When Rachel Wilson was a child, her father would tuck her into bed at night, but he wasn’t reading her “Cinderella” or Where the Wild Things Are. “My dad is an amateur military historian” she says. “And he was particularly interested in times when intelligence changed the course of a battle. So his idea of a bedtime story was, 'Let’s talk about the purple code and the Battle of Midway, because by breaking that code the U.S. knew the Japanese were coming.' ” So it follows that Wilson knew even at age five what the National Security Agency was and that one day she’d work there. “I finished graduate school on a Friday and literally started work at the NSA the following Monday.”
Eventually, Wilson rose to run the NSA’s counter terrorism operations mission, tracking down terrorists around the world. She next spent a few years at the American Embassy in London, helping the British ready for the 2012 Summer Olympics. She returned to NSA headquarters in Maryland and for five years she ran cyber-exploitation missions against “our adversaries to keep the U.S. and her allies safe.” Today, she leverages that experience to look at Morgan Stanley’s networks, systems and applications “through the lens of an adversary.” Wilson shares her insights on Cyber Resiliency in the Morgan Stanley Minute.
After I’d achieved success at my two dream jobs, running counter terrorism and cyber exploitation at the NSA, it was time to do something else. And I had already decided that I wanted to come to the financial sector next. If you’ll remember, in December of 2012, the Iranians took the NASDAQ offline. They recognized that cyber was an asymmetric advantage–that they could put forty guys in a basement in Tehran and wreak havoc on Wall Street, and that's exactly what they did. For those of us in government, this was an incredibly frustrating time, watching what was happening and feeling hamstrung. That’s when I decided, “When I leave government, I want to go help defend that key piece of critical infrastructure.”
The reason I came to Morgan Stanley was because of the conviction I saw here. There is real thought leadership in terms of cybersecurity and the commitment to being not just protected but also resilient. And that conviction starts with James Gorman and the board of directors. They get it. They see this is their top operational risk, and that has cascaded through every layer of management. The attitude isn’t, “Oh, these cyber guys over here in the corner will fix things,” there is a proactive posture across all the lines of business.
I’m the head of cybersecurity for Wealth Management. My team focuses on the defense of the Morgan Stanley Wealth Management technology stack: the physical layer, the network layer, the application layer, and the physical desktops—along with everything that the firm is providing to our clients though our digital offerings. We have six hundred branches and nearly seventeen thousand advisors and the teams that support them, who serve seven million clients all over the country. This is a true challenge since Wealth Management has become much more internet-facing. If you think about the business traditionally as being two people sitting at a table, it will always be that, but now everyone wants to be able to see all of their balances, all of their positions, all the time and from anywhere. That means putting more and more functionality into our digital offerings, like online banking and the Morgan Stanley mobile app, which–in turn–increases our cyber risk as a firm, and increases the cyber risk to our clients.
There are many things that keep me up at night. At the top of the list are nation state cyber actors. Some countries are hacking into banks with the goal of stealing money to fund their governments. Others are hacking banks as a means of retaliating against international sanctions. This government hacking is well-resourced and sophisticated, but the threat doesn’t only come from nation states. There are also criminal syndicates and traditional fraudsters who now use cyber means to conduct their nefarious activities at a scope, scale and velocity that was unimaginable just a few years ago.
It’s a lot of fire-fighting. If something goes wrong, we have to figure out how to respond. Let’s say a new software patch comes out and it breaks one of our applications: How are we going to fix it? It also involves implementing new controls. Every time we bring in a new cybersecurity technology, the challenge for the team is that all of these technologies are only as good as their implementation. For me it's always a question of, “How do I maximize the efficacy of what we've spent to maximize security for the firm and our clients?” My team and I also spend a lot of time in the field on education, helping Financial Advisors understand their responsibilities in terms of protecting the firm and our clients, and helping clients understand how to be cyber savvy so they don’t put themselves and their assets at risk.
Cybersecurity begins with education. Today’s cyber criminals use simple but effective methods to acquire personal information. Malware can be delivered to devices via phishing emails, suspect websites, Wi-Fi networks, and public charging stations, presenting common hazards that can be avoided if you know how to protect yourself. We are talking to clients about best practices for online security, tools and software, and strategies they can implement in their personal and professional lives.
It’s not changing nearly as much or as quickly as I had hoped. I have often felt that there are many meetings where I am the only woman in the meeting; I guess you get used to that over time. But part of what keeps me at Morgan Stanley, is that I see that that is recognized here, and that there's a lot of conviction around moving that needle. I mean, you look at female Managing Directors at Morgan Stanley, that ratio of women in technology leadership roles is growing every year. It's been more than lip service. I think you see the lip service everywhere, but here [CEO] James [Gorman] is actually changing things.
This may sound funny, but a lot of it was about finding the right partner who was willing to support me throughout my career. I went through periods of my life when my husband was dropping me off at the unmarked terminal at Dulles and I couldn't tell him where I was going or when I was coming back, because I didn’t know. I spent eighteen months in a status that in government we call “worldwide ready,” taking malaria pills all the time, so that within twenty-four hours' notice I could get on a plane to anywhere. And then when I came back I said, “Okay, now I'm going to go run the counter-terrorism mission,” which meant often working forty days straight. We had cots set up at the facility and there were days when my husband would put the kids in the minivan, pick up a pizza, drive to the NSA parking lot, and I would come out and have dinner with them in the minivan and go right back into work. He made all of that happen.