
A day in the life of an information risk manager

Managing information requires a head for a crisis, an appetite for collaboration and openness to innovation
Written by The Economist Intelligence Unit

Many office workers the world over will be familiar with an e-mail from the premises team about routine carpet cleaning during the evening or over the weekend. Few, however, will suspect that intrigue and deception lie behind this seemingly innocuous communication, or that it may come from the information risk team instead.

Stephen Bonner, a partner in KPMG’s Information Protection and Business Resilience unit and a former head of information risk management at Barclays, has survived a number of crisis days during his career.

On one occasion, while he was working at an investment bank, it emerged that organised criminals had bribed the building security staff to turn off the surveillance cameras, so they could enter the operations floor.

The criminals used that access to attach keyboard logging devices onto the computers the bank used to process fund transfers. They came close to stealing £650m (US$1.1bn), but a misconfigured transfer alerted Mr Bonner and his team to the plot.
The episode called for some diligent risk management. Mr Bonner needed to locate and remove the physical loggers, but did not want to let the employees know that this was what his team was doing, in case one of them was involved in the plot. Staff were therefore told that they could not work in the evening because the carpet was being cleaned.
One of Mr Bonner’s information security team asked what they should do if the criminals showed up that evening. He told them to pretend to be real carpet cleaners; the last thing he wanted was for his team to confront the criminals physically.

“I’ve worked with many information risk teams, and they’re very bright people, very hard working, but they’re not the kind of people you want in a fight with organised crime,” Mr Bonner explains. “We tend to be better with laptops.”

Although not all crises are so dramatic, it is not always clear from the start how serious they are. In another example from Mr Bonner’s career, an employee had complained that someone was logging into their work applications during the night and leaving garbled messages. Mr Bonner and his team looked for evidence of an external party hacking into the employee’s machine, but were left baffled. It eventually emerged that the messages were the result of a cleaner giving the employee’s keyboard a particularly vigorous dusting.

“We misunderstood that right from the start, but you learn from those kinds of things,” Mr Bonner says.

It is during a crisis that information risk managers come into their own, according to Mr Bonner. “That’s when you’d hit the big red button and bring everyone in to deal with it,” he says.

Of course, the opportunity to resolve a crisis—however big or small—does not arise every day. But there are other, equally rewarding, contributions an information risk manager can make.

For Jitender Arora, an information security and risk executive for a major banking and financial services firm, the most enjoyable part of the role is working with colleagues to develop a new system or application. Regular whiteboard sessions with colleagues help him to understand the risks and find potential loopholes and attack vectors.

One of the challenges of the role is to make sure that information risk is considered as early on in a project as possible, Mr Arora explains. “Ideally risk managers would be brought in at the start of a project but it’s not always the case,” he says.


Another is to engage colleagues in the topic, so that they do not merely see information risk as a compliance burden. “It’s frustrating when people start seeing you as a tick in the box exercise and they are only interested in sign off and not a productive conversation,” Mr Arora says.

Indeed, Mr Arora believes that an information risk manager’s biggest contribution to an organisation is to allow innovation by taking a balanced view of the information risk. “If I can support innovative ideas that help the organisation make money, at the expense of some controls, that is one way I can really help the business.”

For example, Mr Arora’s predecessors at his current employer had decided that installing self-service terminals in certain locations was too risky. But seeing that this was an opportunity for the company to innovate and expand its reach, Mr Arora found a way to mitigate the risks. “If I can help them with risks in more meaningful ways, then, in a way, I have done my job.”

The field of information security evolves at an incredible pace, and keeping up to date is another challenge for information risk managers. “There is no end to the research an information risk manager must do or be aware of,” says Carl Blackett, the group data security officer at the ATPI Group, a travel management company. “This can range from a new vulnerability which needs to be risk assessed to a news article about a data breach and the resulting impact or a new piece of legislation which needs to be complied with.”

They also keep up to speed with what is happening within their own organisation. This might involve a daily review of all relevant activity, including updates on tasks assigned through the day, or conducting regular reviews of policy or processes to ensure the yearly risk management plan is being upheld.

However, this kind of work cannot get in the way of addressing emergencies as they occur. “Risks can arise at any time of the day,” Mr Blackett explains. “Usually the information risk manager is available on a 24/7 basis.”

Risk managers have a tough, varied job. But thanks to the growing business and media interest in security, now is the time for them to thrive, says KPMG’s Mr Bonner. “If you can’t do the job in this climate then you’re in the wrong role,” he says. “We have the attention, focus and funding to make a difference.”


