Run Your Information Security Program Like A Business - Insights from World’s First CISO – Steve Katz
Steve Katz is a true luminary among the information security community. Known as the world’s first chief information security officer, Katz is widely regarded as one of the discipline’s thought leaders. In addition to his role since 1985 as a senior security executive for J.P. Morgan, Citibank/Citigroup and most recently Merrill Lynch, he has been a force at both industry and government levels in raising the visibility and shaping the direction of the security industry. He also serves as executive advisor to Deloitte’s security practice. Steve is well-known and deeply respected within both the financial services and securities industries and has testified to Congress on information security issues and was appointed as the financial services sector coordinator for critical infrastructure protection by the Secretary of the Treasury, and has spoken at numerous industry conferences. He also has served as founder and chairman of the Financial Services Information Sharing and Analysis Center, chairman of the American Bankers Association Information Systems Security Committee, vice chair Financial Services Roundtable Bits Security and Risk Assessment Committee, and member of both the New York Clearinghouse Bank’s Data Security Officers Committee and the Securities Industry Association Information Security Committee. And, most recently, last October he was honored with the Information Security Executive - ISE - Luminary Leadership Award from the Executive Alliance.
LINDA MCGLASSON: The past 25 years yielded a significant shift in priorities at financial institutions, especially in regard to risk management and information security; you’ve been there to see it all unfold. Would you do anything differently knowing what you know now?
STEVE KATZ: The technology in the world of information security and the world of networking has changed dramatically in the last 25 years. If you think about it, the PC is fairly new. The PC as we know it didn’t exist until 1985 or so, and local area networks and business department computing was really just getting underway. And the paradigm, then, was finding effective ways to keep people out of technology. In a sense, you would just lock the doors. And you have really strong barriers and really strong gateways between yourself and the outside world. And the outside world really being almost anybody who was not directly related to technology, or was not directly related to getting into a mainframe, which left a really small audience.
Barriers have dropped, borders have broken down, and information security which was one time primarily a technologically focused effort, has really become a business-focused effort. And I think if there is anything that could have been changed, and I think we are seeing a great deal of that change today, is moving more business-related tools and courses into the college level and graduate level programs for technology and manager information. At the same token, move more security courses into the business administration programs at the various universities. I think first and foremost the successful information security officer of today has to see himself as a representative of a business, and providing tools that will facilitate the offering of new business products and services. The idea is to find an effective way of continuing to say yes, as opposed to being the border guard and continually saying no.
LINDA MCGLASSON: Describe for those in our audience who are not aware of your amazing background how you got the title, “The world’s first CISO.” What was the situation like for you when you walked in the door at Citibank/Citigroup and some of the other organizations that you have led?
STEVE KATZ: When I started getting directly involved in the corporate world of information security, it was in data security, and that was at J.P. Morgan & Company. I was their data security officer. As we moved into the late ’80s, early ’90s, we changed that to information security. In 1994 Citibank was hacked by a team of Russian hackers and they broke into one of their financial systems. That wasn’t on the Internet; it was actually done on a dial up DEC system. As one of the byproducts of the break-in, John Reed, who was the CEO of Citicorp at the time, put together a task force of his senior managers from across the corporation, and asked them to figure out what had to be done to prevent a reoccurrence. And one of the key things they came up with (and I will be forever pleased with) is that they decided that the information security function, which had been distributed across Citibank and Citicorp, and had been integrally part of the technology world, should be elevated to an executive-level position. And they came up with the title “Chief Information Security Officer”; when I was interviewed and hired into Citi, that was when the title was offered to me. I reported to the Chief Technology Officer - and he reported directly into John Reed. The day I was hired at Citi, I was literally two down from the CEO and was able to make routine presentations to Citigroup’s risk management committee and Citigroup’s operating committee. So, it was viewed as a highly visible, incredibly business-focused position that had the eyes and ears of the executive managing team of Citigroup - or Citicorp at the time.
