Security Insights: What it Takes to Protect the Institution and its Customers
Interview With Debbie Wheeler, CISO, Fifth Third Bancorp
Information Security Media Group (ISMG), publisher of BankInfoSecurity.com and CUInfosecurity.com, recently posed a few questions to Debbie Wheeler, Chief Information Security Officer for Fifth Third Bancorp, headquartered in Cincinnati, Ohio, with approximately $111 billion in assets under management. In her current role she is responsible for establishing policy, standards and governance over the implementation of Information Security controls and procedures, as well as end user education and training for the Bancorp.
Upasana Gupta: What are the proactive approaches a security leader at a bank needs to take to secure business and reduce risk?
Debbie Wheeler: First, the security leader needs to understand the business and the goals the business has, or wants to achieve. Working in a collaborative fashion, the security lead and the business leads need to agree on what degree of risk is acceptable, or what the business can or is willing to live with and what it is not. Oftentimes, what the business says they are willing to live with will be more risk than a security leader is comfortable with! But having the discussions and establishing ongoing communications about trends in security, and matching those with trends in the business or industry, is key to establishing a balance between security and business risk.
Gupta: How do you go ahead and ensure that you provide adequate security and invest in security, and at the same time meet your customers' demands and take a proactive, risk-based decision and approach?
Wheeler: Understanding the industry segment that your business participates in and the regulatory environment that governs that segment is key to establishing baseline controls that need to be in place. Helping the business to understand that certain regulatory controls are the "entry costs" for participating in that business segment is crucial to obtaining funding for the initial rollout of a security program. It's also critical as a security leader to be informed on trends and directions in both your industry and in the security field. You want to ensure you are aware of security trends and are helping the business prepare to address them through ongoing investment in security technology and process improvement. Customers want to know that the information they have entrusted to your care is secure; they have tremendous power in driving the investments that companies make in their security program. When companies fail to listen to customers' needs and demands, the government steps in and puts regulations in place. This is driving a lot of investment in security that certain business verticals must make.
Gupta: What steps are banking institutions taking to safeguard themselves from fraud?
Wheeler: Fraud happens in two primary ways:
1) When resources internal to a bank take advantage of their position, their access or processes to commit fraud, and
2) When customers fail to educate themselves about the risks associated with their activities online, or fail to take the necessary steps to protect their information.
Banks spend millions of dollars annually to ensure that technology, such as fraud detection systems and perimeter and application security controls, as well as access controls, is in place. Screening and background checking, as well as credit checks on employees, are commonplace to ensure that the workforce serving the customer is unlikely to take advantage of their position or access. Customers need to make investments, too, in order to prevent becoming victims of fraud. Simple steps like shredding unwanted mail or old bills before disposing of them, and ensuring computer systems used to access online banking and bill pay are secure and free of malware before using them, cost little but go a long way towards protecting a customer's information and keeping them from becoming the next fraud victim.