VP & CISO AT PRINCIPAL FINANCIAL GROUP
Meg is the Chief Information Security Officer for Principal, a global financial investment management and insurance company headquartered in Des Moines, Iowa. A 30-year technology and security veteran of a global brand, Meg began working at Principal right out of college and never looked back. She's working to build a culture of “security by design” and has a passion for guiding girls and young women into technology careers.
Describe the path you took to where you are now.
I'm the Chief Information Security Officer for Principal and I also lead our Data Services team. June 1st was my 31st anniversary with the company, which is a long time! When I originally started, I was right out of college and graduated with an MIS degree from The University of Iowa. One of my instructors there said to "never work for an insurance company. All you'll be is a COBOL programmer." I knew I didn't want to be a COBOL programmer, but I also planned to live in Des Moines, and everything I knew about Principal at the time was that it was a great place to work. So, I was really conflicted about what my instructor said.
I was engaged when I graduated and thought, "well, I'll work for a couple years as a COBOL programmer. Then I'll quit and be a stay-at-home mom." It never happened like that in reality. I had three job interviews in college. One was with Younkers for a buyer position. The second was with State Farm. My third interview was with Principal.
I quickly had a second round interview during spring break, and that evening of 1987 they called with an offer. This is when Principal was growing their IT department significantly. There are many of us who are still here. I can look around and see lots of people with whom I started. The camaraderie and collaboration that I've had since the beginning of my time at Principal is what's kept me here. It's cliche to say that it's all about the people, but it has been a great place to work.
At the time I started as a COBOL programmer—I wasn't particularly spectacular at it. I benefited from great training and a great trainer. We used to joke because you'd interview MIS and Computer Science students and they all wanted to be systems analysts. You had to be a programmer first, so eventually I worked my way up to a systems analyst position. I was leading projects and making sure the technical designs were appropriate and had appropriate integrations.
I worked in the health insurance area, which we no longer sell. As I progressed in my career, I was doing more challenging work and bigger projects that seemed to take forever. We were also subjected to regulatory issues like HIPAA and privacy laws, which were pretty significant to the health division. At a certain point I asked to do something outside of application development and I led teams who interfaced with our infrastructure team: database administrators, data warehouse team, liaison areas, etc. That was interesting to me because I got to learn more about what's underneath the application. Later, I began to see more and more systems being rewritten since I had been in the same area for 20 years. It was no longer challenging after a while, and I became the person who was always thinking "we tried that and it didn't work."
I used to give advice to my team—if you don't believe in the strategy of the business area that you work in, it's really hard to want to come in and do good work. I was starting to feel a little burned out in that area, so I told my boss "If something comes up, I'd like to be put on the rotation list. I'm interested in a new opportunity." A goal of ours is to make sure that people don't sit in the same chair for their whole career, so we try to move them around the company and put different perspectives in each business area, because all four of our business areas have their own culture. I think that was in July or August of 2007 when I asked to be rotated. I interviewed for and was selected for the CISO job in early 2008.
I tell a lot of people this, but I had no idea what was encompassed by a CISO role—there is a lot! As we move people into this area, they are always surprised by what's underneath the covers of information security. It's quite broad. I learned a ton and was very overwhelmed at first. I needed to rely on experts; fortunately, I was surrounded by many. The team was very helpful. I remember one of my earlier days when someone came in with a bunch of paper manuals and was sort of going through them and I was thinking "I have no idea what he's telling me." There was so much to learn, and the thing about cyber security is that at around the same time in 2008, everyone started getting hacked. Everyone heard about it in the media, so the attention was growing.
I had to learn as things came up instead of understanding what could happen and being more preventative. This kept me on my toes, and was certainly very challenging. It was also very fun, to be honest. Cybersecurity is fascinating and you get into the minds of the bad people. You must try and figure out what their next move is and how to prevent it. It changes literally daily, so there's always something going on. Being able to make sure you're properly defending the assets of the company: our customer and employee data, our money, and our intellectual property. It's what makes my team enjoy their job; they get a charge out of that challenge. That's how I got here!
I've been the CISO for 10 years, which is a pretty long time for a CISO role at one company. It's been challenging throughout. The other thing that's been happening over the past few years is regulatory compliance and laws around businesses needing to protect data. I think that will continue into the near term where businesses will have a greater responsibility to prove that your data is protected.
Have you had any mentors along your path?
Every leader I’ve had has taught me something. I have had many mentors. I go to different people for different things. I have really broad peer groups in information security, so I know information security officers at many companies. In particular in the CISO job that I have now, I really relied on other people from other companies that I can bounce things off of. They do the same. It’s a very collegial atmosphere.
