Sunday, August 18, 2019

Thoughts after the 2019 GRC Conference

For three years in a row, I've been invited to speak at an IIA (Institute of Internal Auditors) event. This year, I spoke at the 2019 GRC Conference, which ISACA co-sponsored. It took place at a breathtaking resort in Fort Lauderdale, Florida. Thanks to Sheena Majette, Ashley Jones and the rest of the fantastic IIA crew, it was an event to remember.

I'd like to share with you my thoughts about this event while still fresh on my mind.

Venue: The venue was stunning, to say the least. I wish I could wake up to this type of scenery every day of the week. On the professional front, the conference center was well-organized with the right levels of lighting and AC and good placement of screens. The staff, both from IIA and the hotel, were very attentive and caring. Wi-Fi coverage was strong, and the hotel served good food.

2019 GRC Conference in Fort Lauderdale - enjoying the scenery before my speech

Speakers: The line-up of speakers was impressive. The event featured two well-known keynote speakers (Simon Bailey and Patrick Schwerdtfeger) both of whom I had the pleasure of watching at previous conferences.

Simon is an upbeat and inspirational motivator with a long pedigree in corporate life. He transformed himself into one of the sought-after speakers I enjoy watching on stage. He talks about how to be the best version of ourselves and offers various techniques to achieve our full potential.

Patrick is a futurist and has an optimistic view about how technology could improve and change our lives. He talked about Machine Learning, Virtual Currency, and Automation among many other topics. He stressed that government regulation may be the only trailing piece holding back mass adoption of many technologies (automated driving, bankless transactions etc.) that are already here.

There were two other sessions that stood out to me:

The first was led by Iman Joshua who gave an energetic speech about Risk Scoring Models and how they could be used to drive stakeholder engagement in corporations. While her ideas and examples were real and actionable, the way she delivered her speech made the difference for me. She connected immediately with her audience by joking about how to say her name without butchering it and never looked back. On the more technical side, she offered good ideas in terms of how to measure success of software security by focusing on key metrics such as "defect density" and gamifying how this information is shared with software development teams and senior leaders.

The second one featured Game of Thrones, of which I am a big fan (who isn't?). Pam Nigro did an excellent job comparing and contrasting cybersecurity issues with the popular HBO show. The examples she used were not only entertaining but also spot-on. Granted, you would not appreciate it as much if you know nothing about GoT, but there were so many parallels that resonated with me personally. For example, compromised insiders have been a real threat in GoT as well as in cybersecurity. Lord "Littlefinger" Baelish and Lord Varys "The Spider" are depicted as master manipulators on the show and are extremely adept at obtaining information by forming alliances with insiders. We all know that most cyber threats of today are caused by company insiders - especially IT administrators who have privileged access to the organization's crown jewels.

My Speech: I talked about Continuous Security Validation on the first day of the conference. If you're interested in the content, please take a look at a short blog post I wrote on the ISACA Now portal.

Being an analytics and measurement guy, I measure the success of my talks as follows:

- How many people showed up (Rating: 5/5): IIA gave me the biggest venue (Great Hall 4) where all the main sessions and keynotes took place. While I will get the official attendance numbers in a few weeks, my estimate is that 300-350 people turned out, which is a very healthy number.

2019 GRC Conference - checking out the venue the day before my speech

- How did the technology (audio etc.) stack up (Rating: 5/5): No issues with audio, slides, clicker... What I really loved was that I had two prompters in front of the stage facing me - one showing my current slide and the other displaying the next. In the middle of them was a timer which was counting me down. Overall, it was flawless - thanks to IIA's Samantha Lazo and her team for taking care of the technology.

- How was my content (Rating: 4/5): I must admit that I struggle from time to time with putting together the right level of content for an audience with varying degrees of knowledge in my topic. Questions I always think about before a session: Do I skip the theory and go right to the examples? Do I go in depth in one concept and neglect the others?

