GRC for financial firms: Managing risk, vendors and changeDate: Dec 21, 2009
Learn about managing risks, vendors and change in the first part of a two-part interview with financial-services security expert Eric Holmquist.
About the speaker:
Eric Holmquist is President of Holmquist Advisory and former Vice President at Advanta Bank Corp.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
GRC for financial firms Managing risk, vendors and change
Kelly Damore: We are here with Eric Holmquist, President of
Advisory. Eric Holmquist, what are some of the key elements for an information
security governance program in financial services?
Eric Holmquist: There are a couple of key elements that I see
in people designing
their programs. The first is cross functional governance. I see a lot of
organizations where information security becomes segmented into IT or
one specialized area and a critical factor is you must have cross-functional
input into the program. This way you are getting all the different constituencies
represented in the program and can really build the holistic program you
need. The second key is risk awareness. I see this again and again that people
are not building effective risk awareness assessment programs, instead what
they tend to do is just manage to their perceived risk, but are not really taking
the time to clearly develop good risk assessments.
Assessing information security risk is not easy. This is a
moving target that has
a million points of input, but it is something organizations must do if they are
going to manage a program effectively, they have got to understand what the
real risk is, and building that awareness into their culture through training
programs because you need every single person part of the program. Finally,
they must have absolutely world-class incident response programs. I have
seen too many organizations that have an incident response team, but at the
end of the day, when you really pull it apart you realize they are going to be
making it up as they go. They really have to have thought through exactly
what they would do, God forbid, they have a breach, who would do what,
what roles and responsibilities are, because if there is one factor that is true
for every incident regarding data that has ever happened is time is not on
your side. You cannot take the time to sit back and think about what you
are going to do, you have to be able to respond quickly, and that is part
of the whole governance picture.
Kelly Damore: What are some of the frameworks that can be
support your governance program?
Eric Holmquist: The framework question is an interesting one
frankly, I am not that big of a fan of frameworks. In terms of IT, the
gold- standard is the Cobit framework that really is the only true
framework. In terms of information security, there really are no
frameworks; we have got a couple of standards. For instance, we
have got the ISO Document, documentation from FFIEC, NIST, and
some of these other standards you can look to. Now these are
really good, in terms of checkpoints for a program, but they are
really not designed for building a program around. When you are
going to implement a framework within the organization you have
to be very careful.
There is an advantage to having a framework because the
worst case would be just making it up as you go along, managing
by intuition, because you are always going to be asking, 'What
did we miss?' Some of these frameworks and standards can be
helpful for looking at, making sure you do not miss things, but
even that can be a double-edged sword, because if you implement
one of these frameworks or standards, what you do not want to do is
then swing the other way and say, 'We have done everything that is
included in the framework of the standard, we are done.' At the end
of the day, managing risk is about going beyond the framework. For
instance, for information security, ISO could be used as a good
starting point to, what do we need to think about, but you cannot
end there, in terms of implementing some of these standards. You
have got to build broad, cross- functional, holistic programs that
look at a lot of different areas. For instance, you need to be really,
clearly assessing what are the inherent risks, and then once you have
built all of your control structures, which is a lot of what these
frameworks are really about, is going beyond that and saying, 'Despite
the fact that we have put all these controls in place, what is the
remaining risk we are living with? This becomes a particularly critical
issue for information security because despite the fact that there are
controls, we still have a significant amount of residual risk, people are
using the data. As long as they are using the data we are going to live
with risks. This is where the program has to go well beyond the
framework and bring some visibility around this residual risk and
some dialogue around it. The frameworks can be a starting point,
just like a frame, but beyond that, you have got to build programs
that go well beyond just those frameworks.
Kelly Damore: How can you incorporate vendor management
into your GRC program?
Eric Holmquist: Vendor management is a tricky area, and
is an area I see, in general, people are still not managing very
effectively. Yes, we have contracts in place and in many cases
we are doing due diligence checklists, but I think the simple
fact is that we still are undermanaging vendor management.
For instance, if I have got vendors that I am going to be
providing confidential information to, yes, I am going to ask for
an SaaS 70, I might even ask for a questionnaire, do my
own due diligence questionnaire or use the BITS questionnaire,
but I have got to go beyond that. For instance, that means meet
with them face-to- face. That is nice that they did the questionnaire,
but I want to talk to them. I want them to tell me, face-to-face,
what are their controls around managing that information? If I do
not have to give them confidential information to be able to provide
the product or service that they are providing, I'm not going to give
it to them. There is just no need for them to have it.
