Interview: Prudential CISO Tom Doughty on balancing security with business requirements

During almost five years as chief information security manager at Prudential, Tom Doughty has dealt with parts of the business that perceive security as an impediment or something to be navigated rather than a resource.

In such cases he says you need to use security to deliver a benefit they have not asked for that makes their job easier in some way. Relationships started in this way have become Doughty's strongest and most fruitful. "If you reach the realisation with somebody that it is okay to want the right thing for different reasons, that should not be resisted."

Business challenges

Doughty says that in terms of security there is an interesting balance, given that Prudential runs a federated business model. "A federated business model engenders a federated IT management, which to a certain degree engenders a federated information security model, meaning that there are things that are significantly up to the discretion of lines of business to navigate as efficiently as they feel is possible and required within the business environment they are operating in."

In this context balance refers to the things that are not negotiable, such as infrastructure-level security or baseline level controls, compared with business process-specific security.

He says the institutional businesses at Prudential will benefit from the mandatory infrastructure-level protections within the company. "On a business deal-by-business deal basis, we find that security is at the forefront of the questions institutional customers are asking of Prudential."

In turn, the business is making a decision about what controls to invest in and sell to its institutional customers as a value-add as part of the business portfolio.

"My team tends to get more and more involved over time in assisting with those business discussions with institutional customers that demonstrate our controls, and that is where our standard framework for internal control is obviously not going to benefit the external expectations of every customer. They are coming to the table with different expectations."

This means the security model has to be flexible.

Doughty says Prudential runs a well-defined and structured set of security policies, standards, engineering specifications and guidelines, which takes care of 80% of business operations. A typical business need or problem fits the framework very nicely, he says. "Where we provide most of our value within the security programme is managing the 20% of non-standard business risk, or non-standard business requirement where the framework does not fit."

Social media risks and rewards

Social media is a powerful business tool. "Most of the company's businesses are looking at social media. We have talked a lot about social media in terms of how we are going to embrace it, how we are going to draw some judicious boundaries around it, and how we are going to recognise that while taking advantage of it we are fully embracing within the lines of business."

Social media offers a way of communicating with customers, communicating with each other and gathering useful information, but it also increases exposure to risk, he says. At the same time, Prudential needs to comply with regulatory requirements. "We have to make sure that we are paying close attention, particularly in terms of registered representatives and our requirements to modulate, monitor, archive and capture electronic communication in the workplace," he says.

Doughty believes it has become much easier for organisations such as Prudential to recognise that there is a balance to be achieved in embracing tools like social media. In part this is due to changes in the workplace that have shifted the work-life balance. He says Prudential takes a flexible approach to where people do their job from, and provides a robust remote access architecture that lets staff work from alternate locations.

"If we are okay with people working flexible hours and there is less of a hard line between personal time and work time in both directions, then we also should not be too concerned with giving reasonable controls to someone using social media, even for personal reasons, within reasonable guidelines in the workplace," he says.

Clearly, there are technology controls such as better monitoring and better archiving, but the business needs to ascertain what is reasonable and what is considered unreasonable. He says, "This really does constitute an area where we trust people as a primary control and use the technology as a complement. If you give people access to Facebook, LinkedIn and Twitter during their working day, for instance, or take steps toward letting them use their personal web mail, none of the other rules go away in terms of what you can and cannot say about Prudential. When you speak on behalf of Prudential, all of the other controls in terms of other categories of websites that for several reasons we would prefer not to be used in the Prudential workplace are still enforced.

"Just as we don't monitor and control everything that someone may say on the telephone, we trust [staff] to do the right thing within certain avenues and social media as well."
