BA's chief information security officer believes that understanding and openness are paramount to achieving buy-in from staff. By Paul Fisher.
The British Airways headquarters building is tucked away just off the old Bath Road, once the main route out of London to the west. If not exactly far from the madding crowd (the combined roar of both the M25 and Heathrow Airport are just a stone's throw away), the lofty, atrium-styled building, complete with trickling water features, does at least conjure a sense of calm.
It's here that SC met up with BA's CISO, Pauline Jorgensen, who is responsible for information assurance and compliance, data protection, business continuity and management escalation. She started in her current role on 1 April this year. “Perhaps an unfortunate choice of date,” she says, with a smile.
She's been with BA for some time, however, running various projects, including making the company compliant, a major programme of change for the carrier. Before that, she had a hand in running applications delivery in finance, sales strategy, cargo and revenue management.
Coming from a technical background, Jorgensen was attracted to information security because of the great mix it offers. Dealing with business problems across the organisation, actually understanding a bit about the business and how application technology can help, is an enormous buzz, she says. This allows her to get involved across the whole business and, she believes, make a real difference.
What she avoids is the mentality of the stereotypical IT crowd, the tendency to maintain a “best kept secret” culture about their work. Refreshingly, she sees clear communication as paramount to her function – that and clearly defining risks and the right solutions.
“It's not something that's always at the top of everybody's mind. It's important to link security guidance and security standards to the risk message,” she says. “I think there is a tendency in security to end up with set standards that are applied rigorously, regardless of what the risk is, no matter what the business environment is. You need to understand and apply risk so you can prioritise the actions.”
According to Jorgensen, you then need to tell people about what you're doing. Coming from a delivery and development background, she understands the need for security standards to be presented to developers in an easily accessible format.
“We try to make sure that the strategy and architecture of the department are mapped out. We need to know what we're doing for the next five years and ensure that we have a proper plan in terms of the things we have to deliver; that we've got the right level of focus,” she says.
Jorgensen has responsibility for around 30 people employed in the various teams that comprise BA's security function. There's a consultancy team that is involved in the firm's information security projects – they give technical advice and make sure people are following the standards. The data protection and compliance teams, including a group dedicated to SOX, will be taking on PCI compliance and will “beat the drum” on the various projects.
“One thing I'm very keen on is that, when we manage change, we do it as projects rather than additional activities, so that you get proper starts and finishes in a timely manner,” she explains.
BA is without doubt one of the UK's “barometer” enterprises – a turnover of more than £8.5 billion and some 50,000 employees ensure that. And, as an airline, security is a priority. Jorgensen is keenly aware of its value to the business and is bullish about its effectiveness.
“Security is a key priority of British Airways. It isn't something that's done as a second string. It's very important to BA as a whole. We have a good reputation and we want to maintain it,” she says. But she adds that security has to have a purpose; it has to be seen as a contributor to the business, it must be responsive and achieve things in a cost-effective manner.
“You have to be sensible and make sure it's not security for security's sake. You must understand what you're trying to achieve; what's important. You need to make it clear to people why you're doing things and put it in context for your people. We need to be very fleet of foot. We can't be in a position where we're delaying the business. We need to think ahead and plan ahead,” she says.
This means ensuring employees are aware of, and understand the reason for, security. Jorgensen is quite clear about the value of training, which she sees as fundamental, especially in IT. She maintains that if BA people don't think about security when they are designing new systems or buying new products, then the business will pay for it later.
“If you want to be fast and efficient you can't afford to revisit the problem,” she says. “We also can't afford to implement stuff that isn't secure, so it's very important to put in the right stages of the management life cycle.”
Complying with Sarbanes-Oxley was a massive job, and one which Jorgensen says followed her rules on implementing change in line with the core business. As far as she is concerned, compliance just has to be done – it's part of business life and it's simply wrong to suggest that it may hurt other areas of the business.
“If it's legislation we have to comply with, what we have to do is comply with it in a sensible manner. We are doing neither too much nor too little,” she says.
BA continues to operate in a changing and increasingly competitive landscape, which must put extra demands on Jorgensen and her teams. She is forthright and positive about such pressures and how to deal with them.
“The key is that we make sure we reduce the costs of operating controls,” she says. “There are a lot of things we currently do manually that we need to automate. Things such as access management, provision and deprovisioning. There are three benefits: cost reduction, more effectiveness and the ability to pull out regulatory evidence very quickly.”
Getting employees to buy into security and its benefits is still a challenge for BA, but Jorgensen is keen to put this right and has already made inroads into refocusing people's minds. She has even achieved this in some less-than-obvious areas – such as the web developers group.
Jorgensen organised penetration testing of some of BA's web properties to find potential holes. These were then presented to the web developers to encourage them to write more secure code. It worked. The developers lapped it up, responding to the real-world examples and showing a real thirst for what good design and good coding looked like.
“It's practical examples that really mean something rather than theoretical guidelines or standards that people don't understand,” she declares. “Practical training is helpful. Somebody standing at the front of the room telling people about standards is not going to set anybody alight.”