SecurityInfoWatch.com recently caught up with Gareth Webley, the CSO for National City, the eight largest financial services company in the U.S. As Webley puts it, "We're the biggest bank you've never heard of." National City has close to 1,600 branches in eight states, and with its brokerage and mortgage divisions, the company has a virtual national presence, despite the fact that the Ohio-based bank is still somewhat regional in focus.
Webley shared an inside look at his organization's security convergence, bringing the "geeks and guns together", so to speak. From the creation of a converged security command center that would be in operation 24/7 to the general benefits of merged risk assessments, the excerpts from our Q&A with National City's Webley help shed light on security convergence for any organization.
Webley will also be speaking on Wed., Nov. 15 at the ADT Financial Security Symposium in Florida. His presentation will be available for free live on your computer via SecurityInfoWatch.com's webcast series (register now for Wednesday's online seminar).
SecurityInfoWatch.com: Can you share with us some of your history as well as the history that led to a converged security program at National City?
Webley: I joined National City in 1999 primarily to head up the information security department and grow it. The bank had gone through a series of acquisitions. It had doubled, and then tripled it size in about 10 years. In 1995, they identified a need to focus on information security, so I joined the bank and built the information security team over about four years. They named me CISO. Then about a year-and-a-half later, about two years ago now, they decided the physical security side needed the same sort of technology investment and programs approach to delivering security services. They decided to merge and give me the opportunity to lead both the electronic and physical security departments. So I am a chief security officer in the true sense in that I have both data security and physical security reporting to me.
Prior to working with National City, I worked for British Petroleum, and I had quite of bit involvement there with the physical side because they used a lot more technology to secure their plants and their pipelines. [At BP] there were a lot of things that we leveraged our data systems to do for security.
SIW: What was the transition to converged security operations like at National City?
It was a very interesting transition. The physical security side is in many banks made up predominantly of law enforcement and ex-FBI or military people. They had a very different view of their world. It was typically a command-and-control attitude of "we've got to stop people from robbing our branches." And we were dealing with a lot of aging technology. What I really brought to the merger was this notion of organizational convergence. It was the notion that the teams really need to do is work together. Part of the goal is that services that are commonly delivered -- such as administration, security engineering, risk assessment - can be done out of a single group. We won't have a single risk assessment and then an electronic risk assessment, but we will have a team that delivers risk assessments.
We're combining our logical and physical access into a single card. "One card, one access" is sort of our motto. We've just begun the rollout of a multi-year program to upgrade our physical card system. And the same system that provisions our mainframe systems and our LAN systems is also going to provision our card access system under what we call role-based access control. The same people that are adding people to user accounts on computers are also going to be adding people to the card readers, and it can all be controlled by a single user ID.
SIW: How did the issue of Sarbanes-Oxley affect convergence at National City?