Response) investigator and has held positions in cyber and physical security leadership ever since.
Now, as Executive Director of Technology and Chief Security Officer (CSO) at PNM Resources, Wilcox oversees a highly skilled and dynamic team of nearly two dozen security staff and has successfully managed and overseen various security projects. Beginning in 2018, Wilcox led a realignment of the organization to help ensure that both cyber and infrastructure teams would have a mutual stake in vulnerability management outcomes and use similar tools and platforms for metrics identification, alerting and notifications, helping the organization to drive mutual accountability for the security process. He has developed the security program at the organization, with nearly 100% of cyber analysts achieving a nationally recognized certification in the past two years.
He led the organization’s critical staff, along with state, federal and local participants, to collaboratively engage in the semi-annual GridEx exercise that simulates cyber and physical attacks on the electric grid and infrastructure. Previously, the company engaged in the exercise alone. Under Wilcox’s influence, and with the collaboration of his federal, state and local colleagues, the 2019 exercise included New Mexico participants from the Department of Energy, Department of Defense, National Nuclear Security Administration, Federal Bureau of Investigation, Department of Homeland Security, State of New Mexico Department of Homeland Security and Emergency Management, and City and County Emergency Management.
In addition to delivering an enterprise-wide phishing awareness program that demonstrated a reduction in phishing susceptibility to below 1%, Wilcox developed a crisis management program that has been instrumental in managing business continuity through the pandemic, including secure remote access and communications.
Wilcox also implemented the S3R3 strategy for technology and security. S3R3 stands for Simplify, Standardize, and Secure by making Resilient, Redundant and Reliable. The strategy uses the NIST Cybersecurity Framework and focuses on recovery first, to ensure that the enterprise can recover from all hazards, and it reduces complexity through the implementation of standard technologies and processes in a secure fashion. As Wilcox says, “we realized that we have to assume that we are breached, and continue to keep the lights on and the beer cold, every day, while living in this hostile and contested environment.”
Though there are many aspects of his extensive career Wilcox is proud of, one project that comes to mind is having the opportunity to build a communications paradigm for cyber and physical security that is easily reproducible and helps get the message out.
“Several years ago, my team and I were having a difficult time explaining security issues. Our business customers regularly believed that cybersecurity was a James Bond problem. They thought that their information was not that valuable, so clearly there was no need to worry about it. They believed that cybersecurity was a matter of firewalls, anti-virus and background screens, just like physical security was about gates, guns and guards. They thought, ‘who would really want to break in and steal what we have or know?’”
Wilcox discussed this with his team, and they tried several different mechanisms: a risk model approach, using heat maps; kill chains; and threat models. While they were successful for communications to boards of directors and/or technical teams, they were insufficient to spur action or acceptance from business users, he says.
One evening while working on a paper for the International Security Management Association’s security leadership course at Georgetown University, he says, “the answer became abundantly clear: We needed to communicate the Threat, the Impact to the business if the threat were actualized, our Response to the threat, and our Expectations of the business, in a simple, easy-to-understand message. One that got to the heart of the issue without creating fear, uncertainty and doubt. One that explained the situation, the impact of the situation on the business, what we were already doing about it, and what we needed from them. Threat, Impact, Response, Expectations, or TIRE. A simple paradigm for cybersecurity risk communication that gets action from the recipient.”
With the introduction of the TIRE methodology, his team began to communicate like a business partner. “We ceased to dump our expectations on the business, and instead focused on the outcome, not the cause,” according to Wilcox. “We started to rethink our purpose and our style, and we began to evolve into a modern risk-based security organization. We were able to train our people to communicate a little more effectively, a little more proactively, and we could do so with one simple word: TIRE.”