What it Takes to be a Risk Manager - Kenneth Newman, Central Pacific Bank

Risk management today - it's less about pure technology, more about business acumen and pure communication skills.

This is the position of Kenneth Newman, VP & Information Security Manager at Central Pacific Bank. In an interview about top risk management trends, Newman discusses:

Scope of the risk management job in banking institutions today;
Biggest challenges to getting the job done right;
Necessary skills for successful risk managers.

Newman joined Central Pacific Bank as Vice President & Information Security Manager in February 2009. He oversees the bank's information security program and the protection of its information assets.

Prior to joining CPB, Mr. Newman served as First Vice President & Online Risk Manager for Washington Mutual (WaMu) and has managed various global and regional security and risk functions for Deutsche Bank and Citigroup in New York.

Central Pacific Bank is the main subsidiary of Central Pacific Financial Corp., a Hawaii based financial institution with $5.2 billion in assets.

TOM FIELD: What are the trends in risk management in banking institutions today? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am talking today with Kenneth Newman, Vice-President and Information Security Manager with Central Pacific Bank. Ken, thanks so much for joining me.

KENNETH NEWMAN: Tom, my pleasure.

FIELD: Just to start out, how about you tell us a little bit about yourself and your role with Central Pacific Bank.

NEWMAN: Certainly, Tom. I've got a background in Information Security and Risk Management in Financial Services that goes back more than 15 years now. So I've been doing this sort of thing for quite a while. I would like to feel that I've a good sense because I've seen how the industry has evolved and grown up over time. You know, way back when, they used to sort of call us IT Security People and then Computer Security People, then Data Security People, then Information Security People, and finally we're beginning to get perceived as more Information Risk Managers. So it's been a very interesting evolution that I've gone through myself.

Here at the bank I'm responsible as the Information Security Manager to oversee the bank's entire information security program that is charged with protecting information assets, protecting customers' confidential information. And in order to achieve that, my goal is to help all the areas of the bank understand and meet their requirements whether they are control requirements or compliance requirements as they relate to the protection of information.

FIELD: It's a big job, Ken.

NEWMAN: I think that is something that anybody sitting in a seat like mine today says.

FIELD: Well, it's so big, I'm going to break it down into a couple of questions, and the first one I want to ask you is from your role at the bank, what do you see as the top trends in risk management?

NEWMAN: Well, from my standpoint, within financial services, obviously when we talk about risk management and we talk about information, our main focus is going to be on privacy and confidentiality. So what I see as the trends in risk management with where we are today in information security and where we still need to go to become true risk managers is today, you still see a focus in information security that is very often IT based, focused on networks, focused on infrastructure, focused on very concrete controls, and not necessarily yet consistently elevated to the business logic level, the information level, the flow of data and information through the organization. So, I think from where I sit that the main trend that I think is important is we're beginning to see this transition where as information security moves into risk management, it's less just about pure technology and what is going on in the IT world, and it's more about what goes on in the business areas, how they manage information, how information flows through the organization as a commodity, and then what are the risks associated with that flow of information.

FIELD: Now, Ken, one of the interesting things you talked about a few minutes ago was the scope of your duties because they go far beyond just the information security department. You're talking about affecting other parts of the banking business. So give us a sense of what the scope of the job is for someone like yourself today.

NEWMAN: Certainly, certainly. Beyond just the traditional information security components -- because we do obviously still work very closely with our partners in the IT world to help set the policies and standards around infrastructure controls and that could be everything from antivirus software to intrusion detection systems -- at the same time we also work very closely with different business areas that may rely heavily on technology. So for example, our different delivery channels to provide services to the customers, whether you are talking about online banking, ATM, mobile banking ... So, we try and work closely with those consumers of technology and producers of products to make sure that new services that get introduced to service the customers have controls associated with them. But beyond any pure technical aspects, almost every level of management will try and interact with whatever frequency we can to understand what their goals are, what their drivers are, where the business is going. What information resource it's going to take to meet those business needs and drivers, and again how can we help with as practices, controls, compliance recommendations to make sure that with moving forward and delivering those new services via information resources that we're doing everything in a prudent and managed fashion.

Then from there, there is the operational side of things. So we work very closely with operational teams where there might be issues, and that could be transaction processing groups, going back to loss prevention and fraud teams, to determine if there are any operational factors or loss factors that might relate to something that information security faces. So is there an opportunity where controls around information could help to minimize operational impact, help to reduce losses related to fraud, so any of those facets and then obviously legal compliance, audit, and other control functions like physical security, business continuity. We're going to interact closely with all of those areas to try and create a holistic picture of the risk landscape for the organization and try and set priorities and identify synergies. So, as you stated earlier, it's definitely a lot for anybody who is sitting in this seat.