In this particular speech, I went for a 55-45 split and spent about 55% of my time introducing concepts and frameworks such as ATT&CK MITRE and OCTAVE. The remaining time was spent on practical examples and getting questions from the audience.

The next time, I may cut down the theory a bit more and go for a 50-50 split.

2019 GRC Conference - My speech is underway

- How was the audience engagement (Rating 4.5/5): Overall, I'm happy with how much the audience was engaged with my session. Due to the size of the room, I had to defer the live questions to the end, but was able to live-poll the audience by the very advanced "raise your hand" technique throughout the session. I am still evaluating whether I should switch to the live-polling apps. Maybe next time...

At the end, I allotted 12 minutes for questions of which I received and answered four well-thought-out ones. I also took several questions from participants who walked over to the stage at the end. People not walking out on you is usually a good sign.

2019 GRC Conference - A healthy turnout for Continuous Security Validation 

- How was my time management (Rating 5/5): When I was a less experienced speaker, I used to run out of time before being able to take questions. Thanks to the timer counting me down and some advance planning on my part, I wrapped up my content with plenty of time for questions. I think I nailed time management this time 😃

- How was my delivery (Rating: TBD): I got good feedback from several folks who came to talk to me after my session. However, I will wait for the IIA to give me my official score card before I start patting myself on the back. I hope the results will be similar to those from 2017, making me a top-rated speaker and earning me a spot at the next All-Star Conference - an invitation-only event for top speakers. Fingers crossed...

My takeaways:
  • I love attending events in Florida and can't believe this was my first conference in Florida since my days with EY. For the record, the last conference I attended in Florida before this one was in 2009. 
  • The future is here. All of us in IT, Security, Risk Management or Audit need to quickly adapt to it or we'll be left behind. 
  • People seem to be interested in the concept of Continuous Security Validation, but there are not many companies that have started using it in a mature way. Case in point: when I asked my audience how many people know of ATT&CK MITRE, about half (150 or so) raised their hand. When I followed up with "who is actually using it", only a handful gave an affirmative hand-raise.
  • Personal Note: I feel I need to think about how I can incorporate more well-known anecdotes into my speeches.
PS: Photo credits go to Zeynep Mulayim of my team. She is not only a great leader in risk management at SVB, but she provides me with much needed support during these events.


Sunday, June 30, 2019

Continuous Security Validation

I will be speaking at the upcoming GRC Conference in Fort Lauderdale, Florida on August 12, 2019. This conference is co-sponsored by ISACA and IIA, and this will be my third time speaking there.

My topic is "Continuous Security Validation" which, if implemented right, can really help an organization stress-test its cyber security stance and make corrections before it's too late.

Continuous Security Validation is a more comprehensive approach than traditional control testing, because it allows an organization (think of internal red teams) to take an attacker's point of view and simulate cyber attacks using various real-life scenarios. Key parameters of this approach include the following: 



In advance of the GRC Conference, ISACA asked me to write a short post for the ISACA Now Blog. Feel free to check it out if you're interested in learning more about Continuous Security Validation. The post provides a basic overview of this somewhat newer concept. I am planning on going deeper in my session.

Of course, it'd be great if you could drop by my session in case you're attending this conference.

Cheers,

Berk




Thursday, November 22, 2018

Three Lines of Defense & Cyber Risk

I’ve been reading and thinking a lot about the role each Line of Defense should play when it comes to cyber risk.

The Three Lines of Defense concept has been around for a long time. It provides a logical separation for organizational functions that sit in different parts of the company and have distinct (at least on paper) roles. It's a staple in highly regulated industries such as financial services.

As a reminder: 
  • The majority of an organization belongs to the first line. These are the groups that manage processes, take risks, and operate controls. Examples include Information Technology, Finance, Sales, Marketing, and Human Resources. 
  • A company’s compliance and risk functions that provide independent risk oversight constitute the second line. A good example is the Enterprise Risk Management function. 
  • The Internal Audit (IA) group that independently tests and validates the work of the first and second line is considered the third line.

