Former Treasury CISO Ben Chisolm on Financial Institutions and Security
RICHARD SWART: Hi. This is Richard Swart, Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today, we'll be speaking with Mr. Ben Chisolm, recently the Chief Information Security Officer of the United States Treasury. He has 16 years of experience in federal government, and has coordinated information security projects on a national scale for a number of agencies, including the IRS and Commerce. Can you explain what your position was at Treasury, and also could you tell us a little bit about how Treasury interacts with other financial institutions from an information security perspective?
BEN CHISOLM: My position at the Department of Treasury was CISO for Headquarters and Enterprise Systems. Treasury, just like any other organization, has a headquarters corporate element or location, which is the fabulous 1700 Pennsylvania Avenue, so it's right next to the White House. And Enterprise Systems of course were those systems which span control or interactions across the Department of Treasury. So, as the CISO I was responsible for coordinating those activities and the information systems security managers who work for each one of the particular corporate elements. How Treasury works with the banking industry is that Treasury does a great deal of auditing, of compliance monitoring, and information exchange with banking elements under various regulatory and legal regimes. And of course as a federal entity, it has to follow its regulations as well as those of the entities it regulates. So it makes for an interesting interaction in terms of ensuring that everyone follows the rules; Treasury follows not only the federal rules, but the rules that it – the federal government has levied on private industry.
RICHARD SWART: So, if we're talking about FISMA obviously from a federal perspective, but what are some of the other rules that are particularly challenging?
BEN CHISOLM: Well, the rules such as those with Sarbanes-Oxley. Obviously, those are challenges, as well as the industry having established its own regimes such as the COBIT regime, those established by major financial institutions, the credit card industry and the like. So, they're internal standards that have been established by banking industries, as well as the interpretations of Sarbanes-Oxley and how they can comply with those regulatory requirements.
RICHARD SWART: You've got an incredible experience at a national level. Could you talk about what some of the management challenges have been of coordinating information security over such a wide scale or at a national level?
BEN CHISOLM: Probably the biggest challenge is understanding that while – that the job needs to be done in – as an enabler and not an impediment to daily work, meaning that everyone of course wants to do the job securely. Everyone wants to make sure that those systems are secure, and that they're not compromised, and that the information that's exchanged goes to the individuals it's supposed to be exchanged with and is not leaked out or utilized in, heaven forbid, some criminal fashion by those who shouldn't have access to it. But, to – it can't be done in a fashion where people can't do the job they need to do. I'm sure every – you as well as every other techno-geek has heard the joke – the only secure computer is one that's unplugged. Well, yes. It's unplugged, it's got no power, no keyboard, no input or output, it's very secure. It's also very unusable. So, the greatest challenge is to make sure that security is implemented in a fashion that enables business or enables people to get work done.
RICHARD SWART: How did you do that? What are some of the best practices that you've learned over your career?
BEN CHISOLM: Best practices are a lot of human skills, a lot of soft skills in terms of negotiations. Understanding what the business requirements are for any particular organization or element. You know, people would like to approach such solutions from the standpoint of it's a technical solution. One of the CIOs that I personally got to work with who I thought was absolutely fabulous was Ira Hobbs at Treasury, and Mr. Hobbs would always say these are people solutions, not technical solutions. We need to be able to work with the people and understand their work and how they function and what information they need to access, and work our way to a technical solution that allows them to access things securely. And when you put a fairly large in some aspect but extremely knowledgeable – technically knowledgeable contingent into the mix to discover those answers, they – the conversation tends to lead toward firewalls, IDS, IPS, VPNs. And when those conversations go in those directions, you can see the business people – you can see their eyes roll back in their head. I mean, they're literally looking at people as if they're speaking in another language, because they are. When what we need to talk about are what are your business processes, what are your information exchanges, what are you – who are your partners, what are your interconnection requirements in terms of getting information to and from those partners.
RICHARD SWART: Very good advice. From personal experience, I know it's a huge challenge. How does Treasury balance the challenges of providing assistance and oversight?
BEN CHISOLM: I think Treasury has a long history of doing that in an absolutely fabulous manner with great agencies like OCC and FinCEN and the IRS. But probably the key to those – to that oversight and interaction is that the Treasury Department really does endeavor to work with their partners and understand that they're – they are there to support and enable their partners to do business. That it's a competitive edge that's in the national – of vital national interest for our industries or any industries that are regulated by the federal government to be able to function securely. So I have been very lucky in my career that I worked with two great agencies – the Department of Treasury and the Department of Commerce – who have a very good industry-centric model in supporting private industry. So working together as partners – as equal partners is probably the key to the approach of how we do things, saying, well, there's obviously a regulatory regime that's been established. We all agree it's in our best interests – both our best interests and the national interest to function in accordance with that regime, so how do we get that job done. So I think having very good agreement that we all need to do our job securely, that being said the real work is the "how", and when you get past the – once you have established the "what", then the "how" is a lot more – you have a lot more motivated people with a clear path that says okay, we're just working on really how we're going to do this.
RICHARD SWART: Are there particular threats or challenges facing Treasury or financial institutions that our listeners might not be aware of, or that they should be paying more attention to?
