Steven Jones of Synovus on: Risk Management and Incident Response
Steven Jones: Good morning. How are you?
Swart: Doing well. Let's start with talking about your responsibilities there at Synovus. Can you tell us what falls under your responsibilities as the Director of Information Security?
Jones: Well, that's a good question, Richard. I appreciate the opportunity. The scope of my responsibilities at Synovus has increased pretty substantially over the last few years. A lot of that we see as a result of the increased consumer confidence issues, and just the media presence, and just the overall presence of information and security risk as a whole, particularly in the banking industry. Banking and consumer confidence is a big issue and a big differentiator, as we see today. My scope today involves typical areas of information risk management, to include policy definition and policy management, business resiliency, and disaster recovery. We do a lot in the identity management space, incident response, and of course risk management, risk assessments and so forth.
Swart: Sounds like quite the load. Let's talk about risk assessment and risk management for a while. What type of risk assessment methodology do you employ?
Jones: We've been evolving our risk assessment methodology over the last three or four years, and the intent was really to align our activities and our efforts towards what is important to the business, and we felt like historically, a lot of information security organizations have come out of the space of network security and working towards perimeter security, and things like that. So, we have made a very genuine effort towards making sure that the folks, the efforts that we are working on are what is important to the business. So, we really look at three different perspectives. We have an enterprise risk assessment. We have identified about 60 different microbusiness processes throughout the organization, and so we look at each of those. And then, due to our organizational structure as a bank holding company, we have 39 different banks right now. So, we take a different look at each of those banks, and we actually sit down and we interview with business process owners and bank facilitators which are sort of information security officers at the banks and we ask them questions regarding threats and vulnerabilities, and then compensating controls. And, we come out with kind of a residual risk factor. So, those residual risk scores are sort of a benchmark that we can use to measure areas of remediation, measure progress, and just measure overall risk within different areas of the organization.
Swart: How do you actually ensure that your risk management program is aligned with those business objectives?
Jones: It's actually built into the process itself. A lot of what we do is about understanding the information architecture. As a part of those risk assessments that we do, particularly with the business process owners, we sort of sit down and we walk the business process owner through the typical business process, kind of at a macro level. And as we do that, we try to identify key information assets that are part of their day-to-day business. And we can then tie those information assets and begin to understand the impact, both from a confidentiality and an availability standpoint. So, we have about nine questions that we use that are oriented around reputational risk, financial risk and regulatory risk, and we put it in sort of a quantitative method so that a certain amount above or beyond a degree of net income, for example. So, we may say, "Is this going to be an impact over $20 million or under $20 million?" And then that gives us some repeatable scores that we can use to understand the impact of that asset, if it were compromised from a confidentiality standpoint or if it were compromised from an availability standpoint. And those factors go into our risk assessments for the business process owners. So, we can quickly establish relationships between systems and IT technology resources, to understand how that information is being accessed, how it is being stored, and how it is being transmitted. And all of that goes into both the quantitative and the qualitative components of our risk assessment. So, at the end of the day, we can share with the board of directors and we can share with the business process owners, you know, where they are and where they need to improve. And we can take, and thereby we are taking a risk-based approach to our information risk management program.
Swart: You sound like you have a very robust risk management program. But I was curious, what other metrics do you use to demonstrate ROI on your security initiatives and security programs?
Jones: Well, of course, the residual risk is one, but another one that we've done is we've recently done sort of a 360 risk management alignment diagnostic, and we did that in cooperation with our businesses, to try and get a sense of what was important to them, and how well they thought we were doing. And there were about 16 different attributes that we used, and interestingly enough, you know, it may seem like common sense, but risk identification and risk communication were among the highest, in terms of effectiveness and in terms of importance. So, that gave us the sense that we were, you know, working on some of the right things. And you would probably expect that risk identification and risk communication would be in there, but it was actually a little bit of a surprise when you saw some of the other attributes that were measured, things to include security awareness, business friendly posture, and user education and user policies. Those are things that I might have expected to be a little bit higher. So, it was good for me to see that, you know, identifying risk and communicating risk were two of the key objectives that the business was looking for us to deliver, in terms of value add.
Swart: Interesting approach. Let's talk about incident response for a minute. Many organizations use that term in different ways. Some people use it in terms of a robust computer incident response team with forensic capability. Others simply mean incident reporting. Can you tell us, from your experience, what are some of the best practices for managing the scope of this, and also for managing the incident response function in a large financial institution?
Jones: I think there are some differences, depending on your organization. Synovus has some unique aspects to it, you know, having so many different affiliate banks related. But, we do have a very formalized incident response program, and it has evolved over the years with new threats, such as phishing, and things like that that have come out. As part of that, we rely heavily on our security facilitators and folks within the banks, to help us, to let us know when these incidents occur. But, we don't get into, and I understand, I've talked to other financial institutions that actually get into some of the customer computer forensics issues. If there was a customer that came to us and they had some issues at home, and some confidentiality breached as a result of their personal computing environment, you know, we do everything we can to talk with them and advise them on best security computer practices. But, we don't actually get into the business of doing sort of customer forensics. We work with local and federal authorities on any kind of case that might involve forensics, but we don't lead that investigation. So, that is kind of where we draw the line, in terms of forensics. But, you know our incident response process is more around triggering triage, handling and reporting, whether it is internal communication, external communication, or just really coordination within the business, in terms of what type of incident it is.
Swart: How do you tie your incident response function back to your fraud prevention and detection efforts?
Jones: For us, thatâ€™s actually the easy part, because they are really reporting up through the same area, and they work very closely together. Weâ€™ve got incident response coordinators that work with incident response handlers, and those are sort of the network and security engineers that work with the response coordinators, and so all of those detection and prevention controls are in very close reach to incident response folks. For us, the challenge is to make sure that that message is understood throughout the organization. We are [indiscernible] organization throughout the Southeast. So, making sure that the front line folks know, you know, when to engage the incident response process, and when to, you know, trigger the alarm to get the folks working, to ensure the extent, understand the extent and appropriate response for a particular incident.
Swart: What changes are coming in information security, in regards to financial institutions? Are there new threats or new challenges that are altering the way that risk is managed?
Jones: Well, there are a lot of changes I see that are coming in the financial space, and a lot of that is really being driven, I think, by the increased awareness and understanding of both the consumer and the banking regulatory agencies. On the consumer side, I think the consumers are becoming much more savvy through just general exposure in the media, and just general understanding of the risk that they expose themselves to every day through conducting online transactions, whether it be in the retail space or in the e-banking space. And then the stories around identity theft, and so forth. And that is also, I think, that same awareness is being understood within the FFIEC and all the banking agencies. So, we are seeing a raising of the bar of expectations and responsibilities around managing risk, especially in the banking industry. In terms of new threats and challenges, identity and access issues are related to that consumer confidence piece, I think from the consumer space, and even internally. But, obviously, the proliferation of data, mobile computing and mobile banking, all of these trends present new threat opportunities, and new challenges for us.
Swart: If you were going to give advice to somebody aspiring to become a CISO, or moving up the security career ladder, what are one or two key skills or abilities that they must possess today to be successful?
Jones: I think the ability to work very closely with the business, and understand the business' needs. You have to understand the business, and understand and provide value. If you're not providing value to the business, then you're not going to have the cooperation of the business, which is critical to the success.
Swart: Well, thank you for your information today. It's been great.
Jones: I appreciate it.
Swart: Thank you for listening to our podcast. For other educational information, or for other podcasts on banking and information security matters, you can go to www.BankInfoSecurity.com or www.CUInfoSecurity.com.