My first encounter with Neira Jones was at the Infosecurity Europe show this April, when she was inaugurated into the Infosec Hall of Fame. When I mention this particular event, she breaks into a grin, proud of the industry recognition.
I remember the Hall of Fame session well. Jones may have looked out of place (being a woman in a ‘man’s world’), but she certainly didn’t sound it, instantly silencing any potential critics with impressive industry knowledge and insight. But more on that later.
I met with Jones at the Barclaycard HQ in Northampton, where she has worked for three years. Interestingly what attracted Jones to her role at Barclaycard wasn’t the position she was offered, but the brand itself. “I’ve always been interested in working for organizations that have something to offer to me. The Barclaycard brand always interested me because it is associated with innovation and agility”, explains Jones.
After approaching Barclaycard, someone advised Jones of a position opening – a role responsible for the deployment of the PCI DSS standard for all Barclaycard merchants. “I did a bit of research because, admittedly, I knew nothing about it”, she confesses. Three years later, Jones sits as a board of advisors member on the PCI Security Standards Council.
In fact, up until this point, Jones had no information security experience at all. Her expertise was in change management and financial services. At her previous employer, Santander, Jones “was focused on the integration of what used to be Abbey and Abbey National within the new Santander infrastructure. I used to manage very large portfolios of change programs – including all aspects of people, process and technology”, she remembers.
So, while the new position at Barclaycard wasn’t exactly within her comfort zone, Jones said “Yes, I will give it a go, because to me this sounds like change, and I know change. It was something completely new, working for an organization that I associate with innovation.”
Evolution of Role
Jones describes herself as having “fallen into security” as a result of her natural desire to “fix something that’s not going as well as it should”.
But while Jones was somewhat a stranger to security until July 2008, she was by no means a stranger to IT. “I have a master’s degree in information technology – specializing in applying IT to business studies. I’m a bit of a nerd!”, Jones laughs.
On joining Barclaycard in July 2008, Jones’ role was essentially to promote compliance with PCI-DSS. Within a year of joining the company, Jones’ role and job title evolved in correlation with the industry. “We rapidly realized that it’s not just about that particular standard, and it’s certainly no longer about compliance”, she says. “It’s about risk management.”
Jones is now head of payment security for the acquiring side of Barclaycard, looking after organizations that accept card payments – either face-to-face with a card terminal, online, over the telephone or via mail order. “We all want the same thing in this industry”, says Jones, who insists that it is her job to ensure exactly that – that her (just short of 100,000) customers “avoid becoming the next Sony”.
Rather than keeping her up at night, Jones says the press horror stories about various data breaches fill her with “sadness. There are very well-defined information security practices. Common sense can be applied. It’s not rocket science”, she adds.
Educating the industry about how they can help themselves is “our duty”, Jones affirms. “These media horror stories prompt me to speak even plainer English, tailoring to the audience I’m actually addressing.”
Working in partnership with industry bodies and financial services institutions to promote the message is essential, advises Jones. “We also work with information security companies and card schemes such as MasterCard and Visa. We make it our business to spread the gospel”.
While Jones’ role addresses outward facing external security, she explains that in order to ‘spread that gospel’ correctly, there needs to be a very big exercise in internal communication and education.
“Sales managers and relationship managers will be in direct contact with our customers who may ask them questions in relation to payment security or related areas. They need to have a level of understanding whereby they can field the questions, and only refer to us when the queries become more complex. Otherwise, I’d need a hundred people to do my job”, she says.
Being a financial institution with a lot to protect, security is naturally an integrated part of the Barclays culture. “Security is part of our training, part of our resource, and part of what we offer our customers”, Jones advises. “Even though payment security is not a commercial proposition for us, it’s definitely a value-add for Barclaycard”.
When asked about her team, Jones breaks it down into three parts: compliance operations; support for compliance operations; and business development.
“The compliance operations team is in constant contact with customers. When the queries come in, there is an efficient process in place to answer them. If the business development team [doesn’t] know the answer, we have to carry out research, contact various organizations and talk to the industry to find it”.
Compliance operations support is “about streamlining and automating the processes, ensuring we’ve got the appropriate management information and tools.” Industry knowledge is an essential part of this duty, explains Jones, who “needs to know on a daily basis whether fraud is rising or compliance is going down, for example”.
Finally, the business development team is broadly classified by Jones as “Technology watch – looking at the market, at fraud profiles, and at threat assessments.” Responsibilities for this team also include speaking engagements, developing the website, and providing tools for customers.
If You Want to Be in Her Gang…
When hiring, Jones doesn’t impose a general skill set. Instead she requires experience in the financial services sector, prefers an IT background, and welcomes those with change management experience, because “they are flexible and transportable”.
If you fancy a role in Jones’ department you would need to be: “Adaptable, flexible, have a ‘can do’ attitude, and be happy to learn new things”.
A willingness to travel is also required. “All of my team have to travel to meet our customers.”
