James Gay
Adam Burns:
So technology is relevant. It’s changed I think over the last sort of two to three years quite noticeably. What would you say the difference is for you now in your current role compared to sort of a few years ago?
James Gay:
I think the security industry as a whole has realized that it’s no longer a control and blocking industry. It’s a business enabler. People expect security. You see the challenges that people are having with losing personal data with having bank fraud, with having credit card fraud. The security industry is on the forefront of helping people resolve those challenges. So we have to be more of a people business than we’ve ever been. The technology is an enabler for what we do, but without the proper concepts of how you deal with the people piece the technology just isn’t any use to anybody.
So the technology is always gonna be there. We do need tools to implement things. We need things to do things faster, cheaper, better for us, but at the end of the day it is the professional security people who are looking at the challenges that the people we’re serving are having to deal with and helping them resolve those challenges. Mitigate I think is the word that we’d use in most cases. I think in many cases it’s just understanding, but mitigation is part of the understanding process.
Adam Burns:
Absolutely. We’ll get on to sort of people and process a little bit later, but just focus on technology. There’s a survey, as I mentioned just before from Gartner I think, so 1,500 CIOs surveyed globally. Business intelligence came out as the number one top technology priority. I suppose question one, would you agree with that? Is that something that you share? And two, what challenges do you think you need to help your company make better business decisions?
James Gay:
I think it’s the final realization that we can no longer have people wandering around in white lab coats. I know not many people do have the mainframe attitudes of white lab coats anymore, but if you can’t measure something how can you see whether you’re doing it well or badly? And the only way to measure things is to have that intelligence behind it as an integral part of the quality delivery of a business.
Your metrics are important as much as the financial performance of the business, as much as the market segregation that you have or market impact you have. The information security metrics are very important to see the added value you’re putting into that business. So without having some kind of measuring function, you can wander around all day long and say, “We’re doing really well. The awareness in the organization is going up. We’re having less breaches.” But how do you know you’re having less breaches? Why are you having less breaches? Is it because you don’t have as many challenges or is it because you’re doing a better job?
So the business intelligence is part of the metrics, the whole data warehouse of management information, the MI has to include the security aspects as well as all the other aspects of the business.
Adam Burns:
Absolutely, that’s quite a good point. Thank you very much indeed. To what then, again, just to sort of keep on this technology only for another sort of two questions and then we’ll go on to the main stuff, what are your key investment areas over the next, say, 12 to 18 months?
James Gay:
People. Without the right people, it doesn’t matter how good your technology is, you will not implement the technology correctly. You have to understand what the business needs are before you go spending on boxes and on software. The market is awash with new software and new technologies because it is the sexy thing of the age. Security is selling. Security is big business.
There are some very, very good tools. There are some very, very good technologies. But as with any other thing, there are some very bad ones and some pretty expensive things that don’t deliver. A lot of things do do as they say on the tin. A lot of things don’t do what they say on the tin.
So you have to have someone who can make that decision as to what you want to try, how you’re going to test whether it works, back to the main metrics, and whether you’re going to continue doing it or it’s not having the right impact on the organization. So technology investments are important, but only after a considered, reasoned application of, “Do we need this stuff or do we just need to get the people behind this first, before we start spending on the boxes?”
Adam Burns:
Absolutely. I was just gonna ask. There is potentially, perhaps, a danger of only seeing symptoms and not causes. What sort of processes and strategies do you have in place to prevent that from happening?
James Gay:
I think Peters coined this some years ago. It’s called management by wandering around. If you sit in your office you’re gonna see symptoms. If you’re out there with your fingers in the business – I’m a naturally inquisitive person. They perhaps, sometimes a little bit unkindly, call me nosy, but I am inquisitive. Wherever I’m working in a business I want to be in it. I want to be part of it. I want to be part of the sale process. I want to be part of the delivery process.
