"Financial Service Technology America, today's latest financial news now..."
A broader focus

James Beeson of GE Commercial Finance answers our questions on risk management and technology advancement, and tells us how looking at GE's broader set-up can provide real ROI.


“The more you share and virtualize, the more risk you have as you put all your eggs in a single basket; on the other hand, the more autonomy you give people, the more they’re likely to bring in extra threats that you’re not aware of”
-James Beeson, GE Commercial Finance

Take a look at General Electric’s company overview and you’re faced with a rather extensive list of disciplines and work areas. From jet engines to power generation, financial services to water processing, and medical imaging to media content, GE claims that its people are dedicated to turning imaginative ideas into leading products and services, which in turn help to solve some of the world’s toughest problems. Furthermore, the organization continues to pride itself on its slogan ‘imagination at work’.

That’s all well and good, except that in today’s climate the ‘world’s toughest problems’ are massive, and the idea of ‘imagination at work’ – for many – undoubtedly seems a little stifling.

Headquartered in Norwalk, Connecticut, is GE Commercial Finance, described as one of General Electric’s largest ‘growth engines’. With lending products, growth capital, revolving lines of credit, equipment leasing, cash flow programs, asset financing and more, GE Commercial Finance plays a key role for client businesses in over 35 countries. The industries served include healthcare, manufacturing, fleet management, communications, construction, energy, aviation, infrastructure and equipment, and as a main component of GE Capital – General Electric's financing unit that serves consumers, retailers and businesses around the globe – GE Commercial Finance has assets of over $276 billion.

You have to admit, it’s a pretty impressive portfolio, especially given the current state of our economy. But such achievements don’t come without their challenges, as CISO James Beeson is only too aware: “It’s certainly a big stumbling block if we have a major breach somewhere. For a company like GE that trust and reputation is absolutely critical. We’ve got one of the best known brand names in the world and the last thing we want to do is harm that reputation. Building trust is a big piece of that.”

Do you think that it’s your role to bring in new technology approaches and do you ever look outside of banking’s four walls for best practices?
I would argue that our job is to enable the business to take a risk. That requires us to bring new ideas into the business and to say to management, ‘Here’s a way that you could take a bigger risk’, and that’s a massive part of our job to do that.

The way we go about it is through various methods. We certainly look within the financial services arena for best practice, but of course, being GE, we’re part of this huge conglomerate with stuff in aerospace and healthcare and we have a very diverse set of product lines that we can look into to get best practices that we may not otherwise have thought of using in the information security space.

Of course, most of the things that you’re battling against in information security are commonalities, regardless of what kind of business you’re in. Some businesses may have more physical threat than logical threat, but still, when you get down to it, we’re mostly fighting the same bad guys. We look everywhere for best practices and opportunities to collaborate on solutions that might help us be more secure or improve our posture. We go out and we look at government and do collaborative work with government and academia to see what things are coming that we might be able to take advantage of. We look everywhere. We leave no stone unturned. 

What lessons has GE Commercial Finance taken on during your tenure?
There is certainly more focus on awareness and education. I know one of the things that we have found is that education is a tough thing to sell on. We’ve learned from a lot of statistics out there that people will click through things, and everybody certainly does that at home: ‘Oh, I know there’s a security warning, but I don’t care.  I just want to get to whatever I want to get to.’

What we have found is that one useful way to help educate people is to bring it closer to home, so we will have brownbag lunches at our facilities and the draw is, ‘Come on in and we’ll give you some suggestions or ideas as to how to better protect yourself on your home PCs or protect your children on the internet.’

Amazingly enough, we get a lot more interest from people who’ve got kids and who’ve got PCs at home who want to know how to set up a wireless network and how to secure that network to keep their kids from going to all the bad sites on the internet. And even though it’s not really got anything to do with business security per se, the fact is we’ve found that when we get them in that mindset at home, they begin to think smarter in the workplace too. They use more common sense around security and they tend to then take better care of GE’s proprietary data and information.

As CISO, there’s often a real danger of only seeing symptoms and not causes.  How do you work around this?
You have to deal with both. We ‘patch’ our systems, but we don’t patch them based on what’s actually being taken advantage of but based on vulnerabilities.

Just because there’s a vulnerability doesn’t mean somebody’s exploiting it, and I think that’s what’s driven us into this area of treating the symptom instead of the cause. We need to figure out how to shift that and become more focused. That doesn’t mean we can ignore vulnerabilities altogether, but we do need to get more focused on where the threats are coming from.

And how do you ensure that focus and then move towards a more cause-centric solution?
I think we have to get smarter at using the tools and the information that’s out there. There’s a huge amount of information today that companies are getting from different sources and we don’t necessarily take advantage of pulling that information together and putting things against that to allow us to correlate the information and help us predict what’s going to happen.

The other way is that we have to collaborate more with each other as well as with the information that is out there. The public, private and even the academic side of the equation need to pull together and collaborate more. We don’t do enough of that today. 

