Preparing for the Second Annual ACSC Collaborative Defense Simulation: A Conversation with John McKenna, former SVP and CISO, Liberty Mutual

ACSC board member John McKenna is a co-lead for this year’s Collaborative Defense Simulation, which will take place on September 20 at the Federal Reserve Bank of Boston. Now retired, John, the former Senior Vice President & Chief Information Security Officer at Liberty Mutual, is returning with fellow ACSC Board member Rear Admiral Michael Brown (ret.) to provide his thought leadership and executive private sector experience in guiding this year’s exercise.

Recently, we sat down with John to hear what he believes is the value in engaging with the ACSC and participating in this event. We also got a sneak peek at how this year’s simulation exercise will be different from last year’s.

What drives you to be on the ACSC Board? Tell us about the role you’ve played, your contributions, goals, and interests.

I was with Liberty Mutual for 39 years and for the last nine years was the chief information security officer responsible for their cyber security organization. Although I had spent my entire career in IT, I knew very little about security. I needed to learn how to take the Liberty Mutual cyber security program to the next level.

In 2009-2010, I was looking for resources and attended a few ACSC meetings. In 2011, I became a charter member and served on an advisory committee. I had realized that no one company can do this by themselves and was attracted to the ACSC mission of collaboration across public / private / educational institutions.

Since joining the ACSC, I helped grow the Liberty Mutual cyber security program from a back room operation into a credible program. In 2017, I was invited onto the ACSC Board. Liberty Mutual had established itself as a leader in the security space, and we’d been active in driving the ACSC core mission.

What benefits, in your opinion, does the ACSC bring to its members?

The ACSC fosters true collaboration in terms of ideas, strategies, best practices, sharing intelligence and operational data. As a member, you gain insights into the collaborative intellect of the region’s elite security professionals and can compare your company to leaders like State Street, Fidelity, Blue Cross Blue Shield MA, and the Federal Reserve. It means a lot to have those insights and to bring value back to your program.

You and Mike Brown are helping plan the second ACSC Collaborative Defense Simulation. From your perspective, what is the value of this event?

The theme of the ACSC mission is collaborative defense; the upcoming simulation exercise in September is a part of that. All the planning and engagement leading up to this make up the backbone of ACSC operation.

The simulation exercise engages multiple constituents – CISOs, legal, communications – whoever is involved throughout the year in a company’s cyber security program. The simulation should help each of them to better understand the threats and vulnerabilities that we need to test. Our overall goal is to engage their full teams, to drive value back to the organization, and to generate new ideas. All participate together with other companies in the region to improve their programs and to understand how to respond to a cyber threat.

As participants in the simulation exercise, everyone helps design this process, to build the muscle memory of how we respond together.

What do you see as the integral components of the simulation exercise? How will the 2019 event differ from last year’s event?

Last year was the first ACSC simulation exercise with 100 participants from 20 member organizations. We had a lot of positive feedback, but we also tried to keep it simple. We built out very realistic scenarios, and the facilitation was good. Members responded at their tables, then there was an open, member-driven discussion.

Mike Brown likes to say, “we’ve got to crawl, then walk, then run.” Last year we were in the crawl stage. We do not want to overreach, but to build this event slowly, gradually, effectively.

This year, participants have asked that they not be anchored to their tables all day with members of their teams. Instead, they would like to be able to collaborate with other participants at their role level. The other change this year will be on the communications front where we will continue to push at gaps with federal agencies and the Commonwealth.

Why should organizations participate in the collaborative defense exercise?

The likelihood that an event would impact multiple companies is growing. In fact, we’ve already seen this happen. The simulation exercise teaches organizations how to effectively engage with other partners to defend their own company. It instructs them on what is the best way to react, to collaborate, to build informal networks, and trust with others, including the feds and the Commonwealth. There is great value in being open and sharing pain points, gaps and strengths.

How does the ACSC's cross-sector, public/private collaboration help a commercial organization with their preparation and response to advanced threats?

The cross section of public and private sectors introduces a commercial organization to everything from regulation to public policy. It’s also helpful to hear, from a supply chain point of view, what others are doing. For instance, Liberty Mutual may sell insurance to other members, so the cross section is important. The public / private participation is huge from the federal level on down.

Tell us what excites you the most in regards to the work being done by the ACSC?

The ACSC is becoming more sophisticated in beginning to formalize reputable engagement exercises. Participants in the simulation exercise know what a cyber threat response looks like. We’ve built our teams and know who to call. But we can’t stop. We all have to press forward and get the models and repeatable processes in place.

Although the ACSC is Boston-based, it is a model for effectively implementing regional collaborative programs. Eventually, Rhode Island, Connecticut, New Hampshire and Maine will be involved so that the ACSC truly has a regional base.

The quality of the ACSC board is impressive. Right now, it’s made up of big companies -- Boston’s Fortune 500 -- with the resources, funding and capacity to drive this. These are the professional elite of security. Yet threats are growing for mid-sized companies too. We have to ask, “what is that model going forward for them so they can grow their defenses too?”