KPMG's Dan Manley on IT and Security Governance
RICHARD SWART: Hi. This is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we will be speaking with Dan Manley, who is a Senior Manager at KPMG's Risk Advisory Services Information Protection Practice. He has over 19 years of experience, and has both a CISSP and a CISM. Good morning, Dan.
DAN MANLEY: Good morning, Richard.
SWART: There are a lot of issues that are gaining prominence in IT management today, and one of the most interesting seems to be IT governance. I was wondering if you could summarize IT governance and why it is getting so much attention lately.
MANLEY: Richard, IT governance helps make sure that companies have the right systems and software in place to accomplish corporate goals. It drives efficiency and effectiveness of controls in a consistent manner, essentially making sure that the IT department and the operations department are dancing the same dance. IT governance can help align the IT strategy with the business strategy. As a result, KPMG has observed that companies are having more effective conversations related to risk management and the financial investment needs they require to develop a specific operating capability that meets the needs of the business within the overall organizational structure. It's getting a lot of attention right now, because the marketplace environment has changed so significantly, and business models continue to evolve, as a result of merger and acquisition activity, alliances and outsourcing. More than ever, companies need to take stock of what IT capabilities exist in the organization, how it operates, how it is controlled and whether it needs to be monitored on an ongoing basis.
SWART: What about the governance decision-making? Have you found any patterns, in terms of the most effective structures for IT governance, to make effective and timely decisions in companies?
MANLEY: I would say that there is no specific pattern, or trend, for a particular organization to optimize the decision-making. In today's business world, where infrastructure tends to be centralized, but application development continues to be decentralized, organizations need to define a framework, structure and a pattern that really makes sense within the context of their organization.
SWART: Well, Dan, what impact does IT governance have on companies, and does it really make a difference?
MANLEY: Good IT governance can have a tremendous impact on helping organizations to create value at an operational, financial, and regulatory level. In KPMG's view, IT governance represents the essence of risk management. It can help make sure that technology architecture, systems, processes and controls are designed to meet the business needs without overinvesting or exposing the organization to operational or regulatory risk that may not have otherwise been anticipated. In financial services, take an example where an application service provider may be engaged to support a particular line of business. In today's IT governance world, banks are actively engaging IT to evaluate the application service providers, to identify ways to get more from the ASP relationship, while they maintain an appropriate level of controls. Ten years ago, a business executive may have met an ASP service provider at a business conference, had a series of discussions about their individual services, and then engaged the ASP in a contract without any consideration of how to involve IT. There was often no risk assessment related to the security infrastructure or business continuity capabilities, and usually no thought given to how the ASP may affect the company's infrastructure. And yet, the IT department was affected, to integrate and operate with the ASP on an ongoing model, to meet the defined service levels. So, I'd say there has been a sea of change. IT departments now provide great leadership in all aspects of IT governance and the issues of risk and controls, to be able to add value to the business.
SWART: In talking about control frameworks, there are also a huge number of issues related to the regulatory environment we are operating under -- Sarbanes-Oxley, Gramm-Leach-Bliley, the Patriot Act, etc. Many of these regulations have forced senior managers and executives to deal with information security itself. What are some best practices that you can recommend to your clients regarding creating an IT governance process that effectively deals with IT security challenges?
MANLEY: Companies need a common framework and a model that is both reusable and sustainable, with specific objective metrics that can be monitored on an ongoing basis. Companies can achieve this by leveraging industry models, like ISO standards and Cobit, to accelerate the definition of the control structures and help expedite the adoption within the organization. Organizations should start with a risk assessment that can objectively rationalize common business requirements across the multiple regulations. The assessment should create objective thresholds that make sense to the business. For example, take a business impact assessment related to business continuity. Rather than having criteria that are measured in terms of high, medium or low, the company might want to define financial impacts using objective criteria, such as greater than $250,000, between $250,000 and $1,000,000, and greater than $1,000,000. This sort of objective criteria will make it easier to have a fact-based discussion with the business on the level of recovery capability that is required. I would add that in today's business world, we're moving at a rapid pace, which means certain business routines may need to be performed more frequently than they have historically. Again, a business impact assessment has historically been done on an annual basis, but that probably doesn't make sense in today's business world, and may need to be done more frequently as the overall business architectures evolve to meet the needs of the customer base, and the competitive advantage for the company within the market.
