Protect Your Institution - and Career: Interview with Information Security Consultant, Randy Caraway
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. I'm talking today with Randy Caraway, an information security professional most recently with JPMorgan Chase, and he also sits on the CISM certification board with ISACA. Randy thanks so much for joining me today.
RANDY CARAWAY: Thank you.
FIELD: Randy, could you, just to sort of set some context for us, tell us a little bit about yourself, your recent banking responsibilities and specifically about your role with ISACA and what you do there?
CARAWAY: Well, my most recent banking responsibilities were in the area of access and authentication management delivery. I've also worked with PKIs, you know, public key technology, network security ... I am, I guess, what you could call an information security generalist. I have over 15 years' experience in a variety of responsibilities from simple log reading to hospital management and things like that.
My role in ISACA is we are the CISM (Certified Information Security Manager) certification board, and as such we work primarily on making sure that the CISM certification stays robust in that we try to keep up with current technologies, current issues in the security industry, and primarily four of the five board members that I work with a lot are financial service people, so we work hard. We also have military people, healthcare people, so I mean it is very broad-based certification, and we work hard to keep it very robust and very current.
FIELD: Now Randy, you've seen first-hand the impact of the economic downturn, so I wanted to ask you: How should banking and security leaders be protecting their own careers today in the times that we are experiencing?
CARAWAY: Well, I guess the key word I would use is that banks and bankers and bank support personnel like myself need to rely on the word "trust," and trust is gold right now. From a data management standpoint that is reliability, integrity and accuracy, and we will talk more about those in a little bit. But from a customer standpoint, we have a great deal of uncertainty, a great deal of issues, and if your bank or your financial institution can provide that trust, then you are going to be in good shape. If, on the other hand, there are some questionable things going on and/or just plain mess-ups and mistakes, then that trust is going to go away, and it is going to be difficult to regain it at least for two or three years. So I don't want to use the term "be paranoid," but be very diligent in what is going on, and from the standpoint of checking numbers, approach those things with a great deal of healthy skepticism.
FIELD: Well, that is interesting because one of the things that we always say is that trust is at the core of banking, and that customers need to trust that their financial assets and their informational assets are going to be safe. That sounds like what you are saying -- that trust is key within the institution itself and the hierarchy of employees.
CARAWAY: Yeah, and from the standpoint of what that means is from a reliability standpoint. It is that your systems are up there and they are doing their job, your protection systems are providing good protection, your network is a constant variable, and your people are constantly working on that. You know what your firewall rules look like and what they are supposed to do and more importantly what they won't do for you, and then the age-old story of providing defense in depth. I mean, we have read recently about several firms that were saying one thing, but the reality is that it was not there. The good CISM knows that when it is all said and done he has to deal with the reality of what is out there and not what he wishes the reality to be and that being said, he is constantly looking, he is constantly checking and he is using good metrics in terms of access attempts and so on, and he is doing path and retracing testing.
Now that being said, in times like these when money is very tight, that person needs to really align priorities with the business goals and risk management within the firm. That is being open about what is there, being open about what is going on with his or her systems and then more importantly engaging with the C-level executives saying, "Okay, here's what I think you want to do going forward, and here is what I think the goals are; here is what I think the mission is; here is what I think we can do to support that and enhance that in either a reactive way if you are little bit behind the bell curve or in a proactive way."
You know it is always difficult for your information security managers to rationalize cost, cost benefits, mainly because our job is to make sure bad things don't happen. That being said, you know there are ways to show how you are preventing things and that those preventions have saved dollars or lowered insurance premiums or various things like that.
FIELD: Now Randy, you've got some insight on what people are facing as priorities today. As you look at 2009, what do you see as sort of the top two or three strategic priorities for banking and security executives?
CARAWAY: Well as we spoke to earlier, the issues of providing good reliable systems, accurate data systems that have a high degree of integrity, which one part of integrity of course is regulatory compliance, and those are going to be up front. Now that being said, you are going to be needing to do that in a very efficient manner, and if you haven't stepped up to the idea of doing it with less staff or less resources, then you need to do that; you need to contemplate that.
So the whole purpose of planning is to get out there and see what the sensitivities are and see where things are going, see what indicators you can find to see what the next step will be or what the next scenario looks like or where things are headed. And then recognize full well that nothing is set in stone right now and that things can change and change very rapidly as we saw during the second half of last year.
I mean, giant banking institutions that were thought to be just granite to the core were suddenly absorbed by other institutions or found to be lacking in certain capabilities, and now they are struggling for cash, struggling for various other things.