I have a mentor in senior management who has been great about getting in my face and telling me like it is. It’s been helpful to me. It’s a little bit like the coach on the sidelines. Thinking about my response to her questions often clarifies things for me. She’s in my head a little bit on the hard questions.
Do you see yourself as a mentor?
Yes, we have a formal mentoring program, so I currently have a mentee. Others have asked me directly for a mentoring relationship as well. With one, we go to lunch on a monthly basis. I would say at this point we are friends, but we put on the mentor and mentee hat occasionally to bounce things off of one another. I value this relationship; it's very beneficial in my position to get feedback from many people across the organization.
Outside of work, I've had the opportunity to mentor some young women and young people in general. Harding Middle School has a career day and my neighbor happens to be the principal there. She's asked me to come talk about cyber security, so I've done that for three years. Recently I spoke to a group of girls visiting Principal. They were super shy the whole time but then when it was their turn to show us websites they made, they completely lit up. They were basic websites, but it was awesome to see such young girls being involved in tech.
Tell us about your role as VP-Chief Information Security Officer at Principal.
A lot of days are very different from one another. There is one thing in common, which is a lot of meetings. In some meetings, we learn about what's going on, new strategy, plans for the upcoming quarter, and things that are top of mind to our CEO. We have offices around the world so some meetings occasionally occur very early in my day or later in the evening.
I am also on the board of an external organization called FS-ISAC (Financial Services Information Sharing and Analysis Center). Today, we had a meeting by phone, then I had a governance group meeting where we approved projects and funding, and after that I had a one-on-one with a leader of our sourcing and supplier management area to talk about some things we have in common, as well as strategy going forward.
It's a mix of strategy and operations. In this role, sometimes my day gets completely planned for me, because maybe there is a cyber-attack going on externally or some sort of internal event. I need to make sure my phone is close by in case I get texts or alerts from my team. Most of the time my team can handle these things on their own, so I don't usually need to roll up my sleeves and defend against the cyber criminals myself. Lots of collaboration occurs.
How has your education helped you get to where you are today?
I have an MIS degree from Iowa. I would say that it definitely prepared me, generally speaking, to get the business skills. When I first started working, I had a COBOL class in which I learned how to code COBOL, so that prepared me. Now as I look back, marketing and business courses helped put together the concepts, especially working for a financial services company.
Most of your learning in college is not necessarily always the content of the courses, it’s really how to get work done, how to have relationships with people, and practical experience. I have two kids in college, so I hear a lot about group projects. With a group project, you can’t just be responsible for yourself, you have to be responsible for the entire group outcome. That’s really what happens in the workplace. You have to rely on other people to get their work done. There certainly are no grades, but there are other rewards that you get for being a valuable member of the team.
One of my favorite memories was a project where we visited a small retail shop within the mall in Iowa City. We designed a system to automate and improve the receipt process for the shop owner. We probably used spreadsheets at the time, nothing too fancy. The experience of actually interviewing a business owner and talking a bit about the problem we were solving for her still resonates today.
Was there an “Aha!” moment as a child where you knew tech was what you wanted to do with your career?
It was when I was in college and working for the University of Iowa office of Student Employment, where my job was to take a student ID card and stamp it through a 3-part carbonless form. Then I would split apart the paperwork, they would sign it, and I would stamp my boss’s name. Someone would come and pick these papers up and enter the data into their system somewhere.
About a year into that job we got a new mainframe-based system. It was fascinating to me, because it was so much better than the manual process we were using before. People were complaining about the bugs, but over time we all adapted to this new system. At that point, I decided it would be a really fun job to work as a Systems Analyst so I changed my major to MIS.
What’s the biggest risk you’ve taken in your career?
Jumping into this (CISO) role was probably the biggest risk that I’ve taken. It was a whole new world for me and I had no idea what I was getting into. In some ways, I was more anxious to move on from my prior job. I had sort of “been there, done that” for 20 years. It made it easier to take the risk and move, but I absolutely had no idea what I was doing. It was a great learning experience.
How has the world of cyber security transformed over your career at Principal?
There is a little bit of a recency effect here, but it's probably the attention that cyber gets from the board of directors. It's an aspect of IT that was sort of invisible to the rest of the company. When I was sitting in the business area, I knew that we needed to get access to certain things and that Information Security was the team who provided access, but I had no idea what else was there—policies, governance, monitoring, and cyber defense and operations.
I had no idea that cyber was so big. I think the volume has changed, the attackers are very organized, and the threat actors include organized crime. When you hear about nation states, you never really know if you are going to be targeted, and if you are targeted, what that will look like. And now we are on the cusp of the next transformation. [Principal] wants to be more digital and disruptive in the tech industry.
