How to Re-engineer an Information Security Risk Assessment Program
Read this interview for insights on:
TOM FIELD: Hi. This is Tom Field with Information Security Media Group. The topic today is risk assessment and information security. I'm talking with Brian Huntley, Vice President and Information Security Officer with Camden National Bank. Brian, thanks so much for joining me today.
BRIAN HUNTLEY: Oh Tom, my pleasure for being here, and thank you for thinking of including us in this program.
FIELD: Now Brian, I understand that you came to the bank just a little over two years ago, and risk assessment and building an information security program were big parts of your job. Where were the risk assessment and info sec programs when you started at the bank?
HUNTLEY: Tom, when I joined Camden National in April 2006, the Information Security Risk Assessment, which really is what drives the whole program, it was a threats-based information security risk assessment. It was not an information assets-based risk assessment, and as a result we had a number of opportunities around both that, in terms of its serving its intended purpose as defined by Graham-Leach-Bliley, and also being able to use it tactically, to be able to help us better define, develop and refine our overall program.
We had worked through what I termed a threats-based information security risk assessment, meaning that it keyed off of the different types of events that could happen. We studied what's the risk if malware were introduced on the network; what's the risk if we experienced insider theft or insider fraud. We keyed off what's the risk if this system failed, and because it was threats-based we did not gain sufficient transparency into the relative valuation of the information assets.
In 2007, both as a result of internal continuous improvement vision as well as to some degree regulatory criticism, we converted that to an information assets-based risk assessment, enabling that was an inventory of all of our information assets, be they physical or electronic. And then because we understood what information we had, we could relatively value that as a function of its importance in sensitivity for business purposes, as well as whether it represented sensitive customer information.
So the information security risk assessment was threats-based when I got here in April 2006. The information security program was kind of half and half split between subscription content that we had procured from information services providers and the other half was home grown. While the original development of our information security program had been begun with the end in mind, it didn't really emanate from a particular centralized common baseline. It was a bit piecemeal, and while we probably covered the minimum bases that we needed to, it was insufficiently broad and deep to really let us -- well for it to be scalable to some extent, but moreover I think extensible such that when additional risks or threats exposed themselves we weren't able to see readily how to apply it to those.
So long story short, the information security risk assessment was threats-based, and it was perceived by auditors and regulators as needing to be information assets-based. The information security risk assessment was a bit piecemeal, and the working was not as cohesive nor as coherent as perhaps it should have been.
FIELD: So Brian, moving between those endpoints where you started and where you needed to go, give me a sense of the scope of this. What needed to be done and really by when did you have to complete this?
HUNTLEY: Yeah, Tom, coming to Camden National was a great opportunity for me, but I will level with you: I wish I had asked a few more questions about some of the immediate tactical challenges that I was confronted with on day one. At that time I came in, we had over 100 individual audit responses or regulatory exam comments that needed to be addressed by the end of that year, so we had, well what, I guess we had from mid-April to just over seven months to be able to address those obstacles.
We had committed to our internal audit committee, the Board and also the auditors and the regulators that had levied those criticisms that we would remediate them by the end of the year. So the immediate challenge was assimilating all of that stuff. You know, when an auditor or regulator gives you a comments, it's not necessarily framed in a project management context, but rather more of a summary context. And then it is up to the executing and performing organization to really figure out what that means they have to execute tactically in order to accomplish the management objective.
So the immediate challenge, and I think I spent the first three to four weeks of being here, was to assimilate all that stuff, organize it around a project management context so that we could understand the resource requirements that we were going to need to invest in order to be able to achieve the objective of remediating them by the end of the year. Now ultimately I don't think we got after all 100 of them by December, but we came pretty close. Our challenge, too, was making sure that we were addressing the most critical risks as fast as we could, so we needed to prioritize what the different responses represented from a risk standpoint.
Then in the middle of all of that, we like many companies, if not most in the financial services industry, do an annual update of our information security program. So at the same time that we were working on organizing and then remediating the residual risks that we had, probably end of second quarter, beginning of third, we needed to do the annual information security program update.
