A need for a coherent response to threat led insurance company Aviva to create its group business protection director role. Ron Condon reports.
Six weeks into his new job, Paul Wood is still thrilled with the view from his 20th-floor office in the City of London, right next door to the iconic “gherkin” of 30 St Mary Axe. “Look, down there you can see the London Eye, and below us there's Tower Bridge and the river,” he enthuses.
The only blot on the landscape is the new Willis building going up next door to the Lloyds building, which threatens to block out some of the view.
Wood has gone up in the world in more ways than one. Previously chief security officer for UBS, which he joined in 1999 and left in April of this year, he has now taken on the grand title of group business protection director for Aviva, Britain's largest insurance company and around the sixth largest worldwide.
The job gives him a global role with ultimate responsibility for protecting the business from any type of threat to its operation or reputation.
“The title was part of Aviva's philosophy to encompass everything that is involved in protecting the business from traditional security threats,” he says.
“They wanted to get away from the coy phrase of CISO or CSO. We still have aspects of those roles across the organisation, but we are trying to bring things together on this single business protection platform.
“The group looked at its structure last year, and decided that, in order to move forward into the top tier of thought leaders, it needed to bring in someone at a senior level to lead a strategic charge around information security, physical security, business continuity and crisis management.”
The need for an integrated approach is explained by the company's international ambitions and stems back to its adoption of the Aviva name in July 2002. The company is the product of successive takeovers and mergers, encompassing (among others) Commercial Union, General Accident, Norwich Union and even the RAC.
The Aviva name was designed to bring some cohesion to the various business units and to provide a springboard to an international expansion that has continued apace, venturing into countries of the former Soviet bloc and even into China, as well as taking some parts of the operation offshore.
That kind of expansion brings with it a whole host of risks, and it is Wood's role now to make sure that those risks can be managed and mitigated in what is still very much a federation of separate business units.
He reports directly to the group finance director, Andrew Moss, who sits on the main board of the company. “They were keen to demonstrate that this new role has impact and influence,” he says. “The challenge is how to bring a common philosophy and approach for business protection issues across the group, which combines some very UK-centric business with Norwich Union, and a more international flavour through other parts of Aviva.”
His role, therefore, is to set strategy and policies, and also see where any synergies can be found between different units.
And there is already plenty of knowledge and expertise around the company, he says. Before Wood's arrival, a director of group security and a head of information security were already in post, both of whom now report to him.
In addition, every business unit has its own information security manager and business continuity specialist. On top of that, there is a central team called UK Business Protection, which provides a centre of excellence for security to all of the UK business units.
“I am looking, with that team, to see how we can optimise that model or, if need be, make changes to serve the group overall,” he explains. “You can describe the process as the growing-up of business protection and security.”
Within a month of joining the company, he went off to attend Aviva's annual three-day security conference near Milan, where he met 42 information security managers and business continuity specialists from around the group. “That three-day workshop gave me the equivalent of three months of travelling around the globe. I could meet the personalities, talk about the issues we face, the approach we might want to take and what I wanted to do in terms of setting high-level policy.”
He admits he had been cautious about the workshop, worried that people in the various units might resent the new central control. In the event, he says that they “welcomed it with open arms” and, especially for the smaller units, welcomed the idea of a common standard.
As someone who is used to dealing with difficult situations (his MBE was awarded for “services to government” after his service in the MoD and spells in Germany), the experience so far at Aviva has been pretty painless. The only challenge he admits to so far is getting people in the insurance industry to open up and give him, the new boss, a ‘warts and all' account of the current situation.
His mantra, often repeated during our interview, is to deliver “cost-effective and pragmatic solutions” to the business and to manage risk. With his high-profile position, security gets closely involved in all decisions about new markets or even mergers and acquisitions. “We get involved from the outset. We will talk to the M&A team, who'll ask us about a particular country or environment. We will add value to their proposition,” he says. “There is a real willingness to engage with us, and make sure we are working for them. Our challenge now is to show we can deliver it.”
To make this happen, he has already taken some concrete steps. Although some of his staff have professional security qualifications such as CISSP and CISA, he is urging them to join the new Institute of Information Security Professionals.
“I am encouraging people to join the institute because I think that is the right way forward. It is more about real core values of information security, and includes mentoring and interacting with your peers, which is so important.”
Additionally, the company belongs to security user groups such as I-4 and ISF, and Wood is looking at signing up for a new service from Gartner to help executives with information security.
On top of that, he has just launched a “Security and You” section on the company's intranet, which promotes security awareness and will introduce a compulsory security test for users. “You need a carrot-and-stick approach – you need to make people aware, to understand their personal responsibilities. People often forget that and believe security is just the responsibility of the information security department,” he says.
The need to get users involved is key to his thinking, and underpins the broad responsibility he has for all aspects of security, including physical security and business continuity.
“I don't think that you can provide an international group like Aviva with a true picture of the risks you face, if you don't bring all those things together at some point in the organisation,” he says.
“There doesn't have to be a link at every level, but in order to get an overview and to set policy and strategy for the future, they have to come together at one point. They are so inextricably linked – you just can't separate what is happening with people and process and technology – all those things are affected in some shape or form by physical security as well as information security and business continuity.”
Information security people, he says, focus too much on technology and tend to forget the people and processes, and that is a dangerous mistake.
“What frightens me more than anything else – it's the people issue. We have been arguing for far too long that we are only at risk from hackers from the outside world. But that is just 10-20 per cent of the risk. The rest comes from within. Those people are already inside the organisation and know what the control weaknesses are. They know what the management's appetite for risk is, they know how to circumvent the controls and they know what your organisation looks like.”
And he suggests that organised crime has already worked out that it is much easier to plant people in an organisation than to try to use hackers to penetrate from the outside. “The criminals realise their best way of gaining influence is to get inside an organisation. It is not impacting us today, but there is evidence from the High Tech Crime Unit that criminals have infiltrated retail banking.”
The answer is to do proper staff vetting, and also control how much access people have to information. “You need to control privileged access. That is a big issue that many technologists forget. They are of a mindset that says everyone needs to have everything – but you need the principle of least privilege,” he says.
“The golden keyholders are the ones who can cause you most pain. You make sure that you have commensurate controls around those people so you can monitor what they are doing. That can involve a variety of things, including the education and training of managers. It is often forgotten that you give these people high levels of access and, when they become disaffected or unhappy, they still have the keys to the door.”
He suggests companies undertake a regular review of access privileges to ensure that users do not acquire or retain privileges they no longer need.
That approach takes judgment and sensitivity, and there needs to be a fine balance between trusting people and applying heavy-handed controls. But he is in no doubt that it needs to be done. “You must trust people, of course, but you also have to make it clear what your tolerance is for any abuse of trust. If you are upfront with your employees about what is expected of them, and what you will do in terms of monitoring, there is no issue.”
As Aviva continues its rapid expansion, the challenge will grow and Wood knows he has to impose his security vision fast. “The plan in my first 90 days is to engage with key stakeholders, key managers around the business units, and the people we need to work with, both in the technology space, facilities management, and other areas of the business,” he says.
He has made a good start but, with offshored operations in Sri Lanka (for call centre and some processing) plus several new joint ventures in several emerging markets around the world, it looks as if he won't get too much time to enjoy his view over London.