Need for an Information Security Practitioner at a Financial Institution
The focus on information security is not just a passing phase: we have seen it sustained over the past couple of years, and it continues to grow. So you can now begin to place yourself in a position to become that ideal security professional as this role evolves and expands, especially in banking and financial institutions, where information security plays a critical role because banks are committed to the security of their customers' financial and personal information. Financial institutions also have to abide by privacy, customer trust and information security laws and regulations, which have increased significantly in the past 5-6 years. In addition, the risk of financial loss from security breaches is on the rise, and steps need to be taken to address these very significant security issues, which plague the banking industry in particular.
The global environment in which financial institutions now operate brings with it a whole new set of challenges. Details of breaches publicized this year suggest that financially motivated, targeted attacks are increasing and that the criminal profile is shifting, from random, disorganized hackers to well-funded organized crime groups. As threats to financial institutions widen from technical and infrastructure threats to those affecting applications, data and people, the role of new security functions is also evolving from being IT-focused to being a business-centric issue.
Data leakage/loss (the TJ Maxx incident) has exposed deeply rooted, long-term problems in the way financial institutions have been managing their sensitive customer data. Identity theft is typically associated with credit card and mail fraud, but new methods, such as spear-phishing (targeted and convincing email attacks), are constantly emerging. Advanced versions include phishing and pharming (persuading people to disclose sensitive information through phony emails and web sites) and the use of malicious spyware and hacking to obtain sensitive information.
This brings us to the heightened need for an effective information security practitioner in a bank or a financial institution.
Who is an effective security practitioner at a bank? Let us look at a sample information security officer job description, its roles and responsibilities, and the ideal background required for this challenging position.
Sample Job Description:
This is a senior security officer position in a financial institution reporting directly to senior management. The senior security officer oversees and coordinates security efforts across the bank, including departments such as information technology, human resources, communications, legal, finance management and other groups, and identifies and establishes security initiatives and standards throughout the organization. The information security officer is responsible for planning, directing and coordinating the bank's information security policies, and for setting procedures and guidelines to ensure that all information systems are functional, secure and safeguarded throughout the bank and comply with the privacy, customer trust and information security laws and regulations applicable to financial institutions. The senior security officer is responsible for working with key individuals throughout the organization to develop business cases for new security projects and for the risk assessment of existing and planned information systems.
Additionally, the information security officer is responsible for providing leadership and for ensuring the technical and administrative support needed to develop Disaster Recovery and Business Continuity programs for the bank. Direct reports will include security engineers/analysts and other technical staff members.
An information security officer should approach their role determined to make a difference to the business they are supporting. This advice comes from someone who knows how to make a difference, Steve Katz, who was the first Chief Information Security Officer (CISO) of a major financial institution, Citigroup, back in the mid 1990s. "There is not a better, more exciting, more uplifting career that you could possibly have than the one you have in information security," Katz said, making the information security career path an easy choice. He added, "The people who do information security for a living are dedicated, committed and generally passionate about what they do, and they recognize that they are making a difference."
- Monitor access to all systems and maintain access control profiles on the computer network and systems. Track documentation of access authorizations to all resources.
- Develop and/or maintain appropriate Segregation of Duties within and across applications.
- Research and investigate measures that address data security risks and potential losses for reporting purposes.
- Install, modify, enhance and maintain data system security software.
- Work on determining acceptable risk levels for the enterprise and ensuring the IT environments are adequately protected from potential risks and threats.
- Participate in development and implementation of the appropriate and effective controls to mitigate identified threats and risks.
- Follow up on detected security issues and implement solutions to reduce security risks.
- Assist in the research, development, communication and maintenance of IT security architecture, policies, procedures, solutions and standards, and work with the operational units on their enforcement.
- Oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
- Support improved data security awareness and education including on-call availability.
- Responsible for staying abreast of the latest industry security practices and technologies.
- Meet with Business Owners to analyze, document and define requirements associated with new development or maintenance and enhancements to existing security roles and permissions. Review completed roles/permissions with users to ensure requirements are fully met.
- Deliver services that meet regulatory specifications. Work with internal and external auditors to document and confirm that all security administrative duties are properly performed as well as demonstrate overall compliance.
- A Bachelor's degree in computer science or a related field, with a minimum of 8+ years of progressive experience in information security and the banking industry.
- Must be an intelligent and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff, acting as a bridge between IT and business process owners.
- Certification is required, such as CISA, CISM or CISSP (or willingness to pursue); to access our in-depth guide to certifications, please visit
- In-depth knowledge and experience in the following information security areas:
- Information security assessment and auditing procedures, from both technical and business perspectives, and the use of formal methodologies such as NSA IAM
- Vulnerability scanning and auditing tools
- Enterprise-scale network and host-based IDS architectures
- Enterprise-scale firewall architectures
- E-commerce application security
- Computer investigation and forensics methods and technologies
- Secure messaging architectures
- Strong knowledge of the regulatory bodies overseeing banks, credit unions and financial services organizations, such as the FDIC, FinCEN, Federal Reserve Board, Office of Thrift Supervision and NCUA, and of the regulations and guidance issued by these bodies.
- Strong knowledge of privacy laws, such as GLBA, SB1386 and SOX.
- Must possess strong project management and leadership aptitude; demonstrated professionalism in managing multiple projects and resources effectively.
- Should have experience with business continuity planning, auditing, and risk management, as well as contract and vendor negotiation.
- Outstanding communication skills: must be proficient at communicating across all levels of the organization and at building successful relationships.
The following link provides a guide to information security certifications which may be of use in deciding what path your career will take: In-Depth Guide to Information Security Certifications