Security Q&A: Mark Morrison, CSO at Options Clearing Corporation

Mark Morrison is the Chief Security Officer for The Options Clearing Corporation (OCC), the largest equity derivatives clearing organization globally. In this Q&A, we discuss his career journey and many of the challenges he sees within cybersecurity today.

Before joining OCC, Mark served as SVP and Chief Information Security Officer at State Street Corporation. There he provided strategic direction and oversight of the company’s information security program, concentrating on cybersecurity defense, identity, access management, cyber threat intelligence, cloud and virtualization security technologies, and he managed a risk-based information security architecture. He also held security leadership positions at the United States Department of Defense and the Defense Intelligence Agency.

Here is a lightly edited version of our conversation:

Thank you for taking the time with us, Mark. Can you tell us a little about your background and what led you into a career in security?

While an undergrad at the University of Massachusetts in Amherst, I was recruited to join the National Security Agency. When I got there, they were creating a new organization. This is back in the early 1980s. It was called the National Computer Security Center. At that point, they asked me if I would be willing to join that organization as it was just getting off the ground, and I agreed.

I think, like a lot of folks my age, I got started without having to be a computer science major, an electronics engineer, a statistics major or something like that. It’s not like that today because there are established information assurance or cybersecurity programs as majors. I’ve been in cybersecurity practically my entire career. I’ve seen a lot of different changes over that time.

After working in government for a while, I then went to work for MITRE Corporation performing cybersecurity and support of, mostly, the intelligence community and the Department of Defense. I then went back into government, working primarily for the Defense Intelligence Agency, and I eventually became the Chief Information Security Officer there. I was later selected to become the Chief Information Security Officer for the Office of the Director of National Intelligence. Following that, before I retired from the government, I was the Deputy Chief Information Security Officer for the Department of Defense.

Then I left to become the CISO at State Street Corporation in Boston and was there for four years. Now I’m at OCC, and I’ve been here for three and a half years. It’s been a constant job in cybersecurity for close to 40 years now.

That’s really cool, Mark. Was that military in the 80s and mid-90s? What was your focus during those years?

I’ve worked with the military my entire career but never been in the service. I’m always a civilian, mostly on cyber defense, protecting the Department of Defense and intelligence systems from attack from foreign intelligence services, other countries, and cybercriminals. We’ve seen many changes in the level of threats, from the general hacker to nation-states. Then there are more affiliated and unaffiliated criminal elements that attack for more monetary gain.

There’s a lot more sophistication today when it comes to cyber adversaries. They are more structured, more focused and have more resources than they’ve ever had before. They have been remarkably successful for a lot of reasons.

Over the years, I also had a hand in writing many cyber policies for the government and then taking over as CISO at State Street and subsequently at OCC, helping to transform those two security organizations by bringing more resources and stabilizing the security program. It’s been quite a journey.

It certainly sounds fascinating. What attracted you to security as a career in the early 1980s? I’ll bet you witnessed quite a bit of transformation during your career.

Well, it was a job, I liked it and I was somewhat good at it. I stayed with it and never really ventured outside of security. There was always more work to be done, and as the government became more digitized and more reliant on computer technology and networks to perform critical missions, cybersecurity became even more critical. Then, as reliance grew on information systems in the Department of Defense, that drew interest from cyber criminals and increased the variation of attack patterns. It made the Department of Defense more interesting for our adversaries to attack.

I think a lot of it had to do with the explosive growth of the Internet, as well. As someone who was on one of the original ARPANET nodes when it was first developed, it was clear that for many of the protocols and a lot of the networking, security was never built in. After he was asked years later, one of the founders of the ARPANET said that they never really thought about security because they knew everybody that was connected and there were only 20 nodes.

So, no one anticipated the commercial takeoff of the Internet back then. It was expected to be more of a government resource, but, obviously, it took off. Security, as someone said, has been swimming after the boat, trying to catch it for a long time now, and we don’t seem to get much closer, but the boat keeps going faster.

That boat keeps moving. What did you appreciate most about those earlier years working in the government with security?

Well, it was like a free education. The adversaries were better known, and there were many fewer of them, I’ll put it that way. Their objectives were more easily defined. In many ways, other than just from a pure technology standpoint, it was somewhat easier to defend. But as the proliferation of technology occurred, so did more avenues of attack.

Now the attacks span pretty much all of the OSI layers, from layer one to layer seven. To succeed, you have to operate across multiple domains. You have to understand a lot more of the dependencies than you did in the past. I think as the technology evolved, cybersecurity did as well.

The most significant change was how security was applied at that time. Often, a system would be built, or a capability would be developed; whether it was a radar system, command and control, or whatever the system would be, they would get close to the end of development. They would come to the security group and ask: “Okay, now that we’ve built this, how do we secure it?”

That always makes security more difficult because you can never go back. As the saying goes, it’s more challenging to bolt on security than to build it in because there are many design assumptions made, and there is a lot more risk that way than if new systems or capabilities are built with security in mind. I think there’s been a significant shift today, and now most systems are built with security in mind as we realize that cyber is more of an integral part of an end product.

I think that’s why we’re seeing many catchups, as we see with many of the industrial systems built years ago without security being part of the process. They’re finding out now that it’s undoubtedly beneficial from an operational standpoint because of the remote monitoring and management. From a cybersecurity perspective, you’ve introduced an entirely new realm of risk associated with interconnecting all of these components.

Identity management is another area where we have seen a lot of change. I think, broadly, the Verizon Data Breach Investigations Report finds 70 percent or so of attacks driven by hacking involve stolen credentials.

Yes. It’s so much easier if you can steal a credential, especially one that has privilege. It’s interesting that, with the onset of ransomware and other attacks, these are money-making endeavors. What they want, like any for-profit effort, is to reduce costs and maximize their time.

So they look for the targets of opportunity that allow them the easiest access, and one of the easiest access patterns is to be able to suborn credentials. That enables them to access and move laterally within systems to either execute their ransomware or execute whatever exfiltration of data or conduct fraud. They try to get in and out and make as much money in as short of a time as they can.

A lot of the aspects of cybersecurity involve increasing the cost of the attack to the attackers. So it goes back to the classic, “You don’t have to be faster than the bear. You just have to be faster than the next guy.” The attackers will likely pick an easier target.