I am the CISO. I have to be part of the security process, but the security process, as I say, is just part of the quality delivery of the organization. So my quality test of the organization has to understand what the organization is trying to do. So by being out there and being an integral part of it, and knowing what people are trying to do, and knowing what they are doing, and knowing what’s failing I get to see the things that are actually going to be happening to us. So although I see the symptoms, if I haven’t predicted something happening I’m not doing a very good job.
Adam Burns:
Absolutely, of course. So do you feel then that it is your role to look outside of Travelex perhaps, and maybe even outside of that whole sort of industry for best practice? Do you look elsewhere? Do you keep an eye on automotive, for example, or air or the financial industry in a way to sort of scale? And if so, what sort of lessons has Travelex taken on during your tenure?
James Gay:
It’s very, very important that you look at the security industry rather than your own particular piece of, say, in my case the financial services area, mainly because what’s happening today out in academia, for example, that’s becoming the tools of the future, that’s supporting so many encryption technologies that are developing, some of the new structures that are happening in the banking area, in the credit card areas. We’ll be looking at reviewing how those are being implemented because we do prepaid cards, for example. So although we’re not out on the bleeding edge looking for new ways to do credit card security, we will be dependent on those new technologies to protect our use of those credit cards. So we do have to look everywhere.
I mean for example, I’m halfway through a Ph.D. at the moment because I believe that by interfacing with academia, understanding what academia is thinking about and helping academia understand some of the problems that we’ve got, we’ve got that joint approach to solving some of those problems. It’s new stuff that we’re in. This is the Wild West.
I think we’re talking later on about where the evolution has come from, but the security industry is very, very new. I’ve been in this business for 32 years. The first ten really was the Wild West. You couldn’t get it wrong because nobody knew what wrong was. So you do have to interface with everybody that’s got an opinion. You don’t necessarily have to take everybody’s opinion onboard as being what you’re gonna do, but opinions will form that body of knowledge that you’re gonna use and move forward.
I do that within Travelex, looking at things like – I’m discussing with various people the new Web 2 for example, the cloud, what we’re gonna be doing with some of the newer technologies, mobile, things like that. We might not be there today, but if we’re waiting for the people to come forward with something and then say, “Okay, we want some of that too,” we’re gonna be so far behind we’ll be left behind.
So to answer your question simply, yes, you absolutely have to interface with anybody who’s got an opinion, but you have to sort out what’s valid and what’s not valid for what your needs are. It may be from the industry. It may be from academia. It may be from our business as well, because just because they’re not called security professionals doesn’t mean they don’t have good ideas.
So I look at some of the industry forums, not necessarily the security industry, but where people are looking at new ways of doing things they’re also looking at new ways of breaking things, and if they’re gonna break they’re gonna break in an insecure manner. So I want know what their ideas are on how to stop them from breaking in the future.
Adam Burns:
Absolutely. Have you followed the Jericho Forum, the ideas of the walls coming tumbling down? Where are the walls for your organization? You used to have gate port 808 or whatever, 880, and now of course it’s all disappeared as people want to get – people use mobile. People are bringing USB sticks and all that sort of stuff. How do you feel about that?
James Gay:
It’s an interesting point you make. I have heard that the horn is working again, but I haven’t seen the walls tumbling yet. I think the way that I would answer your question, if I may, is I think the concept of actually having had walls has been rather oversold. We’ve had perimeters that we’ve tried to protect very, very carefully, and in some businesses you can protect a very, very secure perimeter. Quite often you have people with guns and bombs and things like that to stop you going too far into it. But in a general commercial environment you have to open up your doors if you want to do business, and the doors are what break down some of those walls.
So although people may have the concept of having a perimeter around them, firewalls as we call them and controls, every now and then, because it’s important that you enable the business, you just open up this little crack and that little sunlight that comes through is the one that opens up the temple. So I wouldn’t say that the walls are coming down and that Jericho is upon us, but Jericho, I would like to suggest this, is probably more about looking at the future of how to enable rather than destroying. So they’re not talking about destruction of walls. They’re talking about you have to have a control around your information.
