Compliance Training Needs an Extreme Makeover

"Boring, Irrelevant, and A-Waste-of-Time"
Does this sound like your IT compliance training program?

Problem Statement

How do you get employees excited to learn information security policies and procedures and to develop new habits? Clearly, training and awareness posters are not enough. And we know that most compliance training programs are boring and rarely change the habits of our workforce. We need a new approach to learning, one that is both compelling and fun. Otherwise, the old insanity definition will certainly be applicable to the "proven" learning methods pushed by compliance trainers. And wouldn't it be nice to receive reports with smart analytical metrics that measure the effectiveness of learning content, retention levels of our workforce, and whether we changed the habits of our workforce - or not?


Approach

The fundamental issue is that our old learning methods are so out of touch with new digital learning methods. Just look at people who are hooked on internet games and smartphone games. Wouldn't it be nice if we could get people at work to show the same intensity when learning new information security policies and procedures and adopting new security habits? We explored the digital learning industry for workforce training games, referred to as gamification solutions, and we found Ringorang™. Next we partnered with Vergence Entertainment, the creators of Ringorang™, to deploy an information security game for Puget Sound Energy (PSE).


Results

What were the results of the Ringorang™ NERC CIP (information security compliance) training game at PSE? PHENOMENAL!


IT Risk Management Insights

IT Risk Management insights shared by an Information Security and IT Risk Officer of a Pacific Northwest bank

 
Does your bank leverage cloud service providers for core and non-core business needs?

If cloud includes managed services and solutions by vendors – yes, we have used the cloud for many years.

The public cloud is still very much in its infancy. Conversations with risk managers – you still are accountable for it and have a reasonable sense of assurance about what the controls are and how well the controls are being used.

How do you go about satisfying the control governance requirements when it’s in a public cloud? For example, Fidelity Information Systems (FIS) has put in the controls needed. With FIS, we know the controls are put in place and where our data is. The need to know where our data is has many drivers – the dominant driver is related to security controls.

Will your bank leverage more cloud services in the future? Why, or why not?

Unqualified yes. We absolutely will, where it makes sense. The point is to deliver services in the most cost-effective manner with the proper controls in place to protect the business. The cloud allows increased efficiencies. Going forward, it’s about picking the partners, with the desired business functions, and workloads that fit our business needs. If we do not choose to leverage cloud services, our bank would not be competitive. Specialization allows cloud service providers to offer greater value at less cost.

Does your bank trust cloud service providers with their business and customer data?

Any public cloud service offering for banks requiring the storing of customer private data or financial transactions is at least two years out from being considered.
