Q&A with Guillermo Guerra, Prudential’s Group Chief Information Security Officer

We recently caught up with Prudential’s Guillermo Guerra,  Group Chief Information Security Officer, to discuss security and identity management. Guillermo began his career at Prudential as chief information security officer at Jackson National Life Insurance Company, or Jackson, a Prudential subsidiary. In this conversation, we discuss Guillermo’s fascinating start to his information-security and identity-management career and his current views on security and identity management.

As Group Chief Information Security Officer, Guillermo oversees the global group information security program, including Africa, Asia, Europe and North America for Prudential. Guillermo is responsible for centralizing Prudential’s cybersecurity disciplines and bringing consistency to protecting its information assets regarding more than 26 million customers and over $850 billion under management.

Here’s our conversation:

Could you tell us a little bit about how you got started professionally in cybersecurity?

Yes. It’s a very interesting story. My bachelor’s degree is in mechanical engineering and my master’s degree is in industrial engineering.  These degrees don’t have anything to do with computers. They are more of a study of process optimizations and simulations — very technical but nothing to do with technology.

Then, following college, I was offered a job at Citi Group. They placed me into a global leadership program designed for people who had just graduated from certain programs. It was a rotation program in different areas across the operations and technology groups within Citi Group and each rotation lasted eight months.

This job was going to be in Florida. Life was looking good, I had a great job and was going to live in Florida. Then I was told I needed to report to a certain person at a certain office. I looked at his title: director of network engineering. I never thought in my life I was going to be working with an actual physical computer network that involved routers, switches, and all this other stuff.

I wasn’t sure about this move at all. They didn’t agree. “Don’t worry about it. Use your skills. You should be able to do it fine,” they said. I grabbed the attention of one of the engineers. He took me into a data center and began breaking down the basics for me: This is a router. This is a switch.

How did you successfully make the leap from a mechanical engineer to a security professional?

I realized that networking is nothing different, essentially, from mechanical engineering. This is a plumbing system with pipes. The difference is that the fluid is a digital fluid, but it’s still a fluid and it still needs to have certain thresholds. That’s how I viewed it so that I was able to pivot into technology. That was my introduction into technology. I did it. I did a good job there and was actually able to use a lot the optimization techniques that I was taught and apply them to the digital world.

That’s how I end up in technology.

The second rotation was in the compliance department. That’s where I started learning a lot about technical controls and processes. At that time in security, compliance was not really that separate from security. This was around 2001 when security was more of a compliance activity with standards — don’t share your passwords and stuff like that. Security was not really a big thing yet.

My third rotation was my first move specifically into information security. It was a position focused on managing the program: are you doing self-assessments? How are you monitoring logs? Are you managing identity? Are you providing security updates? This got me hooked into information security. And my first formal job started as an information security professional in Latin America.

Why did you decide to stay in information security?

I believe that information security has grown by its defining moments. What I call defining moments are those things that happen that produce change. The first defining moment that really hooked me into this security career was the SQL Slammer worm. I still remember it. That thing came in and hit a lot of major financial companies hard. It happened over the weekend. We worked all weekend and were very close to not opening on Monday for trading. I took the lead and I started calling countries, taking servers offline. We couldn’t communicate through email, so we were recovering and restoring everything over the phone and fax machine.

I believe that was when I became really hooked, and I believe when I became good at security. The company then asked me to create a threat-monitoring program. I developed that for Latin America and worked with the global team on threat monitoring as well. We soon implemented a mature program that reduced and managed risk.

What’s your view on cybersecurity today?

Cybersecurity is an arms race. Criminals are always trying to steal or disrupt, and they simply follow the money or follow the weaknesses where they can cause disruption. There have always been these defining moments that increased the prevalence of cybersecurity within organizations. Prior to big worm outbreaks, no one worried about worms. Just as prior to a number of substantial distributed denial-of-service attacks, nobody really thought much about these types of attacks.

We’ve always had data breaches, but we didn’t have a big wave of data breaches until more recently. The first waves of breaches rushed through retail before expanding to other industries. Today, it’s across the board: retail, financial services, healthcare, insurance. Attacks are just so prevalent today that this job never gets boring.

What are your thoughts on the role of identity management and security?

In terms of governance, identity is critical. And that is what I believe SailPoint brings to the table — to make it easier for enterprises success at identity governance. I think it’s very important because identity links to everything. Identity links to your privileged access, to your vaults, to every system. It’s why identity governance is one of our primary goals today.

Identity also helps us with all of our automation efforts. A problem with people is they forget to do things. If something is automated, it always gets done. We used to manage identity here at Jackson within silos. Now we are using SailPoint to improve this identity lifecycle management. It’s a long process, but we are better now because we are constantly improving. We continue to invest in our identity program and add more applications to automated workflows.

I also see identity as a central part of the information security program. It’s one of the main pillars. I always say I can’t secure anything if I don’t know who has access to what. When people question why something is important or relate identity management to a pen-testing perspective, they will understand that we can’t detect bad activity if we can’t see who has access to what resources.

When it comes to identity management, what will your focus be in the near-term?

Our focus will increase on the data side. We are moving to more of a data-centric security model and trying to not rely too much on perimeter security anymore. A lot of this is cloud-driven. With cloud you can’t focus on a network perimeter; instead, you focus on data and who has access to it. This makes toolsets like SecurityIQ more and more of a necessity. A requirement. We need to understand who has access to what data; not only to the share drives, but to specific files.

Just like cybersecurity, identity management is always changing and never boring. And because of the growing amount of data stored out in the cloud we are going to have to increasingly focus on the security of that data.