Sneaking security into Telstra, Macquarie Bank

How do you implement security when company executives only see it as a cost? Perhaps it can be snuck into the business without anyone really knowing, just like malware.
Written by Michael Lee, Contributor

Raising awareness of security means getting the top executives on-board, but with security often seen as a cost or impediment, some have had better success by slowly sneaking security into the business through other means.

Speaking at the Security 2012 conference in Sydney today, Occams Razor director Nicholas Martin recollected how during his tenure at Telstra as its general manager of security strategy, and then as Macquarie Bank's head of corporate security, he had to use alternative methods to drill security through to the executive level of both companies for their own good.

Martin's story with Telstra began with its CEO David Thodey, who at the time was in charge of the telco's largest division: enterprise and government. The division at the time was experiencing difficulties, not only on the commercial aspects, but also in how it complied with its regulatory responsibilities.

"The strategy was, 'let's go to David Thodey', whose single biggest customer group was the government at the time, and talk to him about how we can work with him and his broader team, trying to coordinate and interface with government," Martin said.

Martin essentially played the audit-compliance blackjack card, just as ING Direct recently did, promising that security could help make these problems go away.

"We essentially pitched it to him. We could come in [and] help him coordinate across regulatory and commercial. We could also be involved in any major bids."

These bids included Westfield's move to Telstra's datacentre. Martin would effectively use security as a means to provide the retail giant with assurances, as well as answer any questions related to the safety of data.

However, Martin said that the process requires patience, stating that it took two years before he felt that Telstra had a security program in place that he was comfortable with.

It also meant changing the organisation's security focus. Telstra had previously placed emphasis on anti-terrorism activities after the events of 11 September 2001, but the money being spent in this area wasn't actually making the organisation any safer. Instead, Telstra's security slowly transformed to focus on identity theft and fraud, as they were the real risks affecting the business, and ones that it could do something about.

The younger Macquarie Bank, in contrast, was normally seen as being more agile due to its rapid growth. However, according to Martin, with its youth came a lack of experience with security incidents and issues, which meant that it simply didn't have the appetite for, or see the need for, a large, heavy security program.

"For me to go to them and say, 'Let's implement a Telstra-style program' to the organisation wasn't going to work," Martin said, recalling that he needed to find a different strategy for the executives.

"I found that the best strategy to try and get security in front of the senior team there and get their support was mainly around the executive protection program."

Although Macquarie Bank's executives weren't in any immediate danger, Martin realised that their personal lives were often under scrutiny by shareholders and the media whenever a financial report was released. Martin enlisted the help of the head of Macquarie Capital at the time, Nicholas Moore, who went on to become Macquarie Group's CEO, and used the media's scrutiny to raise awareness about security.

"I used that as a mechanism to talk to them about [the executive protection program] and that was my avenue into them. We ran reverse due diligence on all of the executive team just to show them what the members of the public could actually find out about them legitimately. Once we got their trust that we were supporting them, then we were able to then build whole other layers of security where we thought we needed it."

Martin did admit, however, that even with this trust, it was up to the executives at the end of the day as to whether they wanted to follow his advice. He recalled the actions of one particular banker whose office window sat across from the Commonwealth Bank's building.

"You could actually look out of the Commonwealth Bank, through his office window, and with a pair of binoculars you could pretty much read his computer screen. If you wanted to ... you [could use] directional microphones and all that [and] probably hear all the conversations," he said, recalling the conversation he had with the banker. The response he received was, "Why would anyone want to hear about the rubbish I talk about each day?"

"Sometimes you've got to go with what they feel and believe, unless you can really articulate the threat and the risk they're facing."