Let’s start with the line that is easiest to understand in general: The third line! 

Not many would argue about what role Internal Audit should play in helping the company manage its cyber risk. Depending on the size and complexity of the company, the IA group would include cyber risk in its own audit risk universe and perform periodic audits aimed at assessing cyber risk levels at the organization. 

The cyber audits may focus on systems, network or business processes such as online banking. Specific audits may be designed to review emerging technologies such as the use of Cloud Computing or Artificial Intelligence. 

These audits assess the effectiveness of the work of the first or second line and will result in audit reports usually asking the process/system/business owners to add or improve certain controls. 

It gets trickier when we move to first and second line because not all companies have the same titles, reporting lines and roles. 

Let's look at some common challenges associated with first and second line related to cyber risk management: 

Challenge #1: To which function does the Chief Information Security Officer (CISO) report?

According to K logix, more than 50% of CISOs report into the Chief Information Officer (CIO); 15% to the Chief Executive Officer (CEO) and the rest to the Chief Operating Officer (COO) or the Risk groups. 

As we know, IT is considered a first line function. For this reason, CISOs who report into the CIOs reside in the first line. The pros and cons of this structure are well-documented. 

Pros include being part of the technology team, which translates into being part of the technology and security decision-making process. This could result in faster implementation of cyber risk mitigation solutions.

Cons could include potential conflict of interest between CIOs and CISOs. For instance, CIOs may decide - much to the CISO's chagrin - that cyber risk mitigation should take a backseat to improving outcomes other business units are pushing for.

Challenge #2: Does the company have a dedicated person/team managing cyber risk in the second line (i.e. in the Chief Risk Officer (CRO) organization)?

It depends on the company’s size, complexity and industry. Bigger companies in financial services or health care usually have a dedicated focus on cyber risk in the second line - usually in the CRO organization. There are three scenarios I have seen most frequently: 

  • Mature companies - mostly in regulated industries - have started creating and filling C-level roles for Chief Technology Risk Officers (CTRO) reporting directly to CROs. The CTRO is responsible for second line oversight of technology and cyber risk by providing effective challenge to the first line. S/he takes part in key decisions related to mitigating or accepting cyber risk and makes sure that the decisions taken by the organization are in line with its risk appetite.
  • Smaller companies, or those which may not rely much on technology, may not need a CTRO right away, but may still want some level of second line oversight. In that case, they could run their cyber risk second line of defense programs as part of their operational risk group or Enterprise Risk Management functions. 
  • Finally, some organizations may not want to invest any resources in the second line to oversee cyber risk. More often than not, the lack of specific focus on cyber risk in the second line results in these companies relying heavily on the first line and the decisions made by CISOs and CIOs. 

Challenge #3: What is the level of collaboration among the CTRO, CISO, CIO and CRO? 

The level of collaboration will depend on the company’s culture, the individuals filling those roles and other factors (such as regulators and the Board).

I will go with the assumption that CIO and CISO are part of the first line, and CRO and CTRO belong to the second (i.e. first scenario above).

The beauty of this model, if executed right, is that CRO and CTRO could provide essential support to the CIO and CISO in getting funding to mitigate key cyber risks. 

This offers a stark contrast to the viewpoint that the second line’s main function is to only provide effective challenge, which could be interpreted as “saying no” to what the CIO or CISO would like to do. An effective partnership between first and second line functions could set the company apart from others in managing cyber risk.

Challenge #4: How strong are the Lines of Defense as a whole?   

Many say that the company’s cyber defenses are as strong as its weakest link. However, if the company has successfully implemented a layered security approach with good compensating controls, it will be quite difficult to cause harm to that organization even though some cyber controls may get compromised. This is because other controls would pick up the slack. 

We can apply a similar concept to the Lines of Defense. Ideally, we would like all Three Lines to be strong in dealing with cyber risk. 

