27 Jul 2010
Stephen Bonner, managing director of information risk and finance change at Barclays Bank, lists four things he and his team have to make sure of: internal staff, compliance with government regulations in 60 countries, human error, and external threats such as hackers, organised crime and journalists.
He's partly teasing about journalists, but not entirely. Hackers and organised crime have straightforward motives for stealing inside information, but journalists' behaviour is less predictable.
A criminal makes rational decisions based on profit motives, while a journalist sniffing a scoop may invest many hours investigating for little direct reward.
"The most interesting to deal with is regulation," Bonner said, meaning government requirements such as the Data Protection Act. "It changes the most rapidly, and we have little ability to influence it."
A bank can, after all, choose its employees, ensure that its systems are resilient, and limit the external services it offers. But it must comply with many regulatory schemes in countries with differing priorities.
"Regulation is where I spend a lot of my time," Bonner said, adding that privacy compliance is the source of some of his most complicated projects.
One of his proudest accomplishments is setting up the Th!nk Privacy Consortium to spread best data practices and raise awareness of the importance of personal data.
"It benefits us because if other organisations don't lose data, that data can't be used to open fraudulent accounts with us. With a lot of security work, the best you can do is not to have a problem," he explained.
Some people search for straightforward answers, but Bonner's career has been a quest for the challenge of uncertainty.
His interest in computers began at the dawn of the British internet with a degree in mathematics at Warwick University. His first job was helping the Oxford Mathematics Institute secure its computers.
"When the system breaks, there is nothing quite as angry as a bunch of mathematics professors who can't get at their LaTeX servers. It drove you to set high standards," he said.
Soon, however, it was on to Ukerna, the early 1990s trading name for Janet, the UK's education and research network, by which time he was interested in security.
"The nice thing about mathematics is that it's elegant and there's a right answer, but the difficulty is that when you have the answer, it's quite easy," Bonner said.
"In security, whenever you got the right answer the people on the other side would change what they did so it was the wrong answer. The challenge is always there, and it grows whatever you deal with."