Traditionally we’ve tried to do that with physical things like firewalls and stopping people getting through ports. The Jericho Forum has some very, very good ideas about how we protect the information itself rather than places that it is sitting, and they’re very forward-thinking. They’re not necessarily talking about what we’re using today, but very close in the future. Some of the ideas they’ve got we’re gonna have to embrace.
So I believe in what they’re doing. They absolutely are needed out there, but I would suggest that they’re probably not trying to tell us the walls are falling down. I think it’s more suggestive of them saying, “Moreover, have you ever had a wall? Do you really believe that that wall was there, or was it that factor that gives people the warm and fuzzy feeling, ‘Well, we’ve got controls. We’ve got firewalls, so we’re secure’?”
Now it’s a wonderful group. They do a lot of great work and their ideas sometimes are scary, but I always take them onboard.
Adam Burns:
I spoke to a great guy once who was CISO I think for Dresdner Kleinwort, and you talk about giving people that warm and fuzzy feeling. He talked about the theater of security. He made the point that, really, do you honestly believe that by taking your shoes off in an airport you are actually any more secure on the plane? And it’s this theater of security, of making people feel like this is a secure thing. Do you find yourself very often having to almost sort of play within that theater, to create extra roles when in fact perhaps they’re not doing that much?
James Gay:
I don’t think I’ve ever been accused of creating a role that doesn’t do very much. I’m a little bit pragmatic and very northern in my attitude. If it costs too much we ain’t gonna do it. We’ll do it a different way.
That’s why I’ve got on so well I think. I tend to be very, very pragmatic, to a fault sometimes. People I’ve worked with sometimes go, “Well that was a bit heavy,” but it got the message across.
I like to believe rather than being a theater it’s a way of selling. If you want to sell toothbrushes, you better know about teeth. If you want to sell shoes, you better be able to walk around and show people what shoes are comfortable. If you want to sell what you are doing in security you better know the business that you’re selling into.
So I think a long answer to a very short question, I don’t think it’s so much about theater. I think it’s about positioning the need within the environment you’re in. So if somebody needs something, it’s obvious to you that they do need your services. You’ve got to get that sell correct. If they want to feel good about what you’re doing for them, that’s what you sell to them. If they want to feel bad about what you’re doing for them, you can do that as well.
When you can throw fear grenades in any organization that wants to be scared, some organizations want to know what their risks are. They want to know to the finest detail. That’s why I call it fear grenade. Pull the pin and throw it and see what funding comes back.
It’s not a way to have a long-term career in an organization because people start to do the cry wolf story. You have to be there to help them get the feeling they want to have, and if your exec says to you, “I want to be sure that our resilience is top notch. I want to be sure that our security is top notch,” you help them understand what it means to get there. And when you’ve got there then you can say, “That’s what you asked me to do.” But until you get there it’s not so much a theater. It’s a reality show. It’s the TV reality show. That’s broken, and until we fix it don’t go to sleep this weekend.
Adam Burns:
Absolutely. As CISO you’re responsible for running and changing Travelex, and running the company. You are keeping all systems up and safe, and changing the company. You are leading the information security organization and looking at innovation, standards, governance, strategic change, etc. Can you give me some insight into the day-to-day managing of your activities in both areas now, and your concerns about the shift in balancing a running business regarding innovation and change?
James Gay:
It is a long question. And it’s a multipart question, so I’ll try to answer it in the parts that I think it’s delivered in.
I do have a responsibility to the organization to help them migrate to the 21st century of information movement. We are a company that sells money, and traditionally when you first start in that business you have folding money and you push it under a window, and people push other money back under the window. That’s how you start doing currency exchange.
Travelex is an organization that has evolved from that first beginning, a fantastic beginning with Lloyd Dorfman, our chairman, to now actually doing international transfers of money at the click of a button, to selling people cards to go on holiday with rather than a wallet full of cash. On that card there’s nothing that identifies that person. It’s kept on a server in a very, very secure location. So there’s no risk to the people, but there’s a risk to the organization.
