Making of an Auditor: featuring Nathan Johns, CISA, Senior Audit Manager, with Crowe Chizek and Co., LLC

Richard Swart: Hi. This is Richard Swart with Information Security & Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we will be speaking with Mr. Nathan Johns. Nathan is an executive with Crowe Chizek and Company, LLC's risk services delivery unit, with over 15 years' experience in a variety of internal audit, risk management, leadership and regulatory positions. He has a comprehensive internal audit and risk management background in large financial services institutions, working closely with senior management to address risks and evaluate and implement controls. Before joining Crowe Chizek, Mr. Johns was the chief of the information technology section for the FDIC.

Hello, Nathan.

Nathan Johns: Good afternoon.

Swart: Can you tell us a little bit about your position with the FDIC before you joined Crowe Chizek?

Johns: Sure. I was in charge of IT examinations nationwide for the FDIC, and that entailed pretty much everything that the examiners use when they go out to do an IT examination at a bank, from examination procedures to the guidance to the banking industry to staffing decisions to training and education for the examiners.

Swart: Quite a comprehensive role. In that role, what was your experience as to what was the best sort of training? What are best practices in training?

Johns: The best practices that we used in training, probably the best training method we had was training on the job. We had a program where we partnered up examiners with more experienced examiners almost in a shadowing kind of role or a coaching kind of role, and really the hands-on training was better – was probably the best training.

That being said, we had an extensive training strategy that we had in place; and, depending on – we had actually gone out and surveyed the banks to determine the different levels of technology that they use, and we tried matching up our examiners to the financial institutions. And so we had a training program then that took the common characteristics of those banks and said, okay, what does an examiner need, what skills do they need to examine those institutions? And so we had a training program with courses coupled with the on-the-job training to try and provide them with those skill sets based upon which group they, either them or their supervisors, wanted them to belong to.

Swart: What were some of the best practices for those training that they decide for job shadowing?

Johns: Okay. Some of the things that we did, we coupled classroom training with online training. The classroom training really had the better retention because it was more actual hands-on, very involved between both actual instructions and the doing. So it had a good retention, but they had forgotten by the time they got out to use those skills. So we coupled that with online courses that they could use more as a just-in-time type of training.

Okay. It’s been nine months since we had the course. You can go online; take a course almost as a refresher. They get the information current in their minds right as they’re walking in the door to see the technology. So the flexibility was really key.

Swart: So what would your advice be to other IT security executives who have to allocate their budgets? What should their priorities be these days?

Johns: I think a lot of the priorities need to be not so much – especially if you’re talking about auditing and where you’re going to run into a lot of different technologies and you’re not going to be focusing on a single technology day in and day out, but it’s going to be more on the process and the framework and the structure. You can learn the technologies or have a general understanding of the different technologies and the security around those technologies; but if you understand a good proper framework, whether it be COBIT or ISO or any of the other frameworks that are out there, then it becomes very easy to adapt to different technologies and apply the specifics to that framework.

So, I think spending time not so much on individual technologies but on grasping frameworks is where you’re going to get more bang for your buck.

Swart: In your experience, do financial institutions ever use the NIST guidelines? Is that getting much traction?

Johns: I think there’s varying degrees. I don’t think – I haven’t seen a lot of institutions that are using the NIST guidelines per se, but the NIST guidelines do factor into a lot of these different standards that are out there. I mean, at the end of the day COBIT and ISO and all those have borrowed, or in places at least borrowed, from the NIST guidelines. And I think that a lot of the risk assessment and risk-based approaches that are out there also borrow heavily from the NIST guidelines as well. So, I don’t think there’s a direct use of it, but I think there’s this kind of second-tier correlation that you see with the NIST guidelines.

Swart: Okay, thank you. What about special certifications; which ones are the most important and how would you recommend that organizations prepare their employees to sit for those examinations?

Johns: There are a lot of different certifications out there, so, I mean, it really depends on the position that you’re talking about. But probably two of the most useful and generic or widespread I guess certifications would be the CISSP, Certified Information Systems Security Professional, and the CISSA, the Certified Information Security Systems Auditor. And preparing for them, I think that review courses are obviously a very good idea. If you have enough people, you can get – from a budget standpoint, hosting it in-house certainly has its benefits, if you have enough people taking the test.

But other things that I would suggest short of that is just taking a bunch of practice tests, just so you learn how they ask the questions, the types of material that they’ll be looking for. And the other thing is talk to people that already have the certification. A lot of times they’ll be able to provide tips that worked for them, things that they experienced while they were going through the certification, jobs and experiences that they think could help you prepare for taking the test.

Swart: And what advice would you give to someone who’s just starting their career in information security, specifically someone looking to work in a financial sector?

Johns: I would – the biggest advice I would give to them is listen to people that are out there that have experience in this area, absorb as much as you can from them. Even if they’re just telling you a war story, there are probably very valuable experiences within that story. So be open. Listen to them. Be like a sponge; absorb all that variable information that their experiences have provided them. Don’t make the same mistakes they did. Learn from what they’ve done. And plus on-the-job training, as I mentioned earlier, is invaluable. So learn from their experience; learn from what they’ve done, and basically use them as a mentor.

Swart: Well, you’ve worked with a lot of young auditors just starting out in their career. What are common mistakes and what are some things that new auditors might need to look out for?

Johns: I think the biggest mistake that you see out there is going into an audit and assuming that you know more than the people that you’re auditing. Chances are the people that you’re auditing use this technology day in and day out. So become their friends. I mean, okay, there’s always a little bit of an adversarial role in auditing; however, they do know this technology very well. If you explain what you’re trying to accomplish and the security you’re trying to put in place, oftentimes they can actually help educate you as the auditor on that system, on the capabilities of it; and they may be able to come up with unique solutions to problems that you’ve identified in ways that you had never thought of.

Swart: I’d like to tap your experience one more time. You’ve served on a number of FFIEC information technology committees and oversaw IT matters. What are some of the most pressing concerns that you saw in the FFIEC from an IT security perspective, and what do you think will be emerging as significant concerns over the next few years?

Johns: From an information security perspective, there’s a couple of things that are – well, there’s a couple of things that are currently on the front burner, and there’s some things that I think will be coming onto the burner over the next couple of years. Obviously right now one of the hottest topics is protecting information, whether it be customer information or whether it be some business information or whether it be credit cards. With all the breaches that have occurred, all the press that’s been surrounding some of the information compromises, lawmakers all over the place are trying to make a determination if there needs to be additional laws. So it certainly puts pressure on the regulatory bodies to try and work within the framework that’s there to stop these things from happening.

That being said, the direction and some of the things that they’re considering in the future, which will probably be hot topics in upcoming years, are the increased use of encryption. As costs come down on encryption and as the technology becomes better and better, it’s becoming harder for them not to increase the requirements around encryption. So I think that’s something we’re going to be seeing more and more of from the regulators as a push towards stronger and more encryption.

Swart: So it sounds like someone starting off in their career should really ensure they have a solid foundation or use of these modern technologies for encryption.

Johns: Absolutely.

Swart: All right. Well, thank you for your advice, Nathan. It’s been very interesting, and I’m sure our listeners will get great benefit from it.

Johns: You’re welcome.

Swart: Well, thank you for listening to the podcast of the Information Security and Media Group. To listen to a selection of other podcasts or to find other educational content regarding information security for the banking and finance industry, you can visit www.BankInfoSecurity.com or www.CUInfoSecurity.com.
