https://www.coursera.org/learn/business-of-cybersecurity-capstone/lecture/ScoFz/executive-viewpoint-on-governance-in-cybersecurity
How does the cyber security governance process work at SunTrust and how does it interoperate with IT governance and corporate governance?
Those approaches being used in the organization.
So how does cyber security governance interact with IT governance and corporate governance?
So running any business is all about managing risk. Because the gap between risk and your operation, frankly, in there is business. So what we do is we have subject matter experts that are positioned on how information security works and what kind of threats we face. Then they're overseen by operational risk people who take a risk perspective and then both of those organizations or constituencies are overseen by your audit function. All those three things converge at a board of directors at a CEO level to make sure that not only is someone accountable for the process, to keep things safe, that someone is overwatching them to make sure that there is balance and they're not taking too much risk. And the first two are observed by audit, that'll work for your executive, and in many cases, your board of directors, to make sure that those processes that they've asserted are operating, are actually operating correctly, and efficiently. So I would think that risk management within a banking organization is quite different from risk management in a lot of other industries. If you think about how these things fit together, sort of secure organization level strategy, IT governance and cyber security within a bank.
Can you articulate maybe one or two things that are just going to be very specific to your industry?
If you think about what a bank has to do, it has to be entrusted through your information and wants you to be able to transact like deposits, pay bills, and things of that nature. So for example, if the bank wants to take an online deposit, well there's some people who might open an account that try to make false deposits. So you might set limits, say, on how much can be deposited or maybe how much can be withdrawn on a certain day based on risk factors that you balance against convenience or frankly, inconvenience when you prevent a transaction from taking place. It's incumbent upon a bank or any financial institution really to make sure that we're providing the top level of convenience using digital technology. Letting your customer do what they need to do to be part of the financial system, but yet keeping it safe.
Right, if you could advise anyone of the two or three key things to consider in managing cyber security, the cyber security governance process specifically, what would that be? What would your advice be?
When I think about advice you'd give to anyone today, it's very challenging in the age where we're seeing specialized practitioners emerge. The first thing is to advise anyone that compliance doesn't necessarily equal security. You can download a checkbox list of things you should do to manage security from the web. Or you could look to a federal statute or other outside framework. But just checking the boxes isn't going to give you security. You have to look for the spirit of what you're trying to accomplish and make sure you're meeting the spirit of your objective of keeping things safe. The second bit of advice would be, be constantly vigilant. Bad guys are very inventive and creative, and frankly, working on a pure incentive compensation program. You have to think ahead of them and be right more often than they are. >> Great advice.