Chris Greany

Insights: Chris Greany

16 August 2018

Chris Greany moved from a three-decade career in policing – including senior roles in counter-terrorism and counter-financial crime – to become Head of Group Investigations and Insider Threat working at Barclays Chief Security Office. Here, he shares his insights on how his teams work to help Barclays maintain security, legitimacy and trust.

One of the things I learned when I was on the “other side”, as National Coordinator for Economic Crime and Cybercrime prevention for UK policing, was that the banks who supported the wider approach with law enforcement to prevent, identify and stop criminal activity were the ones who were seen as driving legitimacy across the board.

So, I’ve always felt that my role within Barclays is to support our joint mission of ensuring legitimacy through preventing and identifying threats to our business. Because, ultimately, customers will go to the service they trust and can believe in. The unique selling point for banking and finance particularly in the 21st century is in the answer to the question: “Do we trust you – with data, with details, with money?”

Part of that trust journey is demonstrating that when we do find clear criminality – and every organisation, no matter how good they are will have some in isolated pockets – we deal with it and that there are consequences. That’s good for the trust outside the bank and for driving a positive, responsible culture inside the bank. Protecting the business from a whole range of threats protects our customers and society more generally.

The secret is to identify and deal with it – confront the issue face on, and be open and honest about what you’ve found, and then move on. And when you do that, people will understand that you are doing the right thing.

I think what our customers wouldn’t like is for it to be hidden away. So, the role is to identify it, discover it, and deal with it – and where necessary fully support a law enforcement investigation. Doing the right thing, walking towards the fire, dealing with risk and making decisions – no matter how hard – is key.

How do we do this? My official title is ‘Head of Group Investigations and Insider Threat at Barclays Chief Security Office (CSO)’ and that’s already long enough – but you can’t have everything you do in the title, otherwise your business card would be four metres long! It’s a global role and covers many different countries and legal jurisdictions so we have to be aware of that as we work across time zones, and different cultural attitudes.

My team are located across the key International Barclays sites, so we have reach and depth when we need it. CSO comprises many areas, and I am one of the many cogs that collectively makes it a successful holistic security function, delivering a service to the wider bank. We also have excellent legal support, and a designated lawyer to help guide and advise us during complex decision making.

What we do is investigate wrongdoing, poor behaviour and suspected criminal conduct that affects our business, customers and clients.

We also provide network monitoring services to ensure that data and documents that leave the bank should be leaving the bank. (Dealing with data leakage prevention is key to any Insider threat programme, as is recognising the fact that anyone could be an unwitting insider – so CSO also has wide-ranging education and awareness programmes).

The unique selling point for corporate industry in the 21st century is the answer to the question: “do we trust you?"

Chris Greany

Lastly, we provide an in-house computer forensic service to the bank. When devices need interrogating – for whatever reason – we provide that service. So it’s a three-pronged approach to keeping the bank safe from these threats

My job involves such things as fraud investigations, unauthorised data leakage and cybercrime. We identify, investigate all these things. Within that, we have to recognise that the bank will always be a target for cyber-criminals. Nobody is ever going to completely stop cybercrime, but you’ve got to be prepared and ready to respond to it when it happens, and remediate it.

Having spent a long time in counter-terrorism and crisis management across policing, I can make the comparison that you’re never going to completely stop some serious issues, but you have to be prepared so that if it does happen, you can do the best you possibly can in the circumstances.

Barclays has become very good at this. Within the bank there are a huge number of training programmes and resources available to staff. There has to be recognition that the threat will never end – that cyber is the internet, and the internet isn’t going to get turned off anytime soon.

Banks and corporate businesses will always be a target for cyber-criminals and fraudsters etc. You’ve got to be prepared to prevent and be ready to quickly respond should you be a target