This week was mainly dominated by the RSA Europe Conference, which saw sessions hosted by the likes of Microsoft, the FBI and SOCA and the information security advisors group.
Perhaps one of the largest talking points was the closing keynote by rogue trader Nick Leeson, best known as the man who brought Barings Bank down in the mid 1990s. Before he delivered his keynote he spared some time to talk to the press, and I was one of the assembled.
While Leeson is not an IT security commentator, and made no direct references to this sector, some of the points he made about failures within the banking industry both then and now did strike a few chords.
During the press Q&A session, Leeson was asked about various subjects in and around the worlds of IT and finance. He was firstly asked about the move from corporate ownership of risk to personal risk, and the levels of fairness and rightness.
He claimed that it is very difficult where changes move from corporate to personal ownership, but within organisations they are teaching good corporate ethics and making sure people know the appropriate way to behave. He claimed that the corporate ethos at Barings at the time was ‘something that was not correct’, as there was a lot of risk taking and mistakes would go unpunished.
Leeson worked for Barings Securities, which later joined with Baring Brothers. He said that when the two joined together ‘everything became very confused with the corporate ownership; there were parts that did not understand what was going on’.
It is understandable that confusion can be created from a merger of systems. Leeson was later asked if there was an IT system in place to catch him, to which he said: “It could have come from anywhere, there were so many areas and if any of them had come up and challenged me on the understanding of the market and how the different parts of it fitted together, so they were unable to do that.
“But in terms of systems, Barings was a complete mish-mash of systems, there was nothing that existed across the organisation. Silly things happened with Barings in Singapore, such as when the end of the month came I gave a balance sheet to the financial controller in Singapore who would incorporate that into her system and then send it on to London who would incorporate it into theirs.
“Again going back to the human element, as long as the account balance line was agreed it was not investigated any further. Whereas if anyone picked up that data and shared it on any other day of the month they would have seen that there was a massive hole in the balance sheet which was my illegal ‘88888’ account.”
With regard to communications, Leeson admitted that he was fearful of a knock on the door or phone call, and by the end was refusing to answer his home or mobile phone. Had modern technology such as smartphones existed, would evasion have been so easy?
Leeson said: “I think it should, most definitely, and within the world of finance it seems that not a lot of stuff has changed. The first thing that you need is all of the information, and if you don't have all of the information it does not matter what system you have and bells and whistles it has got, somebody is going to be able to avoid something.
“There is something like £64 trillion of trades residing somewhere in the system, and how can it do what it is supposed to do?”
He further claimed that at Barings, there was no computation done to correct the margin that was being posted, or a check on any relevance of the position. There was a human who was supposed to be doing that, and that is where the breakdowns started to occur.
Leeson said: “Email existed so we had email communications with external banks and with the internal people at Barings, but sharing of information they would have seen 64,000 option positions but in London they believe that we probably had 5,000.
“It is fairly basic stuff but the communications between the different parts was never done, and was certainly never done electronically.”
He pointed to an advert by CA in the conference guide, which states ‘prove compliance, mitigate risk, save money doing it’, and claimed that every bank would want to incorporate that into their business, but he was not sure how you would sell that to them because it costs.
Leeson said: “That (the advert) to me summarises everything that is positive for a bank – you're mitigating the risk, you're proving you are compliant and you are saving money at the same time. But sitting in a boardroom full of people you will find it is a very difficult sell.
“There has to be things in place that stop you doing that, and whether that is the corporation that you work within that sends out to the central banks and exchanges that exist, they should have sufficient and good enough controls in place so you cannot go as far as I did. Those controls have to be in place and that is where the developments in IT are key because you cannot rely on the human element to make sure that those rules are in place.”
He later claimed that it was ‘pure animal instinct and you are trying to survive’, and his closing keynote claimed that there were ‘lessons to be learned from failures and successes’.
He admitted that the information was contained in different areas, and that had this not been the case the bank may not have collapsed. He later quoted a friend of his, who said that ‘knowledge is nothing without understanding’, a phrase also used by the Wall Street Journal among many others.
Leeson was very honest in his speaking, to the point that Microsoft's UK chief security advisor Ed Gibson thanked him from the audience for sharing his story and speaking at the event.
His experiences of poor systems and people management, a lack of awareness of insider activity and a lack of monitoring of information all ring true in this industry. As he said in his keynote, ‘information is always there, it’s up to you how you use it’.