It was pretty clear from having been here just a short time that the program needed some redevelopment. As I mentioned in the introduction, it wasn't as tactically effective as it could have been, and so I kid of looked at it and said, "Well, gee, I would like to re-engineer this." Well re-engineering is fine if an organization has an opportunity to step back, throw the baby out with the bath water and start all over again, and that wasn't possible for us, and probably wouldn't be possible for anybody that is operating a program real-time. And also what we were faced with was folding into the program, the critical remediations that the audit and regulatory comments had said we needed to add, positioning it for subsequent overall redevelopment in the coming year and also correcting any errors or inconsistencies, but being sure while we were doing that that we didn't increase risk, but rather at minimum maintained the risk baseline that we already had.
So in summary, short-term, it was remediate a number of regulatory and audit comments as well as consecutively work through the program update for 2006.
FIELD: So what would you say you've accomplished to date, Brian?
HUNTLEY: Well, I think that the most beneficial aspects are that the programs redevelopment in 2007 unbundled and decoupled the policies that comprised the program components and gave them more transparency for our stakeholders -- that's our term for our employees -- so it helped our stakeholders plug into their individual accountabilities as expressed in our policies.
If you have not--in our legacy document it was as if you were reading a novel. There were separate policies for the different types of control domains that are important, but to find them you had to page through, page through, page through, and the redevelopment in 2007 positioned each one of those control areas as a separate policy and also broke out a separate section in each one where our stakeholders could tell what they are individually accountable for in terms of living up to the policy. So that transparency and that availability of the information for the folks that work here has done a lot for us in terms of our employees fluency awareness, but moreover I think their effectiveness in working in a secure and safe and risk-mitigating mode.
What we've also done is created a situation where any of our information security activities, monitoring and testing, logical access reviews, the things that we had been doing to some degree inferentially, perhaps casually, were recommitted to, amplified, but moreover cohered in more of a programmatic context in such a way that all of our observers, be they internal or external, could more readily tell exactly where we were coming from around some of the trusted definitive source baselines that we have to work toward to achieve effectiveness, such as the FFIEC Guidelines, Graham-Leach-Bliley.
And I didn't mention it earlier but I would like to now, that was really key to our ability to do what we did. Putting things into a project management context enable us to work our plan; you know work through the roadmap. But by base lining what we were going to do, taking our plan back to a trusted definitive source baseline, we were able to ensure that the work product that we ended up with met the expectations of our external observers, but moreover enabled our company to feel confident that we were doing all of the right things. The kinds of baselines that we referenced, as I said, the FFIAC Guidelines and their interpretation of the Graham-Leach-Bliley Act. We also used the missed guidelines and have a vision, and they are still working to it, that ultimately when this is all mature, say in the next couple of years, that we will have a world class ISO 27002 compliant information security program. Now will we go for ISO certification? I suspect not, but it will be enough for us to be able to show that it could be rendered that way.
FIELD: What would you say has been the toughest part of this transition so far?
HUNTLEY: I think for me personally it has probably been picking my spots and not over-committing. Probably as you can tell from talking with me, I'm pretty energetic and I like to work and I enjoy doing things, but coming into Camden National where our environment, because our company had committed to trying to do the right things around information security, I found a number of investments having already been made in tools, in systems, and we just needed some help with managing the program adequately.
To me, as an information security professional, coming into an environment like that where management and the board are also committed to doing the right thing but hadn't found the right people to help them do that yet, it was like being a kid in a candy store. So to some degree it was like, "okay, what do I do first" and for me it was prioritizing and making decisions around what to do first, what to do next, to maximize the company's ability to secure our information and mitigate the related risks.
I think it was a little frustrating, too, that I wasn't able to start from scratch. You know, that's just not possible, and I think that was a little naivety on my part coming into it. I had this vision that redevelopment meant re-engineering, and that just was an inaccurate kind of an outlook on my part. And so having a lot of opportunity and not being able to do all of it in a 50 to 55 hour workweek, and then on the other hand not necessarily being able to do it exactly in the way that Brian Huntley had thought he wanted to do it when he looked at the opportunity. Those were probably the biggest challenges.
On the flipside of that, some of the easiest things, I got to tell you that I think our company probably has one of the most engaged, most knowledgeable, most committed and most caring senior executive team as well as the Board. I can't -- you know the first time you go through a Board review of your information security program, that is always pretty daunting because at the end of the day, with the Board having the formal fiduciary and legal responsibility for the governance of your information security program, there is a tendency to go into those kinds of interactions with a good degree of trepid feelings; "Oh gee, what if I've fallen short" you know, "what if I didn't capture this" or do that or whatever.