We’ve shifted the risk from you getting mugged in a street. I won’t demean any country, but you could say Amsterdam, Paris, Cairo, wherever. If your wallet gets stolen, with this new technology we’ve introduced nothing actually happens to your finances. You’re gonna be upset. You’re gonna feel violated. But by the time we’ve gone through your authentication on the phone we’ve got another card on its way to you, and the person that’s stolen the card can get nothing off it. Because there’s no identification they won’t know it’s you, so they won’t be going off to your house because they know you’re on holiday.
Having the organization understand the benefits of all that, but also some of the risks that we introduce to ourselves by taking that risk from the consumer into our pocket effectively, it’s a difficult stretch for a lot of people the first time off. Once they embrace it, you get this sudden excitement of, wow, what a fantastic sell point we’ve got here.
Does that mean we’ve got a bigger security risk? Well, probably not. It’s a different security risk. I mean it’s that shift that’s my responsibility to help an organization understand. It’s not that we’ve got a million pounds here and we’re gonna lose it any differently than we did before. It’s we’re gonna lose it in a new way. We won’t be losing it through physical loss. We’ll be losing it through information loss.
So the controls we have to have are gonna migrate from having bulletproof glass in the branches and things like that to having bulletproof security on the Internet. So my main job at the moment is to help the organization embrace those new security risks and the controls we’re bringing in to mitigate them.
On the day-to-day management piece, I have to understand whether that’s getting through or not, whether people are out there going, “Oh, we shouldn’t do this because it’s too scary.” It’s my job to make sure that nobody ever says that in the organization. Nothing is ever too scary. Something may be a new risk. Have we understood the risk? Have we gathered the mitigating circumstances we need to understand whether we’re controlling the risk or not? And is the risk too much for the business to face?
Those three things I have to help – and we talked about metrics earlier – I have to help people understand the metrics behind that, and then help the business make the decision as to whether we want to move in that particular area. It’s not my job to stop or to start any particular piece of the business. It’s my job to make sure that the executive is properly informed to make the right business decisions, but not be scared about moving into the new age because they haven’t been there for 20 years. It’s new to them in a lot of areas and we’ve got a very, very forward-looking executive.
It’s an exciting company to work with because we’re really out there on the leading edge. We’ve just won awards for our Cash Passport product, for example. So I’m not taking old-fashioned bankers into the new world. I’m taking people who have got some very, very innovative ideas and saying, “Yeah, we can do that.” If we want to do it long-term let’s make sure we do it securely. If we want to do it short-term and just have a test of it, we can still do it securely, but in a different way.
So it’s making sure I’ve got the appropriate controls. That’s a funding decision as well as a risk decision. So for example, if we’re taking a half a million risk versus a 500 million risk, the investment for the controls around it is going to be very much different.
Now on top of all that you’ve got the Travelex name, which is very, very important to us. It’s a fantastic brand name. It’s one that we guard jealously. If we were on the front page of a newspaper saying Travelex has just lost all the customers’ information or we’ve just lost £100 million in fraud, that wouldn’t be good either, and our executives understand that. So they’re very supportive of what I’m trying to do.
The day-to-day management piece is making sure I don’t get it wrong, that piece of the “Are you watching on a daily basis?” Yes, I’m watching on a daily basis. I’m working with the fraud teams, with the risk teams, with the IT teams to understand the metrics that are coming back. Are we rising? Are we lowering? But I’m not really that interested in history. It’s useful to learn from history. I’m interested in today, sort of what’s happening right now. I’m more interested in what’s gonna happen tomorrow, that predictive part of my job that I discussed earlier.
Adam Burns:
Absolutely. If we could just talk a little bit about the strategies behind – so you introduced this payment card, and you said the onus then is back on the company. The risk is then back with the company. Clearly you must have been consulted within that process at some point; somebody comes to you and says, “This is what we’re doing. We’re aware that this is going to happen.” What are your strategies then in explaining that on the day-to-day? How would you go about making sure that the transition goes smoothly?
