Information Security

Defending the digital infrastructure


Interview: Financial Services CISO David Pollino

CISO Uses Predictive Analytics to Bolster Risk Management Program

As an information security practitioner working in financial services, David Pollino has the task of managing risk associated with potentially fraudulent transactions. He uses predictive analytics, which he describes as an invaluable tool that makes risk management relevant to the business.


What is predictive analytics and what does it have to do with information security?
Analytics is just a disciplined approach to doing data analysis. Some call it the science of data analysis, but it's basically taking the data you have and having a disciplined control methodology around how you look at the data and analyze it. Most security professionals use some sort of metrics, but analytics is the more disciplined approach – using those metrics to make data-driven decisions. Normally when you move to that level of discipline and sophistication, your methods of gathering the data get more sophisticated. You move beyond Excel or Access databases to potentially using a data warehouse and analytics software like SAS -- those types of tools.

A great example of predictive analytics is a credit score: it's a historical view of the data that's known about us to try to predict whether we'll pay our bills in the future.

How is predictive analytics used for risk management in online banking?
Normally a risk manager can only control a certain number of factors; they can't control the economy or market conditions, but they can control risk system configuration options. Based on those configuration options, you can use analytics to predict how controls would perform in the future. You could put data through analysis to produce a score that says these types of customers are better or worse. Part of the challenge is knowing all the variables; some things aren't immediately apparent from looking at the data, such as time of year or advertising [campaigns]. Because of the complexity of predicting what could happen in the future, it's important to understand the influence of the data in front of you but to also have a holistic approach that takes into account some external factors.

When you're online, you're 10 seconds from every creep in the world. You can't pick your neighborhood, but you do know where they're coming from. You can say, "Where is this person coming from and is that an indicator of risk?" You could say based on this geographic area, we'll apply this decision making to them. There are all sorts of legal implications in the financial services world on how to do it, so it's something to be cautious of.
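The answer above describes replaying historical data through different control configurations to predict how each would perform. The script below is an added illustration of that backtesting idea, not code from the interview or from any bank's risk system: it scores a small set of constructed historical transactions with a weighted rule set, then reports how many each configuration would have flagged and how many of those were actually fraudulent. The feature names (amount, new_device, geo_mismatch), the weights and the flag thresholds are all assumptions chosen for the example; geo_mismatch stands for "the login origin differs from this customer's usual region," a customer-relative indicator rather than a judgment about any particular place.

```python
"""Backtest risk-control configurations against labelled historical transactions.

Added example, not from the interview. The history, feature names, weights and
thresholds are constructed assumptions; a real program would replay a data
warehouse extract rather than a hard-coded list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    amount: float
    new_device: bool    # device never seen before for this customer
    geo_mismatch: bool  # login origin differs from the customer's usual region
    fraud: bool         # outcome learned after the fact (confirmed case / chargeback)


# Constructed history: ten transactions, three of them later confirmed as fraud.
HISTORY = [
    Txn(40.0, False, False, False),
    Txn(120.0, False, False, False),
    Txn(2500.0, True, True, True),
    Txn(75.0, True, False, False),
    Txn(900.0, False, True, False),
    Txn(3100.0, True, True, True),
    Txn(15.0, False, False, False),
    Txn(800.0, False, True, True),
    Txn(60.0, False, False, False),
    Txn(450.0, True, False, False),
]


def score(txn, weights):
    """Weighted sum of risk indicators; the weights are the tunable control knobs."""
    s = 0.0
    if txn.amount >= weights["amount_threshold"]:
        s += weights["amount"]
    if txn.new_device:
        s += weights["new_device"]
    if txn.geo_mismatch:
        s += weights["geo_mismatch"]
    return s


def evaluate(history, weights, flag_at):
    """Replay history through one configuration and report how it would have done."""
    flagged = [t for t in history if score(t, weights) >= flag_at]
    tp = sum(1 for t in flagged if t.fraud)
    fp = len(flagged) - tp
    total_fraud = sum(1 for t in history if t.fraud)
    return {
        "flagged": len(flagged),
        "true_positives": tp,
        "false_positives": fp,
        "precision": tp / len(flagged) if flagged else 0.0,
        "recall": tp / total_fraud if total_fraud else 0.0,
    }


# Candidate configurations: (weights, flag threshold). Same indicators, different emphasis.
CONFIGS = {
    "loose": ({"amount_threshold": 1000, "amount": 2, "new_device": 1, "geo_mismatch": 1}, 1),
    "strict": ({"amount_threshold": 1000, "amount": 2, "new_device": 1, "geo_mismatch": 1}, 3),
    "geo_heavy": ({"amount_threshold": 1000, "amount": 1, "new_device": 1, "geo_mismatch": 2}, 2),
}


def compare(history=HISTORY, configs=CONFIGS):
    """Return {config_name: evaluation} so the trade-offs can be laid side by side."""
    return {name: evaluate(history, w, t) for name, (w, t) in configs.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:>10}: flagged={result['flagged']} tp={result['true_positives']} "
              f"fp={result['false_positives']} precision={result['precision']:.2f} "
              f"recall={result['recall']:.2f}")
```

On this constructed history the loose configuration catches every fraud case but flags six transactions to do it, the strict one flags only real fraud but misses the lower-value case, and the geography-weighted one sits in between. That comparison of flag volume (customer friction and analyst workload) against recall is exactly the kind of evidence a risk manager can take to the business before changing a control, instead of tuning it in production.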

How can predictive analytics be used by information security professionals in other industries?
A lot of businesses make their money in auctions [but] many things can get in the way of collecting on whatever wares you're peddling. Analytics can be used to look at what we know about this person who is going to pay this money. The more we trust them, the higher score they're going to get. Individuals we know little about will get a lower score. We'll do a calculation based on the propensity of these people to pay their bill and compare it with the price they're willing to pay. If you never intend on paying your bill, then most likely you could care less how high something is bid.

Employee surveillance is a common function provided by information security groups. Whatever system you have for watching user activity, you could apply an analytical approach that looks for abnormal activity. Using analytics can help you to focus your attention on things that are likely to be the most relevant.
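The point about using analytics to focus attention on abnormal user activity can be made concrete with a small scorer. The script below is an added example, not code from the interview or from any monitoring product: it parses constructed daily activity counts per user, builds each user's own baseline, and ranks today's observations by how far they sit from that baseline measured in median absolute deviations (MAD). The log format, the field name files_accessed, the MAD floor and the minimum-history rule are all assumptions for the example.

```python
"""Rank users by how far today's activity departs from their own baseline.

Added example, not from the interview. The log lines are constructed; the
format (date user files_accessed), the MAD-based score, the mad_floor and the
min_history rule are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed baseline log: one line per user per day, "date user files_accessed".
LOG = """\
2024-05-01 alice 12
2024-05-02 alice 15
2024-05-03 alice 11
2024-05-04 alice 14
2024-05-05 alice 13
2024-05-01 bob 80
2024-05-02 bob 95
2024-05-03 bob 70
2024-05-04 bob 88
2024-05-05 bob 92
2024-05-01 carol 5
2024-05-02 carol 4
2024-05-03 carol 6
2024-05-04 carol 5
2024-05-05 carol 5
this line is malformed and is skipped
"""

# Constructed observations for the day being reviewed. dave has no history at all.
TODAY = {"alice": 14, "bob": 102, "carol": 40, "dave": 9}


def parse_log(text):
    """Return {user: [daily counts]} from 'date user count' lines; malformed lines are skipped."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _date, user, count = parts
        try:
            per_user[user].append(int(count))
        except ValueError:
            continue
    return dict(per_user)


def robust_score(value, baseline, mad_floor=1.0):
    """Distance from the user's own median, in units of median absolute deviation.

    Median and MAD are used instead of mean and standard deviation so that one wild
    day already in the baseline does not mask the next one. mad_floor is an
    assumption: a user whose baseline has zero spread would otherwise divide by zero.
    """
    med = median(baseline)
    mad = median(abs(v - med) for v in baseline)
    return abs(value - med) / max(mad, mad_floor)


def rank_anomalies(today, baselines, min_history=3):
    """Return [(user, score)] with the most anomalous first.

    Users with fewer than min_history baseline days get score None and are placed
    at the end rather than silently scored against a baseline too thin to trust;
    they still need a human look, just a different kind.
    """
    scored = []
    for user, value in today.items():
        hist = baselines.get(user, [])
        if len(hist) < min_history:
            scored.append((user, None))
        else:
            scored.append((user, robust_score(value, hist)))
    return sorted(scored, key=lambda us: (us[1] is not None, us[1] or 0.0), reverse=True)


if __name__ == "__main__":
    for user, s in rank_anomalies(TODAY, parse_log(LOG)):
        print(f"{user:>6}: {'no baseline' if s is None else f'{s:.1f} MADs from median'}")
```

Run as-is, carol's 40 file accesses against a baseline of 4 to 6 tops the list by a wide margin, bob's busy day scores as mildly unusual for him even though his raw count is far higher than carol's, and alice is ordinary. That is the effect the answer describes: the analyst looks first at what is abnormal for that person, not at whoever has the biggest number.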

Does predictive analytics require a lot of resources?
It requires skilled resources, so you need to learn it or hire someone. You may be able to borrow resources from other parts of the company. I always got them from marketing. A lot of times it was easier to say [to marketing], "We've got our data to a point where we can do some analytics on it. Could we get one of your guys to do some stuff for us?" There are a lot of highly trained people who can predict user behavior and use analytics; they reside in marketing.

Does executive management generally see the value of this type of analytics?
Absolutely, especially when it comes to regular reporting. If you work for a publicly traded company or a well-regulated industry, you'll have regulators and auditors at the door, asking things like, "How do you rate your controls?" and "What are your key risk and performance indicators and how have they changed over time?" So you need to be able to produce those, and a lot of times that involves the use of analytics. When it comes to wanting to stay relevant to the business in making recommendations on how to appropriately take on risk, you need to be at the table from the get-go, from the inception of the project, and be a trusted advisor to the business. If you're just the rubber stamp they come to right before the project is implemented, that's not a good thing. You lose your relevance to the business and chances are the senior level executives aren't going to care about what you're doing.

Probably the best compliment I've had recently -- and it's been a tough business cycle for financial services -- is that the analytics we produce on a monthly basis we've been asked to produce on a weekly basis for the president of the bank … It goes from the information security or compliance or audit group being the rubber stamp along the way to being the trusted advisor, and relevant to the business.
