Effective corporate governance is perhaps the single most effective security control in an institution. In community financial institutions, it is usually the responsibility of the audit or supervisory committee to hold management accountable for the decisions they make. That includes holding the information security officer accountable for the security issues identified as part of internal audits and security assessments. An audit committee can have a very positive or a very negative impact on organizational security, largely as a function of how capable the committee is at managing an area with rapidly evolving threats and risks.
Consider a well-defined process in a bank. If an employee of a bank fails to file a suspicious activity report, there are well-defined penalties. Penalties for willful failure to file a suspicious activity report can even be imposed on the officers and directors of an institution and can be quite significant. Consequently, those in governance positions often take a very hard line when dealing with these types of audit findings. Failures in process can often be grounds for dismissal, and rightfully so!
Not information technology, however. It must be managed differently. Where certain processes, like suspicious activity report filings, have well-defined rules, expectations, risks and penalties, information security management processes do not. Effective information security is more about the process than about the individual issues. That is not to imply that the information security officer should not be held accountable for decisions. Rather, governance personnel should account for the fact that they have oversight of a moving target.
Consider an organization that performs a review of its patch management efforts. Let’s say that it discovers it has 200 security patches missing for the software deployed on institution workstations. Imagine an administrator at the organization takes the time to meticulously patch every machine. If the exercise of patching the machines is completed in the absence of a larger process (that is, it is only performed once), the organization will likely find that it has another 200 missing patches at the next review.
Why? Because the environment itself is continually changing. New software may have been installed, new vulnerabilities may have been discovered that require new patches, the topology and vendors might have changed, and so on. From a governance perspective, it is usually not the individual issues that matter. Instead, it is the oversight of the processes that ensure patches are applied consistently and in a timely manner that will ultimately contribute to the security of the organization. Focusing on the individual issues at the expense of the process actually degrades the information security of the bank.
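To make the point concrete, the following added example (not part of the original article) computes process metrics from two constructed patch-review snapshots. Both snapshots show the same number of open patches, but the time-to-remediate and SLA figures reveal which one reflects a working process; the hosts, patch identifiers, dates and 30-day SLA are all assumptions made up for the illustration.

```python
import statistics
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Finding:
    host: str
    patch_id: str
    released: date               # date the vendor released the patch
    remediated: Optional[date]   # None means still missing at the review

def process_metrics(findings, review_date, sla_days=30):
    """Return process-health metrics instead of a bare count of open items.

    open_count       - what a point-in-time review reports
    overdue_open     - open items older than the SLA (the process is slipping)
    median_days      - typical time from release to remediation for closed items
    sla_compliance   - share of closed items remediated within the SLA
    """
    open_items = [f for f in findings if f.remediated is None]
    closed = [f for f in findings if f.remediated is not None]
    days_to_fix = [(f.remediated - f.released).days for f in closed]
    overdue = [f for f in open_items if (review_date - f.released).days > sla_days]
    within = sum(1 for d in days_to_fix if d <= sla_days)
    return {
        "open_count": len(open_items),
        "overdue_open": len(overdue),
        "median_days": statistics.median(days_to_fix) if days_to_fix else None,
        "sla_compliance": within / len(closed) if closed else None,
    }

# Constructed snapshot A: one-off patching sprint, no ongoing process.
REVIEW_A = [
    Finding("ws-01", "KB-0001", date(2024, 1, 5), date(2024, 3, 20)),
    Finding("ws-02", "KB-0002", date(2024, 1, 5), date(2024, 3, 20)),
    Finding("ws-03", "KB-0003", date(2024, 2, 1), None),
    Finding("ws-04", "KB-0004", date(2024, 3, 25), None),
    Finding("ws-05", "KB-0005", date(2024, 3, 30), None),
]
# Constructed snapshot B: same open count, but a recurring monthly process.
REVIEW_B = [
    Finding("ws-01", "KB-0101", date(2024, 3, 1), date(2024, 3, 10)),
    Finding("ws-02", "KB-0102", date(2024, 3, 1), date(2024, 3, 12)),
    Finding("ws-03", "KB-0103", date(2024, 4, 2), None),
    Finding("ws-04", "KB-0104", date(2024, 4, 9), None),
    Finding("ws-05", "KB-0105", date(2024, 4, 10), None),
]
REVIEW_DATE = date(2024, 4, 15)
```

A committee looking only at `open_count` would rate both snapshots the same; the other three figures are what oversight of the process actually needs.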
Those in oversight positions must ensure that a culture of security is established. The personnel responsible for managing information security must be free to speak up when new vulnerabilities are discovered. If the culture of an organization is such that security personnel are afraid of being criticized, getting fired, or losing bonuses, then those personnel are going to do everything they can to ensure they are never put in a position to be judged. That may manifest itself as resistance to more advanced technical controls, which could expose issues, or as the outright hiding of issues when they are discovered.
From an audit perspective, resistance by management to the use of advanced technical controls, or even automated tools that aid in the audit process itself, is potentially a red flag indicating that the institution has corporate cultural issues that impede information security. Is the culture of the bank such that any issue identified results in a rebuke from those above? Does the comprehensiveness of a technical assessment scare the IT department? Are there concerns about how the report will be interpreted by the regulators or by the audit committee? Is the resistance actually an indicator of a larger cultural problem?
Effective corporate governance with respect to information security should not be overly concerned with the number of issues identified. Instead it should focus on the adequacy, management and oversight of the processes designed to remediate them. A culture that rewards the identification of vulnerabilities rather than penalizing it will be more effective. It is very difficult to accurately predict the next threat in an evolving environment, especially since the business of a bank is banking, not information security. The strength of the processes surrounding information security and the culture of the institution are what will ultimately determine the security of the financial institution.
Peter Viglucci, CISA, CRISC
Director of Information Technology
Peter Viglucci, Director of Information Technology, has over 17 years of experience in all aspects of Financial Industry IT