James Gay:
Well the first thing I did was went and got two cards. We do euros, we do U.S. dollars, and we do British pounds. I went and got two cards and played with them, and saw how they worked, saw how the customer interface worked, looked at the design of the architecture behind it. I’m involved in the architecture of how we do things.
Then I sat down with a business and said, “If I was gonna try and defraud you, this is what I would do. Now where are the controls to stop me doing that?” And we went through them and they’re all there and we understood them, but highlighting the fact that we have got controls. I mean we don’t just develop software in isolation. The security team are involved in the design, but highlighting with the business some of the comfort they can have behind going into some of the scary areas that they’re going in. They’re going into some of the scarier markets with this product.
It gives them the confidence to come back and say, “Well, I’ve been thinking about this. Couldn’t we do this with this card and defraud it this way?” And some of them have got really good ideas, and if they were on the dark side rather than the white side then we’d be worried. And we look at it and we say, “Okay, maybe as this evolves that may become a possibility, so let’s talk about putting some controls in there,” but if we can’t put the controls in straightaway at least get some more monitoring. Let’s see if there is a trend in a particular country to do a certain type of thing with a card.
So long answer to a short question, but I think it’s more about helping the business understand what it is they can do rather than what they can’t do that makes them come back for more.
Adam Burns:
Yeah, of course, absolutely.
James Gay:
Does that answer your question?
Adam Burns:
Yes it does. Thank you very much indeed. So it seems like, as BlackBerry devices and iPhones continue to pave the way, consumer experience expectations are continually being reset by people who are demanding and embracing these new technologies, perhaps at a more rapid pace than business. How does the CISO react?
James Gay:
I would like to jump up and say I welcome it. It’s a scary world out there. If you look at the way that people use new technology that’s my problem. It’s not necessarily the way that we want to enable it for our business because mobile is somewhere we have to be. If we’re not there we won’t be in business. Mobile is what people are saying is gonna be the new contactless technology, etc., etc.
We need to embrace the way that people are going to be using it, but also understand that we then have a duty to educate our customer base, not just our employee base, because you talk about Jericho Forum, but they have a beautiful description out there of the digital immigrants, “We’re digital immigrants. We’re desperate to use this technology, but we wonder about whether we’ve got the right Windows version or we’ve got the right –”
And my son is a digital native. He’s doing his Ph.D. at the moment. He sat doing his write-up and he’s watching TV. He’s texting. He’s Twittering. He’s doing absolutely everything. And you talk to him. You say, “Well what version of Windows do you got?” “I don’t know. It’s stuff.” It’s just stuff to what they call the digital natives, the new generation that are coming through, the children that have been playing with the PSPs in nappies. That’s the digital native.
They’re the people that we’re going to be doing business with. And they don’t want to know about passwords and authentication and whether it’s a BlackBerry or an iPod or whatever. They just want to know that they’ve communicated with you and they have a request for service. Are we filling that service correctly or not, because if we don’t they’re gonna go somewhere else.
So my job as CISO is not just to make sure it’s gonna be secure in the future, but as part of the information technology team to help the business embrace that new world willingly. And again, as I say, we’ve got a fantastic exec. They’re out there. My boss has been made responsible for mobile technologies, which is great, because I’ve got a really good relationship with my boss and I can try new stuff out there that I don’t have to explain to 100 people on a committee. I can just go to my boss and say, “Let’s have a try at this. Let’s have a look at that.” “Is that good for the business?” “Yeah.” “Okay. Why don’t we talk to the business about it?”
But if you’re not in that new space and you close your eyes to it, you’re gonna be out of whatever business you’re in. If you want to communicate and serve a population that’s using those things, if you say we’re not gonna do it you won’t be serving them. They will go somewhere else.
So we’re not there today. I’m not gonna pretend that today we’re ready for iPods and BlackBerrys and all this other stuff, but we are actively embracing where we need to be. What is it that people will be wanting to do with those?
And if you look at the way that people are using those things there is a shift happening. If you look at the traditional way of buying things, you appear somewhere and you say, “I would like to buy this. Can I have some of your service please?”
