Monday, April 18

Be the Serpent - Part 1

Look like the time; bear welcome in your eye,
Your hand, your tongue: look like the innocent flower,
But be the serpent under’t.
—Macbeth I.v

I hadn’t been on a job interview in fifteen years. I counted myself among those who had come out of college, joined a firm, and worked my butt off to ascend to my level of incompetence. I was raised in a traditional family. My father went to work every day of his working life at the same company and had risen from a wiper on a fishing vessel to dock foreman. He’d retired with a pension and was rewarded for his many years of service. And when he died the next year, he left my mother with a modest but comfortable nest egg that ensured her security for the rest of her life. It was the American ideal.

Well, the dying part sucked.

My years of loyalty to Henderson Associates were rewarded with a bankrupt company in which the bastards at the top had stripped out every cent of our retirement plans, most of which was held in company stock.

I’d spent the better part of Sunday with Lars, getting briefed on the job and the background of the company I was going into. He was suitably impressed with my new look, though I cringed when he suggested I looked just like “one of them” in my black slacks and gray cashmere pullover. I’d opted to go without a shirt under the sweater and was still reveling in the feel of cashmere against my skin. Lars reminded me, however, that I needed to keep up with the shaving. I realized I didn’t currently have any shaving equipment, just my clippers. That was going to take some getting used to.

Central Card Services was one of a number of independent credit card issuers that had sprung up about 25 years ago. It had never made it as big as Discover, its chief rival, because it refused adamantly to align itself with any mainline bank. Instead, it issued credit cards under private labels for various associations, unions, and even churches. It looked like a prime take-over candidate to me, but miraculously it had staved off attempts by big banks during the great consolidation wave. It kept to its niche market, offered good services, and was semi-privately held. Though technically a publically traded company, the vast majority of its stock was held by a fairly small number of large investors who seemed of like mind when it came to maintaining their independence.

Among the circles that knew about such things, it was also held to be a fortress regarding personal information and computer security. The very thought that the company had become vulnerable to cyber-attack grated on the nerves of management and IT. Lars suspected the unusually proactive movement on the part of the company had other motivations as well. Financial organizations are not required to report incursions into their systems unless customer data has been compromised. Most do what they can to cut off the threat and silently swallow the losses rather than have them made public. The fact that Central was calling in a consultant meant they thought the threat might be internal.

***

Monday morning I was up and dressed by 8:00, having taken care not to cut myself with my new razor. I could suddenly tell just how difficult it was going to be to maintain the little strip of whiskers on my upper lip. Shaving close to it without cutting it off was going to be a daily challenge.

By 9:30, I was sitting in the plush 23rd floor offices of Central Card Services on 3rd Avenue in Seattle. I’d reported in to the receptionist, a woman about my age with an extraordinarily pleasant voice. She asked me to have a seat and I heard her call to say I was in the lobby. Her tone in dealing with the person on the other end of the line was one that would calm a tornado. I heard her answer another line in the same calm, reassuring tone as she explained to someone that the party they were trying to reach would not be available until after 2:00 and could she take a message? I instantly thought that if I ever had a business that involved a lot of incoming phone calls, she would be who I wanted answering them. Well, that day was so far away I couldn’t see it on the horizon.

A woman came through the security doors on the left and stopped to speak to the receptionist. They conversed in low tones for a minute, then the woman turned and approached me. She was professionally dressed in a dark suit and white blouse with one of those long collars that tie into a bow at the neck. Her skirt was cut scarcely above her knee and the one-inch heels she wore clearly stated that she was here on business. I was suddenly thankful that I was wearing a gray suit and carefully knotted tie as I stood to greet her.

“Mr. Hamar? I’m Darlene Alexander, Mr. Wells’ admin.” Well, that answered my first question. She wasn’t the executive I was interviewing with. “His meeting is taking a few minutes longer than he expected and he asked that I get you situated in his conference room. Would you come with me, please.” I acknowledged her greeting and agreed to follow—almost before she turned and marched back to the security door. She waved her badge at a black box on the frame and the door clicked to allow us through. On the way to the conference room we passed a small kitchen and she asked if I would like a cup of coffee. I stopped myself from automatically saying yes. I asked if I might have a glass of water instead and she quickly showed me the cooler and glasses. I filled a glass and continued to follow her to a room next to the corner office with a round table and four chairs. I selected the chair that faced the door and after I sat down the admin departed. It was a great view, out across the Sound. I turned away from it and faced the door, relaxing in my chair.

I’d already decided that if there was an inside leak, it was the executive who was going to walk through that door any minute. I had to keep reminding myself that I hadn’t even been told fully what the job was, so it was foolish of me to jump to the conclusion that the guy was guilty, just because he was a vice president and CTO of a large financial institution, though in my mind that was about enough to convict him. I had to learn not to judge people based on my experience with crooks in other organizations.