Everybody is using the Cloud and mobile apps, and we are doing our work completely differently. In cybersecurity, we say that this is an “expanding attack surface.” It’s just like if you have a house and you put on an addition, such as another way to get into the house, you have to secure that. If you think about that in terms of an organization, you’re always finding new ways to connect with new partners. These things are coming at us with a much higher velocity than in the past, and I expect that to continue. The attackers are doing the same thing. They’re running their criminal businesses just like we run our business. One of the differences is that they have a lot of funding, not that we are underfunded, but they are making money illegally. Then they are using it for criminal purposes. Before I was in this role, I had no idea of the extent of cybercrime.
How do governance and compliance requirements impact your work?
I think it’s generally a good thing that governments understand the impact of cyber attacks to businesses. It’s a significant problem. What I like to remind people is that if you’re already secure, being compliant with these things isn’t a problem.
We are a publicly traded company, so we need to protect shareholder value. We have to protect customer information for our reputation, and we don’t want our stock to sink because we were breached and on the front page. It’s critically important that you comply.
There’s a new compliance regulation called the General Data Protection Regulation from the EU, so everyone is getting a lot of privacy notices. It’s huge, because the fine is up to four percent of your global revenue, which is a lot of money. That has a lot of global companies scrambling to make sure they are compliant and adequately protecting data. It provides consumers with the right to be forgotten. If you want to be forgotten, we can give you back your data as needed. That one has been really tough.
There are quite a few others that impact financial services. We are used to it because we are a very highly regulated type of business anyway. Probably the downside of the regulation is that it can become a “check the box” process instead of actually doing the right thing for the organization. You don’t want to comply just to comply, you want to do something that makes the organization more secure.
You’re involved in the Women in IT group at Principal. What types of activities does the group do and what outcomes do you hope to achieve?
We have done a lot of networking activities for women in IT to really encourage the women at Principal to connect with one another and work on STEM related initiatives. Last year there was a STEM conference with Governor Kim Reynolds; Sarah Derry, a member of the Governor’s STEM Advisory Council; and Lora Leigh Chrystal, Director, Iowa State University Program for Women in Science & Engineering. We’ve worked to put STEM front and center for employees and to help them understand the trends with women in STEM. We also have quarterly breakfasts where our sponsors meet with a dozen women in IT. The women can ask any question they want, run things by us, and it’s very casual. We are always trying to make those connections.
What are the business benefits of building diverse cyber security teams?
I mentioned the Des Moines Register’s storytellers event; there was a speaker there that talked about the word ‘diversity,’ she thinks that it should be replaced with ‘community’ because diversity draws attention to our differences and community can bring us together. When I think of diversity, I don’t necessarily see the physical differences, I see the thought differences. I think that has huge business value, in particular for cyber security.
We talk about the tactics, techniques, and procedures of attackers. We have to get into the heads of the attacker, and everyone doesn’t think alike when they do that. So when you think about what could come next, your colleague might be thinking about something completely different. Just the diversity of thought is probably the number one benefit that I see.
The other thing is that as a female CISO, there are often times where I may be one or one of two females in the room. Many of the female CISOs around the world know each other because there aren’t many of us. Actually having conversations like this help other people see that females can aspire to these roles. That is really important. If you don’t see anyone doing what you want to do that looks like you, you might not think it’s possible. Especially if you are younger. I think it’s really important to have all different types of people performing lots of different roles. It doesn’t matter who you are, what you look like, how you think or how you behave. You fit in somewhere.
The data is out there that younger generations aren’t staying in their jobs for 20 or 30 years, it’s more like 2 or 3. What is it like to work at Principal for 30 years and what has kept you here so long?
There have been times during my career where I have felt less challenged, which has made me think whether I want to find more challenge at Principal or more challenge elsewhere. Principal has always won. For me the important thing is that you’re continuously learning. If you can learn at a company that is great to work for, it’s not necessarily a bad thing. I really value having a continuous learning experience. It’s much better to be busy than bored.
What advice would you give a young woman who’s just starting out in IT that you wish someone would have given to you?
The first thing I would tell her is not to be intimidated. It’s really important for young women to understand what they want to do and sort of go for it, because sometimes we put up artificial barriers for ourselves. Just because you try something doesn’t mean you’re locked into doing it forever.
The other thing about cyber and technology is that it’s all about problem solving. Many people like to solve problems and enjoy the strategy behind thinking about a problem differently. People get excited about the idea of being the first to solve a problem. When I talk to women I emphasize how important problem solving is. Sometimes I even talk about how I never wanted to be a programmer and that I used to be intimidated by it, but there are so many ways to apply technical skills to the world. A technical background can take you many places.
How do creativity and problem solving integrate into your current role?
Sometimes in information security, things can feel pretty black and white. Especially now when we are trying to embrace innovation and enable our business to move quickly. Sometimes you can’t apply policies and standards to information security problems. You have to be creative and understand the business value of a particular thing, and the risk included in that choice.