LINDA MCGLASSON: You were really in the hot seat.
STEVE KATZ: In the hot seat and we faced a tremendous challenge. When I came into Citi, it was myself, and two other people reporting to me. We were told to go ahead and make a program happen. Much of what we take for granted today in terms of security awareness did not exist. Much of what we take for granted today in terms of security incident response teams really didn’t exist. Much of what we have in place today in terms of building trust permits and building permit systems, developing life cycles, didn’t exist. And much of what we take for granted today in terms of attack and penetration testing programs didn’t exist. The beauty of it is I was given carte blanche to make it happen. Still had to fight for every budget penny that we had, but when I left Citi, our group of three really grew into a group of almost 500 people doing information security-related functions across the company. And it was high visibility at the most senior levels of Citigroup and Citicorp. I was there at the beginning and loved, and still love, every minute of it.
LINDA MCGLASSON: What kind of work are you doing with your consulting group?
STEVE KATZ: Work really focuses into a number of different areas. I am an executive advisor to Deloitte’s security practice and help them build an extended practice to work with a number of their client companies, which allows me to draw on the experiences I have had at Merrill and J.P. Another effort I have is The Roundtable Network, and we conduct executive roundtables with security executives across the country, and we will probably do 25 to 30 executive roundtables this year. And third, and one of the areas where I have the greatest amount of challenge and fun, is working with a number of new security products and services companies, and helping young companies become bigger and better companies, and doing either direct consulting with Citi on advisory boards and sitting on boards of directors. So, it’s a matter of staying current and staying on top of what is going on in the industry, and also provides me with a means of getting out and working with the heads of technology risk and heads of information security across the United States. I was the first CISO, but the title you see more and more of today is head of technology risk, which is just a whole different focus from what we had when I left the corporate world five years ago.
LINDA MCGLASSON: In your estimation, how far have the information security and financial services industry come in creating “total security” and how far do you see that we have still to go?
STEVE KATZ: I think one of the best things that has happened is that we have sort of stepped away from the term “total security” and we really look at essentially risk-based security. There is recognition now that you really can’t secure everything. And the financial industry, more than any other industry, is a risk-based industry. Every time a bank takes a position in investment instruments or extends credit card loans, they understand that there is a risk that that loan will not get paid back, or the investment instrument will tank. We have now begun to look at technology risk and security risk as something where perfection cannot be achieved. And you try and take a look at what areas provide you with the greatest level of risk, and what can you do to mitigate that risk, recognizing that you will never drive that risk to absolute zero. It says that we have to sit back and understand what are the alternatives we have in place to effectually protect the confidentiality, integrity and availability of information, and then make a decision as to how much we are willing to invest to offset that risk. And in some cases, recognizing that you will spend lots of money to prevent customer outrage, because that tends to be really critical. Are you going to spend less money, you know, protecting certain risk areas because you recognize that the amount that you could potentially lose or the impact on shareholders, the impact to their trust may not be as great as in other areas, and there isn’t an infinite amount of money or an infinite amount of supplies or an infinite amount of people that will allow you to protect everything with the same degree of focus. So I think the basic thing is, you recognize that you put a process in place today that works.
You forecast results, you attempt to achieve results as best as possible, and know that you have done a good job of working with the board of directors, which is a new concept, working with executive managers, which is a new concept, and briefing them on where you are and what levels of risk are being accepted, what levels of risk are being mitigated, and educating these folks understand that, just like credit risk and market risk, there is no 100% perfect solution.
LINDA MCGLASSON: Changing the corporate culture and financial institutions has been a long uphill battle at times, especially when it comes to enforcing security policies among employees. What did you find that worked in the organizations where you were in charge?
