Ask any senior security executive to name three barriers on the job and he's most likely to answer, without hesitation: budgets, manpower and time. Tragedies come and go, but the limitations always stay. Some executives have found ways to cope with them, though. Their approach is simple: never ignore issues, work around them.
Oversea-Chinese Banking Corp.'s (OCBC) executive vice-president and head of group risk management, Gilbert Kohnke, manages some 700 people, spread out over a group of risk departments. Within the group, information security (IS) encompasses two larger groups of IT security and access management. Together, the direction is set for internal governance and strategic policy making, translated from management down to the ground. A separate Basel II team is in place, with 28 of its own staff (though counting external manpower of the finance departments and vendor support, the number can go up to 400 at any given time). Clearly, the bank is paying special attention to policy-making, a trend that is on the rise, with more prioritizing the effect of security policies on operations. Almost half, or 47 per cent, of respondents in The Global State of Information Security 2006 survey, conducted by CIO and CSO magazines, in conjunction with PriceWaterhouseCoopers, say they measure and review the results of policies, compared with 41 per cent last year.
Regarded in their infancy as superfluous, bureaucratic eyewash, policies now carry much more weight with security decision-makers, who understand that proper implementation of such requirements also grants the bank preferential capital treatment--a seal of quality. Increasingly, they are also tweaking and cutting the policies to size for their own organization's needs.
Kohnke says tweaking leaves room to operate within the guidelines, and also lets the bank customize the aspects that require more of its attention. A global Basel II process the bank has undertaken has allowed for reviews of, and further investment in, its IT architecture that were more difficult to cost-justify in the past. "Now, we have a better system of measuring and monitoring risks, and can be more pro-active in mitigating them," he says.
Road to adoption
Kohnke recommends an approach that takes into account the organization's readiness for policy implementation. He says: "For small banks, it can be difficult justifying the huge expenditure on a Basel II requirement if the bank's turnover is only a few million dollars a year. Do it in phases, so that you're well-prepped for each leg of the journey." Strong recognition at the board level is also essential. "Banks are all about taking risk and translating it into returns for the organization," he says, "so risk is a real and top-line concern."
Does information security rank higher than other types of risk in his department? Kohnke shakes his head: "The idea is to have a uniform and consistent approach." This is the bank's philosophy that developed four years ago, when information security was taken out of the CIO's realm and into risk management. "We regard risks as an enterprisewide concern and responsibility," he says.
Former chief risk officer of Fidelity Investments and FGIC Capital Market Services (US), James Lam, says the most important thing is to have someone accountable for setting up the frameworks of metrics and reporting for the risk department. While this simplifies the business case for the board, it doesn't make the report simplistic, he says.
Geoffrey Leeming, regional head of information risk management (IRM), Asia-Pacific, at Barclays Capital, talks about the need to make policies in their raw form more palatable for general consumption: "I can't count the number of times I've seen organizations that have policies 70 or 80 pages thick, which hit the table with a heavy thump each time. When you've got a situation where even the IT security team is befuddled by the complexity of the policies, no one outside's going to bother reading it," he says. The answer? "Short and sweet and easy to understand," he says. As for tweaking, he feels that since each organization has a different risk profile, there ought not to be one standard policy for all to follow. Customization is important, with attention paid to the organization's needs.
At Barclays, IRM sits outside the IT department while the operation of technical security controls remains inside IT. While this affords some independence to its decision-making, it also gets a vantage point over the IT operations, so that impartial advice may be given. "We have different budgetary drivers than IT," says Leeming, "so we have the independence to run a number of projects that raise the bar and improve controls on information security."
One such example is Intrusion Detection Event Correlation--"a fairly long-winded name", says Leeming, with a laugh. A way to combat the false alarms that intrusion detection throws up, the method looks at patterns of usage, instead of individual events. This intelligence is seen in the simple example of alarms sounding when a user logs in simultaneously from home and work--an impossible occurrence, indicating a likely security breach.
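The "simultaneous login from home and work" pattern Leeming describes is a correlation rule rather than a single-event alarm: it fires only when two otherwise-ordinary login events for the same user overlap in time from different sources. The following is an added illustration written for this article, not code from Barclays or from any intrusion-detection product. It assumes a constructed authentication log with one event per line (timestamp, LOGIN/LOGOUT, user, source), keeps a table of open sessions per user, and raises an alert when a login arrives from a second source while a session from the first is still open. Because logouts are often never logged, it also expires a session after a configurable idle lifetime so stale entries do not cause false alarms; that lifetime and the log format are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). Fields:
# ISO timestamp, event type, user, source location (office LAN vs. home VPN).
SAMPLE_LOG = """\
2006-03-14T08:02:11 LOGIN alice office-lan
2006-03-14T08:05:40 LOGIN bob office-lan
2006-03-14T08:10:03 LOGIN alice home-vpn
2006-03-14T08:30:00 LOGOUT alice office-lan
2006-03-14T09:00:00 LOGOUT bob office-lan
2006-03-14T09:15:22 LOGIN bob home-vpn
2006-03-14T09:40:00 LOGOUT alice home-vpn
2006-03-14T20:30:00 LOGIN carol office-lan
2006-03-15T06:00:00 LOGIN carol home-vpn
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str       # "LOGIN" or "LOGOUT"
    user: str
    source: str     # where the session originated


@dataclass(frozen=True)
class Alert:
    user: str
    existing_source: str   # source of the session that was already open
    new_source: str        # source of the login that overlapped it
    ts: datetime           # time of the overlapping login


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, user, source = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind.upper(), user, source))
    return sorted(events, key=lambda e: e.ts)


def find_concurrent_sessions(events: list[Event],
                             session_ttl: timedelta = timedelta(hours=8)) -> list[Alert]:
    """Correlate login/logout events per user and flag overlapping sessions
    from different sources. A session with no logout is treated as closed
    once it is older than session_ttl (assumed value, see lead-in)."""
    open_sessions: dict[str, dict[str, datetime]] = {}   # user -> {source: login time}
    alerts: list[Alert] = []
    for ev in events:
        sessions = open_sessions.setdefault(ev.user, {})
        if ev.kind == "LOGOUT":
            sessions.pop(ev.source, None)
            continue
        # Drop sessions whose logout was never recorded and that are past their lifetime.
        for src, started in list(sessions.items()):
            if ev.ts - started > session_ttl:
                del sessions[src]
        # Any still-open session from a different source overlaps this login.
        for src in sessions:
            if src != ev.source:
                alerts.append(Alert(ev.user, src, ev.source, ev.ts))
        sessions[ev.source] = ev.ts
    return alerts


if __name__ == "__main__":
    for a in find_concurrent_sessions(parse_log(SAMPLE_LOG)):
        print(f"{a.ts.isoformat()} {a.user}: login from {a.new_source} "
              f"while session from {a.existing_source} still open")
```

On the sample log only alice is flagged: her home-vpn login at 08:10 arrives while her office-lan session is still open. bob logs out of the office before logging in from home, and carol's two logins are 9.5 hours apart, beyond the 8-hour lifetime, so neither produces an alert. Lengthening the lifetime (for example to 12 hours) makes carol's pair overlap as well, which is exactly the tuning trade-off between missed overlaps and false alarms that a correlation rule has to be calibrated for.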
Leeming acknowledges the necessity of having a close working relationship with the IT security team. "We're information risk, and about 60 per cent of our time is spent on IT security, so we need to work extremely closely to execute common standards according to the business' direction."
He regards having separate IRM and IT teams as an indication of the maturity of an organization's risk management strategy. "An immature one focuses purely on IT; maturity is marked by an established governance team, giving oversight to IT operations and nontechnical business risks."
Talking about the model of having IT security under IT operations, Leeming touches on the conflict of interest encountered by IT managers, who he says are usually graded on the quality of service provided at a short-term level, measured by key performance indicators, budget demands, and so on. "It's quite hard measuring a CIO on the security of the operation," he says. "A CIO with priorities of keeping cost down and operations smooth in the short term will have trouble balancing those with the long-term demands of risk management, because complex risks tend not to surface in the short term, and it's easier and cheaper to avoid those risks in that time frame to keep the perception of their operations up and cost down." The sign of a mature relationship between IT and IRM is the ability to develop metrics that allow the CIO to measure his team on long-term risks as well as short-term costs. "It's quite a conflict to have the information risk staff reporting to the very people they're managing," he says.
Up at night
When asked what his biggest worry is, Leeming's voice drops down to an almost hushed tone: "The rogue insider, with the power to abuse his access, is always a threat," he says. "While there's no way you can prevent someone from going that way, there are many ways you can make intrusions much, much more difficult."
Kohnke is similarly hard pressed to list a specific threat. "Because we have better granularity of the risks nowadays, it's highly unlikely that we'll have big surprises. If anything comes up as a threat, it'll likely be systemic: market risks, new participants in the financial industry changing the balance of financial processes, perhaps. Bubbles created from the greater globalization of financial institutions bringing about herd mentality. The point is, risk management then hinges on your ability to measure and plan the movement of the market place," he says.
Leeming says that one of the biggest limitations is time scale. But he does not view the buying of time as acceptable. "When management wants it fast, you have to give it to them fast." That is one of the key indications of a mature risk management team, he says, that will listen to the business, find out the time scales and adjust accordingly. "An undeveloped team will usually need to buy more time; we don't tell business and IT managers that they need to slow down or delay because that would make us part of the problem, not the solution," he says.
Shedding some light on the ambivalence to limitations that typically worry other departments, like limited budgets and time, he says, "Limitations are not quite problems in the sense. A risk management team, in the long term, is trying to keep costs down, be that the threat of a loss or operational costs. So if you are spending a million dollars to protect something that's only worth 100,000 dollars, suddenly you become the threat itself, and not the protector." Unlimited manpower or budgets would therefore cost the bank more than any savings it would accrue from the department. "It is very important to keep balanced and mind the trade-offs between the risk you're trying to control and how much it'll cost to do exactly that, so these limitations are really...not."
Bashing down barriers
Kohnke brings up the perpetual problem of limited available skill sets. He takes steps to encourage his people by managing their careers and personalities, which he says is important in garnering long-term rewards and letting staff know that they are a priority.
Lam agrees with such management practices: "Over time, with experience and cultivation, you'll have a deeper pool of talent. A comprehensive strategy for developing these people is needed; training alone is insufficient. Certification and grooming will pay off."
Both touched on the need for transparency. Kohnke says disclosing all risks in the annual report opens them to scrutiny, but it also takes unnecessary pressure off the job, when people can track progress of the department's efforts.
Such transparency is also a mark of a well-developed IRM program, says Lam. "For US banks, where IRM is more advanced than it is for counterparts in Asia, discussion is encouraged through extensive disclosure in annual reports, through the amount of data included." He adds: "Asian companies tend to want to 'save face' and solve a problem before escalating it to upper management. Western companies often take the opposite approach and quickly bring it up, because sometimes little problems can get out of hand."
Leeming regards a harmonious relationship with the CIO as the solution to possible problems. "I'm very thankful for the good relationship that IRM has with the CIO. I've often seen a very combative relationship between IT senior management and IT security in other organizations, which again is a sign of an undeveloped team," he says. Not underestimating the power of people underscores all three men's advice: Leeming recalls the spirit of cooperation he witnessed amid the chaos in the aftermath of 9/11. "The utter desire to get back to operations and recover from the disaster was very touching, and really the reason preventing worse effects from the damage."