SVP AND DIRECTOR OF SECURITY AND FRAUD OPERATIONS FOR PNC BANK
Original Interview, January 29, 2019
As Senior Vice President and Director of Security and Fraud Operations at PNC Bank, Susan Koski manages a team of 430 cyber and fraud professionals. She is driven by curiosity and a constant need to learn. “In cybersecurity,” she says, “You never have the same day twice.” Now juggling the demands of motherhood, Koski shares some of the lessons she has learned along the way.
How did you get interested in cybersecurity?
I always had an aptitude for math and analytical subjects. My senior year in college, I was exploring what I wanted to study. My mom and dad never told me there were limits. It was always, “Go do what you want.” I did think about law school but decided to pursue engineering as it fed my propensity for math and analytics. I received my electrical engineering degree from the University of Pittsburgh and spent the first part of my career in application development for nuclear control systems, performing software testing, validation, as well as coding.
During this time, I attended night school at Duquesne University, which had a great program for students who were also working full time. I received a Master of Business Administration (MBA) and took a job with a smaller firm, which fed my creative mindset. The company culture was similar to a start-up, and while I enjoyed it, I was searching for more. I attended a job fair and received two offers, taking a position with Mellon Financial in Pittsburgh in their information security department. It was my first job in information security, in an area I knew the least about.
Tell me about that job at Mellon and its subsequent merger with Bank of New York.
I was at Mellon Financial of Pittsburgh from 1998 to 2006 leading the Network and Perimeter Defense function. Here, I managed defensive operations, vulnerability management, digital forensics and network assessments. When the company merged with Bank of New York, I was brought in to work with senior leadership to merge the Technology Risk and Information Security functions. In that role, I learned about mergers of equals and the key methods to a larger integration, having worked on many mergers and divestitures previously.
How did you grow in the company?
The company allowed me to learn by expanding the capabilities of the processes, people and technology. The key items were continual improvement in the maturity of functions. The culture allowed expanding our capabilities but also encouraged questioning why and how to do things differently to achieve the best solution. These opportunities gave me the levers to be seen as a key leader who expanded capabilities and got things done.
Then when the merger happened, my boss’s boss came to me and said, “We want you to work on the merger, integrate both companies, and create best of breed.” This provided the ability to work with executive leaders and an expert project manager to meet the best of breed and synergy goals of the merger. That was pivotal and significantly helped me in my next roles. I am grateful for these leaders for seeing my potential and allowing me to flourish.
What do you consider one of your biggest successes there?
My biggest success was building an excellent team that worked incredibly well together. We were a lean, mean fighting machine with incredible collaboration and comradery. I’m still connected to them.
What is it that excites you about cybersecurity?
What I love about the field is the continual learning opportunities. I always ask myself, “How do I feed my curiosity?” That’s a large part of how I got where I am. In cybersecurity, you never have the same day twice, which is perfect for someone who doesn’t like to do the same thing over and over. Also, in cybersecurity, you have to question why and have the ability to consider various hypotheses, manage relationships, negotiate and influence for appropriate risk management.
The merger challenged you, not only to balance both responsibilities, but it also helped you segue into risk management.
It allowed me to learn something new. I pulled together all the data and analyzed how to combine it for maximum efficiency and then presented it at an executive level. Technologists tend to be detail-oriented but that’s not how to communicate to management. This role helped me hone executive management presentation skills. From there, I was asked to take a more significant role in the firm, managing technology risk assessments globally. The focus was looking at risk but through a technology lens: infrastructure, applications, user-defined technologies and third parties. For me, it was something else to learn, much broader with a global lens, including regulations. After about four years, I decided it was time to search for opportunities outside of the firm.
How did you look for your next job?
Through my network, I began exploring opportunities for a larger role. A colleague on the Board of Directors at Synovus, a regional bank, indicated they were seeking a Chief Information Security Officer (CISO). She introduced me to the person who would be my new boss. Without that connection, I never would have had the opportunity.
As I was interviewed, the Chief Operating Officer and his staff really impressed me. The initial offer wasn’t enough to make the move to another state. However, I knew that taking this role would allow me to work with a leader with visionary skills about customer experience in banking, as well as take the next step to the C-Suite.
Did you turn down the job or negotiate for a better position?
I called a good friend and told her about the offer. She said, “Did you ask for more? You need to ask.” I called and asked for an increase and hadn’t even finished my sentence before the increase was approved.
As women, we don’t ask. We think if we put our heads down, someone will notice, someone will give us the opportunity. You must have the skills, but you also have to ask—for the project, for the opportunity, for the raise.
Did you regret not asking for more?
At first, I realized that I possibly could have received more, but what I took away from this was much more important—to ask. After being there six months, my boss rewarded me. He handed me a piece of paper and said, “You just got a raise. You’ve done such a great job, we’re recognizing you for that.”
Facebook COO Sheryl Sandberg refers to the Tiara Syndrome. Women are taught to keep their head down, work really hard and then someone will recognize it and place a crown on their head. Essentially, we’re told to wait for power to be offered rather than seize it.
