Debbie Wheeler, CISO of Fifth Third Bank: Effective Risk Management
Debbie Wheeler: I’m doing well. Thank you.
Swart: I appreciate you taking time to talk to us today. I’d like to talk about some of your experience. I know you have an extensive background in information security, and you’ve also spent quite a bit of time there at Fifth Third Bank working on issues around identity access management. I was wondering if you would tell our listeners, what are the critical success factors for an identity and access management program?
Wheeler: I’d have to start with understanding what roles the organization uses or needs. That’s probably first and foremost. And some of the conversations that Fifth Third has had with some other financial organizations that are attempting to implement identity and access management programs, specifically around provisioning; roles are the number one concern that’s raised over and over again. Fifth Third started about four years ago defining the roles that they were going to use to provision access, and having that structure in place has allowed us to very rapidly deploy over 200 applications to a centralized provisioning product from which we delegate and administer access and entitlement. I think the biggest challenges in trying to obtain or administer an access and identity management program are really selling the value to senior management.
Swart: What are some of the management challenges you’ve faced, including end user and training issues?
Wheeler: This isn’t a program that’s going to generate revenue. It’s not a program that’s highly visible unless you are a new employee who is patiently waiting for access to be granted for applications that you needed to get into two or three days ago. Technically it’s just, it doesn’t have a lot of visibility within an organization, and because of that, it’s hard to get funding at times, and it’s hard to demonstrate the value add of having a provisioning tool in place.
Swart: What other risks are demanding most of your attention right now?
Wheeler: There’re several risks, I think, that demand a lot of attention from myself and my staff. And some of them don’t necessarily have to do with the bank, but have everything to do with our customers. We’re seeing an increase in our social engineering attempts against customers. Obviously phishing has been a significant concern for many customers. And we’re just seeing a rise in the amount of malicious code that targets the home computer user. Our experience so far with the home user is that they just are not as diligent about maintaining the state of security of their computer systems as say the bank or some other large financial organization is. As a result, they have a tendency to have a lot of malware on their systems, unbeknownst to them, that captures their keystrokes, captures their credentials, and can be used against them to access their account. And it’s not until they’ve had a breach against their account that it’s even realized that there may be a problem with their computer system. And usually they come to that realization as we’re walking through over the phone with them some things that they can check to validate whether or not their system is secure. That’s probably the biggest challenge we have, is educating our users about proper security for their home computers as well as just being available to them and guiding them, providing them with guidance and education and awareness. From the bank’s perspective, kind of taking a look inward, I think our largest challenges are going to be in the application security space. And in doing secure source code reviews with our application development teams. So those are probably the two largest challenges that I have right now.
Swart: Have you actually implemented web vulnerability analysis tools or static analysis tools?
Wheeler: No, we’ve not implemented them internally. Typically, what we do with programs that we’re just getting off the ground, we utilize third-party resources. So, we have a couple of trusted vendors right now that we’re using to do some source code reviews for us. We’ve also utilized some third-party vendors to do training and education for our application development teams on secure source code development.
Swart: Interesting approach. Well, how has the Fifth Third dealt with data leakage problems and what lessons have you learned that you might be able to share with our listeners?
Wheeler: We’ve spent quite a bit of time talking to vendors about data leakage prevention over the course of the last nine months. And we’ve really used 2007 as a year to evaluate technologies as well as put a road map together for what we want to do in 2008. So, in terms of actually implementing any technology for data leakage, we have not done that. We’ve done some preliminary things with some of our devices at our perimeter, looking at Social Security numbers and bank account numbers and any other pieces of customer confidential information that might be attempting to leave the organization. But we’ve done enough analysis to know that there could be a problem, and we are putting our plans in place for addressing that in 2008. And right now our plans are to target the e-mail space and removable devices first. In talking with vendors, we’ve found that because we’ve spent so much time this year really analyzing this space, the problems in general, the various channels which could be affected by data loss, we’ve been able to come up with a pretty rock solid plan for attacking this over the next three years, starting with e-mail and USB devices in 2008, and then moving beyond that in ’09 and then in ’10. And what we’re hearing from our vendors is that our approach is probably the most solid approach that they’ve seen. So, it’s just going to be a matter of getting the funding and carrying that off then in 2008.
Swart: You’re definitely taking a long-term perspective. I’d like to tap your experience a little bit. What are some of the biggest changes that you’ve seen in information security during your career in banking?
Wheeler: Probably the biggest change is the focus on risk. When I started in this field, the focus of information security was on controls and saying no and telling users what they could not do. Now the focus is really more on risk and evaluating each and every risk and determining whether or not the organization can deal with that level of risk. Whether it’s more expensive to implement a control versus taking your chances with the risk and perhaps the fines for the loss that might result from that. So, we’ve really gone from security being solely about saying no and implementing tough controls to security being about risk evaluation and trying to strike the proper balance between allowing the business to absorb some level of risk and also protecting the business from taking on too much risk.
Swart: What about the profile of the information security function and how information security relates to governance? How has that changed?
Wheeler: I think again it involves that whole risk approach. From a governance perspective we’re still about policy and standards, and we still are about reviewing compliance with policy and standards. But where we’ve seen the biggest shift is in what we do once that review is completed. In sitting down and talking with the business about the level of risk that they’re willing to take and whether or not controls are required, and what level of controls are required. In the past, I think there were some very stringent controls that were always offered to a business unit upon a risk evaluation or upon some degree of compliance evaluation. There wasn’t a lot of risk approach or tactic that was used to determine whether the controls were appropriate or whether they were overkill for a given situation. And now we’re seeing a lot more focus on controls appropriate to the level of risk.
