As CISO for Travelex, James Gay is accountable for security across the company and one of the main challenges he faces is not technological but rather ensuring that the staff adhere to the processes in place.
Since the financial crisis put the global economy in a stranglehold, the market for international payments services has rapidly expanded as businesses and consumers the world over place increased importance on cash management. Businesses in particular have sought to achieve integrated global payment platforms that are capable of meeting their international payment needs.
Travelex, the world’s largest non-bank provider of international payments and foreign exchange solutions, is well placed to take advantage of this market expansion, and rivals even the largest global banks in its ability to deliver a truly global payment solution.
In September of last year, consulting firm TowerGroup ranked Travelex Global Business Payments as the industry leader in global payment solutions for the Small-Medium Enterprise (SME) market and as number three globally for innovation in payments in the SME market. This is testament to the fact that Travelex continues to innovate in the payment industry.
James Gay is the CISO at Travelex and despite the importance that many attach to the role of technology in innovation he tends to believe that when it comes to security, technology is important but it isn’t the most important part of the puzzle. “The security industry as a whole has realized that it is no longer a control and blocking industry. It is a business enabler. People expect security. You can see the challenges that people are facing with the loss of personal data, bank fraud and credit card fraud and the security industry is at the forefront of helping people resolve those challenges. So we have to be more of a people business than we’ve ever been,” says Gay.
In his view, the technology is an enabler for what Travelex do, but without the proper concepts of how to deal with the people part of the puzzle the technology isn’t really much use. “The technology is always going to be there as we need the tools to implement things and we need to do things faster, cheaper and better,” says Gay, but he is quick to stress that the main areas of investment over the next 12 to 18 months will be in people.
“Without the right people it doesn’t matter how good your technology is, you will not be able to implement it properly,” he explains. The importance of understanding business needs before investing in technology is vital since the market is awash with technology solutions – some better than others – and businesses need to have the correct person in place to make decisions regarding the viability of technology investments.
This, Gay believes, is the most challenging aspect of rolling out any type of information system, whether it is security related or not. Most of the challenges he faces in his role are human as opposed to technological. “Security and information security is about people. It’s about getting people to understand that they are adding value somewhere and that they are responsible for security. Everybody in a company is part of the security and if they don’t understand that then we are heading for trouble,” warns Gay.
As CISO, Gay believes that he is not actually responsible for security at Travelex, but rather he is accountable for it and those who deal directly with the customers, those who do finance and those who work in the offices, are responsible for security. “I simply make sure that they have the tools and the awareness to get it done,” he says. “I’m accountable for the quality of that process.”
And this is why processes are so important. It’s no good implementing them if the staff cannot work with them or they slow the staff down and they end up circumnavigating them, says Gay. “The whole point of our security is to add a protective shell around our processes, but it shouldn’t get in the way of those processes. If there is a quicker cheaper way of doing things – as long as it doesn’t increase the risk to the company – then we have to find a way of enabling the security in a different manner.”
The way that Gay evaluates the effectiveness of the business processes is quite hands-on and involves him actively seeking the opinions of those who use them – his staff. Wandering around the office, he asks how and why staff do what they do and, likewise, how they would ideally like the processes to work. Based on these responses he then tries to find a compromise that lies somewhere between efficacy and security.
There are obviously some processes that are unavoidable such as audit trails, which are required by legislation, but even in this case Gay says that this doesn’t necessarily have to be done the hard way. “In my experience there are easier ways to do things and still be as secure and have the same risk mitigations. You just have to think outside the box,” he says.
But, he stresses, this can’t be done by just looking in from the outside; it requires that you work with your staff so that you can become an integral part of the solution rather than the problem. And this pretty much sums up Gay’s management style in general. “I think Peters coined the term ‘management by wandering around’ some years ago. If you sit in your office you’re going to see symptoms. I’m naturally an inquisitive person; wherever I’m working in a business I want to be part of it, part of the sales process and part of the delivery process,” he says.
“As the CISO I have to be part of the security process, but this is just part of the quality delivery of the organization. So by being out there and by being an integral part of it and by knowing what people are doing, what they are trying to do and by knowing what is failing, I get to see the things that are actually going to happen to us. So although I get to see the symptoms, if I haven’t predicted something happening, then I haven’t done a very good job,” explains Gay sternly.
