Part II: Personnel Profiles for Information Security Positions in Banks

Omar Herrera

Traditional roles

Traditional information security roles that are found in banks include (but are not limited to) those described in the following list.

- Control Administrator – in charge of the installation, configuration and operation of security controls within the organization (e.g. antivirus, firewall, IDS, IPS). Rather than having expertise related to a specific brand, personnel within this role are expected to possess well-rounded knowledge of the underlying technology when hired (i.e. know how multiple controls work and why they are (in)effective under different circumstances). Training that is specific to the brand of controls used by the organization can be provided after the personnel are hired.

- Assessment Professional – identifies vulnerabilities or security deficiencies, evaluates the organization's risk, and provides doable solutions. Specialties within this domain include security auditors, penetration testers and application security evaluators. The risk assessment portion of this role is becoming more important due to recent security regulations and redesigns that are implemented to fine-tune preventive security. Assessment professionals must therefore possess a well-rounded understanding and knowledge of banking processes and priorities. These skills are more important than plain technical evaluation of issues.

- Incident Response Professional – identifies, contains and solves security incidents within an organization. The number of different incidents is large; therefore, these professionals need to be proficient in several areas of information security (e.g. network security, application security, access control, hacking techniques and malware).

- Manager – organizes budgets and physical resources through planning, and directs teams of information security specialists. A profound knowledge of business processes, organizational needs and culture is required. Within the banking industry, information security managers are not only required to be up to date with new technologies, trends, and news related to information security; they also need to understand the overall security resource requirements of the bank.

New roles

Due to recent changes in trends and needs in banking information security, new roles have appeared. Some of these new roles are:

- Intelligence Analyst – analyzes and consolidates security information from security controls, security trends, security news and publicly available information. The Intelligence Analyst then produces statistical priorities that reflect the current state of security within the organization, allowing management to focus their efforts and budgets on the waning area. Banks are particularly interested in this information because it allows them to create metrics that measure the effectiveness of security controls, which in turn allows them to justify security spending, provide input for risk assessments, and establish that compliance efforts are taking place when being audited. Security Intelligence Analysts will also help banks to identify threats, a benefit that cannot be automated. A good example of this is someone discussing sensitive information regarding a product or service of the bank in a public forum. Reporting this type of breach might prove to be invaluable in the prevention of an attack or information leak. Personnel in this position should be proficient in obtaining public information on the Internet, possess a good understanding and knowledge of business processes, and be able to foster human relationships within the institution.

- Forensic Investigator – collects and analyzes evidence on the motives, cause, and impact of information security incidents. Due to potential legal implications, forensic investigators should be properly trained and qualified to comply with law enforcement requirements in the event that evidence handling and collection may need to take place. They should also understand the technology that surrounds the fraudulent acts (e.g. operating systems, applications, hardware) and the access controls and processes that exist within the institution.

- Malware/Scam Analyst – identifies, analyzes, traces and eradicates malicious software or fraudulent schemes up to date and maintained technology (e.g. guard institution against scams and phishing attacks). The Malware/Scam Analyst serves as a specialized form of forensic investigator, as so many scams are specifically designed or customized for financial institutions. It is becoming increasingly necessary to have these specialists in banks because vendors of anti-malware solutions may be unable to detect this kind of targeted attack (e.g. custom trojan horses). Additionally, it is not in the best interest of the bank to involve other third parties in the investigation of an attack involving custom malware (other than, perhaps, law enforcement). Malware/Scam Analysts must therefore possess a good understanding of how services and products from the bank work, as well as the relevant business processes that will allow these professionals to correctly assess the impact of malware and scams on the institution. From a more technical perspective, these analysts must also be proficient with reverse engineering and the internal workings of operating systems.

- Architect – analyzes security requirements of critical systems, processes, products and services in order to maintain the most cost-effective solutions when integrating and designing technological advancements. In the past, security architects used to be outsourced (e.g. integrators, or personnel from vendors of information security controls who are hired to select the best configuration and set of products from their point of view), due to a product-centered vision of the problem. Nowadays, more banks recognize the need to include security as an integral part of the design of products and services. Security architects therefore tend to be persons with knowledge and experience of the business's processes and needs. This allows banks to design security solutions even in cases where there are no commercial products available (extremely important, because of the amount of proprietary products and services in banks).

- Cryptographer – designs and analyzes security controls that provide confidentiality and integrity of sensitive information. This is done using cryptographic protocols and requires a specialized form of information security architect. Because most banking services and products need to have controls in place that robustly protect sensitive information, many of these solutions are custom-made. Several commercial components can be integrated; however, these products are only effective when special developments can be designed to integrate certain security controls within these systems (e.g. the customization of access controls, secure storage and non-repudiation systems). Cryptographers in banks must have a deep understanding of information protection needs, cryptographic techniques, their limitations (including their mathematical background) and the programming languages and frameworks used by the bank (in order to verify the correctness of their proposed solutions in the implementation). Experience with hardware using cryptography (e.g. smart cards and some types of tokens) might also be necessary.

Hiring new personnel

Determining if a candidate possesses the skills necessary to fill the position effectively before hiring him/her is not a trivial task. Below are some suggestions that are given to aid Human Resources departments within banks to identify qualified information security candidates:

- Mandatory background checks – this is essential due to the sensitivity of information that information security personnel will have access to. Under some circumstances (and where law permits it), polygraph tests might be used to verify background information of the candidates. These tests also give the organization a look into the candidate's interpersonal skills and personality (i.e. some core requirements such as trust and responsibility may be tested).

- Standard psychometric tests – many of these tests could be useful to determine how well a candidate does with core requirements such as team work, creativity and commitment.

- Standardized information security tests – general tests that cover the basic concepts of information security should be given to evaluate the candidate's competency level. Renowned security certifications might be referenced instead of providing your own testing, in order to get some assurance that the candidate possesses a basic knowledge of information security practices.

- Interviews – if the organization possesses qualified personnel to evaluate a candidate (e.g. information security professionals interviewing candidates for information security positions) an interview involving experienced human resources personnel, the qualified person at the bank, and the candidate will provide a well rounded view of the candidate.

- Previous work – publications (e.g. books, articles, theses) should be requested and reviewed in order to evaluate the candidate's writing skills and technical information security skills.

- Unorthodox methods – sometimes it will be extremely difficult to assess technical skills, especially if there are no other employees proficient in the specific area that is being expanded. The bank could then require potential candidates (those that satisfy all other non-technical requirements) to do some sample work under controlled/simulated conditions, and then present what was done, how and why. Good examples of this would be to test forensic investigators by asking them to analyze a bait system, and to ask cryptographers to solve a hypothetical situation in a robust and cost-effective manner. Even if the institution lacks the skills or knowledge required to set up a proper simulation environment, this process will be improved through evaluating several candidates under the same circumstances. It should be clear at the end of the exercise which candidates are the most proficient in technical terms, compared to the others.

It is important to note that for some positions, it might be very difficult to find a perfect candidate (sometimes even finding a single candidate might be quite difficult). Banks should realize that they need to be somewhat flexible, and define some thresholds that make the hiring process cost-effective. Training less experienced candidates may be a viable option when the cost and time to fulfill all requirements are flexible.

About the Author

Omar A. Herrera Reyna - CISA, CISSP

Omar Herrera is an information security officer working for the central bank of Mexico. He has previously worked as an information security consultant for Deloitte and is a member of the OISSG. He is experienced in technical information security assessments, risk analyses, incident response team management, technical security training and malicious software analyses.
