CHICAGO -- The first year in any new job is full of challenges. As CISO of one of the world's largest financial institutions, the learning curve is especially steep.
JPMorganChase's Anish Bhimani spoke candidly about the hurdles he faced and how the company addressed them -- including operating in a global, outsourced environment and building a support network within the lines of business -- at the Information Security Decisions conference last week.
"The scale can sometimes be overwhelming," said Bhimani, now vice president of IT risk management. "You have to take it one bite at a time."
Shortly after Bhimani joined JPMorganChase it merged with Bank One, presenting an even greater scale to protect -- $1.1 trillion in assets, 200+ datacenters, 30,000+ servers and 170,000+ desktops.
Bhimani told attendees the merger gave them the opportunity to centralize the components of IT risk management. Since each line of business has a different profile with regard to operational risk it was important to establish an information risk management board with a reporting structure to lines of business. It was also a chance to refocus team charters and strengthen ties with other groups, like operational risk and audit.
Bhimani related a dozen critical lessons he learned as CISO:
- Don't get hung up on organizational models/titles. The function can report to anywhere so long as it has appropriate visibility.
- Scale and complexity are the enemies of security. Likely, you can't change either.
- Compliance is not the same as risk management.
- Use meaningful metrics. Citing W. Edwards Denning, "What gets measured gets done," Bhimani advised measuring what you can measure, but said that metrics for metrics sake is useless -- you must demonstrate value. Provide a meaningful view of the risk posture of the organization and get the data into the hands of people who can act on it.
- Focus on cost-cutting to increase investments. "Don't fall into predictable patterns, constantly reevaluate," said Bhimani. "Automate and streamline commodities; invest in process and tooling. Greater spending doesn't equal more security."
- Focus on a few things and execute well. "'Define your gaps and close them' doesn't really get you to a level of security; focus on manageable chunks," said Bhimani. "Prioritize based on risk reduction versus achievability."
- Fix the plumbing. Get buy-in from the appropriate people and communicate what you're doing. Bhimani cited Ed Miller, president of AXA Financial, "90% of vision is execution; 90% of execution is communication."
- Leverage a broad base of programs, resources and people. Tie your programs into other, more visible firm-wide programs, like regulatory compliance.
- Make sure you understand the regulatory impact of what you're doing. Read the regulations; they are often misunderstood.
- Audit is your best friend. It gives you the "teeth" you need to improve the environment. A strong partnership between IT risk and audit is a powerful combination.
- Focus on execution. Don't sit around waiting for others to provide you with the tools and information to do your job.
- Remember that there are three components to every program: people; process; and tools.
By 2010, the position of CISO will have changed considerably. Likely it will morph into a "deputy risk manager" and will be split between risk management and IT, said Bhimani. He also predicted that engineering and operations will move into IT, but that policy and strategy will remain separate.