Driving a culture of security at Liveops
A Q&A with Paul Leavens, Liveops’ Senior Vice President of IT & Security
In a world plagued by increasing—and increasingly dangerous—threats, how do you safeguard your company, your customers and your own devices?
Paul Leavens thinks about questions like these every day. For him, the answer isn’t found in the “shiny” new cybersecurity products, but in digital literacy, smart governance and other “common sense” tactics that are all-too-uncommon in 2019. Paul recently joined Liveops as our SVP of Technology & Security, bringing along more than 20 years of IT and security expertise. We sat down with Paul to discuss his career, his new position at Liveops, his security advice for individuals and businesses and why he believes “a false sense of security is worse than no security at all.”
What brought Paul Leavens to Liveops?
This interview has been edited and condensed.
LIVEOPS: Tell us about your background. What were you doing before you joined the team?
PAUL LEAVENS: Cybersecurity is always an aspect of IT, and I’ve been in IT now for over 20 years. In my previous role with Progressive Financial Services, I undertook the information security role for them and established governance to meet federal standards. That was the significant advancement in my career to a dedicated security role. I then got my CISSP (Certified Information Systems Security Professional) certification, which is considered the gold standard in the security industry.
Progressive Financial Services is a federal contractor. I came in and built out their security program to be compliant with federal NIST (National Institute of Standards and Technology) standards. I took them to a strong position of governance, where we were passing our annual assessments with no findings. We were one of only two agencies to receive an unconditional authorization to operate from the federal government.
After we achieved a mature security program which was routinely passing audits with no findings, the opportunity with Liveops came knocking on my door.
What do you like most about the information security field?
I like the fact that every day can be different and that the challenges are continual. Maybe I’m a glutton for punishment, but I do like the ever-changing landscape of IT and security, specifically. There’s always something new to learn.
What led you to join Liveops?
What really attracted me to Liveops was the company’s platform and capacity to provide opportunities for people who need a flexible work model. For example, they may live in a rural environment where office opportunities may not be readily available, or they need the flexibility to work from home and take care of their family
I’m also really interested in the independent contractor model and how that specifically impacts security as well. There are a lot of challenges around that, and the fun thing about it is that it creates a need for us to innovate.
Can you tell us about some of those challenges? Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS) compliance come to mind.
Yes, those are indeed two challenges we’re looking at always. We’ve implemented solutions that meet those requirements, and our solutions will continue to evolve over time.
Do standards like those change often in line with new technologies and societal shifts? How much of your job is navigating change?
Yes, absolutely. There are two components to that. First, there’s the governance that changes—different revisions come out. PCI, HIPAA, and NIST are always evolving. I wouldn’t say that it’s rapid—it’s very methodical from a regulator’s perspective—but it’s iterative and builds upon itself.
And then there’s the technology side. Technology is progressing much faster than regulations due to two factors: to address ever-changing security threats and also make the process easier for the end user.
Security is always in tension with production. There’s a natural, healthy tension there, and the challenge is to implement a security model that is effective but doesn’t cause unnecessary burdens.
Security throughout customer service and the distributed workforce:
What are some of the greatest cybersecurity risks in terms of customer support? Does Liveops face unique risks in this industry?
On the surface it would appear that the most significant risk we have is the work-from-home model, meaning we don’t have agents sitting in a brick-and-mortar location. Statistically, that doesn’t hold up. The statistics show that, in the United States, brick-and-mortar is actually more prone to agent fraud and other security issues than a work-from-home model. That’s a surprise to most people.
Why do you think remote teams have statistically shown to be more secure?
That’s a great question. From a security standpoint, this comes down to longevity. When agents join Liveops they see the value of the model. In terms of experience and career goals, this differs from some brick-and-mortar call centers where turnover is high. Liveops agents might be work-from-home parents, for instance. They’re people who are readily looking for this type of self-driven work opportunity, and they have a heightened sense of responsibility and integrity.
I think the Liveops model succeeds because independent agents are invested in the process. This isn’t just a job to them—it’s a lifestyle and a business.
What advice do you have for people who are looking to secure their data on their personal devices or ones they might use for independent work?