Part of that due diligence project needs to be very, very
about whether they need that information, what information they
need to provide, and then talking with them about what their
protective controls are. Part of that becomes talking to them
about their whole change management program because what they
are doing today is not necessarily what they are going to be doing
tomorrow, so I want to talk to them. How do you manage change?
How do you communicate change? How do you manage the risk
associated with change? This is all part of the idea of governance
risk and compliance. We have got to get beyond checklists and
basic contractual measures. Part of managing risk is managing
some of the subjective elements and you are never going to get
that from a checklist. You are only going to get that from sit down,
Kelly Damore: What are some of the essential elements
for change management in your program?
Eric Holmquist: The real key is awareness, and this is an
area where I see again and again that an organization will
have an event, and inevitably, we can trace that event back to
some change. Going back to my three, the triad of risk
management, awareness, accountability and actionability; this is
key for change management. Part of effective change in an
efficient way is building awareness around 'Why are we doing
this change? What are we trying to accomplish through this change?'
The second is clear accountability to that change, and more importantly,
accountability to the assumptions that are baked into this change:
What is it going to get me? Who is it going to impact? What systems is
it going to impact? What processes are going to change? Most
importantly, the granddaddy question: What could go wrong?
What I see again and again in organizations is change is
focused around 'What is this going to get us?' We will also talk about,
'What is this going to cost me?' Which is the hard dollar and soft dollar
cost. Maybe I will spend a little bit of time thinking about what could
go wrong. That is the area where we really need to be spending
more time, and part of a risk manager's approach to implementing
change is thinking more holistically and just getting beyond, what is
it going to get me and just what is it going to cost me. This is the real
key. We have got to go beyond that to looking at the other
implications, but to do that I have to understand what are my
assumptions built into the change process and what the impact
of this change is going to be.
Kelly Damore: How can information pros assess
information security risks?
Eric Holmquist: That is a really tricky one. I would say that
the work that I have done in and around information security the
assessment piece is quite possibly one of the most treacherous.
At the end of the day, it really is quite impossible to truly assess
what your risk is. What I say is this: You need to focus on this as
being a relative exercise. I am never going to get to where I can
do a perfect assessment of risk in any given area. Instead, focus
around trying to find out what is relatively riskier, in terms of system,
data, third parties, and physical records; those are the four quadrants
where you need to be assessing your information security risk. It is
worth noting I separated systems from data, because systems have
one owner and data has another owner, it has business owners.
Within those areas, the first thing I really need to be able to
really categorize what the data is. I need to know what the data is
and I need to know where it is. If you cannot identify those two
things, you cannot assess your information security risk. The
second thing is I need to think about scenarios, and in the event
of a breach or even a partial breach, I need to be able to assess
what is going to be my impact. How much is this going to cost me
to fix? What is going to be the operational burden in fixing this?
What could be my regulatory impact and what could be my
reputational impact? Again, I cannot come up with absolutely
perfect quantification values, but I can estimate. For instance,
if I have got a venue that has a massive amount of customer
data, confidential customer data, I can pretty well assess what
would be the impact of that having a breach. If I have got a
vendor with a small amount of data or maybe just some
sensitive data, I can categorize those differently. Again, if I
do not know where the data is and I cannot categorize it,
I cannot get my head around assessing risk.
When it comes to the remediation side where you typically see
netting effect of risk where it is how much can I prevent an event?
How much can I monitor and how much can I recover? This is
where the analysis gets a little bit grim, because I can do an
awful lot to prevent an event that is clearly where a lot of our
focus is. Monitoring is tricky because if somebody is going to
steal the data, I may or may not be able to recognize when it is
being stolen because taking the data is not necessarily leave a
footprint. Recovery, let us face it, if the data is gone, it is going to
be ugly. I really cannot really net that down so I have to accept the
fact that I am living with a lot of residual risk.
I make that point because I think one of the best things
that information security officers can do to manage the
risk assessment process is to bring more awareness to
the reality of it. We live a large amount of residual risk
because people are using information, and people need
to be aware of this. We cannot kid ourselves into believing
that we have mitigated the risk away just because we got this
suite of controls that we can parade around. The reality is that
the information is in motion and as long as it is in motion, it is
going to represent a lot of risk. Here is the good news, the
more I can bring awareness to this, the more we can
continue to build additional controls and build credibility
and justification for really, really strong incident response
programs. The fact is we are living with a lot of risk; we
have got to get used to it and better manage it.