I didn’t have long to wait and stew about this. The door opened and a slightly balding man a little shorter than me strode through the door with purpose. He closed the door and then turned to me.

“Hamar? I’m Arnold Dennis. Don’t get up.” I’d begun to rise when he entered the room, but settled back. This was not a man who beat around the bush. I needed to hang on for the ride. “I’ve checked your references and unless you’ve got questions about whether you want to take the job, I’m happy to dispense with the hiring interview. Let’s get right down to what the assignment is.”

“Lars Anderson briefed me, but I’m sure he didn’t have all the details. Why don’t you start with exactly what you’d like me to accomplish here,” I said. I think he was thrown by my turning the suggestion back to him. I didn’t strike me as a man that many people stood up to. He paused as he considered me and I looked him straight in the eye.

He smiled.

“Good. Here’s the situation. Our losses due to fraud are increasing. Every credit card company assumes some risk of fraudulent card usage. We expect it and plan for it. Most fraud losses would cost us more to prosecute than the loss itself. Frankly, you can’t even call it fraud most of the time. Usually it’s a spur of the moment decision by someone who is desperate and sees what they think is an opportunity. Could be as simple as finding a credit card and charging a shopping spree to it. Sometimes we still get the captured number and signature used by an unauthorized person. Occasionally it’s something more serious like a raid on a series of card numbers for charging porn. The Internet makes it more difficult to track some of those uses, but we are vigilant about protecting the customer and where we can make an impact we prosecute the offender.”

It was a pretty typical spiel. Both State and Federal Laws were pretty specific about the responsibility of financial institutions to protect their customers from fraud. But they weren’t required to press charges. Business crimes occur every day and wasting their money on small cases wasn’t profitable for the institution’s shareholders. But managing losses was something every manager at every level was responsible for. If losses were increasing, however, moderately, it was going to raise red flags.

“It is a tough market out there and a shift of a single base point could mean millions of dollars in losses. I’ve been given sweeping authority to investigate and remedy the situation.”

“Why, if I may ask, does that fall to the Chief Technology Officer and not to the Chief Financial Officer?” I asked.

“Two reasons. First, we believe our losses are specifically tied to incursion into our systems. It’s my job to plug that kind of leak. Secondly, technology is now fundamental to every job in our company. Every single employee has a computer and is tied into our network. Our employees and our network are our greatest vulnerability. Finance will be watching my every move on this, but Tech has the ball.”

“Don’t you have inside people who can trace network use?”

“Yes. But they are suspects. And that pisses me off. It further pisses me off that I’m a suspect. I’ve decided to bring in an outsider and send him into the network to sniff out the leaks and vulnerabilities. I’ll call you my Technical Assistant. That will give you unfettered access to everything on the network. Everything. You will have read access for every single computer and server on the network. I want to know whose pocket every missing penny lands in.”

I’m licensed and bonded, but it was sounding like I was just being given the keys to the kingdom. What company was going to give an outsider complete access to their financial documents, strategies, marketing, and technology? Not only that, but this company had a complete division that handled fraud. Those folks certainly wouldn’t be happy about having an outsider looking over their shoulders. There had to be a catch somewhere. Arnold’s smile was back on his face. He looked like he’d just caught me with my fingers in the till.

“You’ll be watched,” he said simply. “I’m not about to launch anything like this without safeguards that I personally have put in place. I will know where you go and every file you touch. I would do this job myself if I didn’t have so much else on my plate, but the least I can do is watch the watcher.” I nodded. That made sense. I’d spend the next few hours pondering exactly how they were going to watch me.

“If you are ready to go to work, I’ll introduce you to my Director of Network Security, Don Abrams. He’ll get you a computer and log-on. You’ll need to go downstairs to get an employee badge and the usual orientation spiel. You are going to be an employee, however, I’ll be paying your agency a fee as well. No one in the company knows that you are an outside consultant or the precise nature of your job. As far as anyone is concerned, you are doing specific technical investigations on my behalf to regarding new technology in the financial world. I hope you can hold your own in a conversation about The Fed’s new policies on electronic record maintenance. I’ll have Darlene fetch you to take you through the new hire process. She has the position number and employee job req.”

He stood to leave but turned to look at me once again.

“I’ve followed the story of Henderson Associates and I have sources who have given me insight into exactly how the embezzlement in that company came to light, and who held the torch. I don’t want the same thing to happen to this company. I’ve been here 23 years and I expect to be here another 10 before I retire. You did good work there. I want that level of dogged determination in this job. Don’t let me down.”

All right. Maybe I was too quick to condemn corporate executives.

Maybe.

No comments:

Post a Comment