Risk Management: How to Tackle the Basics
John Pironti, chief information risk strategist with Getronics, shares his insight on leading edge risk management practices for information security and banking professionals. His tips include:
Focus on Basic Principles
As we start looking at risk management, and more specifically information risk management, which is really what we're focusing on, one of the first things we often ask ourselves is: what problem are we trying to solve? The fundamental process that banking and finance executives should start with when they think about risk management is focusing attention on basic principles. What is it I want to protect? To what extent do I want to protect it? And how am I going to go about that? Once the basic principles are answered and understood, we next go through a process that we call Threat and Vulnerability Analysis. What this does is take you through a logical, process-oriented activity that helps an organization understand what truly is a threat to its information infrastructure and information assets, versus what generically exists today in the community.
Give Emphasis to Business Process Mapping
The way to initiate a Threat and Vulnerability Assessment is to start out by doing business process mapping. What business process mapping will do for you is give you incredible amounts of intelligence about how your business operates, including a thorough insight into your business processes. Once you start with the business process analysis, you then move into a logical and physical asset inventory. One of the common things found in organizations is that there is so much data out there, between partners, vendors, and even internal infrastructure, employees and devices, that most organizations really do not have a good grasp of where their information is. You cannot protect something that you do not know about, and you can't protect something that you cannot find. Business process mapping focuses on this and says to the business leader: 'tell me how your business operates, not just through technology but through people, process and procedure as well as technology.' It focuses on the actual activities, the personnel and the contractual and regulatory requirements, everything that goes along with an associated business process.
The business process analysis, or business process mapping, concept will actually give you visual representations of where your data is and how data flows through a business process. Unless you build a process that says this data flows through these devices, these solutions, these vendors and these partners, appropriate risk management and Threat and Vulnerability Assessment decisions cannot be made or improved upon.
Do Not Start with Technology
The reality of it is: technology is easy. Technology is something that is easily comprehended and easily understood. It is something that can solve simpler problems. Technology tends to be a reactive measure. It tends to be a situation where we have identified a potential threat that we're worried about, or in most cases have already been affected by, and we decide now that we're going to incorporate some technology solution to try and assist us. Technology is a great thing once we've understood the processes, policies and procedures we want to use and how technology helps those processes and policies be enacted, but you cannot start with technology. If you start with technology, then you're bound to fail, and we've seen this over and over and over again in situations where we've had data breaches, data leakage, hacking situations, criminal activities and things of this nature. But it is always easier for an executive team or for an information specialist to go and propose a piece of technology than to invest the time and effort it takes to actually sit down and do business logic activities, business process mapping, Threat and Vulnerability Analysis and a data-focused approach.
Have a Structured Approach to Information Security
This involves actually setting up a real information security program and changing the mindset from a reactive, technologically-oriented process to a proactive one where we start doing things like Threat and Vulnerability Analysis. We start building our framework, or backbone, for information security, namely our policies, procedures, guidelines and standards, and then we can start working on awareness.
Effective Security Awareness Training Program
The #1 challenge we find today in information security capabilities within financial institutions across the world is the lack of general awareness within the organization, both of what a well-informed information security organization and workforce is capable of, and of information security as a concept within the organization. Many financial institutions spend a lot of time doing yearly planning and training and then produce a one-hour PowerPoint training session or a one-hour in-person session where someone has to sign off to say 'I've been trained for the year,' but that's not necessarily effective.
One of the things that we often talk about when we talk about awareness training is the concept of the different audiences and populations that you need to address. For instance, we have in the workforce today in the United States two differentiated populations. We have an older population that was taught by individuals standing in front of a room using a chalkboard or a lecture style. We have a younger generation of the workforce coming through now that's used to learning from computers and all electronic learning means. So, when we're doing awareness and trying to drive concepts and ideas home about information security and raise the knowledge of the population, we need to address both populations individually. We cannot assume the same learning tools are going to work for everybody, and this is something that's often overlooked. We also have to simplify these processes, because there are cultural considerations and language considerations that we need to take into account that often are overlooked. For instance, we need to use more pictures, colors and graphics to simplify things so that any individual can understand it, from any country, any culture and any population.
Role of IT Governance in Effective Risk Management
IT governance is essential to effective risk management. I think what governance allows us to do is establish boundaries and key performance indicators that we can judge ourselves by, and set metrics and measures in place that allow us to understand how we're doing, where we want to go and how well we want to do, and make sure we're in alignment with business processes and business activities. The most important thing that we can teach information security organizations and individuals is that their role is really to provide information to decision-makers so they can make decisions, instead of making the decisions themselves. So, what governance gives us is a structure, a process orientation and a framework to help facilitate gathering the information, analyzing the information, and understanding what information should be communicated when, to whom, how and why.
Key Questions That Banks And Financial Institutions Should Be Asking Third-Party Vendors As They Conduct A Risk Assessment:
What we often prescribe for the financial world is that it's important to educate your vendors and your third parties about what your expectations are for how they will deal with your data.
At the same time, financial institutions need a way to do constant monitoring. Right now we have kind of a broken process in most cases. We touch these vendors or third parties on a yearly basis, or a bi-yearly basis in most cases, which means that we have long windows of time where that data can be at risk and we're not aware of it. So, one of the things that we often work with financial institutions to understand is how to set up ongoing relationships and an ongoing monitoring infrastructure, with metrics and measures, to ensure that your data is being protected in the fashion that you'd like it to be protected and being dealt with in the way you'd like it to be dealt with.