BEN CHISOLM: Probably the greatest challenge facing all of the banking industry as well as the federal government is the criminal use of the information that we possess, or the increasing value of that information. I mean, there was a time where information being leaked or being accessed in and of itself was a problem and it was a disclosure issue, but that was pretty much where it stopped, as a disclosure issue. Now it's actually an – for lack of a better way of putting it – an actionable issue, meaning that there are persons that would like to get access to this information to do something with it. I mean, your name and social security number, and personal address, and your mother's maiden name, and all of these things – your financial habits, what you buy, what you consume – all of that information now has gained significant value. And because it has such significant value, there are all sorts of elements that are – that are pursuing it. Information is the new currency which bank robbers are targeting, to use an old – an older paradigm.
RICHARD SWART: That's where the money is these days, it seems.
BEN CHISOLM: Exactly. And Treasury has – generically speaking – Treasury has a very good model of working through its assets or identifying its assets, and coming up with targeted, sensible actions to do so. I mean, once you understand the information you possess is of value, then you start to kind of – I don't know, work your way backwards is the best way to put it. But then you understand, well, here's the information we have. This information resides on the following servers, and the following networks utilized by the following people, and it's interconnected with the – these other partners. So you start to come up with this holistic approach that says okay, knowing where the keys to the kingdom are, where are we going to put our efforts to having increased monitoring, to increase auditing in reference to those key nodes or key elements within the system.
RICHARD SWART: I'm also curious about how you've dealt with the effective training requirements. Many organizations struggle to develop effective training and awareness campaigns. What have been your experiences, and what lessons might you be able to pass on to our listeners?
BEN CHISOLM: There's an absolutely, I think, fabulous training team within Treasury, and the targeted training in terms of role-based training has been absolutely excellent in terms of relating what security training is necessary for particular individuals in their roles. So, if you have someone who's a system administrator, obviously they need different sorts of training than someone who is a user or even someone who is a power user, or someone who's a CIO or an Executive. So, coming up with targeted training – security training that relates specifically to individuals' roles has been, I think, extraordinarily successful. And the other tactic is to not only look toward – or look inwards toward training but to look outwards. There are fabulous organizations such as the Computer Security Institute and SANS and Black Hat Federal who have excellent training opportunities. So to look outward and look at what these organizations are doing, who as a rule keep up with all the goings-on in industry and the new leading-edge technologies. So, focus on the individuals' roles and responsibilities internally, and externally partner with or interact with those organizations who through their mission are always working on leading-edge technology and answering the questions that people need to know for their next steps, because as computer technology moves at light speed, we need to make sure we stay ahead as much as possible.
RICHARD SWART: What career advice would you give to someone just thinking of getting into the information security space at this point, and what skills do they really need to ensure that they have?
BEN CHISOLM: I would say that there are two things that I would advise them of. One is that the information security space is like many other environments. It's extraordinarily large. So – and it's becoming larger and larger, I think, every day. So if you want to get into information security, I would say great, but you need to ask yourself where, in what vein, with what industries. I mean, you really need to start to target the follow-on of where you'd like to work. Would you like to work in a law enforcement industry, would you like to work doing computer forensics in law enforcement, would you like to do data analysis in law enforcement, which is a bit – [indiscernible] a little bit different than data analysis in terms of the banking industry or the retail space. You really need to start to target one, what industry you'd like to work in, and two, within that industry what pieces and parts of the traditional and, I guess, ever-evolving responsibilities do you want to pursue.
RICHARD SWART: What if someone wanted to get into the financial industry specifically, what career advice would you give them?
BEN CHISOLM: I would give them the advice to have a partner skill along with that. Look at project management, look at accounting, look at business intelligence. It's really not – well, it really is a space where you need a companion skill to truly develop. So you need to look at computer forensics, but – data analysis, GIS. I mean, you really do need a companion skill that's applicable within the industry or within technology in general to be truly effective. Because from what I understand, that's what our banking partners are looking for. They're looking for people who not only are IT security experts but who are also project management, business intelligence, business analysis, e-discovery experts or knowledgeable as well.
RICHARD SWART: What is it about the banking and finance industry that has that particular expectation for new employees? I mean, many industries are looking for very narrowly focused individuals, and it seems like you're saying that banking wants people with a broad set of skills or at least a companion skill.
BEN CHISOLM: I think it's because of the nature in which they're infusing information security at all levels. So, I mean, previously the model – or the model in many industries is to have an information security element that kind of is central to the organization and works outward. And in the banking industry, you'll find information security experts who work in the project management shop, who work in the compliance shop, who work in the auditing shop, who work in the business analysis shop. So, within banking it appears, at least to my eyes, to have an approach where they're placing individuals within organizations, and actually, I think that's a good thing, because it allows people to be very knowledgeable and understanding of the requirements of the entire organization and not to look at IT security as sort of a – as a one-faceted paradigm that says I'm here to keep the bad guys out. No, you're here for more than just keeping the bad guys out. You're here to make sure the good guys are able to work and to get their work done.