Elias Oxendine – Brown-Forman

During his 11 years as an intelligence officer in the United States Navy, Elias Oxendine was made to understand the enemy—not only the what and who, but the how and why. Intelligence Preparation for the Battlefield, they called it. Stated simply, it means knowing all the ways in which a potential “actor” can disrupt the mission.

While the stakes might seem very different in his current role with the Kentucky-based spirits purveyor, Brown-Forman—which owns brands including Jack Daniel’s—the veteran IT security expert says the training has proven more than handy.

“In the cybersecurity space, most are reactive, as opposed to proactive,” says the global director of IT security. “What we’re trying to do is secure as many openings and channels as possible before hackers can exploit them.”

Today, three years after he joined Brown-Forman, Oxendine is proud of how the company’s security awareness has grown. Getting there, however, was a mission that required a different brand of basic training.

Critical assessment

A month or so into his new role, during one of his regular conversations with Tim Nall, Brown-Forman SVP and CIO, Oxendine began to realize the urgency of the task at hand. With companies in health care and finance garnering plenty of press for their cybersecurity breaches, the food and beverage industry might not seem particularly vulnerable. In a sea of white whales, why bother going fishing?

This, Oxendine says, is one of the biggest mistakes a business can make: believing they’re not actually a target.

“When you look at the kind of data that’s being compromised, most of it falls under the category of personally identifiable information,” Oxendine explains. “We have names and credit card numbers. We have company data. Fortunately, Brown-Forman realized everyone was a target right away and viewed security as a priority.”

During his first 90 days, Oxendine conducted a qualitative assessment of Brown-Forman’s security posture, followed by a quantitative assessment conducted by Ernst & Young (E&Y). E&Y generated an IT security maturity assessment for Brown-Forman’s security posture based on Gartner’s security maturity model, a one-to-five scale used by companies to continuously assess and improve the maturity of their security processes: data security, application security, patch management and the like.

One of the first measures to result from this assessment—and an ongoing one—was a targeted phishing campaign. Mimicking tactics used by modern hackers, Oxendine and his team created emails and other prompts designed to lure employees into dispensing sensitive information.

After each campaign, the results were shared with the company. According to Oxendine, his department treats these dispatches as an educational opportunity, using examples of employee missteps to highlight the ways in which real hackers aim to gain a foothold.

“If you’re not showing people what to watch out for, no amount of information is going to prevent a real-world attack,” Oxendine says. “We’re seeing heightened awareness across the board.”

Still, Oxendine is quick to stress the critical importance of making cybersecurity a year-round effort—just like profits, product-development or any other business-growing measure. To that end, he’s made security communications a pillar of his campaign, using headline-grabbing stories of security breaches to help underscore the issue’s importance.

Chain of command

Although phishing exercises had been a staple of Oxendine’s tenure at General Electric, where he held IT-related roles between 2006 and 2015, Brown-Forman offered him an opportunity, above and beyond security remediation: a chance to helm his own department.

Working closely with Nall, an 18-year Brown-Forman veteran and its current CIO, Oxendine helped create a three-year roadmap to bolster the company’s cybersecurity.

“Our goal was to identify where we had gaps, target those gaps, then mature those efforts in such a way that we could provide regular updates to the board,” Oxendine explains. “It’s important that everyone be on the same page.”

Oxendine and Nall identified three areas in particular that needed to be addressed. The first was security awareness, where the company’s phishing campaigns came into play—and what Oxendine calls “the first line of defense.”

The second involved establishing a patch-management program: identifying critical vulnerabilities, and then patching them to “wall off” any would-be intruders. The third entails making sure the company’s most sensitive data is properly encrypted—and distributed only to those who meet company criteria.

So far, the results have been encouraging, with Brown-Forman showing marked improvements across the board.

Still, given the ever-changing landscape of data security, Oxendine says the goalposts for success are bound to change. One area he’s particularly excited to explore is machine learning and artificial intelligence (AI), which have the potential to “quickly identify indicators of compromise and take immediate, automated action to mitigate that risk.”

Of course, hackers and other bad actors are hot on the AI trail as well, creating the kind of cat-and-mouse scenario well known in the world of military intelligence.

No matter how intelligent the tools become, Oxendine believes the best chance companies have to protect themselves, exists not in some high-tech protocol, but the people behind it.

“I feel really good about where we are and how far we’ve come,” Oxendine says. “Like any major program, it’s an ongoing effort, and everyone recognizes the importance of not letting our guard down. But when you give people a stake in the solution, amazing things can happen.”