When Roland Cloutier joined ADP seven years ago to focus on operational risk, he was tasked with helping the business outsourcing solutions and payroll giant adopt a security first mindset that would ultimately yield cost savings, new markets and revenue.

"I was brought in to specifically do this and [ADP] was ready to accept change to do it," says Cloutier, senior vice president and global chief security officer at ADP.

Some of the steps Cloutier took included having senior-level practitioners placed in a group called the client security management officers (CSMOs), whose full-time job focused on quickly and accurately answering security questions raised by customers and potential clients about ADP's protection of their data and funds.

"Why that is important is because this is not sales people answering security questionnaires, nor is it people in marketing. It's a group of people who have access to the entire portfolio of our security program and can translate that to clients, give clients reports on our critical response center and be on the front end of sales opportunities with answers to security upfront," Cloutier says.

He added that security can be an enabler for the sales team to close deals, because contract negotiations often hit a snag because no one has ever explained security to the customer.  

[Cloutier will be speaking about Managing Risks to Reap Rewards: How to Use Security as a Growth Advantage during Interop ITX, May 15-19, at the MGM Grand in Las Vegas. To learn more about his presentation, other Interop security tracks, or to register click on the live links.]

Another step Cloutier took included changing the timing of when a security engineer was brought into the software development life cycle. Previously, the process went from developing a product, then having it go to the security engineer for evaluation, only to have it returned back to developers for retooling before it was released to the market. Security engineers are now embedded into the development team, as well as quality assurance teams, which Cloutier says speeds the time to market.

More Tricks of the Trade

Cloutier also scored cost savings by reducing his customers' password resets by 68% over an 18-month period. Applying a business process overview, he evaluated where password resets were frequently occurring and used security automation for password resets in those areas.

"Imagine hundreds and thousands and thousands of calls that come into our call centers from around the globe for password resets," Cloutier says. "This takes our experienced human capital management client service representatives [out of the loop] to reset passwords."

Other customer service issue he tackled with a business process approach included cutting the response time on security questions to within 24 hours, compared to the previous four to six weeks.

Transition Challenges

Although Cloutier has had success in overlaying a patina of security across ADP's businesses, he notes some CISOs may find the move challenging.

"Security is often seen as a component of IT and there are still many companies where their security executives may not be security executives," Cloutier notes. "They may have security leaders in the company, but they don't have access to the C-suite to be able to drive those conversations."

He added that security budgets are often designed as defensive cyber operations and budgeted in a way to only manage, maintain and use technology to defend the environment, rather than handle research and development, or go-to-market operations.

Until these things happen, it is difficult for companies to make it part of their digital go-to-market strategy and sales opportunity, Cloutier says. For instance, he does three client advisory board meetings a year and ADP's global sales organization pays for those meetings. Cloutier also runs an organization that is fully focused on protecting ADP's marketplace and the company's chief strategy office pays for the organization's costs.

"There are some responsibilities across the business that understand that security is a lever, as well as … a component of their cost of goods sold," Cloutier says.

Risky Business

When it comes to operational risk management, Cloutier defines it as the ability to understand the issues that can potentially impact ADP's business, its shareholders and clients and then make informed, contextual-based decisions to reduce the risk to acceptable levels.  

The company's eco-system of risk programs begins with its enterprise risk management organization, a centralized program looking across 12 dynamic areas of risk, such as, financial risk, legal risk, regulatory risk, IT risk, strategy risk and others.

"ADP is extremely formulized in how they think about risk and develop programs to test and remediate," Cloutier says, adding that it relies on a scientific formula called factor analysis for information risk (FAIR) to measure market risk and understand the data thresholds. He says FAIR gives him a consistent and measured approach to evaluate risks across all of ADP's businesses, factoring in the company's diversified market segments from human capital management platforms to technologies and services, and provides the means to look at all of these segments independently.

He believes other large, mature multinational corporations are also taking a similar approach to risk management and shifting away from a knee-jerk reaction to high-profile security breaches.

"Organizations have been able to look [at] their operations and critical assets and take more of a business operations protection approach, rather than a straight-line cybersecurity approach or a straight-line risk management approach," Cloutier says. "They look at the operating process, their operating platforms, risks and issues and vulnerabilities associated with those and then measure them accordingly to make very informed decisions. So, I truly believe mature businesses are migrating away from that knee-jerk approach." 

Related Content: