Barclays CSO and CISO roles merge – Chief Security Officer Troels Oerting on future threats and board support

Barclays has merged its two security functions, with the previous Chief Security Officer and Chief Information Security Officer roles coming together under combined CSO Troels Oerting. [See also: Chief Information Security Officer salary and job description – What’s the CISO role and how much do CISOs get paid?]

Previously the organisation’s CISO, Oerting – together here with Elena Kvochko, the bank’s Global Head of Cyber Security Strategy and Implementation – explained to CIO UK some of the strategy behind the decision and how it could strengthen the company’s combined security defences.

Why did you decide to establish a Chief Security Officer Function? Troels Oerting: With the current threat and ecosystem landscape that is continuously evolving, we identified the need to redefine our approach to security to comprise cyber and physical security, as well as intelligence, investigations and resilience in order to take a truly holistic approach. For this reason, we established the Chief Security Officer function that will bring together these functions and allow us to utilise knowledge, intelligence and expertise across the global organisation which creates a very powerful response.

What are the key drivers for this change? Elena Kvochko: In today’s environment, organisational agility and operational effectiveness are decisive factors for a competitive future and present. By establishing a holistic approach to security, we intend to deliver better service to our businesses, and keep innovating. Innovation is key to maintaining trust of customers.

What can traditional CISOs at other organisations learn from CSO thinking? Troels Oerting: Large organisations are composed of employees, stakeholders, physical locations, technology infrastructure, third-party providers, and so on – and all of these components work together to accomplish a common goal while remaining independent from each other. For this reason, in order to effectively protect a large organisation, the organisation should account for the often disjointed nature of the technology infrastructure, locations, business units within the organisations, and have a holistic approach to better detect, react, and recover from sophisticated security threats. That probably also requires a powerful database solution in order to collect, collate, analyse and utilise structured and unstructured data from all kind of sources.

How will the integrated unit strengthen the organisation’s security defenses? Elena Kvochko: By building group wide investigations, intelligence, resilience, physical and cyber supported by joint operation centres and a data platform, we aim to remove duplication, provide better visibility and enhance overall resilience against threats regardless of their nature. We will focus on the ability to detect and react to the right ‘signals’. Having a group wide Security function will allow us to have greater coordination and close gaps Group-wide.

How should the accountability process be organised? Troels Oerting: It depends on the needs of the organisation, the industry they operate in, and the size of the companies, but I believe the responsibility should be shared between professional teams and those who own the risk. As we just discussed, in our view, in order to deliver effective security, we should deliver it holistically, as a service. Some time ago in the 90s, law enforcement had to restructure itself to deal with evolving landscape. In the old days crime was committed based on expertise and policing structure reflected that.

When organised crime emerged as criminal supermarkets, the response to that development also needed to be adjusted. This is what we are doing right now in Barclays. Adjusting to the development in criminal activities and realising that cyber is one of the enabling tools in the criminal toolbox, but not the only one. They might also use insiders or physical access or a combination. That’s why security is a holistic discipline these days.

Embedding security and tackling future cyber threats

Speaking at Trend Micro’s CloudSec conference earlier in the month, Oerting said that the amount of board level engagement and knowledge in security issues had improved, but that this did not mean organisations were necessarily willing to “throw suitcases of money” at the problem.

“I think in the early days we had problems, right now the board is all over it – possibly because there is a lot of regulation against banks,” he said. “There is a personal liability for the CEO, so again it is all about highlighting what is actually a threat, where are the priorities, and when can we do something and are we good enough. So I’m in a good position to have a very good update with board; they understand it.

“It’s not like they throw me suitcases of money, but they actually want to give me what I need and then it’s all about creating good enough security to protect my assets – and in a bank you have to protect your customers’ information. We take your customers’ information very, very seriously; if we have a big breach it will have a devastating impact and we don’t want that.”

On current trends and future strategies, Oerting said that embedding security in all stages of the development process and dealing with unknown emerging threats was a key concern for the bank and its aligned security function.

“In the old days we developed, and then we pen-tested and afterwards we went to market,” Oerting explained. “Now we have stopped that and instead we build in security by design, by being embedded in the development so we can actually skip the pen-testing at the end in some areas.”

“And then again I’m not so interested in what is hitting me now, but more what will hit me. We invested heavily in intelligence. Because that’s the real threat and otherwise I am just preparing for the past, and while I’m doing that the criminals are inventing new methodologies of penetrating so that’s the two ways we are approaching this right now.”

Security and competitive advantage

Kvochko added that security, privacy and trust had become key strategic business enablers in fast-moving digital markets.

“As companies have expanded their digital presence, they have been able to scale their business much faster,” she said. “It became a commonplace that every company is now a digital company. Trust and security are at the centre of competitive differentiators, since the biggest loss that a company can incur is failure to uphold the implicit agreement with its stakeholders to keep their valuable assets safe.

“We see in many industries that the interest, prioritisation and strategy around cyber security is growing tremendously. Security and privacy, along with speed to market and functionality, are key to every successful business.”