STEVE KATZ: I think the first thing is, people were very good at looking at security awareness as something that the security group will do and provide to the staff workers, and the worker bees of the company. And that is critically important. But what is equally as important was to put together an effective security awareness education and training program that went from the board of directors to the executive fleet through the senior management fleet to the middle management fleet so that they understood why - what we were doing and trying to do was important to the business. And one of the key things that we did - and actually I have a couple of videos at Citigroup - the awareness program, where we had the chairman of Citi stand up and say that Citibank, Citigroup only had two products: money and trust. And if you didn’t sell the trust, you weren’t going to sell the money. And we tried to make sure that everyone understood that we had a trust commitment to our customers, to our business partners and to employees, and it is up to us each individually to make sure that we work to maintain that trust commitment, and that all we are trying to do is put together programs that would allow us to live with our trust to our customer base. And here were certain tools that will allow that to happen.
It was really very much of developing awareness education and training from the very top of the corporation right down through to every last person whose feet had stepped in the corporation. It has to recognize that security was a direct responsibility that they had to live up to, and making them aware of why it was important to do that. And the awareness campaigns went beyond just the videos and just the annual taking security tests. They really tried to make them understand why sharing passwords was the wrong thing, why giving unauthorized information was the wrong thing, and why they should avoid trying to get access to information they weren’t meant to have in the first place. But it was really one of trying to implicate a culture of doing something that is important to the customer base, and here was another tool that allows us to do that.
LINDA MCGLASSON: Basically making it part of their everyday business actions that they would take.
STEVE KATZ: Part of their business actions and part of their business consciousness.
LINDA MCGLASSON: If you were approached by someone just starting out in the information security department at a mid-sized financial institution, what kind of advice would you offer them, and would you want to be a CISO or a risk management head starting out now?
STEVE KATZ: Iâ€™ve got to tell you, there is, as far as Iâ€™m concerned - and it may be a totally prejudiced view - there is not a better, more exciting, more uplifting career that you could possibly have than the one you have in information security. The people who do information security for a living are dedicated, committed and generally passionate about what they do, and they recognize that they are making a difference. I think if somebody is looking to move into that role, recognize that you are in that role to make a difference to the business you are supporting. You are in that role to also put together a business within a business. Technology is just one component.
We talk about people, process and technology; you have to make a reality in what you do. Itâ€™s a three-legged stool - and you have to balance the people, process and technology. You cannot have any tool without the third. And these are important things to focus on: Recognize that you are running a business within a business. Your role as the head of security - in addition to everything else you might be doing - a key role as the head of security is to be the chief security evangelist of the corporation, to make sure that you go out and meet with the business heads with various levels within the corporation so that - and create a level of credibility with them so that when a request comes through, or an answer comes through, they will be able to turn around and say, â€œGee, I know that person and heâ€™s pretty rational. Iâ€™m not sure he said that, or if he said that or she said that, there must be a reason for it.â€ So first be the CEO of this mini corporation called information security or technology risk. Put together a set of metrics that allow you to forecast results on a month-to-month basis. Translate those results, measure actuals to forecast, and have a really good process for analysis. Learn to put together a two-year rolling plan where you are taking a look at your forecasting further out, but youâ€™re always looking two years out so that your eye never comes off the ball. Itâ€™s that old - if you go to that old clichÃ© of, security is a journey, not a destination, just make sure you recognize it as a journey, not a destination. You continue looking at targets, milestones and tasks two years out in comparing where you are.
The next thing you need is a really good security marketing program, which is your security education training and awareness program. Then you need a technology program to make sure that all the technological tools that are you need are in place. Then you use folks who can help you put together an open governance process which is the ability to have results and responsibilities go from the top of the corporation on down. Then you are putting together an investigations and incident response program that really is the operations arm of the security area. Another possibility you will have within the security group is active control and administration. Make sure that you have people who are willing to get in there and work in the security operations area. Youâ€™re looking at marketing, sales, finance, metrics, operations, and forensics and incident response. And run it like a business. Your audience and your funders -- your board of directors, should very well be a security committee that is made of seasoned business executives across the company, and they are the ones who will be the on your board, they are the ones you are going to have to be accountable to, and they are the ones to whom you will present your results, and they are the ones who will be the ones to whom you will go to for funding.
