CISO Jeff Bardin on What Makes A Successful Training Program
RICHARD SWART: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’ll be speaking with Mr. Jeff Bardin, the CISO for Investors Bank and Trust. Jeff has held top secret clearances while breaking codes and ciphers and performing Arabic language translations serving in the United States Air Force and at the NSA, and also served as an armored scout platoon leader and Army officer. He has worked in leadership positions in several organizations, most notably with Hanover Insurance Group, General Electric, Lockheed Martin and Marriott International. Jeff was recently awarded the 2007 RSA Conference Award for excellence in the field of security practices. The Bardin-led security team from Hanover Insurance also won the 2007 SC Magazine Award for best security team. Jeff is currently the CISO for a Fortune 100 Financial Services firm and holds CISSP, CISM, and NSA IAM certifications. Today, Mr. Bardin has agreed to discuss the need for information security training and education for employees at financial institutions. Jeff, you are known for your innovative and effective training programs. Could you tell us about the approaches you have used and what has made them so successful?
JEFF BARDIN: I think one of the things I’ve been able to do is use different media types, software awareness and training programs. The different multi-media types that are given to crime targets. By that, I mean using different seminars out there, time seminars, some that are regularly scheduled, others that are timely dependent upon what you usually see in the environment on a regular basis, such as social engineering calls that may pop up. We have an awareness phase. We also perform annual training that corresponds with testing that folks have to take and pass. We put out posters, Flash animation on the Internet, pop-up screens off our site as well that reflect the same posters that we put out. We have email announcements that we’ll send out to folks that link back to policies or other trends with Web postings out there. We’ve even made bookmarks for people to use in there. There are books or manuals in house. There are a lot of how-to’s as well, such as how to use a WinZip folder or how to apply a password to a Word, Excel or PowerPoint file, and how to use Adobe Acrobat and its security features. One of the other things that we’ve really been successful in is rewarding positive behavior and communicating that to someone who does the right thing with respect to training and awareness. We like to let people know that they have done the right thing and make them kind of a poster child for positive reinforcement.
RICHARD SWART: Now, is your training and awareness delivered to all the employees in your organization?
JEFF BARDIN: We do deliver it to all employees as required. It’s sent out to all these folks. In addition, we may also extend this to third parties, folks such as developers or others in house who are consultants. It depends on the type of training offered. But it is definitely for all employees.
RICHARD SWART: Are there particular topics that a manager of security at a financial institution should focus on when developing their training programs?
JEFF BARDIN: Financial institutions definitely should focus on anti-money laundering and fraud type training as well as Gramm-Leach-Bliley training. They’re definitely two that must be trained upon and tested. We do that. In addition, there are others that we’ve expanded into on privacy areas, performing risk assessment, building security into the systems development life cycle, a little more technically focused, talking about how to build meaningful metrics that expands within a security area and privacy and compliance. We’ve also held brown bag lunches around CISSP training for more technical staff as well. One of the ones that we seem to continue to teach over and over again is social engineering. We get a lot of phone calls from outside from people posing as someone they’re not, trying to gain access. Pretty much all your technical controls will be for naught if you have social engineering occur in your environment. We try to push heavily on the social engineering.
RICHARD SWART: Are there particular challenges that you face when training bank employees or employees of financial institutions in information security and what are some of the sources of those challenges?
JEFF BARDIN: The challenges are really—it’s not so much the training. It’s getting people to act upon what they’ve learned; that is what we find to be the biggest difficulty. We can train people and have them take the test, but if they don’t practice what they have just learned, and practice this over time, we find it difficult. Therefore, we need to have the different media types to get people to maintain their level of awareness and vigilance and actually to execute what they’ve learned. One of the things we’ve done, and another media type, is using a Jeopardy screen; we developed a PowerPoint on the several different buttons that actually hold data protection Jeopardy answers, different information security Jeopardy classes. The most difficult part though is really getting people to execute and to take seriously that they need to really do what they’ve learned and execute this, therefore the focus on rewarding the positive behavior. Some of them should try to do that have not been successful on this to try and build this into people’s management by objectives, the MBOs, or through the appraisal process somehow when you’ve got compliance, privacy and information security aligned as a value that people are measured upon.
RICHARD SWART: What has been the challenge in implementing the MBO process that you were talking about?
JEFF BARDIN: The challenge there is you need senior level support to incorporate this into the MBO. So, it’s got to be taken seriously at the top level. It also needs to be seen as something that is done but that will not impact revenue generating type objectives that people have. Getting them to understand that it is part and parcel of revenue-generating objectives and that it should be seen as a corporate value, that’s usually the most difficult part. You need to have people at the top exhibiting the same behavior and communicating that out for you and then building it in to the objective process with HR so that it is part of the business core value of the company.
