August 10, 2012

This entry has been modified from its original version to correct the spelling of Herath's name and add additional information at the end.

In some ways, security and privacy executives aren't like other executives. For example, we've all heard the stories about how a CEO shows up at a meeting with the latest gadget and all of a sudden expects IT to deliver business capabilities through that new, shiny channel. That doesn't sound like Kirk Herath's style. The chief privacy officer for Nationwide told me in an interview this week, "I would never bank on a mobile device to save my life."

"That includes my iPad," he says. "They just aren't secure. I don't check any financial accounts on it, not brokerage or banks or even my Nationwide account. I always go through my laptop [for online financial services], and only when I'm using the corporate laptop over VPN."

Herath of course understands consumers' desire to use their technologies to manage financial accounts. He doesn't put the kibosh on Nationwide mobile initiatives out of hand. But he does think consumers and device manufacturers have a way to go before the platform can be seen as totally stable.

"You don't generally have firewalls on mobile devices," he says. "They're not architected for security, they're architected for ease of use. And everybody wants ease of use, one-click sort of stuff."

Nationwide's policy is to make information harder to get at the more sensitive it becomes. Taking a quick look at your P&C coverages is pretty easy, Herath says — but when you move into more sensitive information, a higher level of authentication is required for those areas.

"That way, if someone strikes you, they won't get the keys to the entire system. We'll give you the keys to the most innocuous stuff — the dungeon, as a colleague of mine puts it — but not the second-floor suite," he explains.
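The tiered approach Herath describes, sketched as an added example (not Nationwide's code; the resource names, the two assurance levels and the mapping between them are assumptions made for illustration): each resource carries a minimum authentication strength, and a session that has only passed the weaker check is told to step up rather than being let through.

```python
from enum import IntEnum


class Assurance(IntEnum):
    """Strength of the authentication the current session has completed."""
    NONE = 0
    PASSWORD = 1          # username + password only
    PASSWORD_MFA = 2      # password plus a verified second factor (step-up)


# Constructed sensitivity map (an assumption for this example): each resource
# is labelled with the minimum assurance a session must hold to read it.
# Low-value views ("the dungeon") need only a password; bank details and
# money movement ("the second-floor suite") require the stronger check.
RESOURCE_POLICY = {
    "policy/coverage_summary": Assurance.PASSWORD,
    "policy/documents": Assurance.PASSWORD,
    "account/bank_details": Assurance.PASSWORD_MFA,
    "account/transfer": Assurance.PASSWORD_MFA,
}


class Session:
    def __init__(self, user, assurance=Assurance.NONE):
        self.user = user
        self.assurance = assurance

    def step_up(self, second_factor_ok: bool):
        """Raise assurance only for an already password-authenticated session
        whose second factor verified; otherwise the level is unchanged."""
        if self.assurance >= Assurance.PASSWORD and second_factor_ok:
            self.assurance = Assurance.PASSWORD_MFA
        return self.assurance


def authorize(session, resource):
    """Return 'allow', 'step-up' (re-authenticate more strongly) or 'deny'."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return "deny"                   # unknown resources are closed by default
    if session.assurance >= required:
        return "allow"
    if session.assurance >= Assurance.PASSWORD:
        return "step-up"                # logged in, but not strongly enough
    return "deny"


if __name__ == "__main__":
    s = Session("alice", Assurance.PASSWORD)
    print(authorize(s, "policy/coverage_summary"))   # allow
    print(authorize(s, "account/transfer"))          # step-up
    s.step_up(second_factor_ok=True)
    print(authorize(s, "account/transfer"))          # allow
```

The point of the split is that a password captured from the low-sensitivity tier buys nothing at the higher tier: a session without the second factor is stopped at the step-up boundary.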

What do you think? Is Herath's skepticism well-founded?

Edit: Some initial response to this piece leads me to believe I didn't explicate Herath's position correctly. The rest of our interview focused on how he works with various stakeholders at Nationwide to deliver innovative customer-facing initiatives in a secure way. He is not anti-mobile by any means; in fact, he owns and uses an iPad.

However, when someone of this level of expertise in this area makes such a bold statement and says there is a line he won't cross in using that device, I think it's important to put that out there. The balance between convenience and security is a delicate one, and is explored more in-depth in the feature for which I interviewed Herath.

In the wake of Wired reporter Mat Honan's identity theft, I think a little healthy skepticism about our digital lives is warranted. In fact, the extra level of authentication Nationwide uses for more sensitive financial information shows how Herath has applied his skepticism to his job in an effective way. If more organizations (*cough* Amazon and Apple *cough*) had him on their staffs, perhaps Honan's nightmare could've been avoided.

ABOUT THE AUTHOR
Nathan Golia is senior editor of Insurance & Technology. He joined the publication in 2010 as associate editor and covers all aspects of the nexus between insurance and information technology, including mobility, ...