This wandering around is also something that he encourages his staff to do so that they too can understand how things can be done better. “Part of being a CISO is making sure that the next generation of CISOs understand the thought process, the risk management process and the risk assessment process,” says Gay. “So quite often I won’t come up with a bright idea, in fact I try not to. I try and get my people to do the same sort of analysis that I do.”
But as much as Gay likes to be in the thick of it, he admits that being on the frontline and seeing every smart problem that arises is not actually very realistic in his job. So he relies heavily on the feedback from his user base as to the problems and failures they experience.
But despite the proactive and interactive approach of Gay and his staff, it is still necessary to implement some kind of measuring process in order to judge performance. This is an integral part of business intelligence. “I think there has finally been a realization that we can no longer have people wandering around in white lab coats, but if you can’t measure something, how can you see whether you are doing it well or badly?” asks Gay.
“The only way to measure things is to have that intelligence behind it as an integral part of the quality delivery of a business. Your metrics are just as important as the financial performance of the company and the market impact that you have,” says Gay.
Another aspect that he rates very highly is the need to look outside of Travelex at the whole security industry rather than just at the financial services industry, in order to learn what the tools of the future will be. Academia is an extremely important source of information for Gay and he monitors it to see what is occurring in encryption technology, banking and in the credit card arena, which is particularly pertinent since Travelex recently launched its own prepaid cards.
“I’m halfway through a Ph.D. at the moment because I believe that by interfacing with academia, understanding what academia is thinking and helping it to understand the problems that we face, then we have a joint approach to solving some of those problems. You have to interface with everybody that has an opinion. You don’t necessarily have to take those opinions on board, but opinions will form the body of knowledge that you use to move forward,” says Gay.
He is already doing this with the likes of web 2.0 and the cloud, and plans to do so with regard to the newer mobile technologies. “I look at some of the industry forums, not necessarily the security industry, but wherever people are looking at new ways of doing things and at new ways of breaking things. If they’re going to break, they’re going to break in an insecure manner, so I want to know what their ideas are on how to stop them from breaking in the future.”
Regarding mobile technology, this is something that Gay welcomes and he says it is something that Travelex will have to get involved in otherwise it risks not being in business at all. “Mobile is what people are saying is going to be the new contactless technology. We need to embrace the way that people are going to be using it but also understand that we then have a duty to educate our customer base, not just our employee base,” says Gay.
He goes on to explain that there is an important distinction between those who have to learn to adapt to this new technology – digital immigrants – and those who have grown up with the technology and are comfortable using it – so-called digital natives. Digital natives, he says, are the people that he will be doing business with, and they need to ensure that they are in a position to do that as seamlessly as possible.
“They don’t want to know about passwords and authentication and whether it’s a BlackBerry or an iPod. They just want to know that they have communicated with you, that they have a request for service and whether we are fulfilling that service correctly or not, because if we don’t they are going to go somewhere else,” he says. “We’re not there today and I’m not going to pretend that today we are ready for iPods and BlackBerrys, but we are actively embracing where we need to be.
“So my job as CISO and as part of the information technology team is to help the business embrace the new world willingly,” says Gay, explaining that he has a fantastic group of executives behind him. “My boss has been made responsible for mobile technologies, which is great because I’ve got a really great relationship with my boss and I can try new stuff out there and I don’t have to explain to 100 people on a committee. I can just go to my boss and say ‘Let’s have a try at this’ or ‘Let’s have a look at that’,” says Gay.
Having a supportive executive also makes it easier for Gay to sell information security, and by all accounts this is no easy task as you are selling something for which effectively the very best outcome you can hope for is nothing. “In a lot of the financial services areas nothing is a pretty good result and by having a supportive executive it’s not that difficult to sell the need,” says Gay.
“The quantity is always a difficult discussion in any business. I would like to have perfection. The executives would like to have perfection. We look at the cost and we balance the risk with what we are willing to pay. In an industry like ours where we are in the business of risk, we take a risk on a daily basis and that risk decision is made by the executive on an informed basis. It’s my task to make sure that they have all the information to make that decision. Sometimes it’s quantitative and sometimes it’s qualitative.
“Sometimes it’s just a plain-old case of ‘I’ve been doing this for so long and I can tell you that there will be a problem if we don’t do this’ and luckily, with the respect I have from my boss and the executive, if I have to pull that one out of the bag they say ‘Well, if you really believe that then we will go with you, but don’t play that card too often’.”