The role and background of senior people is changing as the sector turns professional, says Deloitte's UK security supremo. By Paul Fisher.
Deloitte's corporate logo has a very deliberate green full stop at the end. It suggests that what the company offers is backed up by solid expertise and decades of experience and thought. Potential clients need look no further. This is the complete package. End of story.
Well, not quite. Part of the package is head of UK security services Mike Maddison, or, to give him his full, somewhat long-winded title, director of UK security and privacy services, technology assurance and advisory.
More than 17 years' experience with blue chips such as BACS, Xansa and Barclays has given him a good grounding in technology risk, information security, physical security, IT forensics and business continuity. Like many in the business, he's noticed a change, both in the way security professionals behave and the attitude of the wider business world towards them.
"I've moved roles and industry sectors, but what has struck me lately is how security is growing up as a professional discipline," he says. "We now have senior management's attention." But as many in the industry have pointed out, this is a double-edged sword. It's nice to finally be recognised and get a budget, but once in the spotlight, there's nowhere to hide. Maddison agrees: "The pressure, visibility and risk for senior security people has changed quite significantly, too."
He also thinks that information security people from an IT background have to start rethinking the way in which they communicate with others. "You are now the senior security persona and will be reporting to a non-IT person, which means talking a different language," Maddison explains. "There's a real feeling that (the function) is moving from a technical one into a business protection, business-assurance role. It's the biggest change I've seen in the past five years."
So how is this shift going to affect the profession and the businesses it serves? Will we see the emergence of a new kind of information security professional, and with it new training and education requirements?
"Definitely. We will see everything coalesce into a more rounded way of managing risk to an organisation. This will start to happen particularly in major financial organisations," says Maddison.
"The challenge will be to find out what sort of person will be able to fulfil a new, multi-disciplinary role. A lot of organisations have found this difficult. The ex-police or former military person might work for some organisations, but you'll find that it's not everyone who can work across several disciplines. However, the future security professional will need to be a jack-of-all-trades."
Maddison is trying to implement strategic change in his own role. When asked what keeps him awake at night, he says it is "finding good people", and he takes a creative approach to recruiting them. Currently, he heads a team of around 100 security experts.
"I've got barristers, MBA graduates, system architects, project managers, programmers. If we are running a multi-million-pound implementation, we need to understand the right mix of skills and bring the right people together. And on top of that, I need people with scars on their backs."
The 2006 Deloitte Global Security Survey (see box, page 28) unveiled some shocking statistics on security awareness and training. While 96 per cent of respondents were concerned about employee misconduct involving IT systems, only a third (34 per cent) had provided their staff with some form of information security and privacy training in the past year.
"This is damning, especially as in the previous year it was high on the list of initiatives to be kicked off by CSOs," Maddison admits. "But in the real world, it's a question of priorities. With so many pressures and drivers to respond to, unfortunately it gets put on the back burner."
His next point is more revealing and goes to the heart of the return-on-investment challenge faced by CTOs and CIOs. "It's very hard to prove the value of security awareness," he points out. "We all know that the weakest link is people, but it's still very hard to prove.
"But the line has to be drawn somewhere, and it's hard enough to recruit people to do the important stuff. It's the 'must do now' that takes priority, and security awareness drops off a little bit."
So it seems that just like in any part of the business, away-days and strategic planning produce lots of positive ideas, but those good intentions drop away as soon as there is an emergency and the realities of limited resources and time soon take their toll.
To make things worse, Maddison says that many organisations are failing to get to grips with the new threat landscape; they are not dealing with a protagonist model that has fundamentally changed. "They talk about it, but fail to see the response required," he laments.
"Organisations are aware of new threats, and especially the insider threat, but what they struggle with is joining up the dots in very disparate organisations." It comes back to the idea of implementing a holistic approach to security, and technology is part of the equation.
"For any technology to be effective, you have to understand the threat first. Technology can be part of the solution, but not the whole answer. Equally, technology is fundamental to all industry sectors, but if you don't build in security, you can't maximise your protection. What we still see is piecemeal, poorly integrated security," continues Maddison.
I think back to InfoSec 2006 in April and what was, to me, an overwhelming array of prepackaged solutions. To professionals looking for technology, the vitality and choice on display was exciting but bewildering. "It's great that there is innovation in the industry, but whether a product is any good is down to its implementation," agrees Maddison.