I think you are spot on. As ladies we need to think about our marketability and our worth. I rarely see ladies come into the market who know exactly what they are worth. Men know all the time. Women must better understand what the market is bearing. For all jobs, I do my research. I talk to friends who are recruiters to identify the industry benchmarks. Those confidants provide input such as, “Don’t take another job unless you get X percent more.”
The other key piece is networking. I spend time getting out in the community, going to security meetings, showing people what I can do. This provides a family of people if I need advice on the job market and the industry, which is incredibly valuable.
What was your biggest challenge at the company and how did you want to make an impact?
Short answer: Rebranding and becoming a trusted adviser. As Chief Information Security Officer, I oversaw everything in cybersecurity: policy, governance, financials, architecture, engineering, response, vulnerability management, application security, regulatory compliance and business continuity. In this role, I was able to build the functions from inception.
I went through financials, and we found things we were paying for that we weren’t using. My thinking was, “How can we be creative in what we do with these funds in a TARP-funded bank?” The other challenge we had was that people thought of us as the mystery team that did secret things and always said, “No.” You want the business to view the team as a trusted advisor to deliver in a safe and secure manner and to be able to say, “Yes, with the right operating conditions.”
Second, I rebranded my team. Rather than Information Security and Business Continuity, we modified the team name to Information Risk and Resiliency. This rebranding was the first step in changing the perception of the team and initiating the path to becoming a trusted advisor. For the first year and a half, it was a top-down, bottom-up approach to evangelize this new team. We made it cool to be involved in what we did by hosting all-day events to showcase our capabilities, having fireside chats, and garnering support through the organization.
In addition, we combined fraud, cyber and business continuity into one team with the inclusion of the Financial Intelligence unit where we also managed check fraud, bill-pay fraud, currency transaction reports and anti-money laundering reports. The most critical item which we converged first was incident response for financial fraud.
My theory and wealth of knowledge. We always have to be prepared for our adversaries’ next move, and I look at that in a couple of different ways, starting with executing new things we need to do. Talent management is also a passion, and I have a knack for bringing teams together and inspiring them to achieve their potential. My philosophy is: Make sure we are doing the basics really well, make smart investments, focus on our talent and allow our talent to innovate.
You’re now Senior Vice President and Director of Security Operations at PNC. What are the challenges?
My team is about 430 people, covering both cybersecurity and fraud. Having the fraud background was a key driver for attaining this role as PNC has aligned cyber, fraud and physical. The key opportunity is fully converging the functions and fusing key capabilities in fraud and cyber, beyond just a reporting structure, creating something new and exciting. We have completed this within Intelligence, Incident Management and Insider Threat.
What role did women play, positive or negative, throughout your career?
In my journey, there aren’t a lot of ladies. A good friend of mine grew up in technology and security roles, twenty years ahead of me, and her lifelong learnings have played a pivotal role as a coach, mentor, friend, and someone I call for counsel. Second, the lady on the board of directors who introduced me to this new opportunity. These ladies are inspirational game-changers and leaders.
We ladies are not always supportive of one another, but we need to be. Some won’t support you because they don’t want you to get ahead of them, and I experienced that once in my career. At the time, I asked if I could make a difference in that organization. Despite years of trying, I determined I had to leave that organization.
The positive experiences, however, outweigh the negative. My boss at PNC is exceptional at assessing information and guiding teams to follow a logical path. She will hold you accountable, but she also lets you try things. Often, we learn more from the things that don’t go well, compared to the things that do go well.
What about the men you have worked with?
In a career of almost thirty years, I have had incredibly supportive male leaders. At Mellon, a gentleman was hired who brought a whole different professionalism and learning opportunities. He coached me on the culture of the company and how to present myself to showcase what I could bring to the organization. Men are often very supportive of women. If there were undertones of lack of support, I never let that stop me. If you’re going to be a blocker, I’ll find an enabler.
Cybersecurity, how have you seen it evolve since you got into the field?
Where we all started, it’s identifying patterns and assessing behavior. It’s how do we defend against it and how does the adversary change? I’m looking for indicators in the digital space - an application that is not acting right. It’s very pattern-oriented. Adversaries figure that out. Where we have evolved as an industry: My information is out there. Yours is out there. So, who is trying to use your credit? It now must evolve past password and similar binary information.
Our experience is how I intersect with technology and what I do with that: behavioral risk. With someone who might inbox inside a network, all of a sudden, they are trying to access something they’ve never done before; their behavior changes. As adversaries evolve, like a cat and mouse game, everything will be behavioral. How do I know who you are? Do I know how Susan types or Susan’s actions on our mobile website? Because of the behavior, I have a higher degree of confidence that it’s Susan. Data science and pattern analysis are more at the forefront of cybersecurity.
You have now expanded your role to “New Mother.” How does that impact what you do?
It changes you so much. Until you are a mother, you don’t know the joys and the priority focus. It has made me much more conscious of my time. I have 430 people working for me, and I can delegate and enable their learning potential with meetings and opportunities. I’m much more selective on the meetings that I attend, focusing on the value add. I have great balance, a great husband, and a great nanny. It is about time management. Having a child requires you to be more selective about how you spend the time you have.
What is your overall advice to women?
A-S-K. N-E-T-W-O-R-K. It is acceptable to ask for what you want. Take your power and change the situation or the story.