ATC Weekend Update February 4

A Letter From Quincy

Quincy Cooper

After a year and a half serving as the Director of Operations, I’m both saddened and excited to announce that February 15 will be my last day with ATC. After the 2016 CEO Summit, I let Barbary know that I was starting to think about my next move. One thing quickly led to another, and before I knew it an opportunity had presented itself. But not to worry! I’m not going far, and I’m confident that Barbary and the team will take ATC to great new heights in 2017.

As we’ve been working through finding my replacement, a common question I’ve encountered in interviews is, “What’s your favorite part of the job?” Without any hesitation, I reply, “The people.” As the org structure changed late in 2015, so did my role. What was supposed to be an “under the hood” type of position turned into a people-focused, customer-facing job. I quickly realized the love and support that our members, partners, and Board of Directors have for ATC and the ATC staff. I think it’s rare to be surrounded by people who not only want you to succeed, but want to help you succeed in any way that they can. I’m constantly being asked how I’m doing, and people are always offering up help in one way or another. I’ve never experienced anything like that in a work place, and I can’t thank you all enough for creating a comfortable and happy environment to work and grow in.

ATC has been my home, and those involved became my family on day one. I’ve made invaluable relationships, both professionally and personally, that I will forever be grateful for. Some of my favorite memories in life came about from working here, and I imagine that list will continue to grow. So to those of you who helped make ATC so special, I thank you thank you and thank you some more. You could never know the impact you’ve had on my time at ATC, and on my life.

“Happy trails to you until we meet again.” – Dale Evans

Ten Years Later: How Our “Four I” Values Have (Or Haven’t!) Changed

By Mark McClain

I’ve been an entrepreneur for many years now (check out that gray hair in my picture on our website!), and in my experience I’ve learned a lot about what it takes for a company to succeed and grow. Now you may be thinking it’s surely all about the right product at the right time, or adequate funding (and those things certainly help), but I truly believe that the best companies succeed over the long haul because of their people and their values. Look at Southwest Airlines, the nation’s largest (and arguably most successful) airline, and a company that wholeheartedly puts its business in the hands of its employees and their track record of incredible customer service. Sure, they make sound business decisions that help the bottom line, but Southwest Airlines will be the first to tell you they’re nothing without their people and values.

Likewise, I firmly believe SailPoint’s success is directly tied to our Core Values, also known around here as the Four I’s:

Mark McClain, CEO
  • Innovation: We develop creative solutions to real customer challenges
  • Integrity: We deliver on the commitments we make.
  • Impact: We measure and reward results, not activity.
  • Individuals: We value every person in our company.

These are values that my co-founder Kevin Cunningham and I both believe in wholeheartedly, so much so that we’ve used them in previous ventures and continue to pursue them at SailPoint as we grow and evolve. These core values are the cornerstones of our corporate culture, and will continue to serve us well as we grow.

With more than a decade in the identity governance industry, SailPoint is large-scale, high-growth, pre-IPO company. We’ve seen many changes from the days of when we hosted company meetings around a small conference room to our truly global workforce of more than 650 team members spread around 20 countries. There are many, many new faces interspersed with the folks who’ve been around awhile as I walk around the office today than there were even a year ago. With these changes and rapid growth, it’s a daily challenge to manage a rapidly expanding workforce while maintaining our company values and culture.

As we continue to scale our business, there are complex operational issues that can’t be hashed out around the pool table. We’re working with employees across the globe, necessitating more systems and processes. As we make these necessary changes to facilitate our growth, there’s a temptation to take our eyes off the core values because there are simply so many other logistical and strategic challenges to manage. It’s in these times that the core values become more important than ever, because they provide clarity into “how and why” we make the decisions we make. I’m thankful our executive team truly believes in these values, because we hold each other accountable to them when making these important business decisions.

Our desire (and challenge) is to continue leaning on these values as we scale our operations, with a focus on not losing the personal and emotional connection we have as a company. When I visit our employees in Pune, India, or Tel Aviv, Israel, or New York City, I want them to feel the same connection to the SailPoint culture that our employees do at our headquarters in Austin. As we continue to grow our business across the globe, we have to make sure our values are being felt and implemented across the company.

In short, it’s a work in progress. We developed our core values to be independent of scale, and they have served us well from our early days as a startup to a global, complex enterprise business. The challenge is ensuring that our core values are consistent and relevant to all of our teammates as we move into our second decade as a business. Our growth isn’t slowing down any time soon, and my goal is to make sure the Four I’s feel just as right and real and true as ever to our people and our work.

Wortham: Social Engineering Fraud

A new modern-day crime has many companies learning an expensive lesson about the importance of strong internal control procedures.  The crime is commonly known as Social Engineering Fraud or Impersonation Fraud, and it all starts with a seemingly innocent “notice” from a trusted vendor, business partner or employee.  The notice includes either a request to change an existing account number used for wire transfers, or a simple set of instructions from the company CFO to wire transfer funds to a bank in a foreign country (with China the leading country of choice).  Acting in good faith, the employee who receives the alert typically complies with the request.  Nanoseconds after issuing the “send” command, however, the funds disappear into the ethernet.

Companies that fall victim to these types of crimes typically report their social engineering fraud claims under one of two Crime insuring agreements – Computer Fraud or Funds Transfer Fraud.  Given the typical exclusions in these agreements, however, coverage may not extend to these types of losses.  Here are thumbnail descriptions of both:

       Computer Fraud typically involves a direct loss of money sustained from the unlawful taking of money resulting from an unauthorized entry into or deletion of data from a computer system committed by a third party.

       Funds Transfer Fraud typically centers on direct losses sustained from a third party’s fraudulent written, electronic, telegraphic, cable, teletype, or telephone instructions –purportedly issued by an organization and issued to a financial institution – directing delivery of monies from an account maintained by the organization, without such organization’s knowledge or consent.

Some insurance companies have denied social engineering crime claims under both of these insuring agreements. The top three justifications cited are :

       Payment instructions were received via email – even from “fraudulent” sources – and emails are considered “authorized entries” into a computer system

       Funds were transferred with an organization’s knowledge and consent, rather than “behind someone’s back in the dead of night.”

       Language in the company’s crime policy excludes losses arising out of any employee acting on the insured’s authority being induced by a dishonest act to “voluntarily” part with money or securities.

Carriers recognize that coverage for social engineering fraud involves many shades of gray, and they have begun offering targeted coverage available via endorsement. Many domestic carriers are now sublimiting the coverage they offer to $250,000 or less (with higher limits considered on a case-by-case basis). Some of these carriers are building into the endorsement itself very specific internal control language that must be followed by the insured. And of course, supplemental applications are standard as part of the underwriting process.

Sublimits may not provide sufficient protection for larger insureds. To address the need for higher limits, Wortham has developed an exclusive facility in Lloyds of London to provide limits of up to $100 million to cover Social Engineering Fraud. Given the proliferation of social engineering fraud, companies should investigate whether they have or should obtain this coverage.