Interview: Paul Hanley

Ambitious and business-minded, C&W's global head of corporate security is the archetypal modern infosec professional.

The suited-and-booted young man sitting opposite me could be used as a blueprint for the "new model" information security professional. He looks, and sounds, right at home in the glassy Soho offices of the PR firm engaged to sharpen his image, and that of his employer, Cable & Wireless (C&W).

Not that he needs much sharpening. It may have been a PR-suggested pose for him to be reading the business pages as I enter the room, but as our time progresses it becomes clear that, for Paul Hanley, it is more than a pose.

First, some history. Hanley was trained by the award-winning people from the Information Security Group at Royal Holloway and then served his apprenticeship at a start-up, later absorbed by Sun Microsystems. A stint at lottery operator Camelot was followed by consultants IRM ("I think I was the fifth employee there"), a period of grappling with PKI at Entrust, on to a principal security consultant role at BT and then finally to C&W as director of security consultancy.

He admits to a technical background, but is flattered when I tell him he doesn't look like the average techie. "Don't I? Oh great, thank you," he says, clearly delighted, and reveals that, in his spare time, he likes a spot of cooking, martial arts and bowling.

His arrival at C&W coincided with the acquisition of rival telecoms outfit Energis. He soon found himself heavily involved in integrating the two businesses. Hanley must have impressed, as two years into his time at C&W he was asked to head the global corporate security function. That was just a couple of months ago, and quite an achievement for a 32-year-old.

"I am quite young in terms of what I do," he admits. "Sometimes when people meet me, I know they think: 'So why are you in that role? Who says you've got the security knowledge or the business acumen to help me with whatever change I've got?'

"So I have to demonstrate that, actually, yes I do know what I'm talking about and this is how I can help them. I'll say to them: 'Spend a bit of time with me, and then you'll know a little bit about what I'm talking about, too.'"

And that's what I'm here to do, so I let Hanley enlarge on his role: "It is a senior position. Effectively, in terms of security, a global remit, covering things like risk management, policies and procedures. It's working out what direction we should be going in and making sure our networks and operation systems are secure.

"But it's also about meeting with customers, making sure they have a good feeling about what Cable & Wireless is up to, what we're doing. Because if we're not secure, why should a customer trust us to look after their systems and run their systems?"

Good point, but it must bring quite some pressure, this double-headed responsibility - both gamekeeper and corporate ambassador. He shrugs it off. "Not really. We have a distributed model within Cable & Wireless, with security embedded into a number of functions within the business. For example, physical security at the moment is part of facilities," he says.

"This is the best way of having security. If you have it embedded in the function then you can get a lot closer to that function, rather than a central model where everything is under one area. Often you tend to miss things in the organisation," he adds.

So what about the other side, does C&W use its internal tools and procedures as the basis of commercial solutions as BT, one of its main rivals, does - a neat way of turning research into revenue? "I think there is an element of that. There are a number of very bright guys trying to solve problems internally that nobody else has done in the past."

He mentions his colleague, Malcolm Seagrave, global head of security services, who heads C&W's commercial offering and with whom he has a very close working relationship.

"If for example he comes across a new product that he thinks is a great opportunity, from a professional services type of perspective, he'll let me know about it and potentially we look at using it internally. Likewise if we come up with some good ideas internally, then we will go to him to see if it's something that we should be offering to our customers."

There is no doubt that Hanley is a seriously business-minded man, clearly loyal to C&W; but what is the reality of security awareness among the board? Is he a living example of a chief information security officer being taken seriously, listened to, his precious words acted on? The reality he describes is a little patchy.

"I have a number of conversations with the senior management. I meet up with the CTO fairly regularly. I've met the CEO before, chatted to the chairman about security in the past.

"So that's about as high as I typically get. I don't formally speak to the board, but I speak to the C-level. If there is anything specific then they will raise it," he says, painting a perhaps less-than-complete picture of boardroom buy-in.

But to make amends, he goes on to reveal his own feelings on the subject and how he and his peers should make themselves heard. And, of course, it's all about the business.

"Typically the CSO, director of security, whatever you like to call them, has struggled to align themselves to the business. In the future, what the best CISOs need to do is make sure that when they do speak to the board, they speak very clearly; they are very articulate and they don't talk about technical concepts.

