AAA – The Auto Club Group (ACG) is the second largest Automobile Association of America (AAA) club in North America, serving more than 14 million members across 14 US states, the province of Quebec, Puerto Rico, and the US Virgin Islands.
Chief Information Security Officer, Gopal Padinjaruveetil, has been with ACG for nearly five years, on a mission to serve its members in the digital world. When its parent organisation AAA was founded in 1902, there were just 2,000 cars on the road and over 17 million horses. The automotive revolution took hold and the leadership and advocacy the organisation showed in developing road safety gave drivers the confidence to travel the highways of America. Today, Padinjaruveetil’s team is continuing that tradition of trust on the information superhighway.
Building trust in technology through cybersecurity
The role of Chief Information Security Officer (CISO) is a relatively new one and it’s inextricably linked to IT’s quest to enable business through technology. “I report to Shohreh Abedi, Chief Operating and Technology Officer, on our cybersecurity posture at the board level, and to other C-suite executives and technical people on the infrastructure side, with what I call ‘Top, Side and Down’ communication,” explains Padinjaruveetil. “The challenge is to understand the needs of a diverse set of stakeholders and speak to them in a language they understand… If I’m speaking with the CFO, how do I convert the cybersecurity problem into risk, and what is the cost of that risk for the organisation?
“Another perspective may be how a lack of security could impede growth. In the digital world, that can be a problem if the board and leaders are not fully aware of the risks that emerging technologies hold. Similarly, when I’m talking to my folks about security, I need to approach topics like Cyber Defence, Threat Intelligence and Digital Identity across the tech landscape in the right way… So, from a leadership, business enablement and technology implementation perspective, it’s not just one message that will matter to all of our stakeholders.”
To deliver that message, Padinjaruveetil believes a forward-thinking CISO needs to be a good psychologist to understand what motivates people, and to meet their expectations with the right leadership. “We are trying to make people’s jobs easier,” he reflects. “There is a notion that a CISO will say no to everything. I’m trying to build trust in the process, people and technology, and I like to use the analogy of a modern automobile.
“We don’t just have the brake to stop the automobile or to slow down. Instead, a good working brake can give us the confidence to go faster in good road conditions, and to slow down in difficult conditions. It’s important to evaluate, understand and communicate risk appropriately. Cybersecurity can be that brake on the digital information superhighway so a business can accelerate and build competitive advantage by having enterprise agility when needed, and slow down as required. This enables ACG to confidently accelerate change without putting the organisation and our members at risk.”
Padinjaruveetil notes the importance of explaining and bringing transparency in the way security decisions are made as a key factor in building trust. “For example, most organisations want to implement multifactor authentication, or zero trust access, because it is becoming the foundation in a modern digital world. Yes, it can be a drag on the user experience, but we need to be able to explain the rationale to the business and the users about why this mode of advanced digital identity authentication is critical and for the long-term good of the organisation. It’s the way a good CISO can look out for the speed bumps on the road ahead.”
AAA’s legacy of trust
AAA has more than 60 million members drawn from affiliate clubs – including ACG – across the US. AAA membership, like getting your first car, is a rite of passage; something parents give their children to feel safe in the knowledge they’ll have support in the event of an emergency. “When someone becomes a AAA member, they often stay for life,” notes Padinjaruveetil. “Retention rates of 80% reflect that level of loyalty and trust across generations of the same family.”
It’s a diverse membership base, one that includes digital native early adopters and those used to a more traditional brand of customer service. Padinjaruveetil’s team is tasked with delivering an approach to solutions to manage both legacy and emerging technologies that are safe and secure for everyone as they seek to further digitalise the organisation.
The information revolution
The world is on the cusp of the fourth industrial revolution. While this has the potential to raise global income levels and improve the quality of life for populations around the world, it could also create greater inequality. That’s why Padinjaruveetil believes trusted institutions like ACG, along with a brand like AAA – which has played a significant role in promoting road safety and advocacy – will also have to play a role in developing the same level of trust and advocacy around cyber safety. They must also be a good partner for digital users wherever their journey takes them in the years ahead, both online in the virtual world and in our physical world.
