
FST. The total value of securities transactions settled by the Euroclear group is in excess of €450 trillion per annum, while assets held for clients are valued at more than €18 trillion. How seriously is the business-critical function of security taken by yourself and your team?
IM. I took up this role two years ago after a decision was taken to centralise security – an area of the business that has seen significant investment.
For the last four or five years the focus has been on strengthening the architecture and the process and rigour, particularly at the IT systems level. I think we are in a position now to move to more of a partnership and collaborative approach to security where we now spend more time educating and developing knowledge and understanding from our user community. But as an organisation we’ve always had a significant investment in security. We have an ongoing information security improvement programme and that is set to continue for subsequent years.
FST. So what would you say are the key security challenges that Euroclear faces today?
IM. I think there are two significant challenges and they are quite closely linked. The first is to move security from being perceived negatively, where people see it as a necessary evil and an overhead (in other words, ‘it’s slowing my project down’), into it being more of an integral part of the way people think and the way they design and build their systems. The other challenge that we have is to move our architecture and our structures into a way of supporting our business goals. With that it tends to move from the traditional bastions of security like the big wall, the moats and the crocodiles around the perimeter to something that’s a lot more flexible and adaptive.
There is a term called ‘de-perimeterisation’ which I don’t particularly like using. I term it ‘re-perimeterisation’ insomuch as you always have a perimeter, albeit the external points are a little less defined. But you will certainly have differing touch points and differing entry points and so we have to adapt our security architecture whereby we can accommodate these different models, different access levels and help the business to move forward, but retaining the strength and rigour that we’ve achieved so far.
FST. Could you outline the role that technology plays in your operations, especially at a time when mobile working has become so prevalent?
IM. This organisation, whilst being a financial institution, is often referred to as an IT company that actually deals with some clearing and settlement. So I think IT is probably one-third of the company in terms of people and operating cost. It’s a huge part and that’s atypical of an infrastructure-type organisation.
We have all aspects of normal business but we tend to be less of a mobile workforce. Certainly, the senior managers travel a lot and we have a small department of product managers that go to meet clients. But to all intents and purposes, we are more office bound in terms of the workforce. But suffice to say, we use consultants that come in with their own stuff. We have the usual USB sticks and everyone has BlackBerrys or PDAs, so I think this is where, from a security architecture perspective, we have to move from having a de facto ‘no, you mustn’t use these things’ to understanding that society is much more comfortable with technology. My children are brought up with it so it’s a natural part of their life.
So we have to change the way we think into saying, ‘yes, you can, and this is how you use it,’ so in doing so you provide the service but you provide it under your terms and therefore you help to contain the risk and the threat. It’s a mindset shift in the way the technicians operate. Historically, they liked to lock it down and prevent things but it’s like King Canute trying to hold the tide back – it’s not going to happen, so we have to move again in line with doing business but try and give them the services in a way that we actually also win by providing them in a secure fashion.
FST. So you would agree that you can never be 100 percent secure?
IM. Yes. It’s back to the risk and the cost of controlling that risk. Wireless access at the moment is not part of our standard portfolio but realistically it’s going to happen whether we like it or not. London’s one of the hotbeds of wireless activity. So I’m saying to my people, ‘well, it’s going to happen so let it happen,’ and there are terms. So it may be that we provide a wireless service, which is maybe only 20 percent of what it’s capable of, but that’s 20 percent more than nothing at all. And it also prevents the business from saying ‘you don’t provide this’. So that 20 percent will grow to 25, 30 as the technology matures and the controls and security improve. But we know that – we shouldn’t expect the business to know that; that’s not their role.
So it’s a way of taking obvious things that society will use; for instance, my kids use wireless already in their laptops at home. So it’s a case of accepting that it’s going to happen and allowing it to happen, but in a way that we also benefit insomuch that we provide some good ground rules for them to operate in.
FST. One common cause of any security breach is the staff within an organisation. How do you combat this at Euroclear?
IM. We provide basic training to all newcomers, in general for the business as well as the IT community, where we go through some of the risks, the threats and some of the basic advice, if you like, which tends to be common sense. We also explain about our business environment and how we’re highly regulated, as well as the type of risks that we run, from the brand through the reputation and financial fines, and so on. But yes, everyone within our corporate technology division will go through some basic boot camp and we also have representation at our introductory programmes for all newcomers to the organisation. I think that a lot of the problems that organisations face, whether it’s from malware, etcetera, you have that at home. So I think that people are more aware of the problems and if there’s some advice that we can give them in order to prevent or avoid those, I would like to think that they get that here.
FST. What makes the financial services industry so attractive for the criminals and hackers?
IM. It’s the old adage – means, motive and opportunity. One of the things raised to me by one of my guys in the office is that the attacks and the threats are changing all the time. We have moved from the people who just want to have a bit of reputation and kudos to, let’s say, the organised crime that are actually there for financial gain. This is interesting because they don’t want to break your systems, because if they break your systems then they know you will invest more to fix them, which makes it harder. So very often they are quite happy to allow things to work and therefore it gives them more time to penetrate or to try and get some information from you. I think it’s also about going where the money is. The retail banks are clearly open for a variety of reasons. And with their online presence, there are so many aspects that a criminal can attack; either directly for financial gain or for identity or for extrapolating money or blackmailing the organisation itself. So the motive now is more about the benefits you can get very quickly from electronic crime.
FST. And, of course, financial crime or launching malicious attacks on the banks is fairly inexpensive.
IM. Exactly. I think that the price and the cost of software and hardware nowadays is nothing. If you can invest €10,000 in some decent equipment – and you can do it by re-mortgaging your house – then all of a sudden you have the capability and all the time in the world to run against the networks and you can piggyback off other machines. There’s so much opportunity for the concerted criminal to gain access.
FST. Do you feel there is enough collaboration between the banks when it comes to sharing information and tactics on tackling the threats?
IM. Not as well as they could, because it is the case that you don’t want to have your dirty washing out in public. We have close liaisons with the police forces and special operations in most of the European countries that we work in, so that they give us a lot of insider information on different types of threats and threat levels. With the financial communities there are a number of forums to network and share information but it’s not a strength, and there is certainly an opportunity where, at the technical levels, there can be more sharing of the way you resolve some of the common problems that we all have, in a non-competitive, confidential manner. But I think that’s probably a gap that could be filled or strengthened.
FST. What are your targets for the next 12-18 months?
IM. My main objective over this period is moving our architecture from a purely bastion environment to a much more layered and segmented, flexible environment, which means extending the perimeter internally, if you will. It’s about having internal perimeters to allow us to much better manage and control access, regardless of whether it’s a partner, a customer, or someone we outsource with. I want to be able to manage the security based on who they are rather than where they are, and I think that will allow us to have much more management control and flexibility for the future.
About Ian Maybrey
He is responsible for protecting the company’s information assets through sound technical security principles and practices used throughout the organisation. In this capacity, Maybrey acts as the primary contact and co-ordinator for interfacing the Corporate Technology division with internal oversight and control departments, such as Risk Management, Internal Audit and Compliance, and also with external auditors and regulators. His responsibilities include providing information to executive management on existing control mechanisms, and improving those mechanisms and the efficiency and effectiveness of operational rigour.