FIELD: Given that, Ken, what do you find to be your biggest day to day challenges?

NEWMAN: That is an excellent question. I wish I could say there were fewer challenges. It's always nice to be challenged because then you feel like you are working towards something and you can overcome something, but I think the biggest challenges that we face looking at information security, looking at risk management, from where those of us who sit in organizations like mine, are the communications aspect. We could talk about technical limitations, we could talk about budget, we could talk about resources, but I find a lot of it really comes back to communications. How effectively am I interacting with different areas of the business? How effectively am I understanding their needs and their drivers, and most important how effectively am I communicating to them what their risks are, what the requirements are, and what they should be thinking about? It's not going to be always core to their thinking, because they've got a day to day business responsibility and that's their driver, but can I communicate in a way that makes it more effective for them to understand and maintain and embrace that there are security aspects, there are risk aspects that go hand in hand with what they're doing?

So, I think for me one of the biggest ongoing challenges is trying to maintain that communication with everything else that is going on.

FIELD: Well, it's easy to see how you overcome the challenge-- it's by maintaining that communication. How do you measure your success there?

NEWMAN: How do you measure your success for things like communication? There are obviously some traditional things that we are going to look at. Are our initiatives and projects, are they proceeding apace? Are things delivered in a timely fashion on schedule? And yet, we still have the opportunity from a security and risk standpoint to do reviews, to do assessments, to make recommendations. So, if we're able to meet our goals for a given project, and that project is still delivered on time, on scope, on budget, then I feel like the communication has been effective back and forth. So that's definitely going to be an element that is so important to us. Are business goals being met?

Some of the softer things that I'll tend to measure are how often people may come to me with things. So rather than my having to reach out to the business all the time if I learn about a new project or a new initiative, or just to find out what's going on, am I seeing more cases where the business comes to me proactively and says, 'Oh, we've got this new application we're going to implement. Or there is a new initiative, there's a new market and a new business opportunity and we'd like to talk with you now, and we'd like to sit down now rather than later when we're further down the field.' So those types of things I measure as a greater level of success in communicating my needs effectively out to the business.

FIELD: Ken, you talked about your experience in the field and how long you've been in it. What would you say today are really the essential skills necessary to fill your role?

NEWMAN: I think five years ago, we still would have been talking more about technical knowledge, the hard aspects of security, being familiar with intrusion detections, firewalls, all those sorts of things. And I would say all those things are certainly still important today. But what's truly essential, what's going to prepare somebody to sit in this seat and manage a security function, and help to manage risk for the organization are those softer skills like communication. Those are going to be an important component that shouldn't be overlooked and obviously a business understanding.

When I look for folks to bring into my organization, I tend to look for more people with some kind of operational background in the business rather than a pure technical IT background. And if I can find people that understand business operations, understand the nature of my business, understand the importance of delivering business, and they have soft skills so that they can communicate effectively. They can communicate over the phone, they can communicate in person, they can communicate in email. They can get a point across without taking things personally. I think those are key resources that on top of a technical foundation of how security technically works provide the balance that prepares somebody to grow in an organization and really become more of a risk manager and not so much of just a technical security person or an audit person, or a compliance person, but someone who is going to be able to balance the risk with the reward to help the business make a decision.

So I really think it is a combination of things, but more and more it's that operational business sort of knowledge, as well as having those types of soft skills that let you convey your points and be moderate and be managed, and not take things personally. I think we've all got to a certain degree have a little bit thicker skins if we're going to do this kind of work.

FIELD: Well, that's a great segue to my last question for you, which is someone that's trying to start or even restart a career today in security risk management; if you could boil it all down, what advice would you give them?

NEWMAN: I'd say don't just focus on the technical aspects. You definitely need to be familiar with the technical aspects, but a lot of it in risk management today is conceptual. So, you've got to understand what firewalls and intrusion detection and intrusion prevention and antivirus software and encryption controls are there for and the purpose they serve and the control they provide. You don't necessarily need to be able to build a technical solution from the ground up, but I would say have that basic foundation, but also then look for opportunities either in your work or in your education to get more of an operational focus. If you are in the work force right now, volunteer on projects, look for opportunities to get involved more than just a security aspect, but look to the operational side the business side. And try to place yourself in more situations where you can understand the points of view from those other sides, and then with that work on teams, work with people, work on your communication skills so that you can interact more effectively. I think that's going to provide a strong foundation. It's going to make you really marketable and give you an opportunity to move up into the risk management space.

FIELD: Ken, that's great advice. I appreciate your time and your insight today.

NEWMAN: It was my pleasure, Tom. Thank you very much.

FIELD: I've been talking with Kenneth Newman with Central Pacific Bank. For Information Security Media Group, I'm Tom Field. Thank you very much.