“Every time you see a stop sign, wear a seatbelt or drive through a school zone, it is because of the advocacy of AAA,” asserts Padinjaruveetil. “As we transition further to the virtual world, we want to leverage the convergence of social, mobile, analytics and cloud technologies as an engine for good in all of our digital transactions. We also want to show the same advocacy we have demonstrated on the physical highway within the information superhighway too. Obviously, the kind of rules you have in a cyber world versus the physical world are totally different, and we are trying to navigate those differences to not only bridge that gap, but to also provide advocacy to our affiliate clubs and the industry at large.”
What should ACG and AAA members, and indeed members of any organisation growing its digital footprint be concerned about? “The integrity of our digital identity is a major focus with identity theft and fake identities,” says Padinjaruveetil. “Safeguarding the security and privacy of personal data in addition to how organisations use sensitive data, such as social security numbers, driver’s licences, biometric and financial information, is crucial. On the flip side, when we collect this data from our members, how do we protect it from falling into the wrong hands? How do we manage the privacy of our members as custodians of their data? It’s a two-way discussion.
“Our members need to be vigilant, and so do we as an organisation. People trust us with their data when they’re buying insurance or taking out a credit card. We take the job of protecting that information and their privacy very seriously… In the same way that OEMs make sure a car is safe for the road, as providers of technology solutions driven by innovation, we have a role to play in promoting the bimodal thinking that will help us build secure digital services while also encouraging safe digital behaviours.”
A Digital Transformation Journey
“From a digital perspective, we’re trying to make the lives of our members easier,” pledges Padinjaruveetil. “Our CEO Joseph J. Richardson Jr. has set forth this vision for the organisation: ‘We help members enjoy life’s journey with peace of mind by providing innovative solutions, advocacy and membership benefits wherever and whenever they need them.’”
“When we approach the implementation of new innovative technologies, we also need to look at how we transform our existing legacy products and services to meet the needs of our members in an exponentially emerging digital world. Our overall technology strategy is to develop an omnichannel vision to support our customers, agents and employees, bringing all the constituents together via our experience and interaction layer.”
Padinjaruveetil stresses that his IT Architecture & Operations team is adopting industry standards in the move towards an API-first strategy of microservices and away from customisation and monolithic system architectures. “We’re simplifying our architectures so we can integrate with any of our external service providers. It’s a cautious but steady journey towards the cloud that needs to be carefully managed.
“We are adopting this API-first strategy and working with partners who can help us better transform and modernise our products and services with an emphasis on customer experience. We strongly believe the future will be decentralised via ‘collaborative, consensus-driven ecosystems’ powered by major industry technology leaders like Microsoft, Google, Amazon and Apple. This technology provides platforms that every organisation will leverage, which will allow us to interact with our members and deploy new technologies at scale.”
Prior to the pandemic, digital adoption was already moving at a steady pace, but the past 18 months have forced us all to move to a distributed work from home/work from anywhere environment, providing an opportunity for the world at large to accelerate digitalisation at unprecedented levels of speed and agility.
“This progress and the ability to move to a distributed and decentralised workforce has created new unintended consequences and unimagined threats,” warns Padinjaruveetil. “The world has seen a 79% increase in cyber-attacks over the past 18 months due to the sheer volume of increase in digital transactions. The attack surface is growing, giving further opportunities for a threat actor to leverage. While humans are good at solving certain problems tactically, we really don’t look into the unintended consequences of some of the actions that opens up and the potential for these to be exploited by the bad guys. The challenges we face at ACG are not unique, but have been amplified exponentially by the global crisis the pandemic has caused. What will be the new paradigm or the ‘new normal,’ and how will cyber defence look in the future? This is what preoccupies us and our partners…”
Meeting the cybercrime challenge
The world of cybercrime is a huge concern and throws up some troubling data points, warns Padinjaruveetil. “If cybercrime was a country whose wealth was measured through GDP, it would be the third richest country in the world. It’s now a ten trillion-dollar business that has overtaken the global drug trade. Meanwhile, organisations are investing just $150mn per year into cyber innovation. We as an industry need to do something to reduce this fast-increasing gap.
