Security speaks to Tracy Reinhold, Chief Security Officer (CSO) at Everbridge, about the importance of critical event management and enterprise resilience.

Security: What is your background, current role and responsibilities?

Reinhold: I received my BA in History from the University of Maryland after serving as a United States Marine. I then joined the Federal Bureau of Investigation (FBI), where I served for 22 years. During my tenure, I transitioned to working on National Security matters following the 9/11 attacks and was promoted into the Federal Government’s Senior Executive Service in 2004. In 2006, I served as the head of the FBI’s operations in  Kentucky and then was promoted into the Intelligence Division at FBI headquarters in Washington, D.C. Afterward, I became the Assistant Director of the Intelligence Division and finished my career as the Associate Executive Assistant Director for National Security. After retiring from the FBI, I served as a corporate officer for the Walmart Corporation and established their global investigations teams in the U.S., Asia, India, Africa and South America. In 2015, I became the first CSO for Fannie Mae and continued in that role until accepting the challenge of being the first CSO for Everbridge. As CSO, I am responsible for advancing the company’s enterprise-level security strategy, as well as working closely with customers and partners to optimize their organizational approach to managing and responding to critical events. I focus on providing strategic guidance and thought leadership by examining the industry and the organization to identify needs, risks and opportunities that will lead to a more resilient enterprise.  

Security: How can enterprises evaluate and benchmark enterprise resilience and preparedness?

Reinhold: While there are many metrics to consider, the ability to recover from a business disruption is the most critical. Organizations should prioritize having a comprehensive crisis management strategy that evaluates impacts from both the brand and reputation perspectives. If an organization cannot map a clear path to recovery, it will not be able to meet the needs of its customers. Detection and prevention are also critical. It’s not enough to be successful in business you also have to be successful in preparing and executing a defensive strategy for your network, customers and upstream and downstream dependencies, such as vendors. We find many companies will be very careful inside the four walls, but they can create vulnerabilities by not conducting due diligence on their upstream and downstream dependencies, whether they’re vendors, suppliers, or other stakeholders that they regularly interface with.

An often-overlooked part of security is the education of the employees of the organization. They are the first and best line of defense through the use of good information security practices. While harder to measure, the cross-functional ability of a company to enable enterprise resilience is a key indicator of an organization’s capacity to ensure a return to revenue quickly after a disruption.

Security: What are the benefits of evaluating and benchmarking enterprise resilience?

Reinhold: You can get ahead of threats by being informed and having the technological capabilities to actually take action on that intelligence once you’ve acquired it. So if you’re consistently in a reactive mode, you will eventually fail. By proactively reducing risk and vulnerability, we can create an environment that allows a company to be successful. At the end of the day, that’s our job. If a company is not successful, then we don’t have a job. If you can’t protect the organization and allow it to succeed from a revenue, brand and reputation perspective, the company ceases to exist, and everybody is looking for a new job. We’re finding now that security is integrating more into organizations and becoming a stakeholder in the success of a company. 

Security: How can a critical event management program help organizations make better strategic data-driven decisions?

Reinhold: Critical event management programs and technology are security functions that must be integrated into the core business. Preventative techniques such as this will go a long way in making organizations resilient and sustainable into the future. It’s imperative for organizations to have a critical event checklist: Do you know where your assets are? Do you have critical infrastructure backup out of the region? These things help you navigate through the crisis. Having situational awareness adds to your organization’s toolbox when you are actually faced with a critical event. Ask yourself, what are you doing as a team, whether it’s business continuity, resilience, security, whether digital security or physical security, to ensure that the company has the best opportunity to generate revenue and to be successful? This often means that the security professionals have evolved to become “students of the business,” understanding what’s critical to the company so that they know what they’re trying to protect. 

Additionally, security is slowly evolving from a cost center to a value center. This is a huge transformation most successfully completed by thinking and acting outside of the normal confines of security. Whether it’s identifying potential loss, risk and vulnerability, and then mitigating that in a way that resonates with the business, recognize how security adds value to the organization. In my previous roles, “left of boom” was super important. It does not negate your responsibilities when an event happens, but it’s so much better if you can prevent or mitigate the impact before the actual critical event. You can do that by leveraging intelligence, using that intelligence to inform your workforce about potential risk vulnerabilities so that you can position them to be more successful.