But, this is rarely the case. 

Many times, one of the lines is stronger than the others and may have to pull most of the weight in mitigating cyber risk. If one of the remaining two lines provides some level of support to the strong line, this may indeed work in the short to medium run. 

In the longer run - especially for bigger and global organizations - the company should ensure that each line pulls its weight. 

To summarize: 
  • CIOs and CISOs are usually the first line. They manage technology/security teams and ongoing cyber and technology operations. They take decisions on cyber risk on a daily basis.
  • CROs and CTROs generally sit in the second line. They support the CIO and CISO by providing them with a framework (policies, risk appetites etc.) with which to manage cyber risk. They ensure that decisions related to accepting or mitigating cyber risk fall within the organization's agreed-upon risk appetite. They provide support in explaining the importance of security to executive audiences and in securing funding to mitigate cyber risk.
  • IA, the third line, validates the effectiveness of both first and second line by performing periodic audits in cyber risk domains.
  • Mature companies that can effectively leverage all three Lines will fare better in the long run in managing their cyber risk.
Do you agree? 

Sunday, May 6, 2018

I spoke at ISACA 2018 North America CACS Conference

Last week, I spoke at ISACA's North America CACS Conference in Chicago. CACS is short for Computer Audit, Control and Security and is a key event that draws its audience from all over North America.

I named my session "IT Risk Management for Everyone" and focused my message on how to involve everyone in managing risk activities in any given organization.

I am a firm believer that risk management is not a stand-alone function or process performed by professionals who have security, risk, audit or governance in their titles. Managing an organization's risk is everyone's job. 

I started off by providing the attendees with my view of how IT Risk Management should be organized. Then, I talked about ways to engage a larger set of individuals in a company. 

I am planning on covering the specifics of the content later on, but let me comment on how the session went.

Overall, I am very happy with:

(1) the number of attendees: It was a packed room with about 150+ people in attendance
(2) the level of engagement: I received many interesting questions and comments throughout the session and at the end
(3) my fifteen minutes of fame: I was surprised that several attendees stayed late to shake my hand and commend me on my speech or ask specific questions. After my session, I was stopped many times by people saying "Thank you". 

Thanks ISACA for giving me this opportunity. 

Berk speaking at ISACA CACS Conference in Chicago - May 2018


Monday, February 19, 2018

We are all Risk Managers!

<<At Silicon Valley Bank, I actively work on increasing the risk awareness among our global workforce - specifically among those who work in IT. One of the methods I use to reach a large audience is by publishing a quarterly newsletter. Through surveys, we found that our audience prefers short and non-technical pieces.  With that in mind, I wrote the following introductory article about IT risk management. I expect that I will follow up with another article that goes into further details about this topic.>>
We drive slower when it rains. We look both ways when we cross the street. We take medicine when we feel ill.

Risk management is simply a tool that helps us weigh options, consider alternatives and make decisions. The reason we drive slower when it rains is because we know it reduces the odds of getting into an accident.

Is risk management all about trying to prevent “bad stuff” from happening?

Absolutely not…Risk management also enables us to better evaluate the upside of the options available to us and choose the one that is best in line with our goals.

Ok… But what about IT risk management?

It’s natural to wonder why we should care about IT Risk Management; understanding key concepts could help with that: 

  • IT Risk: Any risk stemming from the use of or exposure to information technology
  • IT Risk Management: Processes and structures to identify, assess, report and address IT risk
  • IT Controls: Activities we perform to mitigate one or more risks

Let’s explore why IT risk management is becoming more important every day.

Nowadays, it’s hard to imagine any company that does not use technology for most of its main processes, transactions and manufacturing. You have probably heard the news about the well-publicized hacks, data losses and system crashes impacting major companies. As is evident from these events, inadequate IT Risk Management could result in lost revenues and business opportunities, inefficiencies, fraud/credit losses, damage to the company's reputation and lost client relationships.

