Part 1: Personnel Profiles for Information Security Positions in Banks

Omar Herrera (omar.herrera@oissg.org)

Information security personnel in banks

Banks have specific requirements for the experience and abilities of their information security personnel. However, it is becoming harder for qualified professionals to satisfy requirements from these institutions.

While information security personnel can be trained in specialized areas of information security, they still need to have relevant general information security background and a minimum number of years of experience in the industry.

There are several reasons to be selective when hiring information security personnel. First, with the high diversity of specializations and required levels of proficiency in certain domains, it is becoming nearly impossible for banks to train someone without any background or experience in information security (i.e. it is becoming extremely time consuming and expensive).

This is true even for people with backgrounds in other areas of information technology such as application development, telecommunications and system administration. Fortunately, the academic world recognizes the importance of information security and is now incorporating relevant courses into most information technology programs. However, the current level of information security training for many recent graduates is still lacking.

The second reason to be selective is not really related to technical skills. Soft skills such as verbal and written communication, the ability to work under pressure, and the ability to work in a team environment are becoming increasingly valuable.

The third reason is related to personal values. Trust, for example, is one of the most important aspects that a bank must consider when hiring information security personnel. There are some positions within a bank where people’s work has a tremendous impact, and information security positions usually fall under this heading. The last thing a bank would want is to have a malicious person in a position that could possibly be so compromising.

Core requirements

As we mentioned before, there are certain personal skills that might prove to be more important than technical qualifications. These skills are compulsory for any candidate seeking an information security position within a bank. This applies not only to management but also to technical positions. Unfortunately, these softer requirements are often overlooked, and they are hard to evaluate during the interview process.

Trust

Information security people will be given access to sensitive information; this can’t be avoided. For example, the bank is subject to significant levels of exposure when an information security professional is asked to evaluate operational risk according to the Basel II Accord. The evaluator must fully understand the functions and interactions of systems to understand the levels of risk that the bank is exposed to.

Therefore, this position allows a lot of damage to be done if the wrong person is chosen to evaluate the system. Not only will this person have extensive knowledge of how things work within the bank's infrastructure, but they will also be given the opportunity to design, implement and manage the information security controls that the bank puts into place. Therefore, the organization needs to be able to fully trust the personnel in these positions.

Responsibility

Banks are complex organizations with many proprietary processes and services. They need information security personnel who are confident about their knowledge, able to apply what they know to the particular environment of the organization, and able to justify their actions.

Complex organizations usually can't afford several layers in the hierarchy to verify each piece of work or design implementation. Additionally, many information security tasks are time sensitive. For example, the incident response personnel in charge will need to make decisions that affect business processes in order to prevent negative impacts.

Proactivity

With the increase of complex attacks against banks and their customers, information security personnel can’t wait until incidents materialize. They need to be able to plan ahead to prevent incidents. In order to do this, they must be able to participate in the design and construction of new services and systems before they are deployed.

Being proactive also means being aware of their environment (i.e. how/where banks work and interact with customers) and security trends. Proactive information security personnel will then be able to identify genuine security threats when they are still small and manageable, thus anticipating potential incidents of high impact.

Commitment

Many bank services are now offered 24 hours a day, 365 days a year. Information security tasks are no exception. It is therefore important to find personnel willing to work unusual shifts, and be able to respond whenever there is a situation that requires immediate attention.

Information security personnel are not required to withstand inhumane working conditions or renounce their rights as employees. However, they are expected to be flexible and respond to organizational needs, like other professions with similar requirements, such as medical staff.

Creativity

A complex environment with proprietary products and services also demands information security personnel that are able to provide creative solutions to uncommon problems.

Banks are institutions where best practices and proven solutions will work less frequently; therefore, creativity is a must.

Teamwork

Information security personnel will work closely with both internal and external bank employees. Because information security personnel are ever more frequently required to be involved in the design and operation of new products and services, it is essential that they are able to interact and communicate effectively with people from different areas and backgrounds (many of whom are non-technical).

Auto-didactic

Much of the specialized and up-to-date information required to be an effective information security professional will not be available through courses and formal training. Details about the operation of the bank can only be obtained from internal documentation, and it is unlikely that there will always be someone available to give a presentation or formal training about every aspect.

Hence, it is essential that information security personnel working in banks can learn fast and on their own. They should devote a significant amount of time daily to learning and keeping up to date about events in the organization, technical information particular to information security, and other information that will allow them to improve all their skills.

Good communication skills

Both written and verbal communication skills are required of information security personnel. They will interact with people from different disciplines, and information security reporting is often required by senior management within banks. Clear, well-written reports are required to satisfy audit requirements and the increasing number of regulations with which banks must comply.
