Finance and Firewalls: Information Security and a Business’ Bottom Line

Charlene Oldham Executive Connection, Issue 16 - March/April 2015, Technology Leave a Comment

With a Business Administration degree and a background in computer science, G6 Hospitality’s Chief Information Security Officer Harvey Ewing sets his department’s strategy in line with the overall organizational objectives


Harvey Ewing is a forward leaning security leader who has been a great security partner for PhishMe. We are honored to help him achieve his strategic goals and change his employees’ security behavior, so they can act as an active line of defense and a source of new threat information.” – Allan Carey, Vice President, PhishMe

Harvey Ewing started college as a Computer Science major, so even though he eventually earned a bachelor’s in Business Administration from Texas A&M University, he was prepared to go straight from the frying pan to the fire—and firewall—when the time came.

Ewing was working for a financial services firm in Dallas that had recently turned over its entire information technology (IT) staff. The company was experiencing networking issues when he decided to tap into his past knowledge building computers and take a look. Ewing noticed that something seemed amiss with the rules governing the firewall, designed to block unauthorized access.

“I went to my boss and said, ‘I don’t know much about firewalls, but the rules don’t look right to me.’ So my boss at the time said, ‘Congratulations, you’re our new firewall administrator.’ And that’s how I got into the world of IT security.”

Today, Ewing serves as Chief Information Security Officer for G6 Hospitality, where he finds his degree in Business Administration and early experience in the finance industry come in handy—especially when it comes to translating what he does to the rest of the company, and balancing business sense with security concerns.

“Nowadays, much of the focus, especially in security, is centered around aligning the security strategy with business goals and objectives,” Ewing said. “So having that business background really helps, especially when you are communicating with people in different roles, from the board of directors to executives to employees throughout the entire organization.”

Critical Communication

Ewing spends as much, or more, time communicating as he does computing these days because of the increased importance of informational security. As recent data breaches at retailers including Home Depot and Target have shown, hackers lead to headlines. But information security professionals don’t have the time, resources or ability to address every potential threat equally because they evolve so quickly. Instead, they should communicate with executives to identify the most important areas of the business and focus on the biggest areas of risk to revenue, critical processes and essential systems.

“And that allows a security practitioner to focus directly on relating the security effort to protecting the most critical aspects of the business. This translates into quantifying the level of risk the company is willing to accept,” he said. “I think that it is a very important aspect of the job today. Instead of identifying potential threats, we can focus on what matters most to the business.”

New Problems, New Weapons

As parent company to Motel 6 and Studio 6 extended stay brands, G6 must be vigilant against any threat to its reservation system that might compromise customers’ sensitive information. And, because threats to information security are becoming more sophisticated, everyday protections must go beyond password-protected systems, anti-virus software, firewalls and other tools of the past. These days, security professionals are working harder to identify and minimize problems through next-generation systems and anomaly detection, in addition to developing tools that identify when data has been accessed outside the scope of normal operation.

“Prevention has been and will always be the goal,” Ewing said, “but it’s not realistic at this point in time based on the way the threats are evolving. The saying is true: It’s not if, it’s when. So you must be able to identify when you’ve had a potential breach. Compromise is going to happen at some point, and you must have the ability to identify, mitigate and remediate appropriately and timely. Therefore, the quicker you can do that, the more protection you are going to offer your organization.”


Collaboration & Education

Ewing must strike a constant balance between protection and practicality. It’s important for companies to be agile and quick to market with innovations that set them apart from competitors. The last thing top executives want is an IT staff that’s constantly telling them new ideas won’t work because they are too dangerous from a data security standpoint. The better approach is to be involved in the projects from the beginning, raising awareness regarding security concerns and finding ways to work around them collaboratively.

“The intent is not to delay projects by always saying no,” Ewing said. “Being transparent and collaborating with the business is imperative in today’s fast-paced environment.”

That’s getting easier as businesses are recognizing the increasing importance of information security and devoting more time, money and staff to safeguarding data. Additionally, corporations like G6 are hiring Chief Information Security Officers with diverse business backgrounds, elevating them to the executive boardroom and making them part of major business decisions from day one.

“Getting into the communications process early—working with the project team at inception—is very, very important,” Ewing said. “I also believe a key part of communication and collaboration is education. You must be proactive in reaching out to peers and executive management to help the business understand what the threat landscape is and how it could impact revenue or operations. Open dialogue is essential in aligning security initiatives to the business in addition to facilitating strategic initiatives. Ewing makes time to educate executives on new security threats and industry innovations. He also maintains an open door for anyone who has questions, concerns or suggested compromises.

“That helps tremendously because the business knows you are on board. You are a team player. You want to do what’s best for the company from a security and business standpoint,” he said. “You want to be an asset and an ally rather than an inhibitor.”

With data breaches increasingly making the news, consumers and federal regulatory agencies are taking notice. What’s more, the Federal Trade Commission can now sue companies it believes failed to use reasonable security practices to protect customers’ data. A good information security staff is a more valuable asset than ever.

“It’s not just the security guy saying the sky is falling,” Ewing said. “Breaches are impacting companies. It’s impacting their stock prices. It’s impacting their revenue streams. Brand and reputation is very important to any business. No organization wants to be in the news with a headline indicating their customers’ information has been compromised.”♦


Harvey Ewing on Servant Leadership

Ewing runs his staff as a democracy rather a dictatorship. In fact, he sees himself as a servant leader—as devoted to developing other talented leaders on his staff over the long term as he is to achieving everyday business goals.

“I believe that if you work hard for your employees, they are going to work twice as hard for you,” Ewing said. “When you care about your employees, they are going to go above and beyond to make sure the team succeeds.”

So, just as he does with the company as a whole, Ewing emphasizes communication and collaboration within his own staff. He takes time to gather input from the team when working on projects and encourages team members to ask questions and take chances that lead to personal career growth. Although it can take more time than simply passing down edicts from the top, it always leads to better outcomes.

“I typically build consensus and collaborate with my team instead of going through and saying, ‘I believe this is the best course and it’s my way or the highway.’”

After all, it’s often easy for talented IT professionals to take that highway toward another career opportunity. In nearly 20 years in the information security business, Ewing has worked in both authoritarian and democratic workplaces. As a result, he understands how important it is for every employee in the office to have a vote and a voice.

“An environment that is more nurturing, collaborative and values the team members is always more successful, happier and more productive,” Ewing said. “Experience has taught me that.”

Harvey's Key Partners:
 PhishMe (Spear Phishing auditing) |  SpearTip Security (Cyber and Counterintelligence) | FireEye (Real-Time Anti-Malware protection) | Computex Technology Solutions (IT Business Enablement)  

Charlene Oldham

Contributing Writer at Forefront Magazine
Charlene Oldham is a St. Louis-based teacher and freelancer.

Comments, thoughts, feedback?