Cybersecurity: “The First Step Is to Know Where You Stand” - Interview with Doug Clare, VP for cyber security solutions at FICO

Today we would like to invite you to read our interview with Doug Clare, VP for cyber security solutions at FICO. We talked about cybersecurity, the human factor, data research, measuring risk, and much more - take a read! 

[eForensics Magazine]: Hello Doug, thank you for talking with us! Could you introduce yourself briefly to our readers and tell us what FICO does?

[Doug Clare]: I’m Doug Clare, VP for cyber security solutions at FICO. FICO is best known for the FICO Score – the standard measure for consumer credit risk used by the vast majority of lenders in the US. What most people don’t know is that FICO also provides a long list of analytics and decision management solutions that empower business to make better decisions across a number of different disciplines. Our software and algorithms help banks, retailers, insurance companies, telecoms, and other businesses manage risk, prevent fraud, and make better, more informed decisions that help to improve performance and customer service. Over the last couple of years, FICO has also had the opportunity to leverage our analytic methods in the field of cyber security with offerings in both cyber threat detection and enterprise security scoring.

[eFM]: Out of the many industries that FICO is involved in, which do you think is most vulnerable and sensitive to cyber threats?

[DC]: As evidenced by the news on an almost daily basis, nearly every industry and almost any person, company, or government agency can be a victim of a cyber security breach or a very deliberate cyber attack. No one is immune, and as the most well protected assets are usually the biggest prize for cyber criminals, it would be hard to say that the most secure companies are the least vulnerable.

At FICO, we provide solutions to many companies that have very sensitive data, including banks and healthcare companies. As this information is frequently targeted for theft or identity fraud, we’re very keen to help them protect themselves and their unique needs are well reflected in our product roadmaps. But, as stated above, the problem is not unique to any industry or sector. As our collective dependence on data grows and its utility and importance grow as assets in conducting business, the criticality of data security is becoming a universal truth.

[eFM]: FICO has acquired Quadmetrics, which we interviewed almost a year ago. What did the Quadmetrics team bring to FICO?

[DC]: The Quadmetrics acquisition brought a couple of key assets to FICO. Most important were the skills and domain knowledge of the people. Quadmetrics had a great team, and we’re pleased that they are now a part of FICO. Their analytics approach and commitment to driving empirical methods into cyber risk analytics meshes very well with our approach at FICO. Their domain knowledge and security expertise really complement what FICO brings in terms of analytics IP and product execution skills. Quadmetrics also brought a large cache of well-organized research data into FICO as well, which has really served to accelerate what we’re able to deliver to the market.

[eFM]: How important is data research? Do you think cyber security companies do enough research or do they put it on the side, because it’s time consuming and costly?

[DC]: For FICO, data research is key. As an analytics company first and foremost, our value proposition revolves around the power of the algorithms we generate, which in turn depend upon the research we do against relevant data. Analytics is ascending as a discipline, and this is evidenced by the growing shortage of data scientists and the continuous buzz about “Big Data”. That said, in general, cyber security companies are playing a bit of catch-up with respect to their effective use of analytics in threat detection and proactive risk management. That gap is what makes cyber security a compelling domain space for FICO in the current environment.

[eFM]: Do you often use the start-up experience to enrich FICO’s solutions?

[DC]: The infusion of new talent into FICO, especially when coupled with deep domain expertise, is invigorating. The Quadmetrics team are very entrepreneurial, and FICO (despite being a 60 year-old company) is very innovative, especially when it comes to analytics methods. The combination of ideas and enthusiasm has been great, and has already generated a lot of ideas for practical applications in cyber-adjacent problem areas.

[eFM]: How do you feel about the start-up culture? Do you find it necessary for innovation in the field?

[DC]: The start-up culture adds a lot, as does the location of the Quadmetrics team. Access to talent there (Ann Arbor, MI) is very good – being in a university town has advantages. While our team there is still small, we have aspirations of making it larger and hopefully recruiting talent there for other FICO business lines as well.

[eFM]: Is it a difficult process to acquire another company? What difficulties have you been going through?

[DC]: Acquiring companies is certainly a lot of work, but FICO has acquired several companies in the past few years, and I’d like to think we get better at it each time. I think one of the key ingredients for success is the focus you apply to it immediately after the acquisition – building early momentum and finding early wins is key to maintaining the start-up excitement and energy you find in a company like Quadmetrics.

[eFM]: FICO is actively engaged in fighting against identity theft. You are trying to involve users in the security process as much as possible - what’s your best strategy to achieve that?