SWART: That's good advice. Well, let's switch gears for a second, Dan. Let's talk about financial services. When you do consulting with executives of banks, credit unions or thrifts about managing their processes, what advice do you give them about identity theft and ensuring their customers' data privacy?
MANLEY: Financial service companies really need to have a plan, Richard. Executives need to know where the customer data is within the organization, what systems it resides in, and which vendors have access to that information. Executives need to know where and how the data is moving, and specifically, what controls exist to protect that data. In today's business world, ensuring customer privacy is a difficult task. In my experience, when an incident occurs, it often takes considerable research and analysis to determine which customers and data have been impacted. Since timely notification is required in the event of a breach, it's more important than ever to build systems and controls that inventory customer data transmissions and catalog the associated controls that protect that data. Organizations need a coordinated approach, with input from business operations, the privacy office, legal and information technology to build a structured process with controls for adequate privacy and protection of customers. Then, when an incident occurs, company leadership, privacy officers and legal counsel can have a fact-based discussion about the due diligence that has been performed, what controls are in place, and as a result, who was impacted, as they design an appropriate response, to inform their customers, and also make an effort to remediate the situation moving forward.
SWART: Well, Dan, you've been in IT security for about 19 years. Can you talk to us about how the field has changed in the past few years, and what implications do these changes have on how to manage an organization's IT security function?
MANLEY: There has been tremendous change over the last 19 years. My observation is that there are now more threats, more systems and more change than anyone ever could have imagined when I started out in this industry. As a result, there is an increased expectation for IT professionals to take on a leadership role. They need to take initiative and demonstrate that they are also business leaders. Folks need to be careful not to talk in technical jargon. They need to converse in language that the business partners can understand, meaning, the IT professionals need to focus on communicating what are the risks, what is the impact to the business, and how can business objectives be met while managing the risk to the broader organization. Many professionals have a historical perception they are going to need to overcome, but with a meaningful business dialogue, a focus on actionable next steps, and the professional commitment to do what is right, IT security professionals can and will be accepted for the value they bring to the broader organization.
SWART: Well, Dan, you mention that an IT security professional has to now become a business leader, yet the vast majority of IT security professionals came up through the ranks of IT, computer science, network engineering, something like that. What are essential skills that an IT security person must have nowadays in business to allow them to succeed?
MANLEY: IT professionals need to develop skills related to the business, and understanding how the business process adds value to how a company makes money. They can develop these skills through professional education and taking business courses. But, frankly, investing the personal time to meet with business partners, to have a thoughtful discussion about what the process is they are supporting, what controls are in place, and how that drives value in creating revenue and controlling costs, is important. I would also say that IT professionals need to invest the time to understand what are the business regulations governing that particular business process. As IT professionals, we are frequently very comfortable to understand what are the relevant IT regulations, but making sure you are having a discussion with your business partners, to understand the business regulations is very important. IT professionals shouldn't feel that this is something they need to do on their own. Putting out a hand to your business partner and saying, "I need your help to learn more about your business," is very important. It can help the IT professional to overcome any perceptions that may exist from individuals in their previous position, or any missteps that have been taken in the past.
SWART: That's excellent advice. Well, lastly, Dan, I'd like to leave our listeners with at least one key lesson, or success factor that you have learned. So, I was wondering, is there one problem or issue that keeps rearing its head that you might have perspective on meeting, based on your experience over the years?
MANLEY: In my experience, each company is different, in terms of their customer base, scale, culture and organizations. This may seem obvious, but you need to communicate and collaborate, to design an IT governance structure and framework that makes the most sense for your organization. I correlate it to not every house in my neighborhood has the same floor plan, nor do they have the same finish. I have different needs with my family than my neighbor does with theirs. Businesses and companies are the same. So, when bank executives, or financial service executives are dealing with their advisors, they need to engage professionals that will invest the time to understand their specific challenges, and will make relevant recommendations within the context of their unique business environment. This will help to add greater value to the organization as a whole, and help to accelerate the implementation and adoption within the company.