
FST meets the World Bank’s CISO Jim Nelms to discuss security, complexity and a whole lot more.
The role of the CISO/CSO requires multiple skills in today’s complex global business environment. You need to be able to understand your company’s business objectives and articulate effectively at all levels of the organization on how the security organization supports them. The ability to effectively work and build alliances across the various business groups within and outside the organization is also key, and nurturing strong relationships can often mark the difference between success and failure.
Jim Nelms is the Chief Information Security Officer of the Treasury of the World Bank. As such, he is responsible for the information security infrastructure for the Treasury as well as all related financial services, including computer and network systems, business systems, web-based applications, e-commerce and online trading systems. Jim manages a team of information security specialists that provide information security services such as cryptography, digital signatures, access control, reliability testing, intrusion detection, firewalls, penetration studies, security event detection and evasive action. His 25 years of expertise come from his consulting experience to over 250 companies, conducting over 500 classes/seminars, and publishing over 150 technical journals on areas of information systems and security.
For this issue, FST asked him to give his thoughts on some of the industry’s hottest topics. Here are his thoughts...
Industry developments
“One of the biggest developments in the financial industry over the next few years will be the convergence of information security and risk management. In the past, information security has been thought of as a technology problem. Business people know a lot more about operational risk, and generally leave information security to the IT people. However, if you look at what has happened recently, especially over the last five years, the complexity of the financial instruments we deal with has increased to the point that they can no longer be performed or managed manually; technology is required, which naturally brings the risks associated with using that technology into the field of operational risk.
“SOX has tried to bring some of that into focus by instilling good practices. If you look at how any system is built, it is built in five layers: there’s a network level, an operating system, a database, some sort of middleware, and the application itself. All operational risk exists in the application processes and procedures – which leaves the other four layers below that producing risk based on technology. CSOs/CISOs are consequently having to deal with managing risk from a remediation or mitigation standpoint as they would with operational risk. Those are business problems, and approaching them from a bottom-up perspective as a technician is not going to gain as much momentum as you would if you were to deal with them top-down as a business problem.
“I think people are really going to have to start thinking less in terms of ‘information security’ and more in terms of risk management based on the technology risks that are inherent in processing complex financial instruments.”
Identity and access management
“Identity and access management play key roles in the governance process for risk management. Without some basic identity management controls, you lose the uniqueness of reference for individuals – after all, if you’re going to hold someone accountable for a particular function then you have to unequivocally identify that person.
“Identity access management has two primary pieces: the identity or authentication of someone; and then the authorization of what that person is allowed to perform (also called provisioning or entitlements). A key step is the segregation of these pieces from the application. Removing the authentication/authorization piece from the application means that it will become much more resilient, more robust and have more longevity than it would have if it were residing within the application itself. We’re seeing the lifecycle of financial services applications getting shorter all the time because of the need to move with the market – if you build your authentication/authorization mechanisms into every application then you need to rebuild it each time you change that application. Your staff hasn’t changed, what they can do hasn’t changed, so the identity and access management function should be static with the business in which they report. Only the application should change.”
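As an added illustration of the segregation described above (example code, not from the interview or the World Bank), a hypothetical `IdentityAccessService` holds authentication and business-function entitlements outside the application, and two generations of a trading application authorize through it while only their own operation maps change. The user names, passwords and business-function names are constructed sample data.

```python
import hashlib
import hmac
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the IAM never stores a plaintext credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityAccessService:
    """Hypothetical external IAM: identities plus entitlements keyed by business function."""
    def __init__(self):
        self._users = {}         # user id -> (salt, password hash)
        self._entitlements = {}  # user id -> set of business functions

    def register(self, user, password, entitlements):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash(password, salt))
        self._entitlements[user] = set(entitlements)

    def authenticate(self, user, password):
        """Return the uniquely identified principal, or None on failure."""
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, stored = rec
        return user if hmac.compare_digest(stored, _hash(password, salt)) else None

    def is_entitled(self, principal, business_function):
        # Default deny: unknown principals and unknown functions get nothing.
        return business_function in self._entitlements.get(principal, set())

class TradingApp:  # owns no identities; only maps its operations to business functions
    def __init__(self, iam, operation_map):
        self._iam = iam
        self._ops = operation_map

    def perform(self, principal, operation):
        fn = self._ops.get(operation)
        if fn is None or not self._iam.is_entitled(principal, fn):
            return "denied"
        return f"{operation}: ok"

# Constructed sample data: the staff and what they may do live in the IAM, not in either app.
IAM = IdentityAccessService()
IAM.register("alice", "correct horse", {"approve_trade", "view_positions"})
IAM.register("bob", "battery staple", {"view_positions"})
# Two generations of the application share one IAM; only the operation map is rebuilt.
APP_V1 = TradingApp(IAM, {"approve": "approve_trade", "blotter": "view_positions"})
APP_V2 = TradingApp(IAM, {"sign_off": "approve_trade", "positions": "view_positions"})
```

Rebuilding the application from V1 to V2 changed every operation name but touched neither the identities nor the entitlements.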
Managing complexity
“Complexity as it exists is largely technology-related. The inter-relationships between systems and businesses are governed by how technical minds have determined the business process flow should occur. Now placing that under the responsibility of the business units may or may not make the complexity go away, but what it does do is it allows the business units to determine whether they want to enter into that level of complexity or not. There is a cost associated with that complexity, and that’s not a technical decision; it’s a business decision because it costs money.
“What we have to admit is that IT departments are just custodians. We don’t own any data, we don’t own any systems or networks; what we do is provide services. However, what has happened is that in many cases those services have grown so far into the business lines that the knowledge of the business resides largely in the IT group. They’re the ones writing the specifications and the codes, and so the business is driven by what IT can provide to the user. However, because of the cost of services and the need for rapid deployment and more resilient applications, the business owners are becoming more aware of the fact that they should be driving technology rather than the other way around. It’s about harmonization and collaboration. If a business owner says “I need A, B and C,” a technical person should be able to say “Well, here are three technologies that can provide that, here’s the cost, and here’s how they will or will not integrate with what exists in the organization now,” rather than just “Here’s the solution.” The decision-making process is being moved into the business-side, rather than residing in the technology-side. The role of the business-focused IT person is becoming more that of an advisor rather than a one-stop-shop.”
Business continuity
“The way we’ve practiced disaster recovery over the last few years has been largely IT-driven. It’s been about high-availability, distribution of processing, etc. However, the bank has recently created a new business continuity group that looks at BC/DR as much more of a business issue. Obviously, IT is very involved in that because of the network and data issues, but the bank is now very focused on how to continue to work both in the short and long term given certain scenarios – single building failure, campus failure, single or multiple data center failures, etc. There’s been an entire shift in focus for disaster recovery that reflects some of the wider changes at the bank and the way certain things, such as security and technology, are now viewed. Disaster recovery started out as a subset within the security department of the IT organization; now however, security is not necessarily considered part of IT, it’s thought of as risk management. Similarly, disaster recovery is no longer thought of as purely an IT problem. Both security and disaster recovery are truly business issues because they occupy top-of-mind for senior people within the organization – even as far up as board and executive-level – and involve making business-based decisions on what is important, what the parts of the bank need to be available at what times, what risks can be accepted, etc.”
Compliance
“Obviously, SOX compliance is still a big focus for us, and the costs are ongoing. From an operational risk perspective, I think we’re getting too close to using the terms compliance and security as interchangeable, and they’re not. Compliance is just compliance; it enforces good policies, good practices and good procedures, although it can provide better security because of the improved processes that should have been implemented anyway as part of best practice. You can be completely compliant and still very insecure – a strong compliance initiative is certainly not the ‘Emperor’s new security program’.”
IT investment
“Moving forward, the big project for us over the next 18 months will be identity access management. The authentication piece can easily be solved on a point solution basis – we’ve had everything from token-based to biometric solutions proven and working at different points for a number of years now. However, institutionalizing that and being able to roll that out on an enterprise-wide level to prevent everything from individual identity theft to banking fraud is a key challenge.
“Compliance will continue to be a big focus for us too. We’ll also be looking more closely at international standards such as the BS 7799 set of standards for recommended information security management practices and how that plays into the ISO 20000 standard for IT service management.
“The other big push for us is going to be re-aligning IT delivery and governance with the business units that IT supports on a much more granular basis than we have previously.”
Current focus at the World Bank
“We’ve been analyzing what the market is doing and what our counterparties and competitors are doing to respond to the need for rapid deployment of new financial instruments. This is allowing us to determine what the best architecture for IT governance and alignment would be for our institution. We’re a little different to the private sector institutions – we’re a public sector institution with a private sector mandate – and so we have some different governing restrictions. However, we still face many of the same challenges: how to deliver rapid deployment, how to deliver financial instruments, and how to get to the market edge and be a player in that space without ripping out the IT group completely. Despite the fact that we have a slightly different mandate, we are still in a competitive environment, and so we need to be able to provide financial services at a competitive rate and within a reasonable timeframe.
“On the flipside of that, having to support an international organization and provide stability and reliability in 197 countries does provide some unique challenges in terms of how to deploy IT to unlike and very dissimilar technology environments. For instance, there are a different set of considerations for a technology deployment in a less-developed part of the world than there are for a deployment at headquarters in Washington DC.”