24 May 2011

Simply accountable

No Comments

The cornerstone of every financial services firm is security, with institutions around the world proactively working towards protecting customer data and preventing emerging threats. And as the CISO of Prudential, Tom Doughty knows all about security at the firm – you’d be worried if he didn’t – but rather than seeing himself as answerable for security, he believes his role is ensuring everyone else in the company is accountable for it. To make that happen he has to guarantee that the impact or implications of security measures – or lack thereof – tie to each employee's operational life, and that the benefits of a security programme are realised.


"It requires a little bit of intelligence and homework in terms of what is a given motivational area for their daily operations, but drawing that linkage is what I really want to do on a day-in, day-out basis," explains Doughty. Indeed, tools and technology cannot create a culture; they can leverage a culture, but at the end of the day people without access to information and processes will be making decisions that could potentially compromise security.

"Whether you're an individual contributor or a senior manager, you're making those decisions in one size, scope and breadth every day. What's really important in terms of the delivery of the security programme at Prudential - and I would argue that every enterprise is similar - is not to tell people what to do from a security standpoint and say, 'Here are the tools that I want you to use from a security standpoint,' but provide information, options and a framework within which those employees can make good informed residual risk decisions."

Rather than telling people what to do, Doughty is keen to highlight that the employee, or "risk owner", makes the right technology risk decision. "I want to ensure that the risk owner makes a decision with their eyes wide open, whether that decision is right or not, I want to start the process correctly. An uninformed risk decision is vastly worse than an informed residual risk decision."

Indeed, Doughty is focused on motivating rather than mandating security sensitivity. He explains that because Prudential operates within a federated business model, management is federated too: many issues are left to the discretion of individual lines of business to navigate as efficiently as they feel is possible and required within the business environment they operate in.

"That balance refers to the non-negotiables in terms of infrastructure level security, baseline level controls, that for lack of better description are non-optional, versus those business process specific things where we are really engendering and supporting those day-to-day, week-to-week, month-to-month risk decisions," says Doughty. "One good example could be our institutional businesses where they live both sides of that balance on a day-to-day basis and an engagement by engagement basis. However, on a business deal by business deal basis where they're selling business to institutional customers, more and more we find that security is at the forefront of the questions those institutional customers are asking of Prudential."

Doughty goes on to explain that his security team is increasingly involved in supporting those business discussions with institutional customers by demonstrating controls, a case where a standard framework for internal control does not, on its own, satisfy the external expectations of every customer.

Working to Pareto's 80/20 rule, Doughty's team provides value by avoiding a checklist mentality in the security programme. He explains that there is nonetheless a very well defined and structured set of policies, standards, security engineering specifications and guidelines that are the default expectations; these represent the 80 percent. By and large the 80 percent covers business as usual: a typical business need or problem that fits the framework. The remaining 20 percent is dedicated to the cases where there is a non-standard business risk or a non-standard business requirement for which the framework simply does not fit.

"In say an international arena, where Prudential is doing a greater percent of its business on a year-in, year-out basis, there are different right answers, different from the framework and different from our standards. It doesn't necessarily mean wrong, it simply means that we have to have that business risk decision design an alternate control, alternate set of mitigators, and assume the right risk.

"Now that could mean that we mitigate something exactly to the same degree and have the same level of residual risk as we would expect at 80 percent, or in some cases we could have a significantly different level of residual risk assumed by the business. As long as that's a considered residual risk and I've done my job so that the business is making a residual risk decision that is appropriate in terms of local regulation, and most importantly their risk appetite, then that's the deliverable."

Education

As Doughty continues to look to motivate people at Prudential, the onus is very much on him to ensure that employees are educated about the various security risks. He explains that this educational aspect of his role is an undercurrent tied to everything that happens in the security programme, even when what he is doing is implementing a technical solution. As such it remains a major part of his position and one that is difficult to measure, particularly when there is a continually shifting balance between technical control and human control; the awareness message arguably becomes harder to deliver over time as both positive and negative opportunities manifest themselves.

"I've been in this role for between four and five years now and generating awareness was one of my early objectives," says Doughty. "When I first started looking at what was important to an individual on a larger scale, those people who maybe saw security as an impediment or as a speed bump that needed to be navigated rather than as a resource."

