Explain what you do in less than 50 words:
Facilitating the Society and our 25 subsidiaries to manage information security risk and protect our customers’ information. Our role is to put in place and operate the governance structures, policies, management support, assurance and oversight necessary for effective security. This means meeting regulatory expectations as well as facilitating business change.
What is the biggest information security threat to your industry?
I see two: Firstly, ensuring we maintain a balanced focus on security risks in the face of changing legislation and regulation – in financial services this is about ‘conduct risk’ as well as data protection rules. Secondly, responding to a changing threat landscape where critical and data systems are more exposed and more interconnected than at any time in the past.
What technology or information security solution could you not live without?
Personally I couldn’t live without my iPhone and iPad; workplace technology can’t keep up. We need to take advantage of consumer technologies in the workplace – and do so securely – whilst meeting the expectations of staff and management. [It] will be an ongoing challenge.
If you were leaving your role, what one piece of advice would you give to your successor?
Trust your judgment and don’t wait for permission. Though ‘don’t trust the coffee machine’ might be just as helpful!
What is the information security industry’s biggest shortfall?
It is too divided between technically minded people who don’t rate business skills highly enough, and business-minded people who don’t rate technical skills highly enough.
What is your proudest achievement?
Skipton’s ambition is to be the most recommended mutual. The work we have done recently to improve information governance and develop new programs to address security risks has made a real contribution to that, resulting in a ‘high assurance’ rating from the ICO in February. We have a long way to go, but I’m proud of the journey we’ve been on.
What is your biggest regret/mistake?
Not going into information security earlier.
In three words, what should the information security industry expect to be facing in 2013?
Even faster change.
Name a project, movement, product or legislation / standard that has impressed you in this industry.
If I have to pick one, Chatham House for their work on cybersecurity, which puts into context the environment in which we all operate.
Who, in this industry, inspires you?
Fred Piper (of Royal Holloway University) for making sense of complexity and his work to professionalize the industry. Also, Michael Brown of Callcredit, for his work there and for the infosec community. Security is full of inspirational people.
What are we, as an industry, doing right?
Professionalizing and getting to grips with the skills gap. Development of organizations such as the IISP [Institute of Information Security Professionals] in improving the technology curriculum could be transformational in a generation. It’s good that the coalition government appears to be listening and addressing the IT curriculum – when I wanted to study IT at school in the 1990s, I was told there was no demand and it wasn’t important. We’re still living with that legacy.
If you weren’t an information security professional, what would you be?
A politician. I’m a District Councillor in my spare time, and stood for Parliament in 2010 – fortunately unsuccessfully, as it has allowed me to focus on keeping Skipton’s customer information secure. The skills are very transferable though, and I think it is important to play a part in the wider community. Governments need a practical view of security that only industry can provide.
What are you hoping to see/hear at Infosecurity Europe 2012?
New solutions and ideas from a confident industry that’s going places, and up for the biggest challenge in generations: protecting the currency of the information age in an era of unparalleled interconnectedness and complexity.
Matt Palmer will be speaking at Infosecurity Europe 2012 at 14:30 on Tuesday, April 26, in a session titled ‘Defining ‘Risk Management’ & What It Means in the Context of Information Security’.