Banking or Security - Which Leadership Skill Set Does Your Institution Need Most?
Leaders Weigh in on the Qualities They Seek in Their Next CISO
We posed this question to a group of industry experts and professionals, sparking a wide range of responses.
One thing is certain: the CISO's role has evolved over the past several years. According to "The 2008 (ISC)2 Global Information Security Workforce Study," educated, qualified and experienced information security professionals are viewed as the answer to the security challenges facing all organizations.
But where do financial institutions get these educated and qualified pros? And which qualities do they seek first?
This question was of particular interest to Gary Pradel, Vice President and CTO of the First National Bank of Naperville, a branch of the First National Bank of Brookfield, IL. Pradel first came to work at a bank with no previous banking background, but with experience in IT project management.
Pradel's choice? The IT guy to train on banking and all of its complexities. "Hands down," he says. His reasoning: "The majority of what I believe the CISO needs to know is technology. The bank is filled with experts on banking who will gladly step in and teach the technical professional what he or she needs to know about banking."
He believes that the information security professional will probably never be an expert in both banking and technology, "but he or she doesn't need to be," Pradel says. "The smart and successful CISO understands the significance of two important factors: teamwork and humility." By working as a team with those in the bank who understand banking, and specifically regulations, Pradel explains, the CISO is far more likely to accomplish each objective with the skills necessary to build a solid solution.
The other factor, humility, is crucial, he says. "I've seen far too many technically savvy professionals who feel that they have to flex their 'mental muscles' by showing they understand TCP/IP rather than be willing to say they don't understand GLBA." There is a tremendous amount to learn about the banking industry, "and being willing to say you have a lot to learn is essential."
Hiring a CISO who knows more about technology than banking is a far better option, in Pradel's opinion, than the other way around. "That is, as long as that person is willing and able to learn about banking from the internal experts at the bank."
It's like asking an architect to work for your bank, he explains. "They can certainly learn from the bank staff about what is required to do banking activities, such as teller operations. But if a banker had to learn the arts and science of designing buildings, it would be a rougher road." No one else in the bank could help the architect learn which building materials work best, while there is a large collection of knowledgeable people who could help the architect understand that the tellers need to be able to see and communicate with the customers in the drive-up lanes. "Where to put the columns and tubes becomes the job of the architect who understands the physical structural requirements to ensure the safety and longevity of the structure," he says.
Pradel works in a small community bank he describes as a "microcosm of banking." The bank's technology team works quite well together. Pradel's Chief Technology Officer understands general business, banking, and technology issues, and knows the overall goals of the bank. "We have an information technology expert who understands computers, networks, and what systems work best." The third essential member is the Bank Operations and Chief Security Officer, who knows the inner workings of the bank and banking regulations. Combined, Pradel says, the team is able to tackle complex compliance and banking issues by pooling their collective knowledge.
Others agree with Pradel's choice. Cheryl Fatnassi of Opportunities Credit Union, Burlington, VT, says, "Definitely I'd choose to hire an IT professional to train on banking."
Jim Watts, Chief Information Officer of the Royal Credit Union in Eau Claire, WI, says it depends on who is doing the hiring. "I am a banker who has some level of information security knowledge, so I would hire the opposite, an IT professional who I can train on banking."
Darren MaGee, Information Technology and Security Manager, Atlantic Community Bank, Bluffton, SC, is sure that an IT professional can make a good CISO at an institution. The bank he works at is only two years old, with $90 million in assets. Since he comes from an IT background outside of the financial services industry, he has been learning the ropes about banking. "I'm able to use a lot of my IT skills. I learned a lot more about security when I joined the bank," MaGee says, adding that the bank is now SOX and FFIEC compliant.
MaGee says he would most definitely hire another IT professional into the bank. "With the IT skills, they have the computer knowledge. I can teach them about the banking business, so I would definitely hire an IT guy." MaGee also notes that the transition from banking to IT positions is happening. "I've seen a lot of tellers upgrade into an IT position. With the right training courses they can grow into a position."
The "one man army" at Citizen Bank in Mount Vernon, KY, is Dennis Weiskircher, IT Manager and Security Officer. He says he has been able to add headcount to his team in past positions and would choose a candidate with technology and security knowledge over specific banking knowledge. "This may be due to the fact that I came from outside the banking world and had to learn the regulatory and compliance issues that affect technology and information security in a banking environment," Weiskircher says. His banking experience, however, predates GLBA and the additional complexities it added to traditional banking.
In Weiskircher's opinion, "far too many institutions find someone, either from within their institution or from without, with extensive banking and compliance experience, but very little technology savvy other than what your typical end user possesses. This results in many poor decisions made in selecting technology and security solutions, or heavy reliance on vendors to provide adequate guidance." He has witnessed several institutions where the end result was large capital expenditures on technology that made them feel good, "but left them both unprotected and non-compliant."