Vendors were given the gift of a new marketing pitch a few years back, thanks to the wonderful people at Enron and WorldCom. This was the big C - compliance. But has this had an adverse effect on the information security profession? And is business in danger of being crippled by compliance?
Maddison opens up on the subject. "The general tenor of the legislation has done great things to improve the way controls in business are implemented, and this has improved consumer confidence. But finding the right level of suitable compliance can be extremely difficult," he says.
"Some vendors have over-hyped the issue, which has caused problems. However, the more mature organisations sought advice and found compliance very beneficial in terms of better internal processes, improved reporting and cost reductions."
A recent survey called Secure the Trust of Your Brand, conducted by the Chief Marketing Officer (CMO) Council in association with Symantec and Factiva, found that more than one third of respondents said they would strongly consider taking their business elsewhere if their personal information was compromised. Is it about time that financial institutions came clean about their security breaches? Maddison is not so keen on playing consumer champion.
"Security breaches are commercially highly sensitive. I'm not an advocate of financial institutions revealing details of attacks, but whether they have invested enough is open to debate. I believe there will come a time when consumers start demanding better protection," he says. "As often happens in banking, there's a lot of talk and not enough action. It's not only consumers, but internal structures too."
So do banks just not care or can they not be bothered, hoping for the best? "They do recognise the problem, but they need to find a solution, because there may come a time when consumers will legitimately be able to say: 'I know that in some parts of the world there are better solutions. You are taking due care, but that is not good enough.' It's a serious problem to the online economy and we need to address it," Maddison insists.
If this is a problem consumers understand, here's one that many in the profession still struggle to get to grips with: deperimeterisation. Part philosophy, part bandwagon, it's hard to see what all the fuss is about. Given that Maddison has seen quite a few changes over his 17 years in the sector, what's his response?
"Deperimeterisation has been around for some time, and we will never totally get away from it. The concept may mature, but there needs to be a lot more thinking and straight-talking about what it actually means."
At its best, moving beyond the perimeter can be seen as a driver for innovation both in business and for shaping new technology. But is there a chance that the new awareness of information security may be draining research and development budgets and in turn slow down innovation?
For Maddison there are two sides to this. "There is a real danger that the fear of a risk could prevent the deployment of innovative technologies designed to advance the business. And that is a worry. At the same time, CIOs and CTOs under pressure to justify their existence could mean a reluctance to innovate. In the end, I would hope that security is part of the combined R&D effort," he says.
Throughout our meeting, Newcastle-born Maddison comes across as a man not given to hype nor a sufferer of fools: he will only allow someone to cry wolf twice. He does not have much time for people who have a negative approach, either. "That's a very quick way to lose your audience," he states. A lesson that many in business should heed.
Maddison takes his work incredibly seriously and clearly relishes the daily challenges. He loves "the variety, the pace, the manic times, the different clients". He has a no-nonsense attitude and you always get the impression that he knows what he is doing. "I try to be open and honest with people," he says.
He's bullish about his profession and the people in it. Despite his earlier fears about business failing to wake up to new ways of thinking, he believes that the information security industry has never been in a better state. "There are lots of very talented people out there."
Perhaps Maddison's best piece of advice is the most obvious. When asked what has been his biggest mistake, he replies: "Not knowing when you've lost a battle; when it's simply not worth it in political terms. You have to realise that it's just a battle and not the war."
MIKE MADDISON - THE CV
1988-1998 Various security and intelligence roles, HMG
1998-2000 IT risk manager, Aviva
2000-2002 Head of information security, BACS
2002-2003 Global head of information risk and continuity, Xansa
2003-2005 Director of IS security and business continuity, BSkyB
2005 to date Head of UK security services, Deloitte
William Welch Deloitte
William Welch Deloitte was the grandson of Count de Loitte, who had fled France during the French Revolution. At the age of 15, Deloitte became an assistant to the Official Assignee at the bankruptcy court in the City of London.
At 25, Deloitte opened his own office opposite the court in Basinghall Street. He made a name for himself fighting fraud in the high-tech industry of the day - the railways. In 1849 he became the first independent auditor appointed at the Great Western Railway. He discovered frauds on the Great North Railway, created a system for railway accounts and came up with a standardised model for hotel accounting.
In 1893 he opened offices in the US, and soon after started to audit a growing soap business. Procter & Gamble is still a client.
Today, Deloitte is the global brand name for the Deloitte Touche Tohmatsu group of member firms. It is one of the 'big four' management services groups, working in 150 companies. Its head office is in New York City.