FST EU 11


The missing link

Despite decades of staggering advances, technology can still only do so much. Travelex CISO James Gay tells FST about security’s vital human component.

Since the financial crisis put the global economy in a stranglehold, the market for international payments services has rapidly expanded as businesses and consumers the world over place increased importance on cash management. Businesses in particular have sought to achieve integrated global payment platforms that are capable of meeting their international payment needs. Travelex, the world’s largest non-bank provider of international payments and foreign exchange solutions, is well placed to take advantage of this market expansion, and rivals even the largest global banks in its ability to deliver a truly global payment solution. In September 2009, consulting firm TowerGroup ranked Travelex Global Business Payments as the industry leader in global payment solutions for the small-medium enterprise (SME) market and as number three globally for innovation in payments in the SME market. This is testament to the fact that Travelex continues to innovate in the payment industry.

James Gay is the CISO at Travelex and despite the importance that many attach to the role of technology in innovation he tends to believe that when it comes to security, technology is vital but it isn’t the most important part of the puzzle. “The security industry as a whole has realised that it is no longer a control and blocking industry. It is a business enabler. People expect security. You can see the challenges that people are facing with the loss of personal data, bank fraud and credit card fraud and the security industry is at the forefront of helping people resolve those challenges. So we have to be more of a people business than we’ve ever been,” says Gay. In his view, the technology is an enabler for what Travelex does, but without the proper concepts of how to deal with the people part of the puzzle the technology isn’t really much use.

“The technology is always going to be there as we need the tools to implement things and we need to do things faster, cheaper and better,” says Gay, but he is quick to stress that the main areas of investment over the next 12 to 18 months will be in people. “Without the right people it doesn’t matter how good your technology is, you will not be able to implement it properly,” he explains. The importance of understanding business needs before investing in technology is vital since the market is awash with technology solutions – some better than others – and businesses need to have the correct person in place to make decisions regarding the viability of technology investments. This, Gay believes, is the most challenging aspect of rolling out any type of information system, whether it is security related or not.

Most of the challenges he faces in his role are human as opposed to technological. “Security and information security is about people. It’s about getting people to understand that they are adding value somewhere and that they are responsible for security. Everybody in a company is part of the security and if they don’t understand that then we are heading for trouble,” warns Gay. As CISO, Gay believes that he is not actually responsible for security at Travelex, but rather he is accountable for it and those who deal directly with the customers, those who do finance and those who work in the offices, are responsible for security. “I simply make sure that they have the tools and the awareness to get it done,” he says. “I’m accountable for the quality of that process.”

And this is why processes are so important. It’s no good implementing them if the staff cannot work with them or they slow the staff down and they end up circumnavigating them, says Gay. “The whole point of our security is to add a protective shell around our processes, but it shouldn’t get in the way of those processes. If there is a quicker cheaper way of doing things – as long as it doesn’t increase the risk to the company – then we have to find a way of enabling the security in a different manner.”

The way that Gay evaluates the effectiveness of the business processes is quite hands on and involves him actively getting the opinions of those who use them – his staff. Wandering around the office he enquires as to how and why staff do what they do and likewise how they would ideally like the processes to work. Based on these responses he then tries to find a compromise that lies somewhere between efficacy and security. There are obviously some processes that are unavoidable such as audit trails, which are required by legislation, but even in this case Gay says that this doesn’t necessarily have to be done the hard way. “In my ex-
