A day in the life of an information risk manager
Managing information requires a head for a crisis, an appetite for collaboration and openness to innovation.
Written by The Economist Intelligence Unit
Sponsored by:

Many office workers the world over will be familiar with an e-mail from the premises team about routine carpet cleaning during the evening or over the weekend. Few, however, will suspect that intrigue and deception lie behind this seemingly innocuous communication, or that it may come from the information risk team instead.

Stephen Bonner, a partner in KPMG’s Information Protection and Business Resilience unit and a former head of information risk management at Barclays, has survived a number of crisis days during his career.

On one occasion, while he was working at an investment bank, it emerged that organised criminals had bribed the building security staff to turn off the surveillance cameras so they could enter the operations floor.

The criminals used that access to attach keyboard logging devices to the computers the bank used to process fund transfers. They came close to stealing £650m (US$1.1bn), but a misconfigured transfer alerted Mr Bonner and his team to the plot.

The episode called for some diligent risk management. Mr Bonner needed to locate and remove the physical loggers, but did not want to let the employees know that this was what his team was doing, in case one of them was involved in the plot. Staff were therefore told that they could not work in the evening because the carpet was being cleaned. One of Mr Bonner’s information security team asked what they should do if the criminals showed up that evening. He told them to pretend to be real carpet cleaners; the last thing he wanted was for his team to confront the criminals physically.

“I’ve worked with many information risk teams, and they’re very bright people, very hard working, but they’re not the kind of people you want in a fight with organised crime,” Mr Bonner explains. “We tend to be better with laptops.”

Although not all crises are so dramatic, it is not always clear from the start how serious they are. In another example from Mr Bonner’s career, an employee had complained that someone was logging into their work applications during the night and leaving garbled messages.

Mr Bonner and his team looked for evidence of an external party hacking into the employee’s machine, but were left baffled. It eventually emerged that the messages were the result of a cleaner giving the employee’s keyboard a particularly vigorous dusting.

“We misunderstood that right from the start, but you learn from those kinds of things,” Mr Bonner says.

It is during a crisis that information risk managers come into their own, according to Mr Bonner. “That’s when you’d hit the big red button and bring everyone in to deal with it,” he says.

Of course, the opportunity to resolve a crisis—however big or small—does not arise every day. But there are other, equally rewarding, contributions an information risk manager can make.

For Jitender Arora, an information security and risk executive for a major banking and financial services firm, the most enjoyable part of the role is working with colleagues to develop a new system or application. Regular whiteboard sessions help him to understand risks together with colleagues, and to find potential loopholes and attack vectors.

One of the challenges of the role is to make sure that information risk is considered as early on in a project as possible, Mr Arora explains. “Ideally risk managers would be brought in at the start of a project, but it’s not always the case,” he says.
Another is to engage colleagues in the topic, so that they do not merely see information risk as a compliance burden. “It’s frustrating when people start seeing you as a tick-in-the-box exercise and they are only interested in sign-off and not a productive conversation,” Mr Arora says. Indeed, Mr Arora believes that an information risk manager’s biggest contribution to an organisation is to enable innovation by taking a balanced view of the information risk. “If I can support innovative ideas that help the organisation make money, at the expense of some controls, that is one way I can really help the business.”

For example, Mr Arora’s predecessors at his current employer had decided that installing self-service terminals in certain locations was too risky. But seeing that this was an opportunity for the company to innovate and expand its reach, Mr Arora found a way to mitigate the risks. “If I can help them with risks in more meaningful ways, then, in a way, I have done my job.”

The field of information security evolves at an incredible pace, and keeping up to date is another challenge for information risk managers.

“There is no end to the research an information risk manager must do or be aware of,” says Carl Blackett, the group data security officer at the ATPI Group, a travel management company. “This can range from a new vulnerability which needs to be risk assessed, to a news article about a data breach and the resulting impact, or a new piece of legislation which needs to be complied with.”

They also keep up to speed with what is happening within their own organisation. This might involve a daily review of all relevant activity, including updates on tasks assigned through the day, or conducting regular reviews of policy or processes to ensure the yearly risk management plan is being upheld.

However, this kind of work cannot get in the way of addressing emergencies as they occur. “Risks can arise at any time of the day,” Mr Blackett explains. “Usually the information risk manager is available on a 24/7 basis.”

Risk managers have a tough, varied job. But thanks to the growing business and media interest in security, now is the time for them to thrive, says KPMG’s Mr Bonner. “If you can’t do the job in this climate then you’re in the wrong role,” he says. “We have the attention, focus and funding to make a difference.”