James Edgar’s wide range of experience protecting public- and private-sector organizations from cybersecurity threats has helped him hone his ability to see the whole picture when it comes to cybersecurity.
Edgar came up through the ranks in network engineering, earning his first information security officer role at the Georgia Department of Corrections after working as a consultant for the agency. “At the time, the state of Georgia was looking to form a new organization called the Georgia Technology Authority, pulling the technology areas of all different agencies within the state.” With that initiative, the state developed cybersecurity standards and established the information security officer position. At the Georgia Department of Corrections, the second-largest agency in the state, Edgar helped integrate the technology functions of each Georgia agency under the Georgia Technology Authority umbrella while securing the data of the state’s 34 correctional facilities.
After securing the Department of Corrections’ networks for a number of years, Edgar stepped into a new role at ChoicePoint, now owned by LexisNexis, to help build out their cybersecurity function as the company dealt with a breakdown in business practices and an FTC audit. “It was a great opportunity to step into an environment and a program that was obviously under a lot of scrutiny, but getting a lot of support from executives.” There, Edgar played an integral role in maturing the organization’s cybersecurity function, overseeing encryption practices and expanding the corporate cybersecurity policy.
Edgar then moved to Cox Communications, where he grew into senior management roles, leading their security architecture program and third-party risk management efforts. From there, he moved to Elavon, a payment processor and subsidiary of U.S. Bank, where he led their security architecture and assurance teams and helped to mature the financial organization’s cybersecurity program. As he rose through the cybersecurity ranks, Edgar developed programs that matured alongside his career.
Now, Edgar holds the role of Senior Vice President, Chief Information Security Officer (CISO) at FLEETCOR, a corporate services and business payment firm. As the organization’s second-ever CISO, Edgar leads the company’s Global Information Security team, which covers North America, South America, the U.K. and Europe, with some connections in the APAC region.
The Global Information Security team covers a number of cybersecurity goals within the organization and with its external partners. One team within Global Information Security focuses on incident response, security operations and vulnerability identification and remediation. The security engineering & consulting team ensures that FLEETCOR and its clients have the proper controls in place to support growth and update existing solutions. “They’re kind of the frontline to ensure that as we develop, grow and build up frameworks around our program, they are being applied properly and we have the right controls, tools and processes in place.” Another team works on IT governance, compliance and risk efforts, covering over 20 audits and assessments that the organization undergoes each year to ensure a competitive and compliant cybersecurity posture.
FLEETCOR has business information security officers (BISOs) throughout its regions as well, who help to infuse the company’s cybersecurity practices with location-specific intelligence. “As organizations get bigger and they get spread out, it’s very difficult to manage everything from a central location. When everything is funneled through one area, it helps to have engagement with the lines of business (LOBs),” says Edgar. “That’s why these business information security officers are so critical to success. They ensure that local CIOs are engaged with our cybersecurity program, that we’re meeting compliance requirements, and that risk is being addressed within those LOBs.”
Growth has been a common theme throughout Edgar’s career, and FLEETCOR is no exception. “We’ve quadrupled the Global Information Security team since I started here. With a truly global team, we’ve been able to bring in a lot more maturity to the program.” A business-critical aspect of FLEETCOR’s cybersecurity team is ensuring the security of the company’s mergers and acquisitions (M&As). FLEETCOR has acquired over 100 companies in the last decade, and Edgar’s team works to reduce risk and ensure compliance as those organizations merge. Edgar foregrounds compliance to ensure security during these business transitions. “Of course, every acquisition is unique, but there are fundamentals that you want to follow. From a security standpoint, it helps to start with a compliance framework. From there, because a lot of these companies are private, smaller businesses that didn’t grow up in the world of SOX regulations, you go in and help them understand what it means to be part of FLEETCOR.”
Training newly acquired companies on how to deal with that cybersecurity “culture shock,” as Edgar calls it, is one of the most critical aspects of securing a business during and after M&As. By taking the time to explain the cybersecurity programs implemented in their environment after an M&A, large companies can help small businesses understand the need for cyber compliance, says Edgar. “It may not happen overnight,” he says, but emphasizing and expanding policies, security standards and compliance can help provide a framework for acquired businesses to bolster their cybersecurity programs. “It really comes down to instilling a culture. We need to make sure that security is everybody’s job. Everyone’s a part of that process, and it only takes one person to click on the wrong link.”
That security culture conversation extends from M&As to internal boardrooms as well. Edgar says he’s seen a shift in the way cybersecurity & compliance are talked about in the C-suite. “Businesses realize the importance of engaging security,” he says. “Security is really about enabling the business and helping them understand that if we want to be more competitive, security is a big part of that. At the end of the day, compliance doesn’t equal security, but if you do security right, you’ll be compliant.”
Edgar says that throughout all of the industries in which he’s worked, protecting data comes down to building a security-minded culture within the organization. Whether it’s impressing upon a corrections officer the importance of avoiding suspicious websites or training executives not to click phishing links, cybersecurity starts with everyone building security awareness across the organization. “Cybersecurity really is a team sport. As I’ve gone through my career and moved up the ladder, it becomes more and more important.”