
Interview: Alex Hutton, Director of IS at Too Big to Fail Bank


In this episode of the Security Influencers Channel, Jeff Williams interviews Alex Hutton, the director of information security at Too Big to Fail Bank.

Alex was previously employed by Verizon, where he worked on modeling risk and contributing to the Verizon data breach report.  


In this interview, Jeff and Alex discuss risks, governance, current trends and what is in store for the future. The following is a brief excerpt of the complete interview.

Jeff Williams: So let’s jump into it. Tell me what you’re doing in your current role about risk management and governance and so on.

Alex Hutton: So my current role, we’re really focusing on IT GRC. A lot of listeners may recall, or may not recall, some of the things that have been said in the past around RSA panels, better send it around IT GRC and so forth. And I've offered this. Governance without metrics is just dogma, we do things because we do them. They may be smart dogma, they may be stupid dogma, but we don't just know. Once you add metrics to governance, now that’s risk management. And so part of my current mission at the Too Big To Fail Bank, is to really figure out, “Okay, great. So governance with metrics, what does it mean?” Let’s talk about application security, change management, IT operations, in terms of how that affects the CISO’s missions. How much risk do those functions introduce if we do them well or else did we do them poorly? That sort of thing.

So I'm really on this kind of mission, if you want to call it "moneyballing" IT, that might be a way to think about it. But really take a look at how an IT department ticks. How that IT department introduces risks into its environment, what those risks mean and are we accepting or introducing risks we don't know about? How good of a job do we need to do in things like application security? Right? Are we okay with copious cross-site scripting issues coming into production, or not? That’s the sort of mission that I'm on, it’s kind of a neat journey.


Jeff Williams: Wow. I mean, that is fantastic. I love the moneyball analogy, I've used that myself quite a bit, about talking applications security. Because you’re exactly right, we have almost no idea whether anything in application security actually works. There’s these complex maturity models and so on. And they're probably good stuff to do, but nobody knows.

Alex Hutton: Right. So something like, just to pick on one, BSIMM, that gives us a great starting point. There’s nothing that Gary and team have done there that I can fundamentally disagree with. The question becomes, when you’re thinking about something like BSIMM, or whatever application of security framework in standard and governance you want to start implementing in your environment, how much is too much, how much is not enough? Where? You know, you've got basically hundreds of different places where your business can make investment. Where’s the greatest bang for your buck? Why should you do it there? What is the right governance, right? So I've heard of another Too Big To Fail Bank, where if you introduce... if you commit code with a basic security error. The first time it’s a warning. The second time you do that, it’s actually an HR event. The third time is a resume-generating opportunity if you want to think of it that way.

Jeff Williams: [laughter]

Alex Hutton: Yeah. That organization has finally said, “Look, our environment is too complex to have these basic things cropping up again and again in security testing pre-production. So let’s do something about that in terms of governance.” That conversation, that decision is going to be different from organization to organization. I think that’s the journey we’re on, is trying to figure out at what point do you want to generate policy and governance that suggests resume-generating opportunities for just committing code with errors. Or at what point do you want to say, “You know, it’s okay if it’s a cross-site scripting error for an internal app. We'll let that go into production, and we'll kind of monitor the situation.” The answers are unclear. And the business, when anybody has been in my position have the fortunate and the unfortunate experience with talking to business, they're going to be familiar with them. They do this all the time.



Jeff Williams, Co-Founder, Chief Technology Officer


Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.