LINDA MCGLASSON: There seems to be a disconnect between regulators and financial institutions in terms of interpreting regulation requirements. What would you personally like to see in terms of sharing best practices and expectations between regulatory bodies and those financial institutions?
STEVE KATZ: Please forgive me a very personal prejudice, but I would advise every security professional around, do not ever use the term “best practice.” There is no best practice, and if you’re trying to say you have one, you are held to a level that, you extend your best and somebody will always be better. You want to come up with a sound and prudent and acceptable practice. So I totally steer away from the term “best practice.” I want something sound, something acceptable, something effective, something prudent. The other is, there are multiple ways to deal with your regulators: (a) they are your regulators, they will examine your program and they will continue to force you to become better. So it is almost like playing football and every time you get close to the goalpost, they sort of move the goalpost a little bit. That’s not necessarily a bad thing. I think when Alfred Sloan formed General Motors, he had a sign over his desk that said, “When you stop getting better, you stop being good.” And I think to a certain extent the regulators want to make sure that we keep on being good by trying to make us better.
The other is to recognize that you do not have to have an adversarial relationship with the regulators. I think it is important to sit back and recognize they have some pretty good ideas. And while they can’t write standards and can’t write practices for us, they can provide a fairly good sounding board for what we are trying to do, and since the regulators tend to talk to the counterparts of other organizations, you are going to get pretty decent insight as to what some other companies are doing. Generally they are looking to maintain the safety and soundness of the institutions they are examining, and they generally are looking for things that will have a material impact on the safety and soundness of the institution. But they are also looking to us to put together a really focused program, and I think the rolling two-year plan that I mentioned before is something that you want to routinely go over with these guys, because it lets them know that you as a security professional are really looking forward and trying to keep the program moving forward, and that you are trying to move the goalpost as fast as they do, if not faster, and that you are really looking to provide a safe and sound environment for the technology and processes and people that are dealing with information security and with data.
LINDA MCGLASSON: Where do you see the biggest threat to cyber security at financial institutions? Is it coming from outside the firewall, or is it coming from within?
STEVE KATZ: If you think about it, the only thing an outsider tries to do when they go to break into a system is to become an insider. And, you know, that is almost self-evident when you think about it. When you try to guess an ID and password and try to break into a system, you are trying to become an insider. What you have with a real insider is somebody who is not only an insider, but generally is knowledgeable, who either through intent or through accident, they probably can and will expose the corporation to more potential damage than an outsider would. I think it is always a matter of figuring out how we deal with things inside the firewall, but also recognize we have opened our companies totally. The terms “insider” and “outsider” really get very, very blurry. A contractor we bring in, do we look at him as an insider or an outsider? Naturally, he’s an outsider who is an insider. Then we go out to third parties, and let’s say we’re going to outsource processing to you and outsource application development to you, we’re going to outsource services to you. And I know yesterday you were an outsider, but today you are an insider. And then the third party turns around and they subcontract out further, and then that subcontractor brings in an outside contractor. So, the line between employee and contractor really blurs. We then turn around and say we want our customers to be able to access our technology, products and services from anywhere at anytime, anyhow they want to do it. This whole thought about insider and outsider really blurs, and when I say the insider is a greater threat, we are really saying that everyone becomes a threat.
The person who is on the payroll and the person who has worked closely with our technology is a person who is a knowledgeable insider and probably poses a greater threat. But with the boundaries disappearing and the borders disappearing, it is impossible to say where the outside ends and the inside begins. It is sort of like taking a look at a glass and saying, what is the inside of the glass and what is the outside of the glass; it’s sort of one and the same.