And this approach has paid dividends for Doughty, not only in terms of avoiding beating people over the head with ideas, but encouraging them to do their homework in terms of what is important to that risk owner and find a way to deliver some unsolicited value for them that they didn't even ask for. "What ends up happening as a result of looking at how to make someone's life easier is that some of those relationships that were positively contentious have become my most fruitful allies within some of the business units because if you reach that realisation with somebody that it's okay to want the right thing for different reasons, that's not something that should be resisted."

And in terms of ensuring his team is integrated within Prudential to guarantee the best relationship possible, Doughty explains that there are two aspects that he considers important in facilitating this. First, there is a direct team as part of the Information Security Office at the enterprise level, which has a functional line of responsibility and is focused on security in the infrastructure that corporate technology management maintains to provide a technology-operating environment for each line of business.

The second aspect comes down to the Business Information Security Officers (BISOs), whom Doughty describes as the people who have security in their job title. "It's really core to having people engender the concept that it's not a security person here from the corporate environment, what we want is the business risk drivers to feed into the programme as directly as we can. We want the business risk owners to feel like they own the Business Information Security Officer, as a partner within the business unit," explains Doughty.

So while the BISOs have a functional role plugging into the Information Security Office, external to the corporate technology outreach side are Doughty's direct employees, who deal with people at the project level in the lines of business. "We rely on the BISO and their teams to feed information from that line of business back - they are the security evangelist for the programme as part of the business as opposed to the outside pushing in."

Metrics are a hugely important element of this. However, as with everything else in his role, Doughty has an alternative way of identifying useful metrics. "I tend not to be a huge fan of red versus green metrics for security, ROI for security or some other methodologies that you'll see some programmes use," he says. "That gets too close to the checklist mentality. I look at the deliverables and the security programme deliverable in my mind is facilitating those informed risk decisions, and it really comes back to that concept of allowing ourselves to not only facilitate, but take intelligent risks."

Doughty explains that his management will give him direct feedback if they believe him to be allowing excessive risks. "I think my philosophy is different from a lot of people in my role. We do have some structured things in terms of annual structured assessments with both qualitative and quantitative measurements in terms of each business unit's execution measures within that federated model that I'm responsible for.

"I think a lot of CISOs rely excessively on the quantitative measures. The fact of the matter is those quantitative measures should be indicators, and if the qualitative feedback is that I'm missing something, one of the first things I'm thinking of is if I am looking at the wrong quantitative measures and do I need to adjust those metrics then. There's a lot of qualitative stuff that we do to run the programme at an infrastructure level to protect the business. In terms of how well that's translating the business value I need qualitative discussion with business people who are responsible for various lines of the business."

Social media

Looking at another aspect of his role, Doughty explains that Prudential works from the top down when implementing new initiatives. One particular subject has been discussed in great detail: social media. Specifically, how best to embrace it, how to draw judicious boundaries around it, and how it should be recognised and taken advantage of in order to make the most of this emerging communication technology. "This is a medium for communicating with customers, communicating with each other and for gathering information that's useful in the marketplace.

"At the same time there are realities ranging from purely security concerns in terms of data leakage, surface area for malware, and at the same time there are some regulatory realities we have to make sure we are paying close attention to here, particularly in terms of registered representatives and our requirements to modulate, monitor, archive, capture electronic communication in the workplace - these are certain non-negotiables. I think it's become much easier for organisations, including Prudential, to recognise that there's a balance to be achieved in embracing these tools as part of a bigger reality that has come to pass in the workplace in the last few years."

Doughty goes on to explain that Prudential remains very flexible in terms of where people are able to do their jobs from - using very robust remote access architecture in a secure manner - so they can achieve more work-life balance. "Sometimes I look at this and think if we are okay with people working flexible hours and there's less of a hard line between personal time and work time in both directions, we also shouldn't be too concerned with giving reasonable controls to someone using social media even for personal reasons within reasonable guidelines in the workplace."

While this calls into question what is reasonable and what is not, Doughty believes that the firm is taking a healthy look at how to ensure people work to their full potential while doing their jobs. He says that while there is some technology beyond the tools themselves that he is looking at in terms of better monitoring capability he hopes to open these tools up more to the registered representatives who have the regulatory concerns.

