‘Our profession has a high burnout’: A day in the life of Paul Tucker, chief security and privacy officer at BOK Financial
- Paul Tucker started out in marketing before transitioning to IT and information security.
- This is a day in Tucker’s life as he leads a team of cyber defenders against the world’s hackers.
Paul Tucker is the senior vice president and chief information security and privacy officer at Bank of Oklahoma (BOK) Financial. In this role, Tucker leads the cybersecurity team responsible for the bank’s efforts to protect information important to the bank’s operations while ensuring the bank’s overall cyber resiliency and its customers’ privacy.
Tucker’s a native Oklahoma boy -- his kids are fourth-generation Oklahomans, and Tucker’s pretty deeply invested in the community, having run the local youth club for a decade as one of his community interests. Though he graduated with a marketing degree, he didn’t feel like that kind of work was a good fit for him. His best friend, on the other hand, worked in technology and helped him transition to working with computers and IT. Tucker eventually worked his way into multiple security positions, and ultimately into management.
As chief information security and privacy officer, Tucker oversees cybersecurity, risk management, data privacy and online digital security solutions for ten markets -- but all of that can be a mouthful. If you ask Tucker, he sees himself as a hero in a good-versus-evil, hero-versus-villain epic.
“I tell people that I lead a group of cyber defenders who protect consumer money and data from hackers,” says Tucker.
Tucker is usually awake by six in the morning. He spends the first hour of his day consuming a breakfast of eggs and turkey while mulling over research articles that help him become a better leader. On his 25-minute commute to work, Tucker sometimes listens to music, TED Talks or podcasts on topics he knows nothing about. Sometimes it will be on a subject as benign and inconsequential as gardening. Other times, he’ll find himself diving headfirst into a subject that’s in direct opposition to his personal positions.
“That way, it’s not about cybersecurity,” says Tucker. “As passionate as I am about this profession, it can start to wear on you.”
About the time everyone gets into the office, they have what is called a ‘common operational picture’ meeting.
“It’s a military term,” says Tucker. “Generals used it as a concept to collaborate and give situational awareness to their teams.”
Tucker very much sees himself as a general, his team as his soldiers and the meeting as an exercise in cybersecurity war games. For the past 15 years, Tucker has held these meetings between 8:30 am and 9 am to go over attacks that BOK Financial experienced or fended off over the past 24 hours. They also dissect attacks experienced by other companies to make sure those don’t happen to BOK.
The rest of his day can be divided into three buckets -- meetings, emails, and phone calls and PowerPoints.
Tucker receives a ‘tremendous amount of threat intelligence’ in his inbox from firms like The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium dedicated to reducing cyber risk in the global financial system.
Growing up in sports, Tucker developed a harsh competitive streak and he’s carried that competition to the workplace. He says it’s really helped him develop ‘tremendous grit’ in this job.
“Attacks can come millions of times a day. We have to be right millions of times,” says Tucker. “The hacker just needs to be right one time.”
He says that when he was working in IT, his adversary would have been whatever technological challenges the hardware or software would throw at him -- which he found pretty monotonous and safe. Now that he works in information security, he’s directly interacting with someone who’s trying to do him and his company harm.
“[In cybersecurity] there’s a human on the other side who’s my adversary who’s trying to get something that I have that I don’t want them to have,” says Tucker.
Tucker also often fields calls from project leaders and works on a digital roadmap for projects that need a level of cybersecurity, so that when a new product is deployed, it is a secure product. Similarly, he’s also tasked with several managerial responsibilities that include governance meetings to comply with regulators as well as internal and external audits. He’s also often dealing with customers or clients who’ve read the news on ransomware and want to know how the bank is mitigating privacy and security risks.
Tucker admits the job is extremely stressful.
“If you don’t manage it appropriately, it can definitely consume you,” says Tucker. “Our profession has a high burnout.”
To keep himself grounded, Tucker visits the local YMCA four nights a week to take exercise classes with friends who promise to hold each other accountable. Three of those four nights he does yoga. In his spare time, often on the weekends, Tucker will gather the wife and kids and take their newly bought camper to a nearby lake -- a great way to disconnect, considering there’s usually no cell phone coverage in those areas. He and his family have gone on these getaways 10 times during the spring.
Despite the high pressure, there’s little Tucker would change about his job.
“I’ve been doing this for 23 years and I can’t imagine myself doing anything else,” says Tucker.