Our senior executives and our Board couldn't have been, and remain to this day, couldn't be more supportive in terms of doing what we need to do. Moreover they are interested and they are caring. I am always wowed when I talk with those folks and they ask technical and tactical questions that, you know, the types of dialogue you and I as information security professionals would have. They want to know about how host intrusion detection works. They want to know how anti-virus works, they want to know how when they are at home they should conduct and comport themselves in their own information technology use in such a way that they can minimize their personal information security risk.
To find that, especially in a Board, with as little amount of time as what typically I would get as one of 35 people that they typically interact with the Board on a policy program update basis, to have that opportunity is really affirming, it is really energizing. And so that I would have to say is on the flip side of what's been tough that that's probably what has been the easiest.
FIELD: Brian, what would you label as maybe your biggest success to date with this program?
HUNTLEY: As I thought that through, I think what we've done with our monitoring and testing program has really been the biggest success. I mean, I've talked through a lot of things, but it has been the daily monitoring of our events logs, the ability to assimilate and interpret and take away business indication from the very arcane information that is in those logs that has really helped us gain a comfort level with our company's information security risk posture.
As I mentioned, we have host intrusion detection systems. We run a couple of perimeter firewalls and a spam firewall and learning, well organizing first and then learning, how to assimilate all of that, collate it around what's going on with our business and create transparency and knowledge for the management team around how are we doing around information security risk, what's happening out there in the environment, that has probably been the biggest success.
Our technology steering committee has a transparency into that that they never had before. It makes them feel more comfortable and more confident around executing business decisions for things that enhance value for our stockholders, all of our constituencies in the company. I mean for example, in the last several months we worked through an acquisition integration of another bank here in Maine.
The fact that we had such a good baseline around monitoring and testing when we merged our systems, we knew what we were looking at and we knew and could anticipate the types of things that we could expect form an information security risk standpoint. So that was greatly enabled. And again, I just think it is the monitoring and testing program that has given us the most capability, maturity of all the things that we've done.
FIELD: Give me a sense of what people see that is different now. What tangible results can employees, for instance, see?
HUNTLEY: Well, as I mentioned earlier, I think that they've gained confidence around the company's expectations of them as individuals. What their individual accountabilities are in terms of fulfilling the company's expectations for information security. You know, no longer does an employee need to worry 'Well, is this the right thing or the wrong thing,' they can fairly readily tell that it is and do that on their own. That is really important, you know, it is kind of like the old adage of "united we stand and divided we fall." If we can get everybody acting together in more or less the same way, we do a lot better job and so we've achieved that forced multiplication I think through the individual employees knowing more and being able to tell better what their individual accountabilities are.
Furthermore, I think our organization now having the human capital, the intellectual capability, whatever you want to call it, of a single point of contact that is dedicated to this function of information security. That has tactically enabled us to work faster because whenever we think things through it is no longer a decentralized point of contact.
I didn't mention it at the beginning, I don't think, but the information security officer prior to my arrival did it on a part-time basis. It was a function that was added on top of our operations manager's duties. And so when new things would come up, it wasn't always clear whether it should be directed right there or whether it needed to be technology, but by virtue of having an information security officer's role defined there is a sense of specialization, there is a sense of ownership that I think has helped everybody in the company when they are proposing new business initiatives, when they are dealing with operational issues know where to direct those inquiries and where to direct their concerns and have them dealt with as expeditiously and as competently as we can.
From a customer standpoint, that is pretty important too. Because of the additional focus that we have achieved as well as the additional insight, we've been able to reduce processing errors, and I would like to attribute all of that to the information security program. You know I'm not sure that we can entirely, but I can tell you that we've reduced our processing errors. I think what we've been able to do as a corporation is we have increased our service responsiveness, whether it is through the introduction of some new technologies in our branches or whether it is simply because we are able to tell a customer faster how, or maybe if, we can do something more for them than we could before. You know, you kind of cut it back to well, our depositors probably get higher interest rates to some degree because our costs are lower. Probably our borrowers get to some degree a lower rate on their loans because we are not incurring perhaps the same less efficiencies, the same lower efficiencies that we were. So it's a little bit tough to say to the customer, to the stockholder exactly what the tangible benefits are, but as I've thought it through in the context of both our stakeholders, our employees, as well as our customers and our stockholders that are the other part of our constituency, that that is kind of what I've taken away for myself as being the tangible benefits we've delivered.
