James Gay, Travelex: 'Everybody in the company is part of security and if people don't understand that, you're heading for problems'
MeetTheBossTV editor-in-chief Adam Burns talks to chief information security officer of financial services company Travelex, James Gay, on the challenges behind keeping data safe in today's increasingly mobile world.
MeetTheBossTV: As CISO in a business, there's a real danger of only seeing symptoms and not causes. What sort of processes and strategies do you have in place to prevent that from happening?
James Gay, CISO, Travelex: It's called management by wandering around. If you sit in your office, you're going to see symptoms but if you're out there with your fingers in the business [...] Wherever I'm working in a business I want to be in it. I want to be part of it. I want to be part of the sales process. I want to be part of the delivery process.
I am the CISO. I have to be part of the security process but the security process is just part of the quality delivery of the organisation. So although I see the symptoms, if I haven't predicted something happening I'm not doing a very good job.
So do you feel that it is your role to look outside of Travelex perhaps, and maybe outside of your industry for best practice? And if so, what sort of lessons has Travelex taken on during your tenure?
It's very, very important that you look at the security industry rather than your own particular piece of it - say, in my case the financial services area - mainly because what's happening today out in academia, for example, that's becoming the tools of the future, that's supporting so many encryption technologies that are developing, some of the new structures that are happening in the banking area, in the credit card areas.
For example, I'm halfway through a PhD at the moment because I believe that by interfacing with academia, understanding what academia is thinking about and helping academia understand some of the problems that we've got, we've got that joint approach to solving some of those problems. It's new stuff that we're in.
I'm discussing with various people the new web 2.0 - for example, the cloud, what we're going to be doing with some of the newer technologies, mobile, things like that.
I look at some of the industry forums - not necessarily the security industry - but where people are looking at new ways of doing things, they're also looking at new ways of breaking things, and if they're going to break they're going to break in an insecure manner. I want to know what their ideas are on how to stop them from breaking in the future.
Have you followed the Jericho Forum's ideas of the walls coming tumbling down? Where are the walls for your organisation? People are bringing in USB sticks and all that sort of stuff - how do you feel about that?
I think the concept of actually having had walls has been rather oversold.
We've had perimeters that we've tried to protect very, very carefully, and in some businesses you can protect a very, very secure perimeter. Quite often you have people with guns and bombs and things like that to stop you going too far into it, but in a general commercial environment you have to open up your doors if you want to do business, and the doors are what break down some of those walls.
Businesses need to open up their walls, according to the Travelex CISO
So although people may have the concept of having a perimeter around them, firewalls as we call them and controls, every now and then, because it's important that you enable the business, you just open up this little crack and that little sunlight that comes through is the one that opens up the temple.
So I wouldn't say that the walls are coming down and that Jericho is upon us, but Jericho, I would like to suggest, is probably more about looking at the future of how to enable rather than destroying. They're not talking about destruction of walls, they're talking about you have to have a control around your information.
Traditionally we've tried to do that with physical things like firewalls and stopping people getting through ports. The Jericho Forum has some very, very good ideas about how we protect the information itself rather than places that it is sitting, and they're very forward-thinking...
I spoke to someone once about the "theatre of security" - of making people feel like this is a secure thing. Do you find yourself very often having to almost sort of play within that theatre?
I don't think it's so much about theatre: I think it's about positioning the need within the environment you're in, so if somebody needs something, it's obvious to you that they do need your services. You've got to get that sell correct. If they want to feel good about what you're doing for them, that's what you sell to them. If they want to feel bad about what you're doing for them, you can do that as well.
When you can, throw fear grenades in any organisation that wants to be scared; some organisations want to know what their risks are, they want to know to the finest detail. That's why I call it a fear grenade - pull the pin, throw it and see what funding comes back.
It's not a way to have a long-term career in an organisation because people start to do the 'cry wolf' story.
You have to be there to help them get the feeling they want to have, and if your exec says to you, "I want to be sure that our resilience is top notch. I want to be sure that our security is top notch," you help them understand what it means to get there. When you've got there then you can say, "That's what you asked me to do". But until you get there it's not so much a theatre, it's a reality show. It's the TV reality show that's broken, and until we fix it don't go to sleep this weekend.
How do you balance that need to keep the lights on with the need for innovation?
I do have a responsibility to the organisation to help them migrate to the 21st century of information movement.
