Inside the Life of an Information Security Officer: Keeping the Board Frightened, Debating Findings & Those Darn Phishing Emails
What’s it like to be the information security officer at a $1.5 billion-asset community bank? We chatted with one to learn more about the challenges ISOs face and how they manage their many responsibilities.
How did you get started in IT security?
When the first regulatory requirements for an information security officer came out, we didn’t have one. I was working in IT at the bank, and I said, “I’d like to do that.” From that day, I’ve been the person. I had an interest at the outset.
What is your biggest challenge?
I have the good vantage point of already having admin access locked down, and control over what users can do over the internet, things that other companies may be coming to later in the process. My biggest challenge now is keeping management and the board slightly frightened. Since we haven’t had any significant event or incident, they tend to get blasé.
That’s what any risk is about.
How do you make the risk feel real?
I explain that we have hundreds of thousands of records, and estimates say the cost of a breach is $5 per record. That’s a going-out-of-business problem if we have a breach. But I can’t keep saying that. I need to find new ways because it’s one of our most important risks.
News helps. I’ll use news stories of breaches to try and write a layman’s description for what went wrong, what we have to do to protect us from that, where we might have those weaknesses, or what safeguards we’ve got in place to make sure this isn’t going to happen.
How do you measure the maturity of your program?
In addition to the FFIEC Cybersecurity Assessment Tool (CAT) through Ncyber, the bank pays for a third-party IT assessment annually. It gives us an executive-eye view. Then I can show management and the board the history from first visit through now and demonstrate that our grades are always improving.
How do you know when you have enough safeguards in place?
You don’t want to go overboard in mitigation because you can spend more than the risk can justify. We are getting to that point, but we probably need to take a look at that.
How is your relationship with the IT department?
I have a good relationship with the technology department. I sit in a cubicle in the midst of them and can overhear a lot of their conversation. If they are doing something they didn’t tell me about, I can say, “Have you thought about this?”
They are well-trained, and most of the time they think about security. Sometimes an issue comes up, and I can participate in that issue early on.
I meet with all new employees for training on protecting the privacy of customer information. I talk for 10 to 15 minutes about how things like email, internet use, and even personal use of social media can impact the bank.
People aren’t always aware that what they do in private life could impact work. For instance, if I say I work at the bank and then post that I was really swamped today, or we had this happen today, that statement could impact the bank or its customers.
What role do employees play in IT security?
People are targeting banks for funds or to compromise data, and they are sending tailored emails to specific individuals. If we don’t keep training, we could have a situation.
We have a software program that lets us create phishing emails and target them at certain departments. For instance, we can send an email to the trust department saying, “Here is the update to our trust management platform. Click here to enter your password.”
There are a few people who will click no matter what you do, but the overall click rate goes down with training. Unfortunately, attention to it drops over time. When things come out in the news, I use that to make people think about it again.
I mostly want to make employees understand that they need that little decision process, that little risk assessment, before they do something.
How do you respond to IT audits?
When that vendor comes in and gives us that report, I manage the mitigation of anything reported and report to the board how mitigation is coming along.
Sometimes I argue with the auditors about the value of some of their findings. I’ll say, “You said this is high vulnerability, but maybe you forgot the only reason you took advantage of it is because we turned off six systems.” Their position is that they need to have some findings in the report, so it’s sort of a dance.
I have to keep up to date with what they are looking at and also understand what’s going on on my side to mitigate those risks.
How do you keep up with IT security developments?
I do a lot of reading at home to keep up with my Certified Information Systems Security Professional (CISSP) credentials. I look to see what might be coming next. Banks are pretty big targets.
One mistake can really open up a pathway.
What other responsibilities do you have?
Our IT security program is mature enough now that I’ve got much of my focus on contract and vendor management. I’m still trying to develop that so it can be more diffuse, placing more responsibility on department heads for evaluating vendors. Right now, it’s coming to me, and I’m putting it all together. I’m new to the vendor game, and Ncontracts makes it a lot easier.