While banking is a complex industry, the requirements of GLBA are very similar to what a person would encounter in an environment covered by SOX, HIPAA, or PCI requirements, Weiskircher notes, "Meaning that an individual with experience meeting the demands of these regulations would make a fairly easy transition into the banking world." He echoes others leaning toward hiring an IT professional: "Learning the inner workings of banking, in my opinion, is a lot easier than a banker having to become knowledgeable in firewalls, IDS/IPS, network administration, database security, role-based security, or securing a wireless network."
In the end, he says he would look for a technology professional with good business sense. "I would hire someone who understands technology, security and how it interacts with and affects the business. That person can more easily adapt to the change in industry than a business/banking executive forced to try to become tech savvy enough to provide an operating environment that is effective, secure and compliant."
Looking from his perspective as senior vice president of information technology for Central Bank in Houston, TX, Mike Martone says the answer to the question of who to hire really depends on, to use the regulatory terminology, the "size and complexity of the institution."
In a larger or more complex bank, the technical nature of the security required would call for hiring a candidate who understands information security from the start. "Having the technical expertise is critical for ensuring proper oversight of the design, implementation, and maintenance of systems that ensure the safety of non-public personal information," he says. Ideally this CISO would be surrounded by individuals more focused on banking's unique operating posture and compliance standards.
In smaller community banks, or where critical systems are outsourced, hiring a candidate who understands bank compliance and has experience with the way end users use technology would be a better choice, in Martone's opinion. In this case outsourcing the implementation and maintenance of any complex security systems would reduce the technical learning curve by shifting the responsibility to one of vendor management. "This would free the CISO to focus on understanding the compliance requirements such as evaluating the risks, selecting and managing the vendors, and properly documenting and reporting to the board," he says.
Good Communicators Only Need Apply
Being able to communicate effectively is key for an IT professional joining a bank as its CISO, says Jennifer Spadavecchia, Vice President of Technology Risk Recruiting at Alta Associates, a Flemington, NJ-based information security recruitment firm. Her choice would be to hire an IT professional to train in banking. If a banker learns information security, the focus on risk won't be there, she says. "The banker-to-CISO would be focused on the accessibility and availability and what's driving their business, but they might not necessarily understand all the risks and the complications that technology presents," says Spadavecchia.
Communication skills are a must for the CISO who is coming from outside the banking industry. "As you learn about the bank and all of its complexities, you can better articulate the risks and understand how to tell senior management how they can secure those risks and mitigate them," she explains.
The shift toward the effective communicator with strong management skills has been happening for some time. "Effective communication skills are now essential to being successful, along with strong management skills," she says. The CISO is viewed as someone who can communicate the risks out there to the business in such a way that management understands. "The successful CISO is that person who can step into a board of directors meeting and speak to them on their level and in their language," Spadavecchia notes.
The shift has been happening not just in financial institutions; other businesses are also looking for information security professionals who have the experience and aren't just "into the bits and bytes but have more of a 'risk focus'," she says. They must do this while at the same time communicating that information security "IS" part of the business, and emphasize why it is so important, because most business leaders don't focus on security. "They [business leaders] want their services, their money, and their availability. They don't view security as important, just another hurdle to overcome," Spadavecchia notes.
The CISO's Choice: Banker
Stephen Katz, former CISO at CitiBank and Merrill Lynch, says he would choose Option 1 -- the banker who understands IT security, but who is a banker first. "To make a program work you have to spend a lot of time working with bank professionals and senior management to make them understand what needs to happen," Katz says.
Katz disagrees that a CISO needs in-depth IT knowledge, saying rather that they need to know and be comfortable enough in banking regulations "so they can speak with regulators." He adds, "If the CISO can't have a solid, in-depth conversation with the bankers and business managers, business executives and the CEO, they're never going to get their program off the ground, get the funding for it, and they'll never get people to understand why it's important to them." A CISO needs business skills first; IT skills can be learned. "CISOs need the expertise, but they don't really need to be a deep technologist."
Katz recalls examples of some of the solid people in the financial services industry who have come up through the business ranks, and some who have come up through the audit ranks, where they spent a great deal of time in banking. They understand how to have an intelligent conversation with the CEO and CFO. If the CFO is standing in the elevator and the CEO steps on, they will have a really meaningful conversation during their trip of several floors. "Generally speaking, if the CISO gets on the elevator with either of them, all he wants to do is get off the elevator," Katz says.
CISOs need to know how to say what is important about their jobs, Katz claims. "A CISO is not just a technologist trying to shut everyone out of their systems. They have to understand the critical role they play in protecting the reputation and confidence that the institution has." In order to do that, he says, they have to understand that they're not there just to check off boxes.
If an IT person is brought in and trained on banking, "they're never going to learn it," Katz says. It is a critical decision for an institution whom it chooses for the CISO position. The CISO is almost running "a business within a business," Katz says, where they are the chief security evangelist. "If they don't understand the products and services the institution offers, they can't do their job. They can't expect the business managers to understand what the security department does either, unless they're shown."
Regulations such as Gramm-Leach-Bliley and the ID Theft Red Flags rules put the CISO in the institution's boardroom, where Katz says it becomes immediately clear that "Information security is a business risk management issue, it's not a technology issue."