“We know who some of the key threat actors are, but cybercrime attribution and increasing digital disinformation campaigns are a huge challenge for the world, and there is no real deterrent right now… That’s where the policymakers, governments and organisations are looking for a viable solution framework, before the opportunities for cybercrime grow even further.”
It’s now a CISO’s job to navigate these troubled waters and tackle the increasing waves of threat… A standard-based approach to cybersecurity across critical infrastructure is being promoted by the National Institute of Standards and Technology (NIST), a non-profit US organisation. “We have adopted the NIST cybersecurity framework on our security journey and the MITRE ATT&CK framework for our cyber resilience to manage cyber risk, governance and compliance,” notes Padinjaruveetil.
Cybersecurity Workforce Alliance (CWA)
The war for talent in digital skills is something Padinjaruveetil is uniquely placed to manage. As the Emeritus Chairman and founding member of the Cybersecurity Workforce Alliance (CWA), he’s looking at ways it can have a positive impact to bring more talented and skilled people into the industry.
“We’re aiming to celebrate neurodiversity and tap into the talent that has too often been excluded from the mainstream,” he reveals. “Historically, and more so since the pandemic began, the number of open positions supporting cybersecurity (three million open jobs worldwide) has been rising. We are not able to create fresh talent as fast as the problems are evolving because every organisation is looking for cyber skills; it’s a classic case of supply and demand. At CWA, we’re trying to increase the supply side of the equation in two ways…
“We’re approaching universities and colleges and offering support to curriculums, while also providing virtual internship opportunities delivering the knowledge, skills and certifications to enter the cybersecurity workforce.”
Padinjaruveetil explains that CWA is also focusing on the industry as a whole to find pathways for neurodiverse talent – identified as those with autism spectrum disorder (ASD), a neurodivergent or neuroatypical condition that refers to a broad range of conditions characterised by challenges with social skills, repetitive behaviours, speech and nonverbal communication.
“The candidates on this spectrum possess strong attention to detail and great ability to focus. They also exhibit excellent problem-solving skills and pattern recognition. These advanced visual or process thinkers can bring new approaches to innovation and have great capability to memorise and learn information quickly. In addition, they have shown high work standards and a strong work ethic, but don’t necessarily get opportunities in the mainstream workforce.
“We believe organisations like ACG can actually tap into their unique skills to solve problems in the cybersecurity world. Allied to this, we’re looking at ways we can retrain people in existing jobs where they have related knowledge of information technology that we can reskill.”
The rise of the role of CISO
The role of a Chief Information Security Officer (CISO) initially saw IT leaders come from infrastructure and network security backgrounds. As the role evolved, they were joined by those from the world of auditing and compliance when technology transformed.
“That notion of testing and measuring the efficacy of IT controls marked out the second wave of cybersecurity leadership,” recalls Padinjaruveetil. “We’re seeing the evolution of a modern CISO’s role much more into an executive cyber risk advisory role, and as a future risk manager communicating at board level about emerging technologies, such as AI and biometrics. It’s focused on helping organisations protect and defend the business and promote secure cyber behaviours across their operations in a world where technology is fast becoming a weapon of mass destruction in a cyber war.”
If he could travel back in time, what advice would Padinjaruveetil give his younger self for the journey ahead in preparing for his role as a CISO?
“I would tell him to prepare himself for a new world where we will have data in abundance, and one where many facts and values he considered as inalienable truths will be questioned. It’s a new world where individual characters will play a great role alongside critical thinking, creativity, and communication via storytelling; where multi-disciplinary collaboration will define success in everything he will do. I would offer two quotes from Carrie Fisher and Alvin Toffler to inform him the world he will work in is one where ‘instant gratification will take too much time,’ and to be ready to ‘unlearn’ most of the things he previously learned and prepare to ‘relearn’ them.”
Ultimately, Padinjaruveetil sees it as his job to empower people. “We take the information that you, I and others know, and bring it together securely to fill the information gap and make sure we can take a safe journey together down the information superhighway.”