Prudential Preaches Pragmatism

Chief security officers should walk softly to get execs to take their message seriously. This was the warning from Tom Doughty, Prudential Financials vice president of information systems, at today’s Information Security Decisions conference in New York.

Increasingly, IT managers are resorting to scare tactics in order to get other parts of the business to address security. (See Harum Scarum! and Security Survey Underlines Fear Factor.) But Doughty is taking a more cautious approach at Prudential. “I think that the ‘Harum Scarum’ approach has to be used selectively,” he says. “It can tend to make people feel constrained.”

Rather than strong-arming disgruntled users to deploy a slew of security technologies, Doughty believes the trick is molding the security mantra to their specific needs. “Talk to them in terms of their outages, talk to them in terms of their Denial of Service issues," he said. “Let them do the math.”

Controversially, this may involve turning a blind eye to certain risks: “If a risk is purely technical and not impacting the business -- ask the question ‘so what?’ ”

Doughty admited that getting users in an organization as large as Prudential to sing from the same security song sheet is easier said than done. The firm’s securities business alone, for example, has over 15,000 end-users, and Prudential runs literally “thousands of servers” across numerous platforms. “It can take a little bit of patience.”Other security gurus at the New York conference also highlighted the importance of bringing security to disparate business operations. Charles McGann, manager of secure infrastructure at the United States Postal Service, echoed Doughty’s sentiments. “There are things out there that happen and you have to be joined at the hip,” he said.

But this is easier said than done. The cultural gap between technology mavens and their counterparts elsewhere in the business is often cited as a challenge by IT managers desperate to make themselves heard. (See IT Leadership: More Than Just Bits and From IT Speck to Business Exec.)

To bridge this divide, Prudential uses ‘business information security officers’ who act as intermediaries between the firm’s central security office and business line managers. But these guys are no geeks. “They are not technologists first,” he said. “What they are there to do first is to understand the business.”

The exec, however, warned that thick skins are often a prerequisite for this role, particularly when dealing with execs on the trading floor. “Don’t get run over. Tough people respect toughness and exploit perceived weakness,” he said. “The first conversation is always the toughest.”

But even after getting these folks on board, there is still plenty of work to do, warned Doughty. “When your job becomes easier over time, the biggest risk is complacency,” he explained. “You have to be careful that you don’t adopt a ‘just let me know when you have a problem’ mentality.”— James Rogers, Site Editor, Next-Gen Data Center Forum

Companies mentioned in this article:

Prudential Financial Inc.

United States Postal Service