Nullcon The chief security officer of payroll giant ADP says his executive peers will need to become technical if they want to have a future in the industry.

Roland Cloutier, who has a stint as EMC's chief security officer on his CV, told the Nullcon security event in Goa, India, that executives must be a lot more technical than they presently are and understand security controls tools in use both across the enterprise and the products it sells.

The former cop who has “studied his arse off” over the last six months to learn more about encryption says chief security types will need to focus on four areas including security technologies, threat information, risk, and convergence.

“First they have to fully understand IT, networking defence operations, basics of big data, and so on,” Cloutier told delegates. “If you are protecting [SCADA systems] you better know how a programmable logic controller works.”

“And you have to understand a deep acumen of defence models, and response capabilities.”

He says risk is critical for security executives despite that he admits it is his weakest area. “I hate risk,” he says.

Converged security is the final area that executives must conquer. Here disparate security divisions are brought together to share threat and other information. Cloutier gathers his 13 security executives together for 09:00 AM Monday meetings so they can share security intelligence.

Cloutier warns that attackers will become more determined and skilled as security defences improve.

He talks from experience. The payroll company recently deployed an in house built anti-fraud system that shot attack detection rates from about 64 percent to 93 percent “overnight”.

“The number of attacks went up 10 [fold] because they needed to try to find other ways to break in and steal money,” Cloutier says.

Ultimately it is a balance between leadership and technical skills, the ratio depending on the business.

“All [better security] it means is that you will piss of the bad guys and they will become more sophisticated.”

The company processes some 12 billion events a day through its global anti-fraud platforms including transactions and external threat data which it uses to create more detailed attack overviews. ®