RICHARD SWART: Aside from instilling a culture of security at the highest levels, what are some of the challenges, or I should say, what are some of the differences in the training that senior people need in information security as they move up the career ladder?
JEFF BARDIN: I’d say at the beginning, if you’re just starting out in information security as a new professional, you should really focus on your technical background. A lot of folks will focus folks specifically on infrastructure. You need to also focus on software development inside the house; a very solid technical background that covers as much as possible of the IT infrastructure is key. Again, software development should be a focus. I think there also should be some training on the international side, whether it’s new professionals or existing, as more and more of our sourcing is done offshore, whether it’s India, China, or even starting to expand in South America as well. So, having an understanding of different cultures, of defense regulations that are not just nationwide but also international, is something that both newly minted security professionals and existing folks should really learn about. When it comes to a business and learning the business, it is absolutely required of an information security professional to learn about the business, learn the competitors of their business and what they’re doing, learn the risk appetite of the business and what risks they are willing to accept and which ones they’re not. Those are key things they’re interested in and focus on. If you sum this up: a real solid technical background, whether you’re new or not; that international focus, regulatory and statutory environments national as well as international; and then learning the business and having a solid understanding of the business and the overall risk appetite, and all things going on in the business around you and what competitors are doing.
RICHARD SWART: For someone just starting out, it sounds like they really need to have a solid technical foundation. What should they do after that? What does the career path look like if someone wants to aspire to be a CISO such as yourself? Do they need to go get an MBA? Should they go to law school, continue technical training? What’s the career objective or career path for somebody who wants to move up in terms of training?
JEFF BARDIN: Well, you mentioned an MBA and I think that is a very smart move. A lot of folks will focus on a Master’s in Information Security or Information Assurance, both of those proposed by--the National Security Agency has this program at different colleges and universities that are offering Master’s in Information Assurance. Those are valuable, but in a very pioneer business, having a Master’s in Business Administration with possibly a minor in Information Security or Technology or an International focus on that is definitely where I think things should go. Too often, information security professionals will focus exclusively on the technical background and will then see, and others see, information security as solely a technical issue, and it’s not. I look at the technology side as maybe about 20% of the issue. There are policies and procedures and there’s working with people that are absolutely critical to making this happen. Having an MBA focuses on the business and gives you the background to understand the business; that is where I would go next with respect to receiving a Master’s degree. Going out and getting certifications such as CISSP or CISM that are more general in management is solid to go after. There are more specific ones out there in the marketplace. But if you’re going to grow, I think, into more management rank and move toward the CISO level, you should keep it more broadly focused on the management type certification than a specific technical area.
RICHARD SWART: It sounds like the role of the CISO is undergoing some evolutions, virtually based on the things you’re talking about, internationalization and compliance. Is it your impression that the roles of a CIO and CISO are changing in general? What would be some of those changes and what impact does that have for an information security officer?
JEFF BARDIN: I think, and to focus on the CIO, traditional CIOs were really focused inwardly on enterprise or the ERP type systems and financial systems. More CIOs today that I’m looking at in the financial space are really focused on revenue generating, Internet focused, Internet facing applications. So, they’re really driving and pushing risks to generate revenue. In the past, they were more concerned with the internal focus. So, I see a CIO today as really more of a VP of product management engineering type that is generating revenue. I think there are some conflicts there with focusing on the internal side. Now that’s got an impact on the CISO from the perspective that the CIO is pushing out new applications that generate risk while the CISO is trying to mitigate or limit the risk. So, there is a natural conflict between the CIO and CISO. I would like to see more CISOs not reporting to the CIO but actually on a peer level with the CIO, reporting into some other function. That could be—requires risk management type grouping in house or risk committee. It could be something of that nature. But reporting directly into the technology side again minimizes the position when it should be more focused on risk, because ultimately information security is really business risk. And then in the financial services space, aligning it right next to credit risk, financial risk, Basel II type issues is where it should be, allowing C-level folks to look at it as a business risk along with the rest of the risk in the company and make decisions on mitigation strategy, transference of the risk or acceptance of it from that view.
RICHARD SWART: Excellent information. It sounds like the roles of these positions really truly are evolving and that information security officers today do need to have a well rounded and well developed sense of business acumen. Thank you for your time today, Jeff. It’s been an excellent interview and thank you for providing such useful information to our listeners. Thank you for listening to another podcast with Information Security Media Group. To listen to a selection of other podcasts or to find other educational content regarding information security for the banking and finance community, you can visit www.bankinfosecurity.com or www.cuinfosecurity.com.