Ken Newman of American Savings Bank on: Educating Your Employees
RICHARD SWART: Hi. This is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’re speaking with Kenneth Newman. He joined the American Savings Bank as the Vice President of Security in March of 2005, and is responsible for managing their business continuity, information security and records management programs. He has extensive experience in information security for over 15 years, and has previously worked at Deutsche Bank, and also with Citigroup. Good afternoon, Ken.
KENNETH NEWMAN: Good afternoon.
SWART: Well, Ken, I was wondering if you could talk to us about what is the greatest threat to information security in the banking and finance industries.
NEWMAN: I think the greatest threat today in banking and finance with regard to information security is the potential for exposure of customer information, the risk of data being stolen, data being lost, data being exposed in some fashion. It’s what every financial institution has to face, because customer information exists in so many places, it can exist in so many different applications, so many different day repositories, individual servers, individual laptops, e-mail accounts, PDAs, cell phones, the list goes on and on, all the places where a financial institution can maintain information with regard to its customers. And then, along the way, what can potentially happen? Are all the possible avenues being protected? And, if there is an exposure, what can the institution do to quickly detect that exposure, respond to it, determine the threat and take the appropriate steps, both mitigating the risk to prevent an exposure from happening again, as well as if there is a requirement for customer notification, taking appropriate steps to notify the customers.
SWART: Well, obviously, you can’t talk to us specifically about your bank’s security architecture, but in general can you talk about some of the best practices that you and your colleagues are seeing, in terms of preventing data leakage or data loss?
NEWMAN: There certainly are a number of strong practices out there. But, the single most important, really, is going back to basics, and in the organization, performing a risk assessment, identifying all the stores where data and information exist, the type of data, and then based on the probability or likelihood and potential impact of an exposure of that information, what is the risk. Once an organization has taken a broad view of that, they really can begin to understand where they may need stronger controls, if they don’t have them today. But, because information is so pervasive, you really have to take a broad sweep, a broad approach. You can’t target individual things, or individual technologies until you really understand where everything is, where it is going, and what the impact is, and then decide where you may add additional controls, additional layers of protection around your applications, encryption, better access controls, stronger authentication strategies, individual things on an application basis that will minimize that potential risk of exposure.
SWART: Well, let’s change gears a bit. That’s a great answer. I know that a lot of our listeners are very concerned about training and education issues, and the extensive research that shows that training is often the single most effective thing you can do in a security program. I know this is an interest of yours. Why do you think training and education are so important?
NEWMAN: Well, as we just talked about, data and information, and the risk and threat of exposure can be everywhere across that organization, but the real challenge is all of the individuals in the organization that have access to all that information, and they taking appropriate measures to take care of it. Because you can have perfect controls in place, you can have ultimate control, you know, if cost is obviously no issue, and usability is not an issue, you could have ultimate control, but you still could have users sharing information in inappropriate ways, and it could be things as casual as conversations in public areas, not picking something up from a fax machine or a printer, or leaving something on a copier. Confidential information could potentially be exposed in any of those ways. And it really comes back to your users, your employees, and their responsibility to control that information. Because the security programs in today’s organization needs to be the entire company. It’s not just the security officer and his staff, the entire company has to take responsibility for security, and that means training awareness has to be very, very strong at all levels of the organization, so they understand the requirements, and they think about control, and they think about security when they are handling that information.
SWART: What are some of the biggest challenges that you see facing banks and financial institutions as they try to develop an effective security training program that would meet those objectives?
NEWMAN: Like most companies, financial institutions are challenged with delivering so many different kinds of training to their employees today in so many different areas. Security training is important, it’s as important as any of those other kinds of training. But, if you’re talking about a financial institution that already has its employees committed to “X” number of days or weeks, or even months of training per year, depending on the kind of business they may happen to be in, the challenge is getting their focus, and being able to take time for a focus on security. Are you able to physically bring people together? Do you have to go to people? Do you have to use web tools? Do you have to use Podcasts? What are the strategies that will let you get some of the training time that is earmarked for these people? I think that is really one of the biggest challenges. We could potentially spend all of our time in training, learning new skills. Security training has got to be pervasive and simple, and it’s got to cut through all the noise that is going on out there, not to mention that some people may only get some of that training on an annual basis, and how do we make sure they are thinking about it all year long.
SWART: Well, what are some of the ways that banks are approaching that training? I mean, what are some of the actual practices that you are seeing that are actually working?
NEWMAN: What I always try to do, and several others have shared similar stories with me, we find training is most effective, security training in particular when we make it significant for our employees, we make it personally significant to them. We need to relate it in ways that are meaningful for them. That, I think, is the biggest goal, and the biggest opportunity. Now, certainly, from a technical standpoint, there are options out there that allow you to do very impressive web-based training and not have it be boring, have it be interesting, have it be, like, games, have it be, like, stories, so that you can get a message in to people. But, at the fundamental level, even if you are face-to-face with a group, doing plain, old fashioned, instructor-led training, you need to be able to make it meaningful for them. You can’t just read them a litany of policies and procedures and requirements that say they have to protect data. You have to give them an idea of what happens if that data is not protected, and put them in the shoes of the individual who has lost the data. And from what I have seen, when it is significant for them, as individuals, they are more likely to remember it. I do a weekly training session, a very short one, for our new employees, for new employee orientation, I will go in every week for about half an hour, and the one message that I try to kick them with five or six times during that session, because I know they are going to have a full day of information, is telling them some stories about potential losses of information, and asking them how they would feel if it happened to them.
