As cyber threats increase, PartnerHero continues to innovate on security issues. In this blog post, Scott Morton, VP of IT and Security at PartnerHero, explains why security and IT are two sides of the same coin and how he plans to not only reach PartnerHero security goals but also help our partners achieve theirs.
Scott, tell us about your new role.
My new title is VP of Information Technology and Security. At most companies you have a separation between IT and security, which can sometimes lead to unresolved security issues and tension between the two teams. The fact that IT and Security will both report to me will ensure security is embedded in everything that we do and that the IT and security teams work constructively together.
How did you become interested in IT and security?
Like it must feel for many people, my career path seemed somewhat random at the time but looking back I can see how it was a natural progression through a lot of different roles.
I spent 10 years in the video game industry in an artistic and technical role as a sound designer. In game development, each product has its functional components tightly interwoven with aesthetics. The most valuable thing I brought with me from that part of my career is a well-developed understanding of how seemingly small changes can ripple outwards and affect the whole product. We weren’t just building software, we were creating entertainment by making games that engaged people on an emotional level. To be successful in that, every person on the project needs to understand how their work can impact the entire end-user experience.
In that role I worked closely with software engineers and other technical folks, utilized a wide variety of toolsets, and participated in complex project management, which served me well in future roles. The gaming industry is notoriously unstable and it’s normal to move every few years to where the work is. Once my kids got a little older, it just didn’t feel like the right lifestyle anymore so my wife and I eventually moved back to Boise.
I eventually joined the legal department at Clearwater Analytics, a company that builds investment accounting software, in a compliance role that rested between legal and information security. Our customers were big companies like Apple, Cisco, Facebook and Spotify, and also highly-regulated companies like insurance firms and banks. We were on the receiving end of their vendor security assessments and I was the one making sure our software met all the security requirements of these customers. Over a few years and through some trial by fire, I learned what should be present in a good information security program. By the time I came to PartnerHero, I was ready to help an organization build a proactive security program from the ground up.
When COVID hit at PartnerHero, we didn’t have a developed IT program yet. I was tasked with building a security and an IT department simultaneously. Now I’m stepping into a strategy and supervision role, helping people in each of those departments learn and grow.
What has changed at PartnerHero since you joined?
When I joined PartnerHero there were just over 300 employees - we were small enough that we were still kind of winging it. The biggest difference now is our systems and processes have become more formalized to account for the growth of the company. For example, we’re finalizing an ISO 27001 certification this year, which demonstrates that PartnerHero now has a security program that meets industry standard best practices. Some examples of those practices include more robust processes around granting access to apps and systems, more formal change management, and increasing education around security awareness (which we can never do too much of). As the company continues growing, we have to have more developed policy communication methods, ensuring information gets to everyone who needs it.
How do you see PartnerHero changing in the next 1-3 years in terms of security?
One of the biggest changes is tied to our ISO 27001 program efforts. The components of a program like this also sit at the core of a lot of other security compliance regulations like HIPAA and PCI-DSS. The more we can leverage a program that checks all those boxes, the better positioned we are to reduce security risks for PartnerHero. I’d eventually like to see us be able to pass that expertise and value to our partners through consultation, where we’re teaching partners how to be more secure within their own organizations.
As we partner with more companies who handle and process sensitive customer data, I see our information security program growing more robust in tandem, and our data protection processes continuing to evolve.
On the IT side, we were really lucky to already be so cloud-centric when COVID hit. All our tools and apps are in the cloud and this eases the lift considerably from an operational standpoint. I don’t see that cloud-centric model changing - this method allows us to maximize our flexibility around the world. I think the biggest challenge here is figuring out where our resource spend should go - it’s possible to pay a lot of money for tools that don’t truly give you a return on their value.
What do you love about working at PartnerHero?
I love the fact that even though we’re over 1,300 associates in over 30 countries around the world it still feels almost family-like. Somehow we’ve been able to maintain an attitude and culture of openness through all that growth, which is a rare and special thing. There is a willingness to learn and be humble. I don’t see a lot of ego in the leadership team. I’ve been at companies and in situations where there was a large amount of ego amongst management, and it can be incredibly destructive to a business. When that humility and willingness to learn is coming from the top of the organization, you can truly adapt and grow.
I’m really glad I had the opportunity to join PartnerHero when it was still fairly early. I got to play a role in laying the foundation for the security and IT program. At previous jobs I’ve had to adapt to what was already there, which is always a challenging dance. Those experiences gave me some insight into how things could potentially be done better.
Those experiences are also why I’m so passionate about running IT and information security as tightly knit teams. The fact that IT reports to information security at PartnerHero is purposeful, and less common in companies. There’s an interesting perspective shift when those artificial barriers are broken down. There is no better structure for a security-first organization.
What types of unique challenges does PartnerHero have from an IT and security perspective? How are we approaching these challenges in a unique way?
The fact that our associates interact with so many different partner teams, each with their own technology stack, is a unique challenge. There are different degrees of immersion in each partner’s apps and tools, and at the end of the day it’s basically a shared security model. Our partners secure their own platforms, but our associates still have to understand what those core data protection practices should be. I’d like to continue to develop this education aspect. One reality with security is that you can have the best systems in place and watch them break down when people aren’t educated about how to protect them and protect themselves. If someone doesn’t handle data the right way or understand the regulatory “why” behind things, that creates risk. I really enjoy teaching and plan to spend more time on the educational aspect in the coming months.
What kind of things do you like outside work?
I’m a huge gamer. I always will be, after working in that industry for over a decade. I know it will always be a part of my life. I love seeing what new capabilities and technologies are being used in games as the industry evolves.
COVID kicked off a new hobby for me - fitness. I was never really into working out but started running every day at lunch as a way to deal with the stress of being stuck inside most of the time. My wife and I both got into it - we’ve been running for over a year and now are getting into weightlifting. I’m in better shape than I’ve ever been in my life and I’m really happy about that.
I also love to travel. My kids are getting older which makes it easier (and more worthwhile) to take them on international trips. Japan was our favorite place that we’ve visited so far. We loved the food and the culture and there’s so much to see there.
Anything else you’d like to share?
If there’s a fundamental thing to remember about our businesses today, it's that nothing is totally secure. If we wanted to truly be secure the only option would be to bury our computers in cement and never use them again. The focus needs to be looking for the biggest risks to your business, and mitigating those. You need to answer the question: what are the resources that we have and where can we put them to reduce our risk as much as possible without making everyone’s lives too hard from a productivity standpoint? It's all about walking that line - how do we reduce risk and keep the wheels turning to stay innovative? Technology is always changing, and at the end of the day, when someone is coming after your business (from an information security perspective) you need to be sure there isn’t a low-hanging branch for them to grab.