In IT, we have responsibilities ranging from keeping our technology systems up and running to implementing new systems and processes. We run the majority of our technology-related processes and controls (patching, backups etc.) ourselves in the background. In addition to these, many of the bank’s processes (reconciliations, dual signatures, authentication to systems etc.) have major dependencies on technology that we support.

To make the best risk-based decisions for our organization, all these activities should follow a certain rigor. Following our established processes and controls helps us effectively manage our risk. In that regard, we all contribute to managing our risk by following our processes, finding issues and addressing them.

The next time when you think about risk, just remember:  You are a risk manager… We all are!

Thursday, November 23, 2017

How to protect against malware!


I recently answered a question in Quora about how to protect against malware and wanted to share it here as well. Here it goes: 
Overall, I would recommend a multi-layered approach for an enterprise in mitigating the risk of malware as follows:
  1. Train your user community: It’s a well-known fact that people are your weakest link when it comes to information security risk. Security awareness training will help reduce the likelihood of someone clicking on a malicious link or visiting a harmful site that contains malware.
  2. Implement the right tools: Examples of commonly used tools to help mitigate the risk of malware include Symantec Altiris, Novell ZENworks, and Microsoft System Center Configuration Manager.
  3. Improve your email filtering: This will help the organization filter out phishing emails containing attachments or links which attackers would like to use to infect your systems with malware.
  4. Create a reliable system asset inventory: If you have a good idea of what assets are in your environment, you’d be much better prepared to protect them. This sounds like a no-brainer, but a lot of enterprises struggle with creating, maintaining and updating their system asset inventory.
  5. Patch all your systems: Most malware attacks exploit known vulnerabilities in your network, operating systems, applications and databases etc. Implement a formal program that focuses on patching all key systems in your environment. Be mindful to include systems you may not be patching traditionally such as printers, because attackers may use the vulnerabilities on unpatched systems to infiltrate your network.
  6. Detect early: Chances are you will encounter malware in your environment at some point regardless of what protections you put in place. In that case, regular vulnerability/malware/virus scanning will prove to be useful in detecting and addressing malware (and other) issues early on.
  7. Validate with a third party: Hire an independent third party to perform penetration tests so that you can validate if your anti-malware controls (among other controls) are working effectively.
What else do you do in your organization? 

Sunday, October 29, 2017

We surveyed 100+ people on IT Controls, Governance Frameworks and Standards!



When I was younger, I liked Family Feud. (You got me - I still watch it on occasion). When the host started each question with: "We surveyed 100 people and the top answers are on the board", I kept wondering about how they found those 100 people.

My imagination ran wild.

Could it be that the same 100 people were answering all the questions? Did the show lock them in a room with no windows until all questions were answered?

I recently had a chance to run my version of the Family Feud polls.

Before my speech in August 2017 about "IT Governance" at the Governance, Risk & Compliance (GRC) conference organized jointly by the Institute of Internal Auditors (IIA) and Information Systems Audit & Control Association (ISACA) in Dallas, Texas, the organizers alerted me of a mobile polling tool we could use to live-poll the audience.

I jumped on the opportunity.

In October, I spoke on the same topic at ISACA's Cyber Nexus (CSX) Security Conference in Washington, DC and used the same polling tool.

According to the official numbers:
  • 225 people listened to my speech at the GRC Conference; about 110 people answered the live surveys. 
  • 130 people listened to my speech at the CSX Conference; about 43 people answered the live surveys. 
  • Attendees for both sessions represented various sectors including financial services, healthcare, government and utilities. 
  • Among them were GRC professionals, auditors, banking regulators, CISOs, CIOs etc. Most of them were from the US, but I also met some folks who attended from Brazil, South Africa and Ghana.
  • What you see below is the combined polling results from those two sessions. 
We surveyed 100+ people and the top answers are on the board...





There are no major surprises from my perspective.

Here are my observations:
  • Many enterprises perform risk assessments. 
  • Several companies use COBIT, COSO, ITIL and NIST frameworks.
  • The majority of organizations have a control library.