"If they're talking about risk, for example, they need to be able to articulate risk in a very clear manner, and they also put it in a language their audience understands. If you're speaking to the chief financial officer, you may well bring up a load of numbers to validate what you are talking about; you need to speak the language of business," he says.

"With risk that's absolutely key. Talking about counter-measures, talking about mitigating risk, that's fine if your audience understands what you're talking about, but modern CISOs shouldn't walk away until they've made sure their audience understands."

These days, risk is a hot-button issue. Merely whisper the word and prick up the ears of information security professionals. Risk management, risk modelling, risk assessment - all have a glamour that bread-and-butter information security lacks.

Hanley's view - which he encourages his team to share - is pragmatic. He believes the whole concept of risk modelling can be taken too far. "You could say there is a risk that a spaceship might come down and destroy the company - yes it could happen, but it's unlikely.

"All the security people within C&W do the correct thing in analysing risk, of the risk actually happening and coming up with a business answer; what's important for the business," he continues.

"And we look at the risk in different ways for different customers and different sectors. For example, we have government customers who require you to do specific calculations to work out the risk."

He admits that he has had to take a step back from the technical side. He concedes that the C&W board doesn't want to know about problems, instead they just need to know what his recommended resolution is and how much it's going to cost.

"It's quite difficult, but once you've mastered it, once you've been able to get your message across to the board, then I think that's very powerful," he says.

The other advantage, Hanley claims, is that in time the board learns the lesson, and the value, of keeping the security function in the loop when it comes to changes in strategy and direction. "It's not a case of remembering five minutes before it happens: 'oh let's contact security to see if there are any issues' - which we've had in the past," he says.

As an alumnus of Royal Holloway, Hanley has some distinct views on his contemporaries and their failure, sometimes, to see beyond the technical. "Most people are competent. They can understand how a firewall works. They can set up a wall base to make sure it works properly. They could even patch it and monitor it, and so forth. But I think one thing that a lot of people in security miss is aligning themselves to the business - which effectively means the customer," he laments.

Historically, he says, people coming into security had come from traditional routes - defence and government; or a general background in IT - "they got a feel for networks and then jumped on the security background", as Hanley puts it. But over the past ten years there has been a shift towards more formal security qualifications.

Eager, maybe, not to give out the impression that all he wants is MBAs with an extra degree in information security, he qualifies this by saying that the ideal balance in any organisation is to have people from all of those areas. "I think they all complement each other quite well," he says.

But whatever the background, there's no place for dullards seeking a cushy nine-to-five existence. "The best security people are those that are passionate about what they are doing - they actually love what they do. They work long hours because they want to, not because they have to - which is a big difference for me," he says.

Like most of his peers, Hanley knows that even in the most ideal setups, where every conceivable step has been taken to minimise risk, you can never fully legislate for the stupidity of people - the password jotters for example.

"People are the weakest link, and I'd be surprised if that ever changes. But I would then turn around and say, so why are these people writing down their passwords? There are probably three key reasons," he muses.

"One of them is that they don't know they're not supposed to. So actually that relates to my role in terms of security awareness. So perhaps I need to beef things up slightly.

"I think the second is maybe they're writing it down because they have 500 passwords to remember because there are 500 systems that they need to access; maybe there's no secure sign-in solution. So again, that's an issue with the business, that would need to be addressed.

"And I think the third thing is actually just plain stupidity, or not following process. All three are very challenging and you would deal with each in a slightly different way," he concludes.

By now it's clear that Hanley is extremely focused on the business of C&W and his part in it; this is one security professional who has serious designs on the board - not just buy-in but perhaps a place, one day. Clearly ambitious, he also seems to understand that every great leader must also have a great team to lead, and some humility to add to the knowledge and desire.

"I know I've got the team able to support me. And I've learned from experience about having the ability to turn around and say I don't know everything about security. I don't know all the technical aspects; I don't know risk management inside out.

"In the past, people have tried to either bluff their way through, or because they haven't understood, they've just said no. Security's often been seen as a blocker because of that," he says. "But the reason they say no is because the top guy doesn't necessarily know the risk score sheet; he doesn't necessarily understand the risk behind it."

On the other hand, Hanley seems to understand the value of everything he says. This is one CISO who really does mean business.