And one of the things that you have got to provide your group is that if you say the information systems are this way and they are doing this, even in the area of outsourcing, you have got to be able to verify it. You have got to show proof of it, and then you have got to show reliability and backups and sustainability in depth. I guess that is the way the deal is that you just don't have backups, but you have backups for the backups, and the backups are tested and those types of things.
The other concept I use or have talked to someone is what I call "graceful degradation." If a system goes down or if you lose a key member of your staff -- and this is certainly possible -- what sort of degradation of service are you looking at, and will it be of a nature that (a) you need to plan for that and have people in training already to replace those personnel or pick up those duties of that person or persons, and (b) is it something that you need to seriously think about not doing because it goes after your high-priority core systems and spreads you too thin or spreads your group too thin?
And the other thing, of course, which is over all, is money. I mean money is tight, times are tight, and people are tight. You have got to think in terms of value, and you have got to think in terms of value to your institution both in the short run and in the long run.
FIELD: You make a good point Randy, about resources, whether they be financial or staff being tight, but at the same time I don't see regulators taking it easy on banking institutions and I don't see the threats taking it easy. What is your insight on this? What do you think we are going to see?
CARAWAY: No, no, especially the threat or the various threats. I mean, you can look at that and say a lot of the threat right now is just the environment. I mean things are tight, there are questionable issues, people have a lot of things that they thought were rock solid and values like mortgage bonds and this, that and the other, and they find out that no, that's not the case, they are not rock solid, or at least as a basis of value for derivative securities there are questions there; yes, you certainly need to question all this.
Regulators on the other hand are -- regulation to a large degree is always a reactive stance, and it is always a stance in that if you have some extraordinarily, shall we say, "questionable" practices going on, well, the regulator has to approach it from the standpoint of saying this is something we have to look for, and they will look at it from that standpoint, but it is very reactive. And sometimes it is also very political.
You as the information security guy have got to be able to anticipate that to know that you are working very hard, that you have good SOX procedures in place, that you have strong verifiable documentation of what is going on. You anticipate the need to sample these processes in some sort of reasonable fashion and then keep the results and more importantly, be painfully honest about what the results show.
In that case, then the regulators come in and they say, "Okay, these guys aren't trying to paint a rosy picture; they are trying to paint an accurate picture." And that is your best defense because in that, you can't keep things from going bad, and you can't keep things from being difficult, but what you can do is be very realistic about it and be very honest about it and then concurrently provide that information up through to the C-level individuals.
Again, showing them that you are in line with their expectations, you are in line in what their missions and goals are and one of the key ones of course is survival and viability in terms of long-term stance, and tell them here is what is going on and here is what we believe is a corrective action, and this one corrective action is reasonably compliant and second it deals aggressively with the threat...
That is the other key thing that a CISM can do is to jump on these things while they are still manageable. Jump on these things while they are still controllable, and the reason being is that if they are small and still controllable, you have found them. On the other hand, if they are the tip of the iceberg, it is nice to know about what is going on with the iceberg before the regulators find out about it and then subsequently of course, the media finds out about it.
You have to have a good media plan, and it has to be a realistic media plan that says yeah, we have this problem, and we are taking the appropriate actions, and here is the appropriate action we are taking and be open about that and not attempt to put a false face on things. You need to put an accurate face on things.
FIELD: One of the questions on this line Randy, you've been on the inside and we hear an awful lot now about the heightened insider threat. How realistic is that? Are we seeing people that are desperate for financial reasons or for fear of their careers, and is that a heightened threat inside a banking institution?
CARAWAY: Well, more so than in previous years? I don't think so. The caveat to that would be that the important thing that comes up there is how much of a personal threat is it to an individual. If you have got people that have alternatives, that have questions, again, the issue of just the general insider issue threat always being there and the fact that you have 10,000 or 15,000 or even 50 people that know as much about your business as you do and you can't control what they say or do outside the bounds of the business, and yes, of course that is a vulnerability, and the answer to that ... is the idea of convergence, which means that if a person sees a laptop lying around with no apparent owner within the company, they do something about it. If they see a briefcase that is unattended, they do something about it rather than just say, "jeeze there is a briefcase; I wonder what the heck is going on" and that type of thing. They see conversations take place, they go past an individual who has sensitive data lying on their desk in open sight and they step up to it. Now that doesn't mean they try to create a problem or they try to create a disciplinary action, they just say, "Hey, you need to be thinking about these things."