The Jericho people and a lot of other people in the industry are saying that’s changed. We no longer can sit there and wait for people to come to us and say, “I’d like to buy from you. I will identify myself to you.” There will be a persona out there that will want something, and we will have to make sure we’re there and ready to service that need when they want it, and it may not be someone that we know, and we may not be able to use traditional characteristics of who we’re doing business with.
And that brings on all sorts of problems, not just with the security of our risk, but money laundering. Know your customer, all these wonderful legislations. As that technology shifts will legislation stay on pace with it? I hope so, but I have a doubt, because legislation is even slower than the IT industry in reacting. So we have to be able to help the legislative bodies understand what we want to be doing with these new technologies, and ensure that those legislations change quickly enough to do that, to stay in the markets we’re in.
Adam Burns:
Of course. I want to touch on a couple of those things actually in a couple of questions time, but just sort of get where we are now. When staff see processes not only being time consuming, but also detracting from customer service without necessarily added protection and control, they’re perhaps less likely, less inclined to take the corporate view. How do you work around that?
James Gay:
It’s interesting because somebody else asked me this question on a Twitter interview I did. I think there’s something wrong if people are working around processes. If I have to work around what people are doing because the processes are slowing them down or whatever, there’s something wrong in what we’ve done.
The whole point of our security is adding a protecting shell around a business process, but it shouldn’t be a block to get in that business process. If there’s a quicker, faster, cheaper way of doing something, as long as there’s not any more risk to the business, and it’s that risk analysis piece that’s very, very important from a business process point of view, then we have to find a way of enabling the security in a different manner.
We shouldn’t be blocking the business. The days of us being able to say, “No, you can’t do that,” are long, long gone in this industry, in any industry I would suggest, but certainly in the industry I’ve been working in. We have to be there working.
And as I said before, I’m nosy. I’ve got to wander around and, “Why did you do that?” “Well security said.” “No I didn’t. Well let’s figure out why you got the message that you have to do it that way? What is the way you’d like to do it? How would be the best way for you to do that? Show me the best way. Show me the way you’d do it if I wasn’t here. Let’s see if we can find a compromise here and find a way to protect what you’re doing in another way. If we can’t, we have to compromise with the business and say that’s so risky you absolutely have to do this, this and this.”
And there are some legislative things that in various industries you have to have audit trails for this; you have to have this, whatever. But that doesn’t necessarily mean you have to do it the hard way. There are easier ways. In my experience there are easier ways to do things and still be as secure and still have the same risk mitigations.
You just have to be outside that box. This is the old-fashioned out-of-the-box thinking, but you can’t have the out-of-the-box thinking if you’re not working with the people that are trying to get around the process. You can’t sit on the outside and say, “Why are they bypassing a process?” You’ve got to be down there in the middle with them and say, “Why are you doing that? What is it that makes you do that?” After understanding that, you understand what you’re doing to the organization, but you become an integral part of the solution rather than the problem.
Adam Burns:
Yeah, of course. How do you manage then the human element across Travelex’s IT operations? In fact I think you touched on it earlier. We were talking about the human side. On most of the challenges in rolling out any sort of the information system, whether it’s security or whatever, are most of those challenges human rather than technical?
James Gay:
I would say yes. Most is probably the best word to use. Every now and then you find a wonderful piece of technology that falls so flat on the floor in a very, very insecure manner that you go, “Oh, thank God we’ve got one at last.” But yeah, security is about people. Information security is about people.
It’s about getting people to understand that they are adding some value somewhere, but to add that value and to maintain what they’re doing you get paid next week. They have to do it in a certain way. If they want to do it in a different way, repeating what I’ve said, if they want to do it in a different way you will work with them, but they have to understand that it’s them that does the security.
It’s like the old story of everybody in a company is part of marketing. Well actually everybody in the company is part of the security as well, and if people don’t understand that you’re heading for problems. They will see security as being done by IT or being done by the security team or by the risk team and it’s their problem. It’s their responsibility.
