Keeping the Citi secure

As co-head of Information Security for Citigroup’s global operations, Mark Clancy has a big job. Aside from holding ownership of the group’s information security policies, he describes one facet of his role as “turning up rocks”. Taking time out from our recent summit he expanded on what he meant by that.

“Often, we get asked something about a particular situation – is this OK? – and we try to ask the bigger questions of kind of why are we in that position? Or if we did it here, where else did it happen? Then it’s a case of figuring out how you solve the bigger problem – what we usually see in this role is symptoms not causes.”

And what are the top challenges that this process of turning up rocks presents? “Managing the expectations. Keeping all the various constituents happy – the businesses, the regulators, the auditors, the infrastructure guys – and really trying to have a discussion about what makes sense from a risk perspective. What is acceptable or not in an ever-changing environment.

“I describe it as trying to get out of a ‘whack-em-all’ approach to problems – where something pops up and you have to swat it down – and moving towards a more strategic long-term view, acknowledging that the interruptions along the way and the urgencies of the day need to get addressed.”

So what does Clancy think are the greatest risks he faces from an information security standpoint? “It’s managing complexity on two different levels. One is we have very complex environments and there are a lot of bells and whistles that can go awry. The second is that in the regulatory context, there are multiple jurisdictions and multiple organizations in multiple countries, and they’re all starting to go different directions. We have the rules-based or principle-based regulators, you have some that put things in very narrow contexts, which conflicts with other regulators, and yet you have to satisfy both sets.”
And what kind of emerging technologies has Clancy been employing to meet these challenges? “We’ve done quite a few things in the data protection realm broadly, for example USB device control and tape disc encryption. We’ve also continued to do a lot of work on the infrastructure side to support global sourcing – we’re trying to ensure that our network and our server environments can support development and system support when they’re offshore. We’ve also done quite a bit on the virtualization side and we’re moving fairly heavily in that direction.

“What’s for sure is that as the risk landscape changes, it won’t be boring. The challenges in information security risk management or IT risk management are fairly immature; we have hundreds of years of history on loan risk or credit risk – we know kind of what’s going to happen yet credit risk still surprises us from time to time. So we need to move down the maturity curve. Today we’re working on subjective and qualitative analysis and we need to move some of it towards more of a quantitative understanding – so we can take a long-term view of a given problem rather than just produce a short-term answer.”