Travelex is an organisation that has evolved to now actually doing international transfers of money at the click of a button, to selling people cards to go on holiday with rather than a wallet full of cash. On that card there's nothing that identifies that person - it's kept on a server in a very, very secure location, so there's no risk to the people but there's a risk to the organisation.
Does that mean we've got a bigger security risk? Well, probably not. It's a different security risk. I mean, it's that shift that's my responsibility to help an organisation understand. It's not that we've got a million pounds here and we're going to lose it any differently than we did before. It's we're going to lose it in a new way: we won't be losing it through physical loss, we'll be losing it through information loss.
The controls we have to have are going to migrate from having bulletproof glass in the branches and things like that to having bulletproof security on the internet, so my main job at the moment is to help the organisation embrace those new security risks and the controls we're bringing in to mitigate them.
On the day-to-day management piece, I have to understand whether that's getting through or not, whether people are out there going: "Oh, we shouldn't do this because it's too scary." It's my job to make sure that nobody ever says that in the organisation. Nothing is ever too scary. Something may be a new risk. Have we understood the risk? Have we gathered the mitigating circumstances we need to understand whether we're controlling the risk or not? And is the risk too much for the business to face?
"My main job at the moment is to help the organisation embrace those new security risks and the controls we're bringing in to mitigate them": James Gay, CISO, Travelex
I have to help people understand the metrics behind that, and then help the business make the decision as to whether we want to move in that particular area.
It's not my job to stop or to start any particular piece of the business, it's my job to make sure that the executive is properly informed to make the right business decisions, but not be scared about moving into the new age because they haven't been there for 20 years.
The day-to-day management piece is making sure I don't get it wrong, that piece of the 'are you watching on a daily basis?'. Yes I'm watching on a daily basis. I'm working with the fraud teams, with the risk teams, with the IT teams to understand the metrics that are coming back. Are we rising? Are we lowering? But I'm not really that interested in history. It's useful to learn from history but I'm interested in today, what's happening right now. I'm more interested in what's going to happen tomorrow, that predictive part of my job that I discussed earlier.
What are your strategies then in explaining that day to day?
How would you go about making sure the transition goes smoothly?
Well, the first thing I did was get two cards. We do euros, we do US dollars, and we do British pounds. I went and got two cards and played with them, and saw how they worked, saw how the customer interface worked, looked at the design of the architecture behind it. I'm involved in the architecture of how we do things...
...Then I sat down with a business and said, "If I was going to try and defraud you, this is what I would do. Now where are the controls to stop me doing that?" And we went through them and they're all there and we understood them, but highlighting the fact that we have got controls.
I mean we don't just develop software in isolation: the security team are involved in the design, but highlighting with the business some of the comfort they can have behind going into some of the scary areas that they're going in and going into some of the scarier markets with this product gives them the confidence to come back and say, "Well, I've been thinking about this. Couldn't we do this with this card and defraud it this way?" And some of them have got really good ideas.
Things like BlackBerry devices and iPhones continue to pave the consumer experience. Expectations are continually being reset by people who are demanding and embracing these new technologies, perhaps at a more rapid pace than business. How does the CISO react?
I would like to jump up and say I welcome it. It's a scary world out there. [...]
We need to embrace the way that people are going to be using it but also understand that we then have a duty to educate our customer base, not just our employee base, because you talk about Jericho Forum, but they have a beautiful description out there of the digital immigrants: we're digital immigrants, we're desperate to use this technology, but we wonder about whether we've got the right Windows version or something.
Mobile devices such as the iPhone and the iPad are changing the way people work, presenting new challenges for the CISO
My son is a digital native. He's doing his PhD at the moment. He's sat doing his write-up and he's watching TV, he's texting, he's Twittering, he's doing absolutely everything and you talk to him you say, "Well what version of Windows have you got?" "I don't know. It's stuff." That's the digital native.
They're the people that we're going to be doing business with. They don't want to know about passwords and authentication and whether it's a BlackBerry or an iPod or whatever. They just want to know that they've communicated with you and they have a request for service. Are we filling that service correctly or not? Because if we don't they're going to go somewhere else.
So my job as CISO is not just to make sure it's going to be secure in the future, but as part of the information technology team to help the business embrace that new world willingly.
But if you're not in that new space and you close your eyes to it, you're going to be out of whatever business you're in. If you want to communicate and serve a population that's using those things, if you say 'we're not going to do it' you won't be serving them - they will go somewhere else.
