Scott Pettigrew: The Builder

Over the course of his eclectic career, Pettigrew, who's now CSO at HMS, has assembled three security departments from the ground up

If someone had told Scott Pettigrew 20 years ago when he was first starting out that he would go on to build complete security organizations for three different large companies, he might have just taken a nap. Instead, at this point in his career, Pettigrew finds himself the architect of security programs for no less than Tandy Corp., American Airlines and his current employer, HMS, an achievement of which he is rightly proud.

Pettigrew's security career began in 1994, when he was asked to run security at Tandy Corp., a family-owned leather goods company. "Security wasn't such a developed area back then," says Pettigrew, now vice president and CSO for HMS, a cost-containment firm that serves the healthcare industry. "There wasn't the focus on security then that there is now. It was much harder to get things done, get budget." A lot of the focus then was on basic user administration. Let's just say the world has grown much more complex.

After a stint providing security advice for management consultancy Ernst and Young, Pettigrew was lured to head security for American Airlines in 2000, where there was a lot of tumult even before 9/11. "That was right when they were splitting from SABRE and just starting to hire IT staff," he says.

As for security, the airline was lacking. Pettigrew had carte blanche developing the program. "They had so many problems on the IT security side the auditors said it was going to have to be a footnote on our next financial statement. So there was a lot of work to do at that point," he recalls.

And then hijackers struck two American Airlines flights, along with a United flight, throwing the airline, the industry and the economy into turmoil. "We were implementing a security architecture [when] 9/11 hit and everything went crazy for the next year," says Pettigrew. "I worked more in that year and a half than I ever had before." He worked with the FBI during that time, and he's still sitting on stockpiles of information that he can't talk about thanks to a nondisclosure agreement.

After that, there was a much greater emphasis on security, both at American and throughout the industry. "Internal controls became crucial, and understanding patterns and data mining pretty much started then," he says. Pettigrew remained for a year and a half after 9/11, but then he needed a break. "I just had to get away from that for a while."

He opened his own security consulting firm, but "it wasn't as easy as I thought it would be." In 2004, he was asked to create the security function from the ground up for Baylor Health Care System, which gave him an understanding of healthcare. Four years later, with Baylor's security program in good shape, Pettigrew was asked yet again to build a security organization, this time for HMS.

His reaction? "Oh my God, here I go again," he says with a small chuckle. "But I realized those opportunities don't really come along all the time." At HMS, "I had one person for more than a year; now we will have 21 people at the end of this year" protecting 2,500 employees, he says, adding that finding good people with the right mix of technical and business skills is the most difficult part of his job.

Besides building up his staff, Pettigrew has excelled at working with a corporate culture that was less than welcoming to change in general and security in particular. "This started as a very small company. Over the last five years, it has grown exponentially," he says.

When he joined in 2008, the culture was like the Wild West, with virtually no controls. Many employees had been at the company forever and were not inclined to change. Pettigrew's right-hand man (and first security hire) George Macrelli, director of security assurance, says his boss succeeded in establishing early on why it was critical for the company to change its ways.

At the same time, Pettigrew managed to move the culture without being dictatorial. CIO Cynthia Nustad says, "There are many security officers who have more of a cop-like or military sense of security. That persona might work great for certain types of businesses but may not work well in our industry. We are much more focused on finding the right balance of protection, reducing our risk and adding business value." Pettigrew takes a calmer approach, which is right for HMS, she says.

Pettigrew says he is four years into a seven-to-10-year journey to complete his vision for security at HMS.

"Right now, I am very happy with where I am. It's very rewarding," he says.


Stories by Lauren Gibbons Paul