That's where in this year I would hope that a lot of CISMs are talking seriously and working harder in terms of educating employees because they are going to find themselves faced with decisions, serious decisions. Decisions that have a great deal of impact and one, they need to be knowledgeable about that and two, they need to be comfortable enough making those decisions and comfortable enough with the company, i.e. trusting of the firm, that if I make this decision this way, which may not necessarily benefit me, but it is the right thing to do, so I am going to do the right thing here. People need to be able to know that doing the right thing works well and then that helps you work with the insider threat.
My experience has been that people ... don't steal to be dishonest; people steal because they are fearful of something. They are fearful of physical issues like hunger, lack of prestige or something like that, or they steal it just out of plain ignorance and as such. In both cases, those are trainable issues; one, you reduce fear and you reduce uncertainty and two, you say now this is the type of stuff that you need to take special care with and that gets back to your policies and your information and your regulatory compliance regarding your information classification policy, your data retention policies, your appropriate use policies and enforcing those in a realistic and consistent manner.
And then I think you will find your insider threat is certainly manageable. It never goes away just due to the nature of the people and the fact that, you know, on any company who is the biggest user, well of course the insiders; 80% of your systems are being used by insiders all of the time for 90% of the effort that is going on. Now that is just an exposure issue so, you know, specifically making them knowledgeable about phishing expeditions, social engineering concepts, about using the appropriate passwords, using their secure transmissions, taking good measure with the information they get out, to be careful what they print off and be careful about what they take home, a good flash drive use policy, locking down your laptops, those types of things are all two-edged swords.
One, they protect you against the outside, but they also help employees do the appropriate thing and not wander into a set of circumstances where they are not prepared to deal with or to get taken advantage of and yes, the insider threat is there.
The best thing you can do is get your people all on the same plan and working with you as a security person instead of working against you.
FIELD: That makes sense. Randy, let's talk about ISACA a little bit. What is ISACA doing as an organization to respond to these times that we are in?
CARAWAY: Well, ISACA has several things going. Of course we have the certification process, which is real robust for the information auditors, the CISA. Recently they have stepped up with the governance certification and of course in the CISM, this particular group I work with is constantly looking at methods; we are looking at issues.
One of the things we are working with right now is wireless and what is going on with handheld wireless, as well as wireless networking and things like that. They have a lot of publications out there regarding security and they are instrumental in several metrics groups both in the United States and throughout the globe.
They also have some input -- I mean, they are not writing regulations, but they certainly are looking at the issue of how do we provide good information and assurance and good system assurance because of worldwide concerns. The recent issue with the outsourcing firm in India, that has popped up again, and then ISACA is going back and looking through the taskings and the knowledge base and saying, 'Okay was there something here that we didn't help people see? Is there something that we need to add to the training that talks about when you are doing a due diligence on an outsourcing firm, what are the key characteristics you need to think of?'
Well, you know it comes up to say you can't just presume that accounting standards, while they attempt to do the same thing certainly, are going to be consistently applied everywhere. So in terms of due diligence here are some steps you need to take in terms of reviewing the firm's capability, reviewing the firm's financials, reviewing the firm's service level agreements and contracts you have with them.
What is nice about ISACA is that it is a wonderful clearinghouse right now of information; two is that it is a long-term training solution. I mean these guys have been doing this for as long as I can remember, and that has been a while. More importantly, they have consistent use, and they consistently talk with the practitioners from around the globe.
FIELD: Very good. Randy, one last question for you. How are you going to approach this next step in your own career?
CARAWAY: Well, I'm a guy who has done a lot of things, and like I said earlier in our discussion, I have a broad, expansive experience. So going forward right now I am in the process of assessing doing some consulting, and I am also looking well into the education field.
The big thing going forward is looking at what the basics are and what is taking place and doing for several firms some root cause analysis of what is going on; second, working with the trade associations and looking to get back to the situation of being in a position to solve problems because that's what it is about in the information security world.
I mean, if we do our jobs right and we do them very, very well, we eventually work ourselves out of a job. Right now I don't think that is going to be a big problem because there is a lot of stuff going on, but my plans are to probably do some serious consulting over the next two years because I feel like there is certainly a potential there and there is certainly a market there.
FIELD: Well Randy, I appreciate your time and your insights today, and I wish you well in your future endeavors.
CARAWAY: Thanks Tom. Okay, you too. Take care.
FIELD: We've been talking with Randy Caraway, information security professional. For Information Security Media Group, I'm Tom Field. Thank you very much.