And if you look at the way that people are using those things there is a shift happening.
If you look at the traditional way of buying things, you appear somewhere and you say, "I would like to buy this. Can I have some of your service please?" The Jericho people and a lot of other people in the industry are saying that's changed. We no longer can sit there and wait for people to come to us and say, "I'd like to buy from you. I will identify myself to you." There will be a persona out there that will want something, and we will have to make sure we're there and ready to service that need when they want it, and it may not be someone that we know, and we may not be able to use traditional characteristics to identify who we're doing business with.
That brings on all sorts of problems, not just with the security of our risk, but money laundering - know your customer, all these wonderful legislations.
As that technology shifts, will legislation stay on pace with it? I hope so, but I have a doubt, because legislation is even slower than the IT industry in reacting, so we have to be able to help the legislative bodies understand what we want to be doing with these new technologies, and ensure that those legislations change quickly enough to do that, to stay in the markets we're in.
Are most of those challenges in rolling out any sort of the information system, whether it's security or whatever, human rather than technical?
I would say yes. Most is probably the best word to use. Every now and then you find a wonderful piece of technology that falls so flat on the floor in a very, very insecure manner that you go, "Oh, thank God we've got one at last." But yeah, security is about people. Information security is about people.
It's like the old story of everybody in a company is part of marketing. Well, actually everybody in the company is part of the security as well, and if people don't understand that, you're heading for problems. They will see security as being done by IT or being done by the security team or by the risk team and it's their problem. It's their responsibility...
...I'm not responsible for security in Travelex. I'm accountable for security but the people who are in Travelex dealing with the customers that are doing finance, that are doing the offices, they're responsible for the security. I simply make sure they have the tools, they have the awareness to get it done, and I'm accountable for the quality of that process.
You talked earlier about mitigation. There's that famous phrase about people, processes and technology. How do you mitigate for the people and process?
If I was in a closed room talking with my team I'd be talking idiot factor and stupidity factor and user factor, but it's wrong to do that. There are no idiots. There are no stupid people out there. There are processes that we force them into that force them to do stupid things.
The mitigation is understanding what people will do with the technology, understanding what they will do with the information. They will walk home with USB sticks in their pocket because they forgot. They will leave the laptops in the pub. They will do stupid things when they're working from home on their PCs. Stupid for me, but very, very intelligent for them because it got the thing that they needed to do, done. [...]
It's important that the mitigations are looking for those sort of things, so I test my people on a regular basis and say, "What do you think is the worst thing that can happen in this process? If you were going to be really, really crassly IT unintelligent, how would you break this process?"
That's where we need to be - that's where the controls need to be, that's where we need to be watching. If we allow someone to break in that way, we failed in our duty to make sure that the architecture supports them doing things in a very, very different way from what we designed, sometimes called stupid, but also very innovative in some cases.
So your management style then would be around being out there, talking to people, and very much watching how they interact with your systems?
It is in a way. I prefer to take the people that have just shown me something really interesting into the middle of my team and say, "Show them. They're the ones that did this stuff. Just show them how bad we did it. Talk to them about how you'd like it to work better for you."
And on my teams, I'm not the only one that wanders around. I have my teams wandering around as well. They're out there sitting with the business. They're out there sitting with the IT. It is about understanding how to do better rather than do differently.
It's an improvement process that we're talking about and as much as I go wandering around, my teams wander around and they come back to me and say, "Do you know that these guys have been doing this?" "Well no, but let's go see why. Why did you do that? Okay, so team, what do you think we should do?"
Part of being a CISO is actually making sure that the next generation of CISOs understand the thought process, the risk management process, the risk assessment process. I try and get my people to do the same sort of analysis that I do.
It is about being in the middle of it, being in the thick of it, but you'll never be on the front line. As much as you want to go and sit on the call desk or you want to go and sit on the support desk - and we do, we sit there regularly - you don't see every smart little problem that comes and hits you because if you're there once a week out of five days a week you're only going to see 20 per cent of the problems.
Having that confidence from the user base as well, where they come back to you and say, "We know you're always looking for crazy things. Well I've got a new one." That's the thing that wandering around creates. You don't have to be on everybody's shoulder every day, because when they've got the confidence that you're interested in what they're doing and you're interested in their ideas, but also the failures they're experiencing, they'll come to you as well.
For the full video interview visit MeetTheBossTV