When thinking about security, most people think of a firewall, antivirus, or another kind of physical control. Let’s call these the “shiny things.” People want to focus on these things. But what happens is when someone thinks about security, they go out, and they get an antivirus suite and hopefully install some type of firewall, and then the concept of security pretty much stops.
The reality is that most security breaches are caused by social engineering. Neither firewalls nor endpoint security can necessarily save you. Instead, it’s about a common sense approach to understanding threats. When you do get that phishing email, and it looks slightly suspicious, it means taking the time to stop, evaluate and figure out whether this is legitimate or not, versus just clicking on the link and hoping your security controls will protect you.
Human curiosity is one of the enemies of security.
What gets in the way of people practicing good security with phishing attempts and with other social engineering-based attacks?
Overall, the phishing landscape is changing dramatically. These threats are getting much more sophisticated.
One piece of advice that anyone can follow: If you don’t know the person who sent the message or if it’s unsolicited, don’t open it. Don’t even be curious about it. I think human curiosity is one of the enemies of security. We all want to know, right? Say you get an email from the IRS with an attachment. That’s going to really push your anxiety level up, and you’re going to want to look even if it’s fraud or not. Just opening it and looking at it exposes people to bad things.
There certainly is a generational aspect to it, too. Some people grew up with computers and others did not. That could indicate a lack of savviness when it comes to what could be a threat and what might not be a threat.
But ultimately, stress is a huge factor. One social engineering tactic you might see in phishing is to actually do a multi-front attack where you create a stressful situation by one attack and then it’s followed by another backend attack, which is much less likely to be intercepted because all the focus is on the first attack.
Let’s talk about security at Liveops. If I were a Liveops agent, what should I know about conducting myself and using my devices? What are some of the worst mistakes I could make?
Before they can start taking calls, each Liveops agent learns about security best practices as a part of their certification—this isn’t just general advice, this is how to protect something you’re fiduciarily responsible for as a home business owner.
The worst unintentional mistake would be neglecting to maintain your devices. You don’t patch them. You don’t maintain an antivirus, and you open every attachment that comes in. You’re not really security conscious, and you’re making bad choices. However, Liveops plans for this by having a system in place that actively vets devices. It checks it for patching, antivirus software, location, et cetera before an agent is allowed to authenticate to us. That’s a step from our end that protects our data.
Lessons security teams can take away from larger industry breaches:
We’ve all seen headlines about the Equifax breach, the Target breach, and any number of cybersecurity incidents that involve millions of dollars and millions of accounts. Do these incidents keep you up at night?
They don’t keep me up at night, but they certainly are learning opportunities. Much is still unknown, but my understanding is Equifax was a failure of governance and Target was, similarly, a human error. Neither company could move quickly enough to catch or counteract the attack even though they had the right tools in place. Without proper implementation, they had a false sense of security
It doesn’t necessarily matter how much money you spend on security; it matters where you spend it.
It sounds like there’s always a human element to it. Can you think of a story recently where the vulnerability was purely technological?
No, not that I can think of. It doesn’t necessarily matter how much money you spend on security; it matters where you spend it. Companies can spend a significant amount on their security program and implement state-of-the-art tools, but, if they don’t configure it correctly, the human element won’t be able to handle the amount of data coming in. If you take a million events, a small percentage may end up being a real threat, and you have to come up with a way to make that actionable information readily apparent to the people who are monitoring it, or it’s useless.
Final thoughts and tips from Paul on how to improve security:
Can you leave us with some practical ways companies can be safer about security starting today?
From an organizational standpoint, governance is critical. Without governance, you can’t measure your security. If you haven’t established what your risks are, then you don’t understand your risks, so how can you possibly protect yourself? Governance is the roadmap for what your security is supposed to look like, what it’s supposed to do. It tells you if you’re measuring up or not. It’s also about accountability—if we say we do something, we’re held accountable for that.
What about for individuals?
From a personal standpoint, just educate yourself around security and good judgment. The tools that you have are important, but more important is the judgment used to decipher what threats you’re up against—those attachments, those phishing attempts. If things don’t look right, typically they aren’t right.