Derek Blyler loves mathematics so much that in conversation he casually quotes a high school math teacher.
The teacher described math, Blyler recalls, as both the queen of and handmaiden to all forms of science. In other words, math is the raw material and ruler of numerous fields of knowledge. Those fields include the effort to make the technological underpinnings of the nation’s financial system as safe and secure as possible.
Just ask Blyler. An applied mathematics major from Georgia Tech, the 10-year Atlanta Fed veteran recently moved into one of 28 jobs across the Federal Reserve System focused on an increasingly critical link in the financial IT infrastructure. That link: big service providers, such as payments processors, credit card issuers, and mortgage servicers whose IT systems are tied to those of banks.
Of course, it is crucial that financial institutions safeguard their own systems. At the same time, third-party firms working with the institutions can serve as a back door for hackers aiming to loot sensitive bank customer data. So over the past several months, the Fed System has launched an initiative to deepen its scrutiny of the cybersecurity apparatus of outside service providers that touch financial institutions.
Landing one of the 28 new cybersecurity appointments was not easy. Blyler underwent a rigorous national screening process.
Now he is among the leaders in updating the Fed’s framework for instituting and enforcing cybersecurity standards at major IT service providers. The job requires technical skills and know-how, to be sure. But that’s not all. Blyler’s patience and ability to explain technical concepts to nontechnical people is crucial, says his colleague Marcel Cottman, a director of examinations at the Atlanta Fed. He describes Blyler as smart, calm, and level-headed.
"Derek is helping to redefine how we evaluate service providers, and how we think about what they're doing to protect consumer data," Cottman says.
Part IT geek, part diplomat
Indeed, there's more to Blyler’s job than numbers. He must finesse tricky interpersonal situations. For starters, the service providers tend to guard their inner workings, which many view as proprietary competitive advantages.
So Blyler often has to convince skeptical service providers, who are unaccustomed to financial regulation, of the need to shore up their security to comply with new rules. He deals with highly accomplished IT professionals. And they don’t always welcome an outsider questioning their information security practices, he says.
Blyler’s skill in diplomacy can defuse tension, Cottman says, backed by a thorough knowledge of cybersecurity. He is among a small group of Fed supervision and regulation staff members who hold advanced certifications in information security systems and the auditing of those systems.
As Blyler negotiates complex interactions with supervised entities, he also acts as a liaison between examiners on the ground and policymakers in Washington, D.C., from the Fed, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC).
These exchanges can be delicate, he explains. Washington-based Fed staff are mainly concerned with formulating the best possible regulatory framework to apply across the financial system. For their part, on-the-ground examiners are more interested in the details of the particular examinations in which they are immersed.
In seeking to bridge that divide, Blyler functions as a translator "between the macro and the micro."
Shaping cybersecurity regulation is complex. Over several weeks this fall, Blyler and colleagues are piloting the Cybersecurity Examination Tool, or CET. After applying it at a handful of large service providers, he and colleagues from the Fed and other regulatory agencies will synthesize results, get feedback from examiners and the industries, and then refine the tool and the larger cybersecurity regulatory approach.
Piloting a major new method will challenge all Blyler's reserves of tact, says Maria Smith, an assistant vice president in the Atlanta Fed’s Supervision and Regulation department. In convincing teammates to adopt a new set of techniques, you are bound to encounter differences of opinion and even resistance.
"Finessing his way through those situations is critical," Smith says.
So is winning the trust of officials at other regulatory agencies. The Fed, the OCC, and the FDIC share responsibilities for regulating the service providers. For each major provider, the agencies take a lead role on a rotating three-year basis. Thus, each agency has an equal stake in the outcomes, and an equal voice.
"So you have to have interpersonal savvy to get the other regulators to come along," Smith says. "You have to work with them day in and day out."
Drawn to the logical
Blyler is drawn to logic. He relishes the systematic, orderly quest for answers, for solutions to problems. Math, for him, is the perfect manifestation of this. It’s also why in off hours he loves gaming—video games and board games.
"You have a set of rules, a framework, a set of constraints," Blyler says. "What's the goal, and how can I get there?"
Blyler began working at the Atlanta Fed as an intern. He ended up staying because he was able to use his math and computer skills and because the headquarters is an easy bicycle ride from the Georgia Tech campus. He started work as an associate examiner, traveling mostly to small Southeast community banks to help ensure the security of their IT systems.
In that experience, he honed the diplomatic skills he employs today. And there was, and is, math and problem solving.
"I don't really do all the fun math I did in college," Blyler says from a couch around the corner from his eighth-floor cubicle at the Atlanta Fed headquarters. "But it's the same logical process of steps and procedure and methodology."