We don’t want to overwhelm our business people or slow them down. It’s really important for me to be side by side with our business partners so we don’t slow down initiatives. In the end, those initiatives are what make us money. So we need to think creatively as opposed to using a rulebook. I think we need to collaborate along the way and make sure we’re thinking critically. Always problem solving, all day long. Trying to figure out what’s next and prioritizing tasks.
Can you tell us about an exciting project you are working on right now?
I’ve been a CISO for 10 years, and that entire time was full of very fast growth. We’re adding technology, growing the program, and adding people. We realize that this growth isn’t going to last forever. Something I ask from time to time is ‘What are our top risks? Why should I fund this project rather than that project?’ I’m working with others to figure out how to approach quantifying our cyber risk. How we want to look at the probability of different events happening. The various amounts of money that we would lose if a certain event occurred. Sort of putting all those things together and quantifying cyber risk. That’s really exciting for me because it’s a practical tool we can use, and our investors will understand why they are investing in us.
How do you prepare your teams to anticipate unknown threats?
I think that there’s definitely ‘unknown unknowns.’ Trying to be prepared for the worst and hoping for the best is part of this job. I think the more exciting thing that’s coming is all the technology that is being used in all facets of our lives. The applications that we have on our phone that control our home appliances, Amazon Alexa, connected cars, etc. The world is changing so quickly, and all those things have an opportunity for something to go wrong. That’s probably one of the biggest transformations that’s happening, one of the biggest challenges moving forward. How are we going to make sure all of this is secure?
The other component is all the laws and regulations that are happening around the world regarding personal data, including some of the Facebook press. It hasn’t been very positive with regard to how they use our data and how they sell our data to third parties. I think that there’s more to come around data. Back in my job in Iowa City, those student ID cards had social security numbers printed on them. That social security number wasn’t the key to unlock anything because nothing was electronic at the time. We would never do that now.
What changes do you hope to see in the tech industry in the next 5 - 10 years?
Specifically with my CISO hat on, one of the initiatives we have at Principal is that we want to build security in, or have “security by design.” You’ll also hear it called “shifting left.” We really want the people on the frontlines to understand the aspects of their project or initiative relating to security. How they can think about security from the front end. I think we have an engineering culture at Principal. When you think about an engineer, they think broadly about what they want to create. They don’t have gates or guidance along the way. If we could really get people thinking about security upfront, it would be a game changer because there would be a lot less for us to do at the end of the project.
What do you envision for the future of tech in the state of Iowa?
I see a lot of cities who are creating marketing campaigns around technology. I think it could be really interesting for us to understand how we connect our rural communities better than we have in the past; how we exploit technology to increase the population of Iowa. I'm a transplant to Iowa and I think it's a great place to live, but there is a lot of opportunity for more people to live here rather than people leaving upon graduation.
What kind of groups or activities are you active in outside of your job?
I'm on the board of the FS-ISAC. I'm on the Technology Association of Iowa CISO Roundtable. I also like to play bunko with my neighbors!
What do you do to unwind?
I'm tightly wound. I like to read a lot. I read everything; I have a "library" on my end table, as my husband calls my stack of books. Right now, I have several books open, which is a little unusual for me. One book I'm reading is How to Measure Everything in Cybersecurity. I also have a Leonardo Da Vinci book open. I have a fiction book going as well. I have about 15 books on my nightstand that I need to read.
I don't mind watching reality TV to unwind as well, such as House Hunters tropical shows. I love Hawaii. Occasionally I binge Netflix too. Right now, I'm watching “The Crown”. I like to travel as well. I love to go anywhere, and my husband likes to go to Hawaii, so I go to Hawaii a lot. I travel for work a little bit so that's how I see the world.
What music are you into right now?
I like anything except country. Some country is okay, but I don't like The Voice. Not a fan of Blake Shelton.
Do you have a go-to food item?
I love sweets. Rice crispy treats are really good.
Do you have any favorite TV shows or movies?
I'm looking forward to Season 2 of the Ozarks coming back to Netflix.
What kind of impact do you want to leave in your field, or what kind of legacy do you want to leave?
One of the things I've been thinking about lately is my 10-year anniversary in this role. How am I developing successors? How am I helping people understand our strategy? Part of our job is to secure Principal, but we also need to help the business grow. We need to enable Principal to move quickly. While we're in the background keeping things secure, we really need to help the business grow. Outside of the company, in my interactions with peer groups, we talk about creating that next level of leaders. We are always relying on each other, because it's all of us against the cyber criminals.
I always want to have fun at work. Accomplish your goals but also make time to have fun. Make sure there's some work and some play.