The dialog below comes from an interview conducted on January 4, 2013 with "Dave". Dave was the former Information Security Officer at the bank for the last 6 years, and now he is the SVP of IT Shared Sevices. As the bank's ISO, Dave managed the information security, risk management, and governance functions. Dave provided his insights below to help other information security and IT risk management professionals develop their IT risk management programs. My interview questions are in the dark red, italic font, and Dave's answers are in normal font.
A. Cloud Service Providers
If cloud includes, managed services and solutions by vendors – yes, we have used the cloud for many years.
The public cloud is still very much in its infancy. Conversations with risk managers – you still are accountable for it and have reasonable sense of assurance what the controls are and how well the controls are being used.
How do you go about satisfying the control governance requirements when it’s in a public cloud? For example, Fidelity Information systems (FIS), has put in the controls needed. With FIS, we know the controls are put in place and where our data is. The need to know where our data is has many drivers – the dominant driver need is related security controls.
Will your bank leverage more cloud services in the future? Why, or why not?
Unqualified yes. We absolutely will; where it makes sense. The point is to deliver services in the most cost-effective manner with the proper controls in place to protect the business. The cloud allows increased efficiencies. Going forward, it’s about picking the partners, with the desired business functions, and workloads that fit our business needs. If we do not choose to leverage cloud services, our bank would not be competitive. Specialization allows cloud service providers to offer greater value at less cost.
Does your bank trust cloud service providers with their business and customer data?
Any public cloud service offering for banks requiring the storing of customer private data or financial transactions are at least two years out from being considered.
B. Mobile Devices/BYOD
Does your bank allow employees to bring their own portable devices to work and connect to the company’s network?
Regarding employees and their personal devices, the key phrase is “connect to the company’s network” – at this time, the nature and the controls are limited. Do not allow connection to the company’s network with level two accesses; however, we do allow employees to connect to selective services.
If not, do you have business drivers to consider opening up the business network to employee’s portable devices?
We see an increase demand for more access to our IT systems and data from mobile device users. Can we achieve a sufficient level of security with non-company owned devices? There are many tools available now to help us manage mobile devices. We are still a little bit risk resistant to letting non-company owned devices attach to our corporate networks. What will it take for a personal device to have unfettered layer-two access to the network? We don’t know, but we do recognize we must be ready to provide more access to our systems and data to mobile devices.
Do you allow employees to bring their iPads or iPhones or other smartphones to work and use them to access any of the bank’s mobile applications?
We do have executives pushing for more use of their personal portable devices. So far we have been successful to demonstrate that the perceived benefits are outweighed by the risk and cost of support. It’s just not a good business risk to take.
We have looked at Windows mobile and Windows 8. We have to keep up. At least so far, we have been keeping up.
C. Enterprise Risk Management
Does your bank, have an IT Risk Management program that compliments the company’s ERM program?
We do have an ERM committee and members from IT are part of the ERM team.
Do you anticipate more integration between the bank’s ERM programs and the IT risk programs?
Yes. We look at everything.
Has your bank consider acquiring cyber risk insurance?
Yes. We acquired cyber risk insurance for the last several years.
D. IT Governance
How has IT governance evolved over the last 3-5 years in your organization?
Governance and security changes – our fundamental goal has not changed. The manner and frameworks we use have changed. I have worked with COBIT®4.1, NIST, and ISO frameworks.
Governance is a leadership function, and as such, it has not changed much. Governance tools are available to help. Governance is a function of the “political will” in the organization to accept risks. The needle on risk acceptance has not changed much, e.g. liquidity, asset quality, etc. Yet, there is a growing awareness of security as an operational risk item.
The feds have been active, with updated guidance around authentication and risk management. Dave and Your bank prefer to be ahead of compliance requirements.
What do you see as the next steps to improve the IT governance needs at your bank?
I am ever hopeful. I look for some things to happen, such as a cleaner understanding of IT risks versus IT security. I would like to see more distinction on IT risks.
Does your bank have an IT Steering Committee or the equivalent composed of corporate officers who approve project funding requests?
Project completion risks are maturing.
E. Training & Awareness
What has been the most effective method of providing security training and awareness at Your bank?
We are taking a slightly more aggressive approach – using a third party. We implemented a monthly social engineering exercise. Those who participated in our social engineering exercise understand that it was a test; and that they passed or failed. For those who failed, we provide links to help them pass the next test. Even though we are only touching 20-30 people, the news spreads –“watch out for odd looking emails - it could be a test”.
With our security training and awareness program, I am not shooting for awareness; rather I am hoping to achieve a better result - behavior change.
Are you exploring any new methods to deliver information security training and awareness programs?
The new ISO will have to answer this question, and he hopes he focuses on more at the executive level to help increase their conversations on the value of information security.
F. Regulatory Compliance
Over the last 3-5 years, what have been the most challenging new regulations you had to implement?
Certainly we have had new guidance from the feds, including:
- Updated guidance on multi-factor authentication.
- Breach response and breach notification – yeah
- Looking forward to IT Risk being more explicit in future guidance from the Dodd Frank Act – about knowing your business and offering your business services in a safe and sound manner. Dodd Frank Act guidance is not complete. We are waiting to see risk guidance written on operational health and safety.
To support the new regulations, what were your keys to success to change the culture within your organization?
Culture shift – we are never done. We understand our culture is based on a common, shared belief system by a large group of people at Your bank, and the population of people in our bank keeps changing. So we are never done.
Since the downturn in the financial services industry, the economic climate has driven most of the culture change at banks. Initially following the economic crisis, the emphasis was on survival following the liquidity bust. Now we are in growth mode. We have to have all operational controls in place to support the growth and manage our risks better.
How has your Information Security staffing and skills mix changed over the last 3 years? (more or less headcount? what skills have been added?)
Is the cost of risk mitigation worth it? The business has to be profitable. If we spend too much on risk management, we won’t be profitable. We must find the balance. We don’t want to under fund or under resource risk mitigation, but we must support the business need to grow value.
We won’t be adding staff to the information security or IT risk management functions in the bank. But we do need to update the skills set. I would like to improve the skills on relationship management and understanding the business value stream.
H. Best Tip
What is your best tip, insight or lessons learned while managing IT risks can you like to share with your peers in the healthcare industry?