"At the end of the day this really does constitute an area where we trust people as a primary control and use the technology as a complement to that," says Doughty. "If you give people access to use Facebook, LinkedIn and Twitter throughout their working day, none of the other rules go away in terms of what you can and can't say about Prudential, and all the other controls in terms of other categories of websites that for several reasons we would prefer not to be used in the workplace are still enforced. However, just as we don't monitor and control everything that someone might say on the telephone, we're trusting them to do the right thing within certain avenues and social media as well."

Taking a common sense approach, Doughty emphasises that there are still very established guidelines that didn't need to be changed around embracing social media and the types of information that can be shared, rather there are very specific types of higher risk information that need to be caught and blocked. "The point is that while there's more surface area, all of the same controls still apply. And if you're going to exchange some information on Prudential you're doing so responsibly and within the policies and guidelines of Prudential."

As with social media, Doughty explains that the tools and technologies used to ensure security in financial services can be bought all day long, because there are so many to choose from. The trick is not only to choose tools that provide active protection from a purely technical perspective, but to pick tools that improve workflow and benefit the people who use them. "At the end of the day, you need to be very judicious about the policies that you implement."

The personal side of business

Prior to his role as CISO for Prudential Finance, Doughty was himself in a BISO role for Prudential Securities. Looking back he is certain that he would have approached that position differently. Highlighting his current external focus, as opposed to having responsibility within one specific business unit, Doughty says that to some degree this external focus is due to the culture of the business unit and the different breadth of businesses that the overall information security programme for Prudential as a whole covers. "There was definitely more of an opportunity for consensus building on a wider basis in this current role as opposed to the former role within the business unit," says Doughty.

"Of course, within a given business unit there tends to be an operational focus and where an optimal solution may work for one, it positively won't work for another. The balance is all down to ensuring the many different solutions are maintained across the organisation for the greater good and that will clearly become more complex, the more moving pieces you have in the organisation. And this manifested itself relatively early on in the role. We really focused on clarifying some of those roles and responsibilities, taking a really hard look at everything and turning the organisation on its side to see how everything would and should work alongside everything else."

Is the organisation aligned correctly in terms of what is expected from the enterprise security organisation and the corporate technology side? Doughty explains that, for the most part, everything meets in the middle, which is something he hopes to continue, particularly as the threat landscape changes and controls shift back and forth between business process and business unit application logic on one side and infrastructure level controls on the other.

"We're going to continue asking hard questions of ourselves: are we organised in the right way; are we focusing resources the right way; are we focusing in some areas where we're inadvertently diverting resources towards legacy controls when they've become either mature or overcome by events and we need to shift that resources to new controls coming into the portfolio?"

Doughty describes his current position as a different level of decision-making and resource directing to match the vision that he had in the prior role, saying that part of that transition was down to being able to think that way during such a large transition of Prudential Securities into a joint venture with an outside company. "Converting all that control infrastructure within the business at the primary application level involved turning the whole system on its ear to see whether we were doing the right things in order to integrate with another organisation. It was undoubtedly a good stepping stone set of lessons to what became a bigger challenge with some of the same requirements on a larger scale."

Setting the strategic direction for the security programme is not something that can be done within the four walls of Prudential alone. Indeed, Doughty spends a fair amount of time talking to peers in other enterprises about strategy, and gains advance warning from talking to others who are experiencing problems.

"It's often said that financial services tends to face problems earlier than some other industries - but even within financial services, we all have our turn taking the first bite of the apple so to speak, in terms of different problems. Sometimes it helps to have those relationships to be able to learn from their experiences or thoughts before they manifest themselves here, and then we have our turn where maybe something is manifesting itself here first. Hopefully we can sow some seeds that we'll reap some informational investment from later on by sharing with others."

Indeed, interacting at the right level in terms of exchanging information is tremendously helpful - the more you give, the more you tend to get. Doughty explains that as well as pooling together to look at resources, he and his peers will also be involved in the vendor space to some extent, generating ideas for technology direction, for example. "This can help us based upon our vision of where we think the next generation exposures and risks are going to be that we need to develop new pieces of the portfolio for," he says. "Looking at the portfolio of controls over time is a really healthy way to avoid complacency in this game we're in."
