Podcast Transcript of Debbie Wheeler, Fifth Third Bank CISO
Richard Swart: Hi, this is Richard Swart with Information Security Media Group. Today I'll be speaking with Debbie Wheeler, CISO of Fifth Third Bank. How are you doing this morning, Debbie?

Debbie Wheeler: I'm doing well. Thank you.

Swart: I appreciate you taking time to talk to us today. I'd like to talk about some of your experience. I know you have an extensive background in information security, and you've also spent quite a bit of time there at Fifth Third Bank working on issues around identity access management. I was wondering if you would tell our listeners, what are the critical success factors for an identity and access management program?

Wheeler: I'd have to start with understanding what roles the organization uses or needs. That's probably first and foremost. And some of the conversations that Fifth Third has had with some other financial organizations that are attempting to implement identity and access management programs, specifically around provisioning; roles are the number one concern that's raised over and over again. Fifth Third started about four years ago defining the roles that they were going to use to provision access, and having that structure in place has allowed us to very rapidly deploy over 200 applications to a centralized provisioning product from which we delegate and administer access and entitlement. I think the biggest challenges in trying to obtain or administer an access and identity management program are really selling the value to senior management.

Swart: What are some of the management challenges you've faced, including end user and training issues?

Wheeler: This isn't a program that's going to generate revenue. It's not a program that's highly visible unless you are a new employee who is patiently waiting for access to be granted for applications that you needed to get into two or three days ago. Technically it's just, it doesn't have a lot of visibility within an organization, and because of that, it's hard to get funding at times, and it's hard to demonstrate the value add of having a provisioning tool in place.

Swart: What other risks are demanding most of your attention right now?

Wheeler: There're several risks, I think, that demand a lot of attention from myself and my staff. And some of them don't necessarily have to do with the bank, but have everything to do with our customers. We're seeing an increase in our social engineering attempts against customers. Obviously phishing has been a significant concern for many customers. And we're just seeing a rise in the amount of malicious code that targets the home computer user. Our experience so far with the home user is that they just are not as diligent about maintaining the state of security of their computer systems as say the bank or some other large financial organization is. As a result, they have a tendency to have a lot of malware on their systems, unbeknownst to them, that captures their keystrokes, captures their credentials, and can be used against them to access their account. And it's not until they've had a breach against their account that it's even realized that there may be a problem with their computer system. And usually they come to that realization as we're walking through over the phone with them some things that they can check to validate whether or not their system is secure. That's probably the biggest challenge we have: educating our users about proper security for their home computers as well as just being available to them and guiding them, providing them with guidance and education and awareness. From the bank's perspective, kind of taking a look inward, I think our largest challenges are going to be in the application security space. And in doing secure source code reviews with our application development teams. So those are probably the two largest challenges that I have right now.

Swart: Have you actually implemented web vulnerability analysis tools or static analysis tools?

Wheeler: No, we've not implemented them internally. Typically, what we do with programs that we're just getting off the ground, we utilize third-party resources. So, we have a couple of trusted vendors right now that we're using to do some source code reviews for us. We've also utilized some third-party vendors to do training and education for our application development teams on secure source code development.

Swart: Interesting approach. Well, how has the Fifth Third dealt with data leakage problems and what lessons have you learned that you might be able to share with our listeners?

Wheeler: We've spent quite a bit of time talking to vendors about data leakage prevention over the course of the last nine months. And we've really used 2007 as a year to evaluate technologies as well as put a road map together for what we want to do in 2008. So, in terms of actually implementing any technology for data leakage, we have not done that. We've done some preliminary things with some of our devices at our perimeter, looking at Social Security numbers and bank account numbers and any other pieces of customer confidential information that might be attempting to leave the organization. But we've done enough analysis to know that there could be a problem, and we are putting our plans in place for addressing that in 2008. And right now our plans are to target the e-mail space and removable devices first. In talking with vendors, we've found that because we've spent so much time this year really analyzing this space, the problems in general, the various channels which could be affected by data loss, we've been able to come up with a pretty rock solid plan for attacking this over the next three years, starting with e-mail and USB devices in 2008, and then moving beyond that in '09 and then in '10. And what we're hearing from our vendors is that our approach is probably the most solid approach that they've seen. So, it's just going to be a matter of getting the funding and carrying that off then in 2008.

