PayPal's CISO's Psychological Warfare

Security is a game of perceptions, especially when you're protecting against insider threats. "Eighty percent of the effect is in fact psychological," says Michael Barrett, chief information security officer at PayPal. Barrett was hired a year ago as the online payment services provider became an autonomous unit of eBay. "You tell people that you're monitoring even before you implement the technology."

With more than 5,000 employees, there's a lot of perception to manage, and with 143 million user accounts worldwide, there's a lot of data to protect. Barrett and his staff of 30 must keep tabs on what information employees are accessing and use audit controls to track what they do. Every quarter, Barrett gets a list of users who have access to PayPal's systems, and every quarter he sends a report to the company's managers to ensure that each of the users listed still requires access. Anyone who's no longer with the company gets scrubbed from the list.

Of course, it's unrealistic to think that any CISO can drive a company's risk level to zero. "It's not good to reach for your tin-foil helmet and become completely paranoid," Barrett says. CISOs must know how to identify risks and prioritize resources, he adds, "and you have to be able to revise the plan as you go along."

Return to the story:
Cigna's Craig Shumard: One Man's Security Mission Continue to the sidebars:
Mozilla's Window Snyder: A CISO With A Different Agenda
and
PCI Standard Drives Some CISO's Work This Year