Tuesday, 25 May 2010

Prudential Financial: running the risk


For Tom Doughty, CISO for Prudential Financial, a financial services leader with approximately $693 billion of assets under management, security – and risk management – are key.

Yet, in a recent presentation, Doughty admitted that “the security manager [i.e.: him] isn’t accountable for security, rather, he is accountable for making sure everyone else in the company is accountable for security.” Now, in an exclusive, candid interview with the executive business channel, MeetTheBoss.tv, Doughty explains this thinking further – and just how it translates into helping make Prudential a leading financial services firm.

“Typically speaking, what’s important to someone's boss is important to them,” Doughty explained to MeetTheBoss.tv’s editor-in-chief Adam Burns. “And in each one of those areas they probably don't think of information security deliverables as the things that are in the forefront of their mind.

“What they tend to think of is their P&L, their operational efficiency. So tying the impacts or implications of security measures, or lack thereof, to something they already think they own is, in my mind, what it is all about.”

Following the global financial meltdown over the last two years, risk management remains a huge issue for legislators, consumers and financial services professionals alike.

Just this week, in fact, reports about the overhaul bill recently passed by the Senate say that the new legislation will curb banks’ risk-taking and profitability. What’s more, if the final bill – currently being negotiated between the House and Senate – shares certain characteristics with this draft bill, then ratings companies, such as Standard & Poor’s and Moody’s, will almost certainly lower credit ratings for some of the biggest banks.

Doughty agrees that risk has to be micro-managed. “What we really want to do is provide the information, options and a framework within which those risk owners can make good informed residual risk decisions. It’s not about telling somebody what to do; it’s about facilitating options around how.”

In the exclusive interview with MeetTheBoss.tv, Doughty discusses how initial business strategies have to start with the security manager. Speaking about security focus in general, he explains that the security manager has to be the one who is focused on making sure everyone else in the company is accountable for the security of data; and that everything else has to fall in line after that.

“80 percent of the time you are dealing with default expectation to risk,” he adds, “which is the basic everyday business getting done with a ‘controlled amount of risk’. The other 20 percent of the time you are dealing with a non-standard business risk, and to handle that 20 percent there need to be interactive programs for stakeholders to get involved in protecting the company.”

In the end, though, it is what Doughty reveals about taking risks that is most enlightening. “If it were not for taking risks we wouldn’t be generating any revenue, we wouldn't be taking care of our shareholders, and we wouldn't be taking care of our customers. That's how we deliver, by taking prudent risks.”