Providing value to their customers is something that Jones places great emphasis on. “As long as I can see that our – and my – contribution is of value to customers, the industry and the organization, then that’s my personal ambition fulfilled”, she says.
When asked what the future holds for her, she is insistent that her “job [at Barclaycard] is not yet finished. As long as we are still providing value to our customers, that’s what I’ll do, and I can definitely see us doing that for the foreseeable future”.
What’s Hot, What’s Not
When I switch topic and ask Jones to talk about any new trends she has seen in the industry, her entire demeanor changes. Her eyes light up as she begins to talk excitedly about the sea change in the information security industry over the past eighteen months. I see instantly that this is what fuels her enthusiasm.
“In January 2010, I made a very public prediction. I said ‘we’re sitting here talking about compliance. In a year’s time, we will all be talking about risk.’ Lo and behold, we’re now all talking about risk”.
Jones welcomes this fundamental shift in the industry with open arms. “What I’ve been advocating over the past 18 months is to look at your risk profile and your risk appetite, because what we all want is to avoid data breaches. So please do not go and spend £/$100 to protect a £/$1 asset, because it doesn’t make sense, especially not in the current economic climate.”
While Jones admits that many organizations are still “grabbing at compliance”, she recognizes a definite shift toward risk management, particularly in the corporate space. In the SME space, she warns, “there is still a lot of work to do in terms of education and awareness”.
Why? “As a small organization, they do not have the resources, or even the knowledge, to understand these things. It is therefore our duty to make it real for them.”
“They may have suffered personally from card fraud or identity fraud. They understand that when they experienced it, it was a pain.” Transposing that message to make it understood that their customers may be in that position because of what they may or may not be doing is key, advises Jones.
Slightly more controversial is Jones’ take on advanced persistent threats. “It’s APT this, and APT that”, she says, bemused. “Ten years ago we started seeing the first SQL injections. We now know exactly how to prevent the SQL injection.” According to the [Verizon] DBIR report, explains Jones, default prevention, in combination with a lapse of credential and password management and bad log management, was responsible for approximately 90% of attacks.
“If you actually address those three, you can more or less eradicate most of the threats. So yes APT exists; yes, evasive techniques can be used to actually deliver the malware and everything else; and yes, we should be protecting against that.” But, should it be high on the priority list, Jones asks? “No, fix the basics first.”
Another trend that Jones considers the industry to be unnecessarily obsessed with is the cloud. “It all comes down to risk”, she explains. “What is it that an organization is trying to move to the cloud? How sensitive are those assets, and what could happen if they got lost or compromised? A bad security posture will have the same effect whether it’s in the cloud or not. A good security posture will have the same effect whether it’s in the cloud or not”, she argues.
Less Bang for Your Buck
Jones recognizes the tendency for organizations to invest, in a panic, in unnecessary or irrelevant technology ‘solutions’ according to whatever horror story has hit the headlines. “The board will pay attention to these stories, as they are often big names. The IT department within that organization may then take that opportunity to get approval for the next silver bullet”.
Organizations then mistakenly try to achieve compliance in silos, Jones sighs. “They’ll try to do PCI, they’ll try to do Data Protection Act, they’ll try to do SOX and this and that”. In doing so, they’ll spend an awful lot of money, she says, some of which will be completely wasted.
“If you look at it in a holistic fashion, without panic, and try to address the risk one step at a time, it’s a much more sustainable proposition.”
Advantage Jones
At the beginning of this article, I mentioned Jones being inducted into the 2011 Infosecurity Europe Hall of Fame, which is impressive given that she only became involved in information security three years ago. It seems (perhaps wrongly) even more impressive given that she’s a woman in a very male-dominated industry.
“Have I ever felt out of place? No, quite the contrary”, smiles Jones when I raise the issue of her gender. “I have found the agility of this organization, and the way it wants to listen and is prepared to take new ideas on board, extremely refreshing”, she says. “I have not felt that my gender has been a hindrance within this organization at all.”
Referring to the industry as a whole, Jones admits it is “very true that it is hugely male-dominated”. Rather than allow this to get the better of her though, Jones has played it to her advantage. “Suddenly there’s this person”, she says, referring to herself, “who doesn’t use acronyms, and doesn’t try to swamp everyone with science – actually she’s talking some sense – and therefore I find that people listen more. It has been a benefit, exemplified by the awards we keep winning in the team. There is space for lots more women in the infosec sector”, she says, to which I agree.
I consider her comments about not using acronyms or talking in technical language and really think she is on to something. “Traditionally the infosec space has been made up of the ivory tower type, putting lots of letters after their name and everything else. They like the technology, and yes, it’s very exciting to deploy new technologies and new ways of doing things.”
“At the end of the day”, she concludes, “we live in the real world, we live in the commercial world, and we have to face the realities of life”, which she believes can be communicated far more effectively through the use of simple language. At last, a security professional who has ditched the acronyms and the buzz words in favor of simple, logical language.
Neira Jones, I salute you.