Here is my wish list: 
  • More companies should consider implementing a governance framework. 
  • Organizations should focus on control self-testing and process maturity assessments.
  • A broader adoption of best-practice frameworks such as OCTAVE, TOGAF, Risk IT, PMBOK, and Balanced Scorecard could benefit many organizations. 
What do you think?

Sunday, October 22, 2017

How to set up a first line of defense & governance function – Part 2

In Part 1, I shared my thoughts on the three lines of defense model and listed key prerequisites for building an exceptional first line of defense function. I highlighted executive commitment and hiring the right resources as building blocks and shared ideas with regards to some techniques I use for interviewing candidates for the first line.

Part 2 focuses on specific actions I recommend for setting up a first line of defense function. As I mentioned earlier, a lot of these ideas could be leveraged to build and improve all three lines.

1. Create Your Roadmap:

Everyone in the company is excited about what was promised to them: An exceptional first line of defense function.

Your budget to build your function is approved. You hired a few new resources from the industry and convinced some good fellows to come over from other departments and join your team.

Life is good, but now what…

If “going with the flow” sounds like a good approach, think again. One of the key components of effective governance is knowing and articulating where you are going. At the risk of sounding like a consultant (heck – I used to be one), you should develop a roadmap and a timeline. 

I like roadmaps because they serve as a good communication tool for your team, executives or anybody interested in understanding how you’re building your function. A roadmap will show everyone else the progress you’re making. Also, it will help you course-correct faster if things are not going so well.

Your entire roadmap may span multiple years. 

A good roadmap should include interim milestones which, when achieved, will give everyone hope that things are on track. Life is too short not to celebrate our achievements – no matter how small they may be. 


2. Choose & Define Your Governance Framework:

I am a fan of frameworks.

A framework gives you the structure with which you can build your processes. It also gives a venue to define and articulate your scope of coverage. 

Best-practice frameworks such as COSO and COBIT 5.0 will help you think through what needs to be included in and excluded from the scope of your function and roadmap. They will also make your life much easier when you communicate with external parties such as your regulators, because most of them will already be familiar with these frameworks.

The framework I particularly prefer for IT Governance is the one from ISACA’s IT Governance Institute (ITGI), which can be used in conjunction with COBIT 5.0 - also from ISACA.

A word of caution: a framework is only as good as what you make of it. Adopting an entire framework as is could prove to be too big an undertaking for many companies. You should only use the parts that make sense to your organization and consider customizing it to fit your particular needs.

Finally, you may want to use a combination of frameworks to address different processes (ITIL for IT Service Management; PMBOK for project management; NIST 800-53 for information security etc.). 

3. Document, document & document (really):

Let me first catch you up on a couple of my definitions:

When I refer to documents, I’m talking about policies, procedures, standards, frameworks etc. Your own definition or scope could be different.

In layman’s terms, controls are the activities performed by people or systems to address risks. For example, looking both ways when crossing the street is a control that could save your life.

Over the course of my career, I advised and audited companies ranging from small pre-IPO start-ups to Fortune 10 giants. Regardless of the size or complexity of the organization, all of them benefited from formalization around their documents and controls (many times at my urging). The bigger the company, the more obvious the need around documentation.

How about smaller companies such as start-ups?

For starters, things happen and people leave. An IT director of a former client (small high-tech company) once told me that his team did not know how to properly maintain and upgrade an in-house developed software because the engineer (let’s call him Jim) who coded it had left the company. 

You guessed it – Jim did not bother documenting how the software worked, nor was he ever asked to. Jim was also not the only one not documenting stuff. Documentation was not part of the company culture which was all about going fast to the market and getting ready for an IPO.

Remember, every organization will likely have to face an audit or go through regulatory scrutiny at some point in its journey. 

