Keeping the Balance: IT Security and the Org Chart

Posted by OnCourse Staff January 17, 2014 11:49am

Photo Credit: Felipe Horst

One of the most difficult things for a community bank to do is to balance the efficiency we need from IT with the security IT requires. Efficiency and security have an inverse relationship to one another. You can have high efficiency or high security, but not both. It's like an old scale or a children's seesaw. As the security controls of a system are increased, the efficiency gained from the system decreases - and vice versa. For example, I can be really secure by unplugging my Internet connection from the wall, but it's not very practical and certainly wouldn't be very efficient.

Community banks tend to favor efficiency over security. Why is that?

Cost limitations. This is the first and obvious reason. Community banks are fighting a constant battle to remain competitive. Implementing security in systems adds costs - there is no way around it. The information systems deployed must yield efficiencies to justify their expense. More security equals more cost, which equals less efficiency. Sacrificing security to get to market faster or to improve operational efficiency is a common trade-off in community banking.

Risk. It's not always a conscious decision for a bank to improve efficiency by sacrificing security. Sometimes there's a lack of understanding of the risks associated with the systems we deploy. By not understanding the risks, we tend to underestimate the required security needs. This is a very common situation in community banking and has its roots in the fact that many community banks are highly reliant on outsourced systems. That is not a bad thing by itself. The problem arises because many banks lack the in-house expertise to properly evaluate the vendor, and they don't fully understand their own obligations as specified in the SAS 70. There is a general misunderstanding that the act of contracting with a vendor somehow relieves a Bank of the responsibility for monitoring and controlling the data associated with the outsourced systems.

Personnel limitations. The many-hats syndrome runs rampant in smaller community banks. Consider a small de novo bank - the BSA officer is the IT officer - she's also the office manager, she deals with HR-related issues, she waters the plants, she shovels the snow in the winter... I'm exaggerating (am I?), but the point is that some Banks, even those that possess the in-house expertise to assess security needs, lack the manpower to do it effectively.

Regulatory emphasis. The current regulatory environment stresses controls as they relate to policy and procedures. The sad reality is that satisfactory regulatory or internal control audits have a very low correlation to the overall security profile of the Bank. Don't get me wrong; a satisfactory control environment says very positive things about an organization's dedication to protecting non-public data and its own business continuity planning. However, we must be careful to consider the highly technical risks associated with modern information systems. Those dual controls and segregation of duties work marvelously in preventing internal fraud, but they potentially do very little to prevent a compromised laptop from opening a tunnel that can be used by an attacker to siphon data out of the bank. The results of audits - no matter how good the results are - cannot be used on their own when assessing the security environment before deploying an information system.

It's common for banks to consciously or unconsciously underestimate security needs. What we really need to do is find the balance between security and efficiency. How do we do it? Given the biases described above, how do we maximize efficiency while also adequately considering the security needs of the information systems we deploy?

One way to find the balance is in the organizational structure. Let's take a look at a typical organizational structure as it relates to IT:

[Org chart 1: a vertical structure - the CEO at the top, the CIO reporting to the CEO, and the CISO reporting to the CIO]
I'm using these "C" level titles to illustrate my point.  You may call these people by different titles in your bank.  However, I think "C" titles are easy to understand so I'll start here to make my point and then relate it back to community banking.

The thing to understand here is that, in general, the CIO is the person who cares about efficiency and the CISO is the person who cares about security. They have competing goals. Remember the seesaw analogy from above; you can have one or the other, but you can't have both. In a typical vertical organizational structure, efficiency tends to win out over security. The decision maker, the CEO in my example, will make her decision based on the input from her direct report, the efficiency-biased CIO.

Let's see how a more modern organizational structure better incorporates security into the CEO's decision-making process:

[Org chart 2: a horizontal structure - the CEO at the top, with the CIO and the CISO both reporting directly to the CEO]
Here, the competing forces of efficiency and security are on the same horizontal plane of the organizational chart. They will be considered equally, since the CIO and the CISO are both direct reports to the decision maker.

What about small banks that don't have the depth or breadth in the organization to support the structure described above? As I described when I discussed personnel limitations, there are banks where one person does everything. Unfortunately, that's just a growing pain that many small banks must overcome. If you work for such a bank, just remember that as the bank grows, you can think about creating positions and pushing responsibility down. Keep this structure in mind when you are considering new positions.

It's important to understand that the "C" level titles I used are strictly for illustrative purposes. What matters is that the organizational structure allows decision makers to receive equal counsel from security-conscious and efficiency-conscious personnel. It does not matter how far up or how far down the organization chart the decision occurs. A balanced structure will allow the decision maker to draw a conclusion that best considers all points from both the efficiency and the security point of view. From a governance perspective, those in positions of oversight can gain comfort that the decision, no matter what it is, has been carefully contemplated and appropriately balances these competing forces.

Technology is not going away. On the contrary, expect it to be ever more prevalent in the things you do. Security, while sometimes relegated to an afterthought, will continue to grow in importance as more and more of our processes become reliant on technology. Treating security as an organizational responsibility will help ensure that it is adequately considered in the decision-making process.

OnCourse Staff

The OnCourse writing staff work to keep you informed about the most pertinent financial industry news of the moment