A lot is written about being a ‘Talent Magnet’, either as a company, or as President. It’s all good practice – listen, mentor, reward, provide clear goals and career maps. Good practice for the employer, but what about the employee?
24 May 2011

Meet the gatekeeper


With the potential for data leaks to inflict serious financial and reputational damage on organisations, CXO seeks the advice of information security aficionado and Aviva's CISO Paul Wood.


Information security is vital to almost every department within organisations today. What would you say are your biggest issues and challenges when it comes to protecting the business from security breaches?

Paul Wood. The issue today is around data loss more than anything else. It is the thing that is in consumers' minds as much as it is in the minds of organisations. The other issue aligned with this is the potential for financial crime and the exploiting of personal data. The main challenge, however, is around making sure that once something happens we are able to react to it appropriately, realistically and pragmatically. Often the issue becomes much worse if the incident response plan is not done in the proper and robust manner. It is about how we assess what that particular incident or breach was and how we risk assess what the impact became to the business. If it involved customer data then you have to assess the potential of that exposure for the customer. You need to see how you will limit that exposure, learn lessons from a particular mistake or error and how you will manage everyone's expectation.

In the UK we have seen some pretty serious breaches and confidential data going 'missing', even within government departments. From your experience what would you say are the common mistakes that organisations make when handling, storing and moving data?

PW. Understanding where data is at any one point in time is probably one of the biggest challenges organisations have. Also, getting the individuals inside businesses to understand the true value of information is a challenge in itself. So, a company may not adopt the appropriate security measures to reduce the potential for the risk of exposure of the data if it does become lost. This could mean not adopting sensible encryption measures, looking at how to stop or control data leaving systems or the area of mobile computing and how people use these devices. They may think it's just a toy they have been given and don't understand the powerful nature of what that particular device might contain.

In most organisations people are the biggest risk. In presentations I have given on security I talk about there being no patch for stupidity, which is about the 'people risk.' Often it is not deliberate but human error and mistakes, or people trying to do the right thing but it goes wrong. However, there is the potential of the disgruntled employee, or there is the chance for someone who wants to steal corporate data because they want to take it with them to a new organisation. The risks are split about 80-20 percent. By this, I mean there is an 80 percent risk of theft internally and 20 percent externally. Lots of people talk about hackers and threats from the outside world, but the risks are much greater internally for any organisation. Staff already have access to your systems, they understand your management processes and the controls that you have in place, and they know how to work their way around them. The only thing you can do is to have good security education and awareness, and ensure people know that sensitive data theft and corruption of data - be it through planting malware or Trojans - is unacceptable. If you go back and look at the disgruntled 'mal-intended' events of the past, you can nearly always see that the event was predictable. The individual will have either shown exaggerated signs of bad behaviour, or will have been disgruntled by the way they have been treated, or will not have been happy with their pay review. But people then continue to let them have access to systems instead of realising this could be a problem child and that there is a need to limit this individual's access.

If you choose to outsource, again you struggle to define and protect the perimeter. What's your advice in this area?

PW. I think the issue is about protecting the data and not the perimeter. It doesn't matter how the data is being processed and what mechanism is being used to access the data, because it's about ensuring that the measures you put in place to protect the data are correct. It doesn't matter if it is a laptop or desktop or a portable device - it's about making sure you have the appropriate level of encryption, controls around access, and that you are regularly reviewing that the people using these devices have the right level of access. You also need to educate people about not sharing passwords and login details, but if you do discover this to be the case you need to deal with it effectively and promptly, in line with your policies.

At Aviva we outsource a fair amount of our call centre and back-office processes and a bit of IT development. We do very thorough due diligence over selecting the partner we are going to do business with because we have to make sure that the negotiations and discussions over security parameters are very clear. It's important that they understand that this is a two-way undertaking and that we want them to operate as if they were part of our organisation and apply the same rules and processes. It's a partnership approach to make sure we get to where we want to be so in reality it's no different than the outsource company actually working inside Aviva.

How do you weigh up the risks versus the reward of introducing new technology for Aviva employees? For instance, a technology may allow for greater productivity from staff but is a risky proposition from a security standpoint.

PW. We look at a new technology, conduct a risk assessment to see where the weak points are and the counter-measures we can introduce, and arrive at a position where we are all comfortable. That may mean that for a period of time we don't get the full benefits of that productivity if we feel the risk is too high. Equally, it may mean that we live with it [the security concern] but we look to try and mitigate it as the new technology develops. Mobile devices were a good example of this because in the early stages everybody wanted them, but the level of controls that you could put on those devices has only developed and grown over time. But we shouldn't shy away from these things because technology enables business. What we have got to do is find cost-effective and pragmatic ways of reducing the risk from using these new tools.

When it comes to investing in new security technologies, bosses can find it hard to quantify how IT security benefits the business. You spend money but you see nothing much in return because it is there to purely protect the business. How do you 'persuade' management to invest in security?

PW. The days when people thought this was a 'nice to have' and we did it because it was the right thing to do have gone. People understand that customers, clients and partners all expect there to be a level of security that they are going to have to work through, and expend effort on, to make sure the data that people entrust to us is protected in a pragmatic and sensible way. What we have turned around is to make sure that security is built in at the beginning of a project and not retrospectively. Management also need to accept that security is part of a project's lifecycle and that it happens as a matter of course.