You would like to start collecting credit card payments; then you need to think about compliance with PCI. You would like to serve European consumers; you’d better be ready for rigid European privacy regulations (does GDPR ring a bell?). You want to do business with the government; you may need to start reading about FISMA.

A common theme about any regulatory requirement is that they all will require you to have documentation. If you have good documentation, you’ll be one step ahead in meeting those requirements and passing your audits.

To get ahead of these challenges, you may want to consider creating a formal program around documents. At the very least, having your key processes documented in written policies/procedures/standards will make your organization less dependent on the individuals performing those tasks. If you also assign a formal documents program owner providing regular guidance and oversight, you would be in great shape. 

Many public companies only limit their control libraries to SOX 404 controls, but my recommendation is to create a library that goes beyond the basic regulatory requirements. Creating an expanded control library will help you document control ownership and many other key attributes for additional areas of your business. It will also give you the means to spot-check or self-test those controls and remediate issues early. 

4. Perform Self-testing & Self-Assessments:

One of my current roles is to interact as the main IT point of contact with our IT regulators who perform periodic examinations of how we use and implement technology services and processes. In an “IT Exam”, regulators check the bank’s compliance against the Federal Financial Institutions Examination Council (FFIEC) Guidelines and other relevant regulations. The exam results in a long write-up accompanied by a report card telling us how we did.   

If you’ve been through one of those examinations, consider yourself lucky (seriously), because it is a great learning experience.

Many years of going through these “exams” have taught me that regulators’ interpretation of the three lines of defense model is much stricter than that of most organizations.

Here is a sample question you would dread answering: “We heard that your Internal Audit group (third line) has identified some issues. Can you please tell us why you (first line) had not found them before Internal Audit?”

There is really no good answer to this question at that point. Even if the answer is that you actually knew about the same issues sooner, the next question you will hear will be “Why hadn’t you fixed them before Internal Audit came in?”

Here is where regulators are coming from. They want the company to have good processes so that issues surface much closer to the first line of defense, which is responsible for operating the controls.

A good first line should find most substantive problems itself and fix them as quickly as possible. Self-testing of your controls (now that you have a control library) and self-assessments (risk or process maturity assessments) performed by the first line of defense will come in handy in that quest.

If you’re doing all the above, you deserve a pat on the back. There is always more you could do, but you should feel proud to have already built many key elements of an exceptional first line of defense function. 

Monday, October 16, 2017

How to set up a first line of defense & governance function – Part 1

The three lines of defense model is not new, but I don’t think it’s understood or applied consistently. Many companies from not-so-heavily-regulated industries and privately-held enterprises do not care much about the three lines until they hit a certain level of complexity, move into a regulated industry/jurisdiction or become public. On the other end of the spectrum, most organizations operating in regulated industries such as financial services and health care find themselves in dire need of clearly defined and functional lines of defense. No matter their particular situation, companies generally struggle with establishing, operating and enhancing these lines.

In the traditional three lines model, a company’s compliance and risk functions that provide independent risk oversight constitute the second line; its Internal Audit group is the third line. Everyone else belongs to the first line, including the front-line employees operating controls, processing transactions and taking everyday risks as part of their job. In IT, database administrators and software developers are two examples of front-line employees. ISACA has a good article on this topic, if you’d like to brush up on the lines.

Organizationally, I reside in a first line function in SVB’s IT group where I run the IT Governance, Risk, Compliance (IT GRC) team. However, my team goes beyond the responsibilities of a first line, as we perform roles typically associated with a second line function such as setting risk management standards, monitoring results, and challenging outcomes. For that reason, I’d like to think of my team as the “Line 1.5”. KPMG has a good video explaining this newer concept.

At my bank, I regularly interact with the third line (Internal Audit), Enterprise Risk Management, Corporate Compliance, our banking regulators and other first and second line functions. In my previous roles as an external auditor/consultant, I had an outsider’s perspective while advising my clients on the lines. All of this has given me an appreciation for the best practices and challenges associated with the three lines.

