Liner Notes: Nick Sherwood

Welcome to Liner Notes, where I reveal the stories of Moody’s colleagues and other guests who are moving the financial industry forward. Up this month: Nick Sherwood .

Thank you for joining me, Nick. Let's start by getting to know more about your role.

My role at Moody’s is Chief Information Security Officer, which means I’m responsible for protecting our people, data and technology from cyber threats. This involves setting the cybersecurity vision for the company and implementing solutions that help protect it.

Among other things, my team works with engineering groups across the organization to ensure cyber resiliency is integrated into our design processes and the control functions to make sure we’re meeting our regulatory requirements around the globe. Our employees are the first line of defense, so training them in the latest tactics and techniques used by cyber criminals is also important.

Agreed that everyone has to play their part in Cyber! How did you get into this area?

I started my career in technology infrastructure and architecture after receiving my degree in computer science and psychology. This solid foundation helped me land a position as a Cybersecurity Engineer, where I was responsible for implementing solutions such as multifactor authentication, firewalls and remote access systems – having this broad knowledge enabled me to move into management roles and where I am now.

With cyber becoming an important focus area, how have your role and responsibilities as Chief Information Security Officer evolved into what they are today?

Over the past decade, the impact of cybersecurity events has risen, motivating organizations to invest in resources to protect themselves against ever-changing risks. I’d say the biggest change is that in the past cybersecurity teams may have been viewed as a blocker to the business, whereas now they’re a trusted partner to help securely enable the business.??

The impact of these events has surely motivated us to focus more on cyber – both in terms of managing risk and how we can help our customers. Can you speak more of the importance of it?

Today’s threat landscape makes reducing cybersecurity risk a must – it's a shared responsibility across the business, rather than just a technical problem. Criminals have monetized computer crime, costing businesses billions of dollars annually. Their ability to orchestrate attacks combined with the interconnected world we live in gives them an enormous attack surface, which has increased due to the pandemic, digital transformation and internet of things.?

How has the increase in cyber threats impacted our approach to building cyber resilience in order to manage risk? ?

We have a strong culture of cybersecurity across Moody’s - this translates into building resilient, secure solutions for our customers using a security first approach. It starts with leveraging leading-edge technologies to educate our employees about the latest tactics and techniques used by cyber criminals. Our cybersecurity team is also embedded early on into the architecture and design phases of projects, which is important because you can’t just bolt on security.?

What tools and capabilities does Moody’s have to empower companies to build resilience and incorporate cybersecurity intelligence into corporate decision making???

Last year, we invested $250 million in BitSight , a leader in cyber risk quantification, because it is becoming increasingly important to consider cybersecurity when measuring the risk of an organization or sector. We’ve seen the disruption that ransomware and supply chain attacks can cause, as well as the importance of understanding your third-party risk in measuring risk exposure. In fact, leveraging BitSight data, we recently published our 2022 cyber heat map, which reflects how we think about cyber risk from the perspective of credit, applied across 80+ global rating sectors. And we’re incorporating cyber analytics and BitSight scores into an increasing array of risk assessment solutions, ranging from Know Your Customer to supply chain.

Speaking of BitSight, can you talk more about how you are using BitSight to improve Moody’s own cybersecurity?

We use BitSight to identify and prioritize areas that need improvements and make decisions with third parties by better understanding their security posture. Examining the digital exhaust of a company’s technology footprint along with their overall internet-facing security posture is a great way to reveal what’s happening in the rest of their technology ecosystem.

As we think about the future, what’s next on the agenda for cyber at Moody’s?

The field of cybersecurity and the threat landscape are always changing – there’s never a dull moment for those of us working in cyber! Due to the amount of information collected by data brokers and social media platforms, people are a growing target for cyberattacks; this data is then stitched together and leveraged by criminals in creative ways to attack organizations. Data science has a key role to play in protecting against attacks – we need to increase capabilities around detection and response time since threatening factors leverage automation.

On the horizon of cyber, quantum computing will have a massive impact on computer power and there will be many implications to the cybersecurity field because modern encryption methodologies will be able to be decrypted at real time speed.

What do you love most about working at Moody’s?

What I love most is the talented people I get to work with – having a global footprint means having the opportunity to work with people from all over the world with unique backgrounds and skills. This type of culture makes Moody’s an awesome place to be and a company that I’m proud to work for!?

Couldn’t have said it better myself Nick, we have a special culture here! Who is someone in your life who has inspired you? ?

Regarding my career, there is someone in my life who gave me my first opportunity in cybersecurity - I had no idea how important cyber risk would become to an organization and in turn how the demand for cyber talent would increase. He also taught me the power of having an awesome team and passing along the sage advice that if you’re the smartest person in the room, then you’re in the wrong room. In a field as complex as cybersecurity, one person won’t have all the answers – it's a team effort!?

And finally, what career advice would you like to share? ?

Remember that you own your career – so seek out mentors and try to surround yourself with positive influences. Having a great mentor as a sounding board can help you avoid having to learn bad lessons firsthand. I’d also add that navigating to the sweet spot of what makes you happy and what you excel at is up to you.?