Does your bank leverage cloud service providers for core and non-core business needs?

If cloud includes, managed services and solutions by vendors – yes, we have used the cloud for many years.

The public cloud is still very much in its infancy. Conversations with risk managers – you still are accountable for it and have reasonable sense of assurance what the controls are and how well the controls are being used.

How do you go about satisfying the control governance requirements when it’s in a public cloud? For example, Fidelity Information systems (FIS), has put in the controls needed. With FIS, we know the controls are put in place and where our data is. The need to know where our data is has many drivers – the dominant driver need is related security controls.

Will your bank leverage more cloud services in the future? Why, or why not?

Unqualified yes. We absolutely will; where it makes sense. The point is to deliver services in the most cost-effective manner with the proper controls in place to protect  the business. The cloud allows increased efficiencies. Going forward, it’s about picking the partners, with the desired business functions, and workloads that fit our business needs. If we do not choose to leverage cloud services, our bank would not be competitive. Specialization allows cloud service providers to offer greater value at less cost.

Does your bank trust cloud service providers with their business and customer data?

Any public cloud service offering for banks requiring the storing of customer private data or financial transactions are at least two years out from being considered.

B. Mobile Devices/BYOD

Regarding employees and their personal devices, the key phrase is “connect to the company’s network” – at this time, the nature and the controls are limited. Do not allow connection to the company’s network with level two accesses; however, we do allow employees to connect to selective services.

If not, do you have business drivers to consider opening up the business network to employee’s portable devices?

We see an increase demand for more access to our IT systems and data from mobile device users. Can we achieve a sufficient level of security with non-company owned devices? There are many tools available now to help us manage mobile devices. We are still a little bit risk resistant to letting non-company owned devices attach to our corporate networks. What will it take for a personal device to have unfettered layer-two access to the network? We don’t know, but we do recognize we must be ready to provide more access to our systems and data to mobile devices.

Do you allow employees to bring their iPads or iPhones or other smartphones to work and use them to access any of the bank’s mobile applications?

We do have executives pushing for more use of their personal portable devices. So far we have been successful to demonstrate that the perceived benefits are outweighed by the risk and cost of support. It’s just not a good business risk to take.

We have looked at Windows mobile and Windows 8. We have to keep up. At least so far, we have been keeping up.

C. Enterprise Risk Management

We do have an ERM committee and members from IT are part of the ERM team.

Do you anticipate more integration between the bank’s ERM programs and the IT risk programs?

Yes. We look at everything.

Has your bank consider acquiring cyber risk insurance?

Yes. We acquired cyber risk insurance for the last several years.

D. IT Governance

Governance and security changes – our fundamental goal has not changed. The manner and frameworks we use have changed. I have worked with COBIT®4.1, NIST, and ISO frameworks.

Governance is a leadership function, and as such, it has not changed much. Governance tools are available to help. Governance is a function of the “political will” in the organization to accept risks. The needle on risk acceptance has not changed much, e.g. liquidity, asset quality, etc. Yet, there is a growing awareness of security as an operational risk item.

The feds have been active, with updated guidance around authentication and risk management. Dave and Your bank prefer to be ahead of compliance requirements.

What do you see as the next steps to improve the IT governance needs at your bank?

I am ever hopeful. I look for some things to happen, such as a cleaner understanding of IT risks versus IT security. I would like to see more distinction on IT risks.

Does your bank have an IT Steering Committee or the equivalent composed of corporate officers who approve project funding requests?

Project completion risks are maturing.

E. Training & Awareness

We are taking a slightly more aggressive approach – using a third party. We implemented a monthly social engineering exercise. Those who participated in our social engineering exercise understand that it was a test; and that they passed or failed. For those who failed, we provide links to help them pass the next test. Even though we are only touching 20-30 people, the news spreads –“watch out for odd looking emails - it could be a test”.

With our security training and awareness program, I am not shooting for awareness; rather I am hoping to achieve a better result - behavior change.

Are you exploring any new methods to deliver information security training and awareness programs?

The new ISO will have to answer this question, and he hopes he focuses on more at the executive level to help increase their conversations on the value of information security.

F. Regulatory Compliance

Certainly we have had new guidance from the feds, including:
  -  Updated guidance on multi-factor authentication.
  -  Breach response  and breach notification – yeah
  -  Looking forward to IT Risk being more explicit in future guidance from the Dodd Frank Act – about knowing your business and offering your business services in a safe and sound manner. Dodd Frank Act guidance is not complete. We are waiting to see risk guidance written on operational health and safety.

To support the new regulations, what were your keys to success to change the culture within your organization?

Culture shift – we are never done. We understand our culture is based on a common, shared belief system by a large group of people at Your bank, and the population of people in our bank keeps changing. So we are never done.

Since the downturn in the financial services industry, the economic climate has driven most of the culture change at banks. Initially following the economic crisis, the emphasis was on survival following the liquidity bust. Now we are in growth mode. We have to have all operational controls in place to support the growth and manage our risks better.

G. Staffing

Is the cost of risk mitigation worth it? The business has to be profitable. If we spend too much on risk management, we won’t be profitable. We must find the balance. We don’t want to under fund or under resource risk mitigation, but we must support the business need to grow value.

We won’t be adding staff to the information security or IT risk management functions in the bank. But we do need to update the skills set.  I would like to improve the skills on relationship management and understanding the business value stream.


I would advise them to ask, seek and get a documented statement on the business organization’s risk appetite. When you ask, you won’t get it the first time; but if you keep selling the value of your request, i.e. you need a statement on the organization’s risk appetite, and executives will get it (understand you) eventually. Once you have a documented statement on risk appetite, you can make well informed decisions using the correct trade-off analysis to be in alignment with your business executives.