Information Security

Defending the digital infrastructure



Implement security and compliance in a risk management context

CFOs live in a world where risk management is the lingua franca. CISOs have to join the conversation.

That may be overstating the case, but increasingly, chief information security officers should have a lot in common with their colleagues in finance. Just as a 21st-century CISO has to be more than a technologist, the outstanding CFO is much more than an elevated CPA.

"The CFO should be someone who has initiative, is well rounded, and who has broad business sense and broad business experience," says Mark Hogard, CFO of Oklahoma City-based First Capital. "He has to think ahead, think outside the box, and make sure the company is prepared in this ever-changing world."

Both positions have become even more demanding in today's compliance-heavy business environment, with unprecedented requirements for data protection, privacy, consumer protection and corporate accountability. Even in the financial services sector where regulatory controls are old hat, the sheer volume of transactions and explosive growth of data has altered the paradigm.

Financial services executives call for a new breed of CISO, one who looks to the example of the CFO and implements compliance and security in a risk assessment context, rather than simply deploying firewalls, antivirus and intrusion prevention systems. There are sharp lessons for security officers to learn from their financial counterparts.

CISOs have often been outstanding technologists, very adept at identifying and implementing new security products and systems. CFOs, on the other hand, don't regard their positions as being exclusively about numbers.

"The CFO position has always been about business evaluation, and the position has always been a business partner evaluating various business objectives," says Mike Stiglianese, who has the unique perspective of having served in both CFO and chief information technology risk officer roles at Citigroup.

That's where the CISO role needs to be, but typically is not. Much more often than not, the position sits in IT, and therein lies much of the problem. Stiglianese is surprised by how few CISOs share his background.

Now an independent consultant, Stiglianese spent his entire career at Citigroup: 25 years on the finance side, including several CFO positions, and the last three as CISO. The things he's encountered outside the CFO chair have opened his eyes.

"The shocking thing was the lack of metrics and a lack of discipline," he says. For example, he asked one organization how many applications it had, and was told 8,000 to 12,000. Count them, he said.

"They said, 'Everyone calls an application a different thing.' I said, 'Let's have a meeting and define something. I'll call it an application and you guys call it whatever you want, but we're going to count how many of those things we have.'"

He says simple program and project management are missing, because information security is overly focused on technology and not on planning. "That type of stuff was the basics that you had on the CFO side." The CFO sees everything in terms of risk assessment.

What are the potential gains and what are the exposures? What is the potential return, and how much can we lose if a loan or investment goes south? What will this new technology or this new service cost us, and what can we expect in revenues, and when? What controls do we need for regulatory compliance, and do they properly mitigate risk to the business? Because he is grounded in risk assessment and business, the CFO has the ear of upper management (he's one of them) and will be much more receptive to supplicants who "get" business.

The IT-based CISO, especially if he is comfortable there, likely has less insight into the business and will have trouble selling new security programs and technologies to business people who think in terms of risk/reward and cost/benefit.

"If the CISO is a technology person, more often than not, he doesn't have enough gravitas with senior management to get their attention, to make them aware of a business issue," says Eric Holmquist, VP and director of risk management at Advanta Bank.

The CISO can be reduced to trying to sell insurance to executives who are not convinced of the risk. The CFO understands that he must be able to take his special knowledge, translate it into business terms and communicate effectively to the investor community outside the organization and the board and management within.

"I have the financial information, and I have enough of a financial background that I know what makes sense," says Stiglianese. "And, I'm going to make it easier for other people to understand."

At Citigroup, for example, the CFOs have business backgrounds, with "enough financial expertise to know what makes sense." They call on their financial experts to give them the information they need.

In parallel, Stiglianese says that in larger organizations, CISOs are moving into this role as business/risk managers, communicating with business groups and management on their own terms. They have sufficient tech savvy and rely on experts with the technical background for the rest.

Warning Signs

Before taking a job as CISO, make sure the company you are about to join is fluent in risk management.

Eric Holmquist, VP and director of risk management at Advanta Bank, offers three signs that an organization doesn't take risk assessment seriously:

* Information security is positioned as an IT issue, and IT is being asked to manage something it has no control over and that isn't a technology issue.

* The tone you hear is "just follow the guidance." You can never set regulatory expectations as your measure of success. That's always the minimum standard. You must exceed that.

* You see anecdotal evidence that people just give lip service to risk assessment, and that sloppy practices are acceptable culturally. If there aren't exceptionally good controls around data in motion, controls of third parties, etc., you have a big problem.

"If there isn't a tone from the top setting information security as a high priority, you're cooked," Holmquist says.


CFOs have always had to deal with regulatory controls, but not in as public and dramatic a way. The CFO was required to make sure the company was in compliance with GAAP standards, report to various agencies and make sure external auditors would approve financial statements.

But all this happened pretty much behind the scenes, says Stiglianese. Regulations such as SOX have changed the dynamic, drawing intense interest from investors on the outside and the board of directors within. When he started at Citigroup, the regulatory reporting group was under the CFO's office, but "as things have become more highlighted and spotlighted, you bring in a different level of talent to handle the regulatory reporting side."