[DC]: Awareness and transparency. One of the key goals of our product is to enable a degree of security transparency - allowing organizations to better understand their own security posture in a way that’s clear, traceable, and understandable for experts as well as non-expert managers and senior level decision makers. Additionally, our solutions also allow businesses to understand the security of their partners and supply chain. The idea is that when everyone has a basic understanding of their security posture, and can understand their position vis-à-vis peers, they make better decisions for themselves and for other entities that depend upon them. By allowing organizations to know where they stand, and where their partners or potential partners stand, they will make better choices that reward the secure and which will create new, natural incentives for everyone to improve.

[eFM]: In many sources, the human factor is often mentioned as the weakest link in cybersecurity and identity theft. Do you agree with this?

[DC]: Yes, it’s clearly true. It can also be one of the most difficult things to guard against, and to measure. For our Enterprise Security Score offering, it’s a particular challenge because we don’t necessarily get to make any direct assessment of the people factor for assessed organizations. Instead we look for behavioral signals by assessing, for example, whether, how, and how quickly identified issues are remediated in a company’s network. These and similar observable factors are strong surrogates for direct information about people and policies in an organization.

[eFM]: Your Security Score offers predictive analytics. How does it work?

[DC]: While the algorithms are complex, the score’s objective outcome is really simple – the likelihood that an organization will suffer a material data breach or other significant/damaging security event in the next 12 months. We use a host of factors in our models, and base the score on a combination of elements that represent both current posture and behavioral trends. The model is not based on expert opinion or arbitrary point allocations; it’s based on the empirical correlation that these elements have to the model’s objective outcome (the risk of a material breach in the one-year time window).

[eFM]: In that same suite, your verified users can analyze other organizations. Do you think security ratings will play a larger role in choosing business partners?

[DC]: Yes, I think it will have to. We’re already seeing this in regulated sectors such as banking, where institutions have to have demonstrable controls over third-party risk (business partners and vendors). Security scores are a tool that will make these required processes more effective and more affordable. What starts in banking as best practice often drifts to other sectors in short order.

[eFM]: “Today’s data breach is tomorrow’s fraud” - with recent big data leaks, some of which are from 2012, this sounds more true than ever. Do you see a solution to the problem?

[DC]: I see a lot of remedies, but not a complete cure. We have to continue improving our game when it comes to security by building better defenses, but we also have to acknowledge that we can’t eliminate all risk. In response, we have to do two things: 1) continuously monitor for things that get through our best defenses, and 2) understand our risk levels and the risk levels of firms upon whom we depend (business partners and vendors). By continuing to improve our defenses, our understanding of our risks, and our readiness for inevitable failures, we’ll be in the best position possible.

[eFM]: Which metrics do you find to be the most important when measuring cybersecurity risks?

[DC]: Interestingly, it’s not as much about current posture or the temporal existence of threats in infrastructure as it is about an organization’s response to these problems. While I can’t comment on specific elements, I can say that what we are able to tell about organizational response to threats is often more important than the appearance of such threats in the first place. Those who catch colds but recover quickly are less likely to get seriously ill.

[eFM]: So would you say that general awareness of cyber threats and proper incident response is improving?

[DC]: Yes, and I expect it will continue. As breaches become more expensive, public notifications more mandatory, and regulators apply more pressure, it will undoubtedly increase awareness for all stakeholders (from consumers to the largest organizations).

[eFM]: Do you have any piece of advice you would like to share with our readers?

[DC]: Get ready for greater transparency. As certain industries drive in this direction through necessity (driven by regulation and the need to efficiently implement and manage its impacts), others will have to follow. Greater transparency will provide ample incentives for security improvement, and the rising tide should lift all the boats.

[eFM]: What would you advise a company that wants to increase transparency? What should be the first steps?

[DC]: My guess is that most companies wouldn’t choose more transparency, except as it applies to others! But the reality is that the good and proper needs of better security and more effective risk management are served by a degree of transparency that we don’t have today. Regulation and business efficiency will drive it, and the net effect will be positive. Those with good security will prosper from it, and those with issues will have to step up their game. The first step should be to know where you stand, and that should help inform how (and how urgently) you should apply your resources to improved security.


FICO is a global analytics software company, which is now applying its technology to tackle one of the most challenging problems in Cybersecurity — the measurement of cyber risk with the goal of creating actionable metrics that are immediately useful for mitigating enterprise cybersecurity weaknesses, and ones that are predictive in nature.


October 20, 2016