Last week, I spoke at the 2017 Cyber Security Nexus (CSX) North America Conference in Washington, DC. My topic was called “Best Practices for Proactive IT Governance” and had a particular focus on establishing and improving a first line of defense function in IT. Most of the insights I shared are applicable to all three lines and to different business units.

Pre-requisites:
As with any other critical program or initiative that impacts the entire organization, the company needs to have the right tone at the top and the support to build and improve the lines. This could be done as part of a specific “Lines” initiative or, more likely, portions of each line could be established and improved as specific business or regulatory requirements arise. If you’re hearing executives talk about the lines and the company is shelling out funding to hire or re-position resources, rest assured that it is taking this concept seriously.

Now that you have the executive support and funding, you need to hire the right people from within the company or attract external candidates. It goes without saying that you need to define the exact skill set and number of resources you need and have a clear understanding of their roles and responsibilities.

Here is some generic advice when it comes to hiring for a first line function (it applies to a second or third line function as well). The top technical skills I would look for are risk management, compliance, audit, and data analytics. For IT, experience with well-known industry frameworks such as COSO, COBIT and the NIST frameworks is always preferred.

I must admit that I prefer to place ex-auditors in these roles (only those who can convince me that they are ready to make the switch). Internal candidates that fit the bill should not be overlooked, as their organizational knowledge and existing relationships could come in handy. In terms of soft skills, relationship building and communication skills top my list.

Behavioral interviews have long been a favorite for any position, but you may want to dig deeper. During the interview process, I recommend that you weave in a realistic case study if your processes allow for it (no, I am not talking about brain teasers like “How many piano tuners are there in the entire world?”).

During my Big 4 days, I was one of the primary interviewers for our Advisory Group and administered tons of case studies for campus recruits and experienced hires. Case studies were a critical component for us to evaluate how a candidate structured his/her thoughts and provided a well-thought-out response to a usually tough-to-crack case. Yes, most candidates get nervous about case interviews, but wouldn’t you want to pick the ones who can handle a stressful situation?

Also, consider asking the candidates to write a short memo (it could be combined with the case study) to test their formal writing skills, which usually don’t get validated in most interview processes I have seen. In my view, a first line professional needs to be exceptional at writing documentation intended for distinct audiences (executives, regulators etc.).

Of course, you still need to interview them for other industry specific knowledge and soft skills applicable to your particular situation.

In Part 2, I will cover the next steps in creating a first line of defense function and discuss roadmaps, policies, controls, measurements, and self-assessments. 

Sunday, October 15, 2017

What is "Governance" anyways?

I regularly get asked what “Governance” in my job title means by colleagues and friends who find what I do obscure. They understand the risk and compliance components better, because they can associate them with other jobs they know.

The dictionary definition of Governance does not resonate well with many of them. (If you’re so inclined, check out Wikipedia’s definition.)

This year, I was invited to speak at a couple of national governance and risk conferences, and the title of my talk was “Best Practices for Proactive IT Governance”. This gave me extra motivation to come up with an easier-to-understand definition of Governance. I felt the following simplified version resonated better with those who came to listen to me:

Governance is a set of practices that steer the organization in the right direction.

I went on to explain that Governance (especially good Governance) does the following:
  • Creates Structure by defining organizational reporting lines, oversight committees, rules, policies, and processes. A well-defined structure effectively sets the operating boundaries for the organization. 
  • Sets Direction by creating or aligning with the corporate strategy, and defining the short and long-term goals for the organization.
  • Defines & Assigns Responsibilities by providing a clear view of who is going to do what in the organization and who ultimately is accountable for the results.  
  • Measures & Acts on Outcomes by defining, analyzing and reporting performance metrics. Regular measurement helps the organization course-correct as quickly as possible. It's true that “you can’t manage what you don’t measure”.
Regardless of where you sit in the organization, you are probably involved with some or all of these practices at some level. That makes us part of the extended Governance family.

Does this definition resonate with you?