CTO Works To Help Customers Identify Vulnerabilities
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security (infosec), cybersecurity and/or information governance to protect data and transactions at credit unions and other financial institutions.
Michael Gray, CTO at Foxborough, Mass.-based Thrive, a merchant service provider (MSP) and managed security service provider (MSSP), works to protect organizations across business sectors and of various sizes – including credit unions and other financial institutions. Thrive works with 2,500 organizations globally, with more than 500 of those in the financial sector.
“With a wide customer base spanning a variety of industries, from the financial sector to education organizations and healthcare entities, Thrive has consistent exposure to all different types of systems and attacks and is well-equipped to handle them all,” Gray told Finopotamus. “A steady stream of offerings and updates are consistently being developed, such as our recently released incident response and remediation offering and dark web monitoring offering.”
Gray sat down with Finopotamus to provide some personal, business and cybersecurity background. He also offered some perspective on where he sees organizations being most vulnerable, the best practices for training staff, and steps financial organizations can take to improve their cybersecurity position.
Growing into Technology
Gray grew up in what he calls “the great state of New Hampshire with an interest in technology from an early age. I built my first computer in eighth grade.” Later, he attended Northeastern University (1998-2002) in Boston. There he earned a Bachelor of Arts in business administration and took advantage of the school’s “well-known co-op program” to gain entry into the technology sector.
He had the opportunity to hold network administrator positions at Bizland, Inc. (acquired by Constant Contact) from 2000-2001, and Dove Consulting (acquired by Hitachi) from 2001-2002. After graduation, Gray spent five years (2002-2007) at Praecis as a system administrator. In 2007, GlaxoSmithKline acquired Praecis.
Shortly after, in 2007, he started at Thrive as a consultant. “In my career prior to Thrive, I was able to experience how IT needs to scale with businesses as they change and grow, and it was a unique opportunity to be a part of so many enterprise acquisitions so early on.”
Thriving in Information Security
Gray recalled that when he came to Thrive, he started as the director of network operations and worked his way up to the position he now holds, chief technology officer. “My experiences at Thrive over the past 17 years have further shaped my views of how different businesses interact with technology and security to suit their core needs,” he said.
“In this role (as CTO), I get to talk with our customers on an ongoing basis, giving me great insight into what is working and what is not. These conversations help me determine what is next for Thrive’s product development strategy to make sure we are addressing our customers’ needs and giving them the best tools possible.”
Gray noted Thrive’s mission as an organization “is to provide a robust technology platform with great service at a manageable cost, so enterprises, the mid-market, and SMBs (small and medium businesses) don’t have to overpay or be underserved to have world-class IT infrastructure.” He pointed out Thrive offers a comprehensive list of services across cybersecurity, cloud, and managed services to protect businesses from various types of threats.
“My job is to help our customers identify where vulnerabilities might be and make sure we recommend and deliver the right mix of technologies and solutions that allow them to operate without disruption,” Gray told Finopotamus. “We take care of the security stuff so they can focus on what they do best – running their business and serving their customers.”
Threats from Within
When Finopotamus asked, “What threats keep you up at night?” Gray responded, “To be honest, it is not a specific threat that keeps me up at night. It is when we identify vulnerabilities in a certain company and they decide to not do anything about it. At that point, it is a waiting game – something will happen; we just do not know when.”
He explained further, “The reality with cybersecurity is that if you do not invest now to patch up vulnerabilities and protect yourself against threats, you will pay later. We have seen this play out time and again.”
Gray acknowledged that, when looking to cut spending, many organizations think that as long as they have standard cybersecurity protocols in place they are covered – and see cybersecurity as “just another cost.” However, he disagrees with that assessment.
“It is not just another cost. According to IBM, the global average cost of a data breach in 2023 was $4.45 million. That is enough money to put a small business, credit union or other organization into financial ruin, yet it still does not seem to be enough to take cybersecurity seriously – which is a problem. If MGM, Change Healthcare, Christie’s, and other major organizations are vulnerable, so is every small to mid-sized business, and organizations have to take that threat seriously.”
Top Cybersecurity Dangers to Credit Unions and Other FIs
Gray admitted Thrive currently sees an increase in ransomware and phishing schemes across industries. Bad actors use generative AI to mass produce emails, inquiries and even video deepfakes to initiate and carry out these attacks. “As always, properly training staff and making sure the right tools are in place can go a long way to reducing the likelihood of these attacks being successful.”
For financial organizations, specifically, Gray suggested they need to look out for third-party risks. “As business systems grow in complexity, so does the risk of vulnerabilities, exploits, and security breaches.”
Said Gray, “Software you use every day to conduct business can have vulnerabilities that you don’t realize, meaning that the credit union’s data – and more importantly, (member) data – can be put at risk.” He explained that in the short term this can be a serious compliance headache, but in the long term a breach of data usually results in a breach of trust – and can have a serious impact on people willing to do business with your organization.
“Finally, especially smaller banks and credit unions tend to face resource constraints, meaning that cybersecurity initiatives are probably not getting the attention or investment they need,” held Gray. In addition to budget shortfalls, some organizations typically suffer from a dearth of qualified individuals to help identify, monitor, and mitigate threats. “A lack of IT talent and tools can be a cybersecurity disaster in the making – and is often why companies will look to outsourcing IT and security to make sure their bases are covered.”
Thrive’s Cybersecurity Operations
Gray pointed out that Thrive has a comprehensive list of cybersecurity solutions, with offerings called Automated Penetration Testing, the newly released Incident Response and Remediation, Managed Detection and Response, Managed NextGen Firewall and UTM (unified threat management), Vulnerability Management, End User and Workstation Security, Real-Time Managed Endpoint Detection and Response Service, Cybersecurity Mesh Architecture, and a Cybersecurity Bundle.
“Thrive’s team of industry experts work with organizations to not just secure their tech stack, but also to continuously train their employees and in-house IT professionals on how to prevent cybersecurity attacks and be a collaborative partner for the organization,” said Gray. He added that Thrive’s security experts are constantly staying up to date on emerging technologies and best practices, with over 900 technical certifications within the organization.