What are the greatest risks that you face from an information security standpoint?
My spin is that education is still probably the number one risk and making sure that users understand what those risks look like. We have to spend time and resources educating people and making sure they understand that. Number two is the issues surrounding third parties, and as more and more companies are outsourcing a lot of information we have to make sure that we have processes in place that ensure these third parties, who are storing, using, processing our information, are handling it appropriately.

This is an even bigger challenge given the thousands of third parties that most big companies have. Something that I lose sleep over is how you maintain that, in a really dynamic space, where third parties are constantly merging, etc.? They may outsource to another third party – how do you maintain that?

It’s a problem across all industries and there’s not a good process for dealing with that. We can go out and we do due diligences but as soon as you’ve done that, tomorrow it may not still be the way they handle things.

In this day and age we can quite happily say that everybody has security software. Yet there are still these very public security breaches. What is missing from the overall picture? Is it the people or the processes?
It’s probably a mixture of those things. There’s no simple answer. I don’t think there’s a silver bullet to what’s missing. The SocGen incident is an excellent example of what has got everybody scared right now.

There, there were billions of dollars that this one individual was able to perpetrate from within the organization and all of a sudden antifraud committees across the board found some energy. I’m no expert, but it was probably all of those things that made up that particular issue at SocGen – and so we have to continue to look at all of them.  We have to get access controls, process controls and people controls in place. You have to have it all.

Of course, the more complex the environment becomes and the more bad guys that come into the environment, the harder the job is to maintain those controls. Currently, there’s somewhere in the region of 800,000 to a million new people that come onto the internet every day, 365 days a year, and some percentage of those are bad guys. And so on top of that, and the fact that you’ve now got organized crime supporting these guys, all you can do is just try to stay on top of it as best you can.

And as things like the BlackBerry and the iPhone continually pave new consumer experiences, the demand for technological change is happening far more rapidly than businesses are comfortable with and reacting to. How do you as the CISO face that challenge?
While I think most CIOs are going to react by saying ‘Keep them out. Block them. Don’t let employees have these devices’, I don’t necessarily think that is the best option. While I agree that you have to take precautions to not cause a problem, I think what you really need to do is take the other side of that and say, ‘How can we make this work to our advantage? What new technologies can we bring? What can the suppliers and vendors bring that will help us enable the business to take more risk with these devices?’

We’re kidding ourselves in the business world if we don’t realize that this generation that is coming into the workforce aren’t going to want to use these devices. So we need to figure out how to enable these new technologies because we’re going down a path that would suggest that we’re going to get to a time where a new employee will say, ‘I’ve already got one or two devices. They’re my little personal devices and I don’t want a GE machine anymore. Just let me access what I need to access through whatever device I’m comfortable with.’

How do you balance the need for autonomy in technology solutions by each business line with the demand and need for synergy across the whole enterprise?
For us, we have obviously a lot of divisions or subdivisions within the commercial finance business and I tend to frame it up in my mind as a target.

The question really is how do you find the right balance between those things and typically it’s about flexibility. You want them to be able to be more agile and more quickly respond to a business need and, again, there’s no simple formula for what’s the right balance. You have to understand what those business processes look like out at the front edge of the business and understand what your business model is.

From a security perspective there’s also two sides to the puzzle: The more you share and virtualize, the more risk you have as you put all your eggs in a single basket; on the other hand, the more autonomy you give people, the more they’re likely to bring in extra threats that you’re not aware of.  You just have to find the right balance. 

The key lies in sitting down with the business partners and understanding how, operationally, the business is run and not just having your ‘IT blinders’ on. You have to take these off and look at the business processes and understand them from a universal perspective.

James Beeson has been with General Electric for 11 years. He started as a Technical Services Manager in GE Capital, Vendor Financial Services, moved into Information Security in 2000 with responsibility for Mid-Market Finance, and is now responsible for Information Security and Data Protection globally at General Electric - Commercial Finance.

Prior to that, he worked at Trinity Industries, Inc., a Fortune 500 Dallas based manufacturing company, for eight years in a variety of IT leadership positions.

The GE portfolio

ENERGY INFRASTRUCTURE
GE's Energy Infrastructure segment is leading the field in the development, implementation and improvement of the products and technologies that harness our resources such as wind, oil, gas and water.

TECHNOLOGY INFRASTRUCTURE

Around the world, we are helping build the healthcare, transportation and technology infrastructure of the new century. Many of GE's fastest growing businesses are in GE's Technology Infrastructure segment.

GE CAPITAL

GE Capital offers an astonishing array of products and services aimed at enabling commercial businesses and consumers worldwide to achieve their dreams. Services include commercial loans, operating leases, fleet management, financial programs, home loans, insurance, credit cards, personal loans and other financial services.

NBC UNIVERSAL
NBC Universal is one of the world's leading media and entertainment companies, developing, producing and marketing film, television, news, sports and special events to a huge global audience. NBC is America's Olympic Network, and we are pleased to broadcast this legendary, global event through 2012. Come explore the world of NBC.

CONSUMER & INDUSTRIAL
From the familiar light bulb to the latest advancements in consumer technology, GE Consumer & Industrial has a long tradition of life changing innovations that have improved the quality of life for millions of people everywhere.