I’m not responsible for security in Travelex. I’m accountable for security, but the people who are in Travelex dealing with the customers that are doing finance, that are doing the offices, they’re responsible for the security. I simply make sure they have the tools, they have the awareness to get it done, and I’m accountable for the quality of that process.
So the awareness is important and people are the security. Security is dependent on people. The easiest way we explain it is if we don’t get it right you don’t get a job. The bonus disappears. Your salary disappears. The company disappears, because inevitably in a company like ours if security fails then there’s nothing left in the coffers.
Adam Burns:
Yeah, of course. You talked earlier about mitigation. There’s that famous phrase about people, processes and technology. How do you mitigate for the people and process?
James Gay:
If I was in a closed room talking with my team I’d be talking idiot factor and stupidity factor and user factor, but it’s wrong to do that. There are no idiots. There are no stupid people out there. There are processes that we force them into that force them to do stupid things.
The mitigation is understanding what people will do with the technology, understanding what they will do with the information. They will walk home with USB sticks in their pocket because they forgot. They will leave the laptops in the pub. They will do stupid things when they’re working from home on their PCs. Stupid for me, but very, very intelligent for them because it got the thing that they needed to do done. So my view of the activities of stupidity, their view is absolute intelligence, “I got this done so much more quickly.”
It’s important that the mitigations are looking for those sort of things. So I test my people on a regular basis and say, “What do you think is the worst thing that can happen in this process? If you were gonna be really, really crassly IT unintelligent, how would you break this process?”
That’s where we need to be. That’s where the controls need to be. That’s where we need to be watching. And if we allow someone to break in that way, we failed in our duty to make sure that the architecture supports them doing things in a very, very different way from what we designed, sometimes called stupid, but also very innovative in some cases.
So I laugh and joke about stupid users. We all do in the IT industry, but they’re not stupid users. They’re just doing things differently from what we expected. If we don’t embrace that we’re never, ever gonna be on side with them.
Adam Burns:
You talked about walking around, being nosy, you said yourself. I’m guessing. I’m trying to sort of put things together. So your management style then would be around being out there, talking to people, and very much watching how they interact with your systems, and then taking that information back to your teams and saying, “Look, this is what they are actually doing. Now we need to program, design, create for that.” Is that the –?
James Gay:
It is in a way. I prefer to take the people that have just shown me something really interesting into the middle of my team and say, “Show them. They’re the ones that did this stuff. Just show them how bad we did it. Talk to them about how you’d like it to work better for you.”
And on my teams, I’m not the only one that wanders around. I have my teams wandering around as well. They’re out there sitting with the business. They’re out there sitting with the IT. It is about understanding how to do better rather than do differently. So it’s an improvement process that we’re talking about. And as much as I go wandering around, my teams wander around and they come back to me and say, “Do you know that these guys have been doing this?” “Well no, but let’s go see why. Why did you do that? Okay, so team, what do you think we should do?”
And part of being a CISO is actually making sure that the next generation of CISOs understand the thought process, the risk management process, the risk assessment process. So quite often I won’t come up with a bright idea. I’ll try not to; although you can obviously tell by now I do have opinions on most everything.
I try and get my people to do the same sort of analysis that I do, “Okay, what’s the worst thing that can happen and how do I get there?” How do I stop us getting there and how do I stop us doing that again in the future with the next level of architectures? So it is about being in the middle of it, being in the thick of it, but you’ll never be on the front line. As much as you want to go and sit on the call desk or you want to go and sit on the support desk, and we do, we sit there regularly, you don’t see every smart little problem that comes and hits you because if you’re there once a week that means five days a week – they’ve got five days a week, you’ve got one day a week – you’re only gonna see 20 percent of the problems.
So having that confidence from the user base as well, where they come back to you and say, “We know you’re always looking for crazy things. Well I’ve got a new one. It just happened to me yesterday when a user called me to say.” That’s the thing that wandering around creates. You don’t have to be on everybody’s shoulder every day, because when they’ve got the confidence that you’re interested in what they’re doing and you’re interested in their ideas, but also the failures they’re experiencing, they’ll come to you as well. So you don’t have to be always on their shoulder. They know where to come when something is interesting.