Swart: You're definitely taking a long-term perspective. I'd like to tap your experience a little bit. What are some of the biggest changes that you've seen in information security during your career in banking?

Wheeler: Probably the biggest change is the focus on risk. As opposed to when I started in this field, the focus was on information security was about controls and saying no and telling users what they could not do. Now the focus is really more on risk and evaluating each and every risk and determining whether or not the organization can deal with that level of risk. Whether it's more expensive to implement a control versus taking your chances with the risk and perhaps the fines for the loss that might result from that. So, we've really gone from security being solely about saying no and implementing tough controls to security being about risk evaluation and trying to strike the proper balance between allowing the business to absorb some level of risk and also protecting the business from taking on too much risk.

Swart: What about the profile of the information security function and how information security relates to governance? How has that changed?

Wheeler: I think again it involves that whole risk approach. From a governance perspective we're still about policy and standards, and we still are about reviewing compliance with policy and standards. But where we've seen the biggest shift is in what we do once that review is completed. In sitting down and talking with the business about the level of risk that they're willing to take and whether or not controls are required, and what level of controls are required. In the past, I think there were some very stringent controls that were always offered to a business unit upon a risk evaluation or upon some degree of compliance evaluation. There wasn't a lot of risk approach or tactic that was used to determine whether the controls were appropriate or whether they were overkill for a given situation. And now we're seeing a lot more focus on controls appropriate to the level of risk.

Swart: We're going to turn back to end users for a minute. You know one of the major risks that you identified was the client side malware and you've mentioned the fact that many of the times they'll call in and your staff will walk them through some issues with their computers. Obviously, you're investing a lot of time and resources in working with your end users. How have you gotten management commitment for that, and also what have been the best approaches you've found for educating your end users?

Wheeler: Well, I think we're in the business we are in because of our customers. So, the support from senior management has been unquestioned. They understand that if they want to retain good customers, everybody has to be willing to step up to the plate and offer the customer whatever support and guidance they need. And we're seeing that with the security space as well. It's no longer about simply protecting the bank's assets; it's about being able to reach out or be reachable by the customer and help the customer understand what they need to do to secure their assets and their identity. So, we've had a number of opportunities over the course of the last year to reach out into the community. We've done a number of security awareness events at our branches where we've had opportunity to actually meet with and talk to customers about things they can do at home to properly secure their computer. We've offered them software packages that they can load. We've given out brochures. We've given out magnets with contact information. Anything that we can do to get in front of the customer and reinforce good security practices for their home use, we're evaluating and getting out there and trying to enforce. We've done a number of mailings to customers. We've done a number of pop-ups and other forms of communication via our internet channel. We've made a lot of material available to our customers on the internet, so when they log in for internet banking, they have the option of going into the security center and looking at a variety of material that we've got posted out there about identity theft, check fraud, phishing, other forms of e-scams, as well as malware. And then proper security practices for use on their home systems. And that's pretty much how we try to address end user awareness, customer awareness, and make ourselves available.

Swart: You guys are doing an exceptional job. What do you know now that you wish you knew when you started out in this field?

Wheeler: Oh, goodness. I guess I wish I knew how resistant organizations are to security. It's a control. People have a hard time seeing the value add. And I wish I knew that when I started and could maybe have better prepared myself for the arguments that I would be presented with over the course of my career. Around what value it's going to bring to the organization. Or you know, why should I spend money on this when I could spend money on this over here and I'm actually going to be able to generate revenue from this. I think every good security practitioner needs to be prepared for those arguments and needs to know coming into this field that those are the types of arguments they're going to be met with as soon as they walk in that front door.