LINDA MCGLASSON: What are your thoughts on stemming the data breach tidal wave? Is it more regulation? What’s your advice to FIs as to what they do to protect their customers’ data?
STEVE KATZ: I am not the world’s biggest proponent of more regulation. Regulations are generally put together by committee. I am not sure they always fulfill the objectives that they have when they were originally drafted. I think they are very well intentioned, and I think the third or fourth generation of regulation tends to be a lot better than the original drafting of it. But I think the tidal wave that we are looking to stop requires an awful lot of education across the company and education of customers.
It also requires the use of products that allow you to know unequivocally that, when you get a communication from a particular financial institution, we are approaching 100% confidence it really comes from that institution. I think you want to enhance the credibility of the product you are offering. We want our customers to do business with us. We want to make life easier for our customers. We want them to be able to transact with a mouse click, or we want them to be able to transact with voice response. We want to make sure that we really are dealing with our customers and our customers really have to make sure that they know they really are dealing with their FI. It is really up to FIs to come up with the tools to allow that to happen. But the tools have to pass what I lovingly call the “grandmother test.” If it is going to be difficult for your grandmother to use a tool, you don’t want the tool. And if it is going to be difficult for your grandmother to follow the instructions, you don’t want those instructions. So it’s really up to FIs to work with the vendor community to make sure that tools and practices are out there that will allow customers to securely transact and authenticate their business, effective mutual authentication for both the customer and the financial institution.
LINDA MCGLASSON: When you testified before the congressional subcommittee on the role of computer security and protecting the U.S. infrastructure in 1997, would you have predicted the state of information security we are now in 2007? Where have we made progress, and where do financial institutions still need to improve?
STEVE KATZ: I think we’ve progressed far more than I would have dreamed ten years ago. We really have come a long way --- if you look back to the Internet, the Internet was virtually not even there ten years ago. I think Microsoft just viewed the Internet as a non-event. Broadband was non-existent. Now, you are looking at being able to log on to a network at incredibly fast speeds, incredibly fast downloads. And I work with the vendor community who have come up with some products that really help secure the confidentiality, integrity and integrity of information. They really effectively improved the ability to ensure controlled access to these technologies. Potential is there - and it’s improving daily, aim is to provide seamless, secure connectivity between customer and financial services products, and doing it at speeds that we never even dared dream of five years ago, let alone ten years ago. And I think we have only just seen the beginning of it.
The PC was just coming to, you know, the scene, getting wide acceptance ten years ago. You now see more and more technology moving to mobile devices, and we now have to consider the implications and security of that. The number of opportunities to transact have really improved. The security has improved, although it’s not as transparent as I think we would like it, but I think the transparency will be there. I think the ability to have mutual authentication is moving forward rapidly. The ability to ensure that we have total confidentiality between the financial institution and the customer at all times is improving as well.
LINDA MCGLASSON: What would be your words of advice to the banks and credit unions who are out there in the trenches? What would you like to say to them?
STEVE KATZ: Get involved. You are not isolated. As I mentioned, the information security community tends to be one where people just work together. If you are not part of the FS-ISAC, get involved in that. If you are not part of other security organizations, start to get involved. Look at, you know, look at ISSA. Look to get your staff certified. And actually get involved. Recognize you are one phone call away from someone who is going to give you a hand. The other thing I would also suggest people do is make sure that, as you are involved, you stay involved both at a local and at a national level. And the other thing which comes in along with that is, if you are a small financial institution or a medium-sized financial institution, there is a likelihood that you will be outsourcing a lot of operations work to service providers. Make sure you thoroughly understand the security that is available and in place at your service providers. And I would suggest with that, if you have not already - if people have not already done so, take a look at the financial information shared assessment program at the BITS.org website, because there is a standard process there that companies can have in place that they can use to have their third parties assessed. Because, while you can outsource operations, you can’t outsource responsibility for security. Do whatever you can to make sure that you are dealing with folks who have had their security programs assessed by an independent third party.