Adam Burns:
Yeah, of course. This is sort of what I kind of referred to earlier. You were talking about getting people involved selling the information security. Tell me, how do you sell something for which effectively the very best result you can hope for is nothing?
James Gay:
I talked about fear grenades earlier. In a lot of the financial services areas that’s a pretty good result. Nothing is a pretty good result. We’re all dealing with fraud on a daily basis. It’s the nature of the business. If you look at credit card companies, they have an in-built margin of fraud that they’re willing to live with because it’s just too expensive to do anything else.
The sell is look at people like us and look at the failures that have been for relatively simple things that could have been fixed. I’m not gonna go into details, but Travelex is in the same industry as many of the people who have had challenges. There have been challenges in Travelex.
There is a history that you can say, “Well although we didn’t get turned over, look how close it could have been. Look how close it would have been if we hadn’t had this or we hadn’t had that.” And again, we’ve got contractual commitments to customers. We service an awful lot of organizations, very large organizations, and they have expectations that they set upon us for that service. It’s not just, “We’d like to buy some money from you if you’re around.” “We’d like to buy some money from you on a regular basis, and to do that you better be around.” So we have to show guaranteed resilience of some type to many of our customers. So there’s a business benefit to that, of being able to show even if the worst happens over here we’ve got another version of it running over here, or we can withstand losing three or four pieces of the services because the other three or four pieces will keep going.
So again, by having a supportive executive it’s not that difficult to sell the need. The quantity is always a difficult discussion in any business. I would like to have perfection. The executive would like to have perfection. Then we look at the cost, and we have that risk versus how much are you willing to pay benefit.
In an industry like ours where you are in the business of risk, currency business, we take a risk on a daily basis, that risk decision is made by the executive but on an informed basis. It’s my important task to make sure they have all the information to make that decision. Sometimes it’s quantitative. Sometimes it’s qualitative. Sometimes it’s just plain old, “I’ve been doing this for so long, we’re gonna have a problem there if you don’t do it.” And luckily, with the respect I have from my boss and the exec, if I have to pull that one out of the bag they go, “Well if you really, really believe that then we’ll go with you, but don’t play that card too often.”
Adam Burns:
Yeah, of course. I hear a lot, you have the informed perspective, but as a kind of a punt as it were you hear a lot about the recession, there being very much an increase in fraud, very much an increase in sort of financial crime and that sort of stuff. Is that something that you’re seeing?
James Gay:
I have to say that I’m not necessarily seeing an increase because of the recession. The recession is affecting Travelex like anybody else. So if you look at percentages of business it may be that you could extrapolate an increase in fraud because the business is down further, whatever.
In general, no. The type of frauds that we’re dealing with, apart from the petty crime frauds of people wandering up and trying to steal £50.00 or whatever, these are seasoned information criminals that we’re dealing with. We have interfaces on the Internet that are being attacked on a daily basis. We get the same number of hits that the banks get. We get the same spam attacks. We get the same phishing attacks.
So it hasn’t increased; it hasn’t decreased, because I don’t think the recession has hit the fraudsters, in my opinion. I’m sure people would argue in some areas because there’s not as much money around and they’re not making as much, but the fraud industry doesn’t seem to be going through a recession. The organized crime industry doesn’t seem to be going through a recession from what I see.
And I’m not in the middle of it. I’m on the outside looking in, so I can’t give you facts and figures. I think there is a lot of reporting about some of the more petty crimes and people in middle classes getting more into shoplifting and that sort of thing, but that’s not the type of crime that I’m monitoring. I’m monitoring more the Web type of activities, the attacks on our interfaces, and those are neither increasing nor decreasing. It’s a steady amount. We’re constantly under attack from both organized and school boys and script kiddies or whatever you want to call them today. We have extensive Web interfaces. We transact on the Web with our customers, so we’re always gonna be under attack.
Adam Burns:
James, thank you very much indeed.
James Gay:
You’re very welcome.