Every day of every week, millions of employees throughout the United States and around the world receive their paychecks—whether through direct deposit or as a live check and stub—through ADP. For years, the company has been a trusted outsourced business provider—so much so that it is a critical cog in the national economic machine. With the stakes so high, it is Roland Cloutier who has been tasked with ensuring the security of this global operation and making it run smoothly.

CSO: How would you size up the security task you're charged with at ADP?

Roland Cloutier: From a security practitioner standpoint, ADP is a big target. It pays a quarter of the U.S. workforce. We float north of a trillion dollars every year. We have to ensure that millions of checks are cut and delivered to people around the globe. That is a huge challenge. Business resilience is the single key objective I have as CSO.

What is the key driver to implementing a global security strategy?
We have to ensure that there is a well-developed risk framework that works across the entire organization. At the same time, we have to look at the service levels required in any specific segment, and what those risk levels are and how do we apply which services and articulate controls, and what metrics and key performance indicators (KPI) do we use to ensure that they are effective.
CSO: What do you consider the most difficult or rewarding accomplishment of your career?

Roland Cloutier: At a previous company, I used to work with this hard-core sales executive who couldn't have cared less about security. After four years of my rolling out programs and a security organization, I get a call from this guy, and he says, "Roland, I'm about to pitch an idea to my team for manufacturing stuff in an Asian country. Talk to me about security and the threat perspective and how we could manage risk in that environment." His first call was to ask the CSO, "Could we do this?" It was the first time that a senior business executive showed me that he understood that security was simply part of doing business.

Can you name one of the biggest mistakes you've made during your security career and what you learned from it?
I made two, actually. One was that I assumed—I thought—people were executing and were being held accountable. It wasn't until I put that work into a lifecycle approach that I realized that I actually had a problem. Thankfully, it was mitigated before it could become a big problem. Now, the lifecycle approach is very big with me, to have the governance and oversight of what we are accountable for. It will never happen again.
The other mistake was with communication. We can get so busy in developing our organization that we fail to communicate with our own team or with clients internally or externally. In fact, you have to constantly reset your communication strategy. It's a fundamental part of doing business today. Every day I wake up and think about how I am going to communicate today and measure accountability.
What are two things about security or security leadership you wish you'd known 10 years ago?
More often than not, that the people we support are looking for an answer. They want us to say: Here is your problem, this is why it is a problem for you, and here is how I suggest that you remedy that problem. I wish I had known that 10 years earlier. Before, I had always assumed that we were being requested to do things, and would respond with, "What do you want to do?"
It's also very important to have business acumen. I was fortunate enough to work for one of the smartest CFOs in the industry. It provided me with a financial perspective on how you can genuinely affect the organization. You really need to know the details of financial knowledge to truly understand how your security practices impact an organization.
How has the current economy affected security?
It has not presented threats on the physical side, but on the cyber side, fraud issues have increased dramatically. Phishing schemes are up 10-12 times over the last year. You see people who leave their organizations and are taking trade secrets to other businesses. The economy has had an impact.
When it comes to business stakeholders, what is their most dangerous misunderstanding about security?
That anything that you do in security is a one-time fix. People think, "Something was a problem, but the security guys fixed it." Often, security practitioners themselves rest on their laurels for a variety of reasons and become complacent in measuring the actual outcome of their efforts. We end up forgetting to look at lifecycles or KPIs or what we had committed to in terms of security. This is where security professionals have to communicate that security is a moving target. Bad guys will change the strategy and the technology they use. We have to remember that security is a living, breathing part of the business fabric.