Frank Taylor: Better Processes Lead to Tighter SecurityIf the now-retired Air Force Brigadier General and first-ever GE CSO ever got the memo about career specialization and 'nichey' expertise, he apparently forgot to read it.
If Frank Taylor ever got the memo about career specialization and 'nichey' expertise, he apparently forgot to read it. Just look at his background: He's an expert in physical security and cybersecurity; a career military guy who also dove into the deep end of the private sector as General Electric's first CSO; and someone who's as comfortable talking process details as he is big-picture policy goals.
These complementary skill sets were more a by-product of opportunities presented than any kind of calculated career plan or time table, according to Taylor, officially retired from his title of Air Force Brigadier General but unofficially still working hard.
"I've been lucky enough to be assigned all these different kinds of places and, through them, was able to learn more of the secret sauce to developing my leadership philosophy," he says.
Taylor's diverse background ensures his insight and expertise are still sought out on security policy and process issues. He surfaced recently at the RSA Conference in February to speak about the need – and tremendous challenges – associated with information-sharing to protect and defend critical infrastructure such as the national electrical grid.
Information-sharing is a team sport, he said during a panel session. As such, it "takes team players, especially when our adversaries are very good at what they do," he added.
In other words, there's no going it alone, especially when critical infrastructure is at risk.
For Taylor, being part of the military was a lifelong passion; he was active in ROTC during his undergrad years at Notre Dame in the late '60s. Unsure what he wanted to do in active duty, Taylor applied for a position at the Air Force Office of Special Investigations (OSI), whose mission is to identify, investigate, and neutralize criminal, terrorist, and espionage threats to the Air Force and the Department of Defense (DoD).
Taylor was accepted as a trainee in 1970. (Of note, OSI is one of the most requested career choices for Air Force officers, second only to pilot training.) While he had no experience as an investigator, he did have a degree in international studies. "That started my career in counter-intelligence," Taylor says.
Photo: Francis X. Taylor
He describes his tenure at OSI as both formative and destiny shaping. OSI's Taylor served as head of assignments and learned the organization's development process. A subsequent role as executive assistant to the commander helped him with management and leadership skills.
And given it was the mid- to late '70s, Taylor became immersed in Total Quality Management (TQM) and the work of its high priest, Jonathan Deming. One cornerstone of TQM addresses standardizing processes for tasks, measuring outcomes, and ensuring continuous improvements. While he learned to test and refine his own approaches in the military, TQM proved pivotal for Taylor over the rest of his career. Long before the Internet was a gleam in Vint Cerf's eye, Taylor and his OSI colleagues accurately foresaw the need for cybersecurity investigators as computers were emerging as a new battleground for terrorism and war.
"I began working on cybersecurity in 1994, and we hired computer experts and taught them how to be investigators," Taylor explains.
While the FBI takes credit for uncovering the Moonlight Maze incident in 1999 – one of the first reported cyberattacks on the US by the Russians – it started as an OSI investigation in 1996. Taylor says the investigation helped establish processes to uncover how enemies exploited US computer systems – and how to prevent such infiltration.
"Issues, process, tools … that's how I've approached security in my career," Taylor says.
Taylor eventually became the commander of OSI; from there, he took a higher profile in counter-terrorism after 9/11 and subsequently joined the State Department to handle diplomatic security. As he was preparing to leave that job in 2004, his resumé made its way to General Electric. That same year, the Indonesian tsunami rocked the Asia-Pacific region and the international economy. The disaster also amped up concerns within GE that it lacked a proper global view of security, couldn't efficiently assess its risk, and lacked a crisis management strategy.
After four interviews, GE hired Taylor as its first chief security officer, and he immediately merged the physical and cybersecurity functions. He worked to identify risks, then mitigate or eliminate them. The tools and processes he added were tested soon enough with Hurricane Katrina (2005). Whereas just the year before, it took GE almost three weeks to measure the impact of disasters on its employees and businesses, Taylor reports the changes he spearheaded helped reduce that calculation to an hour.
His last federal appointment was Under Secretary for Intelligence and Analysis in the Department of Homeland Security, which he left in early 2017. Since then, he has worked part-time with Cambridge Global Associates as a senior adviser, advising the DoD and contractors around issues of security and policy. He has also written a few opinion pieces on 9/11 and cybersecurity and 5G's security problems.
"I also teach a course at Notre Dame; I go there once a week," he adds.
For Taylor, the ongoing challenge for security professionals of all stripes is how to continue to apply the basics of security and protect whatever you're trying to protect with the tools that are available.
"You're not Wyatt Earp anymore guarding Tombstone – the risks are global," he observes. "The world we operate in and the tools we use are new and require a certain degree of ingenuity. The bad guys understand the vulnerabilities as well as we do. Our job is to work hard to stay ahead of them."
Next Page: Taylor gets personal.
(Image: Adobe Stock)
Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio
1 of 2