“What would you do in this situation?” “What would you do in this situation?” “How much effort would it be for you to recover from this kind of impact?” And the single message I try and leave them with is what I am going to ask them to do, as employees, for their tenure with the company, is to treat customer information that comes across their desk like it is their own, and treat it with the same level of respect. And, to always stop and think about how many other places around the world right now might somebody have access to their information, and would they like to think that all of those other people around the world that have their data are doing the same thing to take care of it. Very much a “what goes around comes around,” message, I think, is very effective.
SWART: Well, let’s switch emphasis a little bit. What about training and educating the board of directors? Many times, they need to understand these issues at a very deep level as many don’t have an information security background. How would you go about organizing, or what would you present to the board?
NEWMAN: That is definitely a substantial challenge. Not only are they a group of individuals that generally we get very little face time with, because they have so many things going on, and so many concerns of the organization, it’s even harder, I think, to provide knowledge and learning to that group of individuals, just from an available time standpoint, but they also have very significant responsibilities. And, in financial services, if you look at the various regulations and guidelines, most of us tend to follow the FFIEC handbooks, for example, with regard to information security and other disciplines, and the board is specifically called out as having responsibilities for oversight of a security program for an organization. So, you’ve got a double-edged sword of very little of their time and a higher level of commitment. And I think the only way to do it is with really, really tight, really, really simple messages. When I am able to get before a group like that, which is generally on an annual basis, to present a report on what has been done for the year, what is planned for the next year, and ask for their approval, I’ve generally got a very brief time to do everything. And what I will tend to focus on is one or two particular success stories in the past year that really underscore what was accomplished by the security program, or by delivering security training. It can be, as an example, something that might have introduced some value to the organization beyond security, you know, something we did in the records space was host a community shredding day with one of our vendors that shreds documents for us, and we set up at various locations, where members of the community and our customers could bring their personal documents, and we were going to securely destroy them free of charge for them. And there was a good deal of press, and benefit, that came to the organization from having done that.
And there was appreciation from the community and appreciation from customers. And I think some of those simple sorts of things that can be tied to something more practical than just controls and regulations, help to get the message to that kind of group.
SWART: That’s an interesting example. I guess that brings me to the point of how has information security changed over the last few years, or the last decade? You wouldn’t have seen somebody bringing a shredding truck out ten or fifteen years ago. What’s new?
NEWMAN: What’s new are the regulations. In reality, there has been a phenomenal growth in regulations, not only in financial services, but across all industries, over the last seven to ten years, where, starting with [indiscernible], then HIPAA, and now we’re looking at SOX, and 36 states and the District of Columbia have individual laws and regulations around protecting consumers from identity theft, and how to handle breaches and how to protect the customer information. So, we’ve really been inundated with this requirement. And, another popular anecdote is 10 years ago, in most institutions and most entities is, if a laptop got stolen, we replaced the laptop, and might not have thought about it much beyond that. But, today, if a laptop is stolen, lost, goes missing, anything, it is a full-blown incident, it is a full-blown security investigation, to determine what information might have been on that laptop. Were customers involved? Was there exposure? How many customers? What is the likelihood of use of that information for negative activities? And, what is the requirement to notify? And not only what is the requirement to notify those customers, but what is the right thing to do, if the requirements aren’t clear? So, I think with what we have seen, in changes in regulations over the years, that has recemented our focus in so many ways.
SWART: Well, I’ll ask you, the last question is what are essential skills that many information security professionals lack, given the change in the field?
NEWMAN: I think today, probably some of the most essential skills are the nontechnical ones. There are lots of great training programs out there to learn about technologies, both academically and in the vendor space. But, there still isn’t enough yet of the soft skill side. Being the security officer in a company on a day-to-day basis, is more about sales, marketing, and communications than it actually is about specific technical decisions about devices or technology or any of those things. That is why, as an example, with ISACA, a group that I am very proud to be involved in, their Certified Information Security Manager designation that first appeared in 2002, and now, by the way, there are probably 7,000 of us that have that certification, so we are beginning to see some growth in it – it doesn’t focus just on technical aspects, it begins to focus more on management. And I think we need to see more training opportunities like that, more certifications, more programs that go toward the soft skills and the business skills and don’t just solely focus on the technical aspects, the IT aspects of security, because information is everywhere. Another common example I like to use for folks that think about their risks and think about security is they may know about their systems, they may know about their applications, but I like to ask if they know what their marketing department is doing, if they know what customer information their marketing department has, and how many vendors they may give it to to perform services over the course of a year, like a survey, like a mass mailing. There are no systems involved there, and there are no technical controls. It’s simply a business group performing that function, their function. But, that function involves giving information out to other areas.
So, if you are too rooted in technology, and you don’t understand the business, and you’re not marketing and selling security to find out what is going on out there, that is a gap you are never going to be able to address.