Swart: We’re going to turn back to end users for a minute. You know one of the major risks that you identified was the client side malware and you’ve mentioned the fact that many of the times they’ll call in and your staff will walk them through some issues with their computers. Obviously, you’re investing a lot of time and resources in working with your end users. How have you gotten management commitment for that, and also what have been the best approaches you’ve found for educating your end users?
Wheeler: Well, I think we’re in the business we are in because of our customers. So, the support from senior management has been unquestioned. They understand that if they want to retain good customers, everybody has to be willing to step up to the plate and offer the customer whatever support and guidance they need. And we’re seeing that with the security space as well. It’s no longer about simply protecting the bank’s assets; it’s about being able to reach out or be reachable by the customer and help the customer understand what they need to do to secure their assets and their identity. So, we’ve had a number of opportunities over the course of the last year to reach out into the community. We’ve done a number of security awareness events at our branches where we’ve had opportunity to actually meet with and talk to customers about things they can do at home to properly secure their computer. We’ve offered them software packages that they can load. We’ve given out brochures. We’ve given out magnets with contact information. Anything that we can do to get in front of the customer and reinforce good security practices for their home use, we’re evaluating and getting out there and trying to enforce. We’ve done a number of mailings to customers. We’ve done a number of pop-ups and other forms of communication via our internet channel. We’ve made a lot of material available to our customers on the internet, so when they log in for internet banking, they have the option of going into the security center and looking at a variety of material that we’ve got posted out there about identity theft, check fraud, phishing, other forms of e-scams, as well as malware. And then proper security practices for use on their home systems. And that’s pretty much how we try to address end user awareness, customer awareness, and make ourselves available.
Swart: You guys are doing an exceptional job. What do you know now that you wish you knew when you started out in this field?
Wheeler: Oh, goodness. I guess I wish I knew how resistant organizations are to security. It’s a control. People have a hard time seeing the value add. And I wish I knew that when I started and could maybe have better prepared myself for the arguments that I would be presented with over the course of my career. Around what value it’s going to bring to the organization. Or you know, why should I spend money on this when I could spend money on this over here and I’m actually going to be able to generate revenue from this. I think every good security practitioner needs to be prepared for those arguments and needs to know coming into this field that those are the types of arguments they’re going to be met with as soon as they walk in that front door.
Swart: My one last question is what advice would you give to someone starting out in this field? I’m also particularly interested in advice to women. You’re one of the, not one of the few, but women are the minority in the leadership ranks of information security in our country. What encouragement or advice would you give someone just starting out?
Wheeler: I think the first piece of advice I would give to anyone starting out or wanting to get into the information security field is one, understand the business that you’re going to be working in. So if you’re going to work in financial services, try to get as much information and knowledge about the business of financial services. Not necessarily security. The same is true for health care. Understand the business you’re going to be operating within, because then you’ll understand what their drivers are and how security plays a role in that business. Security’s never going to drive the business. At least not in financial services. Not in health care. But it is a key partner to the business. And then secondly, get as much of a technical background as you possibly can. I had the good fortune early on in my career to kind of start out in the operations area, moved into the help desk area. Did PC support for quite a while. And networking support for quite a while. I’ve only been in security for the last 12 years, but I’ve spent probably a good 10 or 12 years prior to that building the technology background that has really enabled me to understand the challenges of security from a technology perspective while also learning the business challenges.
Swart: Just speaking off the cuff, it almost sounds like a tall order. Is it easy for you as an executive to find people that have that mix of technical skills and business acumen?
Wheeler: Not at all. Not at all. At my last position, the challenge that we had was we were firing up an IT organization that had previously been comprised solely of outsourced resources. And trying to build that IT department in house over a very short period of time resulting in hiring a lot of very, very technically savvy individuals who had absolutely no background in banking. And the challenge that created for the organization was you had almost 2,000 technical people trying to put the best technical solutions in place without any consideration for what the business needed out of those technical solutions. And that resulted ultimately in the organization creating what they called a Business of Banking class and requiring every IT person in the organization to go through that. And it was kind of a crash course in what is banking, and who are the customers you’re trying to service. And what are their needs? And how do you take those needs into consideration when you’re developing technical solutions? And even in my position here at Fifth Third, I find that to be true. I find that people think that they can come right into the security field, usually right out of college having had no practical background or experience in technology, let alone in financial services. And the challenge that presents is they come into this field thinking that it’s very black and white. They can either say yes to something or no to something. And they don’t understand the challenges of the business. They don’t understand the challenges of IT, and that there are never any black and white answers. There are lots of shades of gray, but it’s never very clear in terms of things being black or things being white.
Swart: Well, excellent advice, and I know that many of our listeners are probably struggling with that exact same challenge, trying to find people with that business acumen. Too many of the security programs are very focused solely on encryption technologies and network technologies and we’re not addressing our business needs to any extent. So.
Wheeler: Yeah, and the challenge of that, when they get so very focused on leading bleeding edge technologies is it’s very rare to find companies out there that have the budget to invest in some of those bleeding edge technologies. And I don’t think that that’s something that always makes its way into the classroom. There’s a cost and there’s a balance to implementing technologies to encrypt information or to do any other type of a control within an organization. And when you have security individuals who understand the business challenges as well as the technology challenges, chances are you’ve got a much better balanced individual who can offer much better balanced solutions to the organization.
Swart: Well I appreciate your time today, Debbie. It’s been great information.
Wheeler: Thank you.
Swart: Thank you for listening to another podcast with Information Security Media Group. For other podcasts or for other educational content regarding information security for the banking or finance industry, please go to www.bankinfosecurity.com or www.cuinfosecurity.com.