Banks' human resources departments learn how to hire, provision users, set policy and develop a culture around information security.
As a result of unprecedented security threats, two unlikely partners have been brought closer together: human resources (HR) and information technology (IT). The resulting knowledge transfer between HR and IT may help the IT department gain insights on how best to incorporate written policies into corporate networks. Also, human resources may learn a few lessons pertaining to organizational architecture.
"It used to be that human resources was pretty much a customer of IT in the organization," says John Payne, chairman and CEO of Preventsys (Carlsbad, Calif.), a provider of network security audit and remediation systems. Now, the communications are becoming more frequent and occurring at a higher level.
The relationship has evolved because information security concerns infuse virtually everything involving the management of human capital, including hiring and firing, training, assigning decision rights, setting compensation and evaluating performance. Bank Systems & Technology spoke recently with several knowledgeable information security professionals about how this trend might impact the financial services industry.
The theft of proprietary information was the single greatest loss category identified in the CSI/FBI 2003 Computer Crime and Security Survey, costing U.S. businesses more than $70 million in direct costs alone. Stanching the loss calls for specialists. "It's impossible to fill [data security needs] with one or two key hires," says Joerg Ferchau, president and CEO of iS3 (Cupertino, Calif.), which provides centralized security management for payments systems. "You really need to have a team."
But the team doesn't have to be in-house. For example, SecureWorks (Atlanta) provides outsourced Internet security, including firewall management, vulnerability assessment and network security, for more than 400 banking clients, from de novo banks to $40 billion institutions. The advice from Mike Cote, SecureWorks' CEO, is to "get someone who focuses on [security] for a living" to do the job right.
Indeed, joining a bank might not be the best career move for an information security professional. "What's their career path?" asks Cote. "You're probably not going to become the bank president if you were running the security organization within a bank."
Nevertheless, says iS3's Ferchau, "You can't have enough knowledge internally, ever."
Security professionals at financial institutions can help HR ensure employees don't become risks, especially as recruiting methods evolve. On the Internet, the employment pool is open. "The world of e-recruiting is an area that's doubled every single year for the last five years," says Jason Averbook, director of global product marketing for human capital management, PeopleSoft (Pleasanton, Calif.). But the increased number of applicants comes with greater screening responsibilities. Technology can help HR professionals screen candidates more quickly, for instance. "Within financial services specifically, some of the things that are often asked for are SEC searches, fingerprint reconciliation and credit history examinations," says Averbook. "These screenings are done now within a day to a day and a half. In the past, it would take weeks to months to get this type of screening done."
But HR's involvement with security doesn't necessarily end with the welcome packet. For employees in sensitive positions, ongoing psychological testing also makes sense. Indeed, when employees go home at night, they might be racking up huge gambling debts or otherwise placing themselves in compromising situations. "In the military, they look for things like financial need: if something drastic happens in their life, that person may become less trustworthy," says Rick Tracy, senior vice president at Xacta (Ashburn, Va.), a risk assessment technology firm with clients including several credit unions. In civilian professions, however, it's harder to do continuous security clearance to make sure there are no malicious insiders, says Tracy.
Help is on the way. The U.S. Secret Service and Carnegie Mellon's CERT Coordination Center have been looking closely at the insider threat issue, and plan to deliver a report that might help the industry come up with adequate responses. "For example, it may be that, say, 70 percent of all insiders were able to compromise networks because they were allowed access to places they weren't supposed to be," says John Frazzini, vice president of intelligence operations at iDefense (Reston, Va.), which provides its clients with executive summaries and daily risk reports on cyber-threats.