Same Battle, Different Field: A Conversation With Our Chief Information Security Officer

As a former security expert in the U.S. Air Force, Dannie Combs understands the need to prepare for — and respond quickly to — a wide range of cybersecurity pressures.

Dannie Combs headshot

For almost a decade, Dannie Combs’ day-to-day decisions had life-or-death implications. In his role with the United States Air Force, Combs managed cybersecurity operations and information risk activities for military and governmental organizations as a member of the North American Aerospace Defense Command, National Security Agency, Air Intelligence Agency, and more, participating in missions ranging from homeland defense to offensive operations around the world. 

He served in the Balkans during the Yugoslav conflict, assisted with national defense efforts in South Korea and supported intelligence and counterterrorism missions around the globe, including working in conflict zones such as Iraq and post-9/11 Afghanistan.

Now, having shifted into civilian life, Combs is the chief information security officer for DFIN, where he says the security requirements are less dramatic but equally challenging.

“I have been at the forefront, or the tip of the sword, in a similar battle — one that is equally complex and challenging,” he says. He adds that his transition into civil cybersecurity occurred at a time when widespread access to the internet truly took off, drastically changing the way people live, work and communicate.

After spending several years as the director of national network security for one of North America’s largest wireless telecommunications providers, Combs joined DFIN in September 2016.

In this interview, Combs reflects on the success stories he’s witnessed — and orchestrated — at DFIN. He also highlights some of the unique security challenges faced by financial companies and addresses common misconceptions about his role.

He spoke with us from his office in Chicago.

When you started at DFIN, what were some of your first impressions?

I realized that while cybersecurity was very important here, they took a different approach — one that was positioned around global solutions that span multiple industries and a complex regulatory landscape. 

I felt that we needed to adopt a different strategy. I’ll tell you why.

Our entire business is based on building and offering software products and services to our clients. We are effectively a product and a Software-as-a-Service company. We house millions of records that are uniquely valuable.

In 2016, Uber had a data breach that affected more than 50 million clients and drivers. Like most organizations — when they think about a breach — the impact was determined by how many people are affected. That number drives the negative value of that breach.

But for us, we may feel a significant impact with only one affected record.

For example, we recently helped a major client through the IPO process. If even one record were to be compromised prior to their IPO, that could have had a negative value equal to 50 million Uber records having been breached.

Our business warrants a much, much more focused effort on understanding who does what, where, when and why on our network.

What were your top priorities after taking the security helm?

We needed to build strong security, governance and privacy teams comprised of top talent. This wasn’t easy to do given today’s demand for these skill sets.

We had to establish a mature governance risk and compliance program to ensure that we were not going to fall short of our regulatory and/or contractual obligations.

We also had to build a technical security capability and infrastructure, with a strong emphasis on security monitoring capable of combating advanced, persistent threats from bad actors around the globe. 

Finally, we had to ensure that we had appropriate data privacy programs in place to align with the European Union and other privacy laws and regulations that exist across the globe.

How successful do you believe you and your team have been?

We’re pretty proud, to be candid about it.

We were recently nominated — it’s my name, but really, it’s a recognition of “we” — for the Information Security Executive North America Award. My competitors were with giants like U.S. Bank, Bank of America and some other incredibly impressive organizations.

I didn’t win, but what matters is that we were nominated. The trajectory of change that we had to apply as a team was very steep — in terms of technology deployment, but also from a business process perspective. We’re building a leading security system while ensuring that we don’t negatively impact the business’s growth or revenue.

What’s been the most rewarding part of your career in civil cybersecurity?

Earlier this year, there was a large phishing campaign that was highly effective. It targeted thousands of companies, including hundreds of employees and users, and made international news. The DFIN cybersecurity team was one of eight organizations that helped bring its command and control server down.

Do you think people you meet — say, at a dinner party — have a good understanding of what you do? Or have you heard many misconceptions?

The initial assumption is that a person in my role is sitting in a dark office, with the lights off and a hoodie on. There’s this belief that we’re behind the keyboard, that we’re a hacker hiding in the corner of some IT organization’s basement.

Sure, we have highly capable security engineers, and years ago we were less known across the company. However, the reality is, we’re now at the board level. We’re in the strategy sessions helping to define requirements for the products and services that we offer to our clients.

Because cybersecurity has become so important — privacy is now the law in most of the world — we’ve moved out of IT and have really taken a seat at the table for business conversations.

We’re certainly on the front lines of the cyber warfare battlefield each and every day. Our team is comprised of some of the sharpest minds in the industry and I’m confident in our abilities to protect both DFIN’s and our clients’ data. That said, it takes everyone in the entire company to be secure. Whether it is those who are writing code and are cognizant of security use cases, those in client services who are handling our clients’ information or those in HR, the whole company must be intensely focused on security. As the great General Patton said, “you fight like you train,” and we train very well.