FIELD: Now Brian you mentioned perhaps the grail of ISO certification. What is next for you?
HUNTLEY: Well, where we need to head as a still relatively small, we are financial service company and we introduced to this Camden National Bank and that's the flagship of Camden National Corporation; we also operate a trust subsidiary known as Acadia Trust, and then the service corporation itself. And while just over a $2 billion dollar company, in terms of total assets and some 300-odd, nearer to just over 400 stakeholders now, we are a relatively small company. Yeah, we have a footprint in nearly two-thirds of the state of Maine, but, we don't have an awful lot of extra cash these days. And so for us, where we need to head is automation. We need to find ways to take the things that we are doing manually now and automate them.
Furthermore, we are relying on administrative controls, and while those meet our needs from a risk mitigation standpoint, there is always opportunity to do better and it is the installation of, it's the specification and installation of technical preventive controls that kind of compliment the automation vision and make things a little easier and provide you with the resource relief that you need to go ahead and begin to further mature the program.
We are also going to be doing a resource gap analysis this year to ensure that we've got the right level of human capital applied to this and you know, that is driven by residual risk, the prudency principle comes into play. We are not going to spend more on mitigating this risk than what it actually represents. Knowing what our information assets are from the inventory I alluded to at the beginning, knowing how much they are worth and what the residual risk around them in the forms of perhaps the additional controls that we could implement -- that gives us good direction from a business planning standpoint. And we will use that to plan and ultimately implement the additional automation, the additional technical preventive controls that I think are going to position us to do even more with this than what we have been able to achieve so far.
FIELD: Brian, you laughed up front saying you wished you had asked some more questions before you took the job. I'm curious now, what advice would you give to a peer stepping into a similar situation with these challenges?
HUNTLEY: Well, don't get me wrong on that Tom, I mean that that was speaking a little casually. In no way, shape or form have any of my expectations not been way exceeded in terms of the opportunity and the trust and just simply the commitment the company has made to what we are trying to achieve. So yeah, I guess if I wanted to take off on that a little bit I would clarify it to say, when you are looking at an opportunity in a company at the get go, please be sure to interpret it in the context of not only your vision for it, but perhaps more importantly, the company's vision for it. So that is a clarification on the earlier comment that you alluded to.
I think what I would advice somebody else to do is the old adage, plan your work and work your plan. There is no substitute for using a project management context to approach any type of work. You know, you don't necessarily have to have a fully fleshed out project management program to use project management concepts in terms of decomposing your tasks into smaller and smaller more definable and executable bites.
When you are faced with a huge scope of work, sometimes it can be very daunting to even get started, let alone get anything done unless you do decomposition. Because that is the key to making a list and then being able to execute on it. I think too, as I mentioned and I think you might have alluded to it as the holy grail, I think it is really important that whenever you--whether you come into a situation with the opportunity that I had to redevelop, or you enter a situation where you are going to be in more of a caretaking mode around a program that is fully fleshed out and already pretty mature, I think it is important to make sure that that which you are responsible for is aligned with whatever taxonomy applies to the environment. You know, look around and figure out whether it's HIPPA, whether it's Graham-Leach-Bliley, whether it's the NERC Critical Infrastructure Protection Standards, whatever taxonomy applies around information security, in the functional environment that you are responsible for, look at that as that Holy Grail that you mentioned and use that as your touchstone.
An information security professional's goal, among other things, is to translate the theory into practical operational realities, and it is those standard frameworks that not only tell you where you should go, must go, but moreover, if you look at them in a project management context, can give you that direction that may not be there when you first arrive.
And then, lastly, I think I would like to share that people need to measure as many things as they can. As well as do management reporting. Because information security, as a functional area in many companies today, is still in its infancy and many of the people that have the management responsibility for governing the environment may not know as much yet about what they need to know. And it's that measurement, it's that reporting that helps them gain the tactical fluency that helps them gain the professional competencies that they need in their roles to be able to help you as the information security officer achieve the things that you are responsible for.
FIELD: That makes sense, Brian. I appreciate your time and your insight today.
HUNTLEY: Well, Tom, thanks for asking. I hope it achieved your expectations and hopefully everybody else that is in the audience on this will gain some benefit from it as well.
FIELD: Very good. We've been talking about risk assessment and information security. We have been talking with Brian Huntley, Vice President, Information Security Officer with Camden National Bank. For Information Security Media Group, I'm Tom Field. Thank you very much.