Swart: My one last question is what advice would you give to someone starting out in this field? I'm also particularly interested in advice to women. You're one of the, not one of the few, but women are the minority in the leadership ranks of information security in our country. What encouragement or advice would you give someone just starting out?

Wheeler: I think the first piece of advice I would give to anyone starting out or wanting to get into the information security field is one, understand the business that you're going to be working in. So if you're going to work in financial services, try to get as much information and knowledge about the business of financial services. Not necessarily security. The same is true for health care. Understand the business you're going to be operating within, because then you'll understand what their drivers are and how security plays a role in that business. Security's never going to drive the business. At least not in financial services. Not in health care. But it is a key partner to the business. And then secondly, get as much of a technical background as you possibly can. I had the good fortune early on in my career to kind of start out in the operations area, moved into the help desk area. Did PC support for quite a while. And networking support for quite a while. I've only been in security for the last 12 years, but I've spent probably a good 10 or 12 years prior to that building the technology background that has really enabled me to understand the challenges of security from a technology perspective while also learning the business challenges.

Swart: Just speaking off the cuff, it almost sounds like a tall order. Is it easy for you as an executive to find people that have that mix of technical skills and business acumen?

Wheeler: Not at all. Not at all. At my last position, the challenge that we had was we were firing up an IT organization that had previously been comprised solely of outsourced resources. And trying to build that IT department in house over a very short period of time resulting in hiring a lot of very, very technically savvy individuals who had absolutely no background in banking. And the challenge that created for the organization was you had almost 2,000 technical people trying to put the best technical solutions in place without any consideration for what the business needed out of those technical solutions. And that resulted ultimately in the organization creating what they called a Business of Banking class and requiring every IT person in the organization to go through that. And it was kind of a crash course in what is banking, and who are the customers you're trying to service. And what are their needs? And how do you take those needs into consideration when you're developing technical solutions? And even in my position here at Fifth Third, I find that to be true. I find that people think that they can come right into the security field, usually right out of college having had no practical background or experience in technology, let alone in financial services. And the challenge that presents is they come into this field thinking that it's very black and white. They can either say yes to something or no to something. And they don't understand the challenges of the business. They don't understand the challenges of IT, and that there are never any black and white answers. There are lots of shades of gray, but it's never very clear in terms of things being black or things being white.

Swart: Well, excellent advice, and I know that many of our listeners are probably struggling with that exact same challenge, trying to find people with that business acumen. Too many of the security programs are very focused solely on encryption technologies and network technologies and we're not addressing our business needs to any extent. So.

Wheeler: Yeah, and the challenge of that, when they get so very focused on leading bleeding edge technologies is it's very rare to find companies out there that have the budget to invest in some of those bleeding edge technologies. And I don't think that that's something that always makes its way into the classroom. There's a cost and there's a balance to implementing technologies to encrypt information or to do any other type of a control within an organization. And when you have security individuals who understand the business challenges as well as the technology challenges, chances are you've got a much better balanced individual who can offer much better balanced solutions to the organization.

Swart: Well I appreciate your time today, Debbie. It's been great information.

Wheeler: Thank you.

Swart: Thank you for listening to another podcast with Information Security Media Group. For other podcasts or for other educational content regarding information security for the banking or finance industry, please go to www.bankinfosecurity.com or www.cuinfosecurity.com.


About the Author

Richard Swart

Editorial Contributor

Richard Swart is a contributing writer for BankInfoSecurity.com and CUInfoSecurity.com. Swart is currently pursuing a Ph.D. in Management Information Systems at Utah State University. His areas of expertise include information security program management, including all aspects of governance, risk management and auditing. Recently, he led a nationwide research project comparing the information security competencies and skills needed in the industry versus those taught in academic programs. Swart routinely interviews banking regulators, industry leaders and other information security practitioners for BankInfoSecurity.com and CUInfoSecurity.com.