GLBA created a similar environment for the CISO, but while regulatory change came gradually to the CFO, the CISO was thrust abruptly into the spotlight.

"The CISO," Stiglianese observes,"went from zero to 100 miles per hour instantly."

The upshot is that while CFOs understand the regulatory environment, how it affects the business and how it fits into the risk equation, CISOs are still learning.

"Coming from the financial background, with what we were doing with the compliance function," says Stiglianese, "I saw I was spending a lot of money in areas where I really didn't generate risk, and probably wasn't spending enough to mitigate areas that were riskier."

These are critical considerations. In contrast, there's the CISO who comes to management with a shopping list of technologies he says they need to comply with PCI or to meet the security requirements of SOX, GLBA or HIPAA. The checklist approach, rather than a risk-based one, will probably pry some dollars loose. However, it won't serve the best interests of the company, which may or may not be technically compliant, and which is not significantly more secure than it was before the purchase.

Consider that the intent of these regulatory controls is to protect your company, its customers, its investors and its partners.

"Compliance is about protecting something, some resource, typically," says Dick Mackey, vice president at SystemExperts. "If you fall victim to compromise because your controls aren't good enough, you didn't achieve the goal or intent of the regulation."

The premise is that there is risk here. Address compliance within that context, so that compliance flows from your risk assessments, rather than being bolted on.

"When you come up with compliance policy that's based on risk, you have to come up with something that works in all cases," says Stiglianese.

That's key to avoid overspending and devoting redundant resources to comply with each regulatory requirement, especially in large organizations, where compliance may become fragmented among various business units.

"One of the first things you realize is that we [financial institutions] are more heavily regulated than most," says Anish Bhimani, managing director for security and risk management at JPMorgan Chase. "So, how do you demonstrate compliance across a number of varying sets of requirements?"

When you build your security program on risk assessment, you are going to protect your company. When you build a program based on compliance, you have, well, compliance.

"We never set the bar for any program based on regulatory expectations," declares Advanta's Holmquist. "I set the bar higher than their expectations. We create as robust a program as we can based on awareness, accountability and the ability to take action. We always exceeded regulators' expectations."

Risk is also well understood by regulatory auditors and bank examiners, who are not-and should not be-simply working off a checklist.

"With regulators, I've always found I was able to do things with a risk-based approach," says Stiglianese, "as long as I was able to take them through what my methodology was for evaluating risk."

Depending on whom you talk to, compliance in the financial sector is something of a black-and-white affair, but that's not to say it's all or nothing.

The overriding consideration is the safety of the business, that is to say, whether there is a real danger that the business could collapse and put customers and other institutions in jeopardy. That's at the heart of many regulatory requirements, and it is a different consideration from the soundness of the business, which speaks more to its level of profitability.

So, while banks should use risk assessment to develop programs that meet or, preferably, exceed regulatory requirements, comply they will. "We follow guidelines laid out for the company," says First Capital's Hogard. "Risk assessment determines to what degree of effort and cost the company expends making sure we're complying with the regulations."

Hogard applies the 80-20 rule, achieving 80 percent of compliance quickly at 20 percent of the effort, then implementing more effort-intensive methods to enhance compliance.

The key is presenting a plan that makes sense to examiners/auditors. If your company can't implement controls immediately, presenting a risk-based, specific plan, with a time frame, will work.

"Generally, it looks something like a 24-month rolling plan," says Steve Katz, founder and president of IT security consultancy Security Risk Solutions, who managed information security at JP Morgan, Citigroup and Merrill Lynch. "It gives business managers as well as auditors and examiners a sense that you're not just trying to solve the immediate problems. If there are open compliances, you have a plan to remediate over time."

"Compliance is black and white," says JPMorgan Chase's Bhimani. "However, the way some of the regulations are written requires interpretation by the regulatory authority.

"SOX 404 is a classic example. It's maybe 150 words long. Our goal has always been to assume the strictest interpretation unless you hear otherwise."

The relationship between the CFO and CISO varies from one organization to the next.

For compliance, in larger organizations such as Citigroup, the CFO may rely on the CISO to provide metrics to support internal audit and, in turn, rely on audit to evaluate the security/compliance controls.

In smaller (not to say small), less complex companies, the relationship may be more direct.

"I look to our IT director to help assess if we have the proper controls, and if controls we are thinking of implementing will actually provide the integrity we are looking for," says First Capital's Hogard. "We want to make sure that before we invest the dollars our plan will actually be effective."

Often, the CFO is the one giving thumbs up or thumbs down to the CISO's spending requests. The CISO will be far more successful if he's one of the new breed of security officers who's grounded in the business and risk assessment.

"I was somebody who basically denied investing in a lot of proposals and then spent three years getting the proposals passed," says Stiglianese.

"The interdependency is more of the CISO on the CFO than the reverse. When I was CFO, as long as I was not having any information security breaches, I didn't mind if I never saw the CISO come in asking for money."

Nonetheless, as a CFO he would have been more receptive to funding requests from CISOs, now that he understands their importance.

"The proposals weren't articulated in a way I could understand. They made no sense to me, so we didn't make the investment. I learned there's a need for a more efficient way to communicate between the two functions."

