CSO Compass Awards 2010: Roland Cloutier
CSO and Corporate Vice President, ADP
By Bill Brandel
May 04, 2010 — Every day of every week, millions of employees throughout the United States and around the world receive their paychecks—whether through direct deposit or as a live check and stub—through ADP. For years, the company has been a trusted outsourced business provider—so much so that it is a critical cog in the national economic machine. With the stakes so high, it is Roland Cloutier who has been tasked with ensuring the security of this global operation and making it run smoothly.
CSO: How would you size up the security task you're charged with at ADP?
Roland Cloutier: From a security practitioner standpoint, ADP is a big target. It pays a quarter of the U.S. workforce. We float north of a trillion dollars every year. We have to ensure that millions of checks are cut and delivered to people around the globe. That is a huge challenge. Business resilience is the single key objective I have as CSO. What is the key driver to implementing a global security strategy?
We have to ensure that there is a well-developed risk framework that works across the entire organization. At the same time, we have to look at the service levels required in any specific segment, and what those risk levels are and how do we apply which services and articulate controls, and what metrics and key performance indicators (KPI) do we use to ensure that they are effective.
Editor's note: Also see The Security Metrics Collection for in-depth strategies in measurement and communication.
CSO: What do you consider the most difficult or rewarding accomplishment of your career?
Roland Cloutier: At a previous company, I used to work with this hard-core sales executive who couldn't have cared less about security. After four years of my rolling out programs and a security organization, I get a call from this guy, and he says, "Roland, I'm about to pitch an idea to my team for manufacturing stuff in an Asian country. Talk to me about security and the threat perspective and how we could manage risk in that environment." His first call was to ask the CSO, "Could we do this?" It was the first time that a senior business executive showed me that he understood that security was simply part of doing business.
Can you name one of the biggest mistakes you've made during your security career and what you learned from it?
I made two, actually. One was that I assumed—I thought—people were executing and were being held accountable. It wasn't until I put that work into a lifecycle approach that I realized that I actually had a problem. Thankfully, it was mitigated before it could become a big problem. Now, the lifecycle approach is very big with me, to have the governance and oversight of what we are accountable for. It will never happen again.