In edition 95 (June 2011) of SIC magazine (Security in IT and Communications), its director, José de la Peña Muñoz, conducts an in-depth interview with Santiago Moral Rubio, CISO (Chief Information Security Officer) of Grupo BBVA. We reproduce an extensive summary of it below:
- For some time now you have been championing the birth of a new discipline, which is known as TRM: what is it and how does it affect information security management?
As organisations increase their consumption of IT, that is, as their dependence on IT grows, new interrelated realities emerge, the management of which requires the use of finely tuned techniques. What do we have today? On the one hand, the requirement to comply with a set of regulations; and on the other hand, the need to internally set the risk structure we wish to work with. And it is here, in this area of analysis of the complex ecosystem of organisational operations, where an extremely interesting fact becomes evident: that business risks translate into information systems.
Within this framework, it is necessary to have dual verification of any business process. And this will always be carried out on information systems; for this reason there is a continuum which is very difficult to divide between what controls and risks we manage through these Information Systems, and what risks we manage by governing the information systems that provide support to the business.
The management of this continuum is what we at BBVA have started to call TRM: Technological Risk Management, which covers all the risks we have to manage using Information Systems, plus all those we control in the technical substratum that supports the businesses. It is inefficient to manage both worlds separately since their integrated management provides synergies and improvements in the organisation’s risk level.
- So, is Technological Risk Management a more general universe than the now classic Technology Risk Management?
Technological Risk Management can be understood as the management of those risks that the Information Systems Area brings to the organisation, merely by existing. They are very deeply rooted in the role of IT security departments, because a high percentage (between 60% and 70%, depending on the activity sector) are historically associated with information security: Continuity, confidentiality and integrity. And that’s where they end. Therefore this is the part of Governance and Risk Control that together with compliance with specific regulations is provided by Information Systems.
But when multinational growth becomes clear, and this is our experience, you start to realise that Information Systems are managing risks that are not an intrinsic part of the Area.
Within this philosophy, the same risk management system that is used for businesses should also be used for Information Systems. And vice versa. But this doesn’t tend to happen. However, the more we make the two worlds converge, the clearer the role of the TRM continuum becomes, which is also rooted in historic security functions: Events management, knowledge of events, evidence and intelligence.
- How many global regulations does Grupo BBVA have to comply with?
A financial institution that operates in Europe and in America has to deal with about seven hundred IT laws and regulations. In fact, managing compliance with these rules and regulations at BBVA justifies the existence of a specific information system.
- Is there a technological substratum for supporting the TRM function?
I think two approaches have been identified. One is made up of business GRC systems which are trying to open the field to include technological risks. Here we have two or three market leaders and their tools are very process-oriented: business process design, risk identification and management of its life cycle.
The other has a very technical profile and goes from the world of vulnerabilities and threats to risk management: weaknesses in machines, weaknesses in applications, weaknesses in identification processes… In general it tends to be based on log management systems together with active databases, providing risk indicators which are not really process-focused.
What’s happening is that these two worlds are starting to come together. And this is good news, because the risk position of an organisation is determined by the sum of these two areas. The industry has now reached a critical point.
At BBVA we are looking into how to join these two realities and we can’t look to previous experience, either in the financial sector or in other sectors, as there are no tools today that cover both the business process risk of a temporary discrepancy in an account and the risk of a vulnerability not covered by a patch. For this reason we’re working on creating a control framework for integrating these two spheres as far as is feasible.
- Do you think that the CISO is a suitable executive for putting the TRM approach into practice?
It is one of the ones that can do so. What we can take from historical information security areas is the in-depth knowledge of the risk status of infrastructures. Now that we have to join this knowledge with “business” knowledge, I think that the CISO is one of the candidates with the most to offer in this new role. But a business risk professional moving towards technological risk could also play a brilliant role.
In our case we’re working with the corporate risk units to provide them with cross-sector knowledge.
For example: to manage reputation or image risks, companies hire services that look for information on the state of opinion in the media which present their image, brands, news… The technologies which are used for this task are, in essence, those used by security professionals to find out what’s being done on the network to threaten infrastructures; for this reason I believe that it’s all about having good administrators of logs, evidence and intelligence systems above them in order to supply useful information to the corporate risk management structures.
- BBVA sponsors a Technological Risk Management Research Centre. Why?
This is a measure launched by BBVA in conjunction with the Universidad Rey Juan Carlos, which belongs to the field of creating knowledge management spaces in a globalised world. The initiative has been going for a year now and we’re going to mark it with a Summer Course in Aranjuez (from 4 to 8 July) dedicated to “The technological fight against organised fraud”.
However, we also want other financial institutions and organisations from other sectors (energy, telco…) to participate in the Centre, institutions that make intensive use of IT and wish to get ahead in the application of IT risk management, as it has been designed to be a neutral space for industry, initially Spanish industry, to share knowledge; further down the road we’ll see what happens.
- How can other financial institutions and companies from other sectors become involved in the Centre?
We have already made informal contact and in September this year we are launching a formal round of meetings with companies that have shown an interest in taking part in the Centre’s initiatives. What we have yet to define is what sort of relationship these industries will have with the Centre, although, a priori, we already have three categories in mind: multilateral projects in which we will all share knowledge and results; unilateral projects (where knowledge is always shared), in which one industry decides to come up with an improvement for that industry; and the creation of spin-offs.
- What research projects have been launched by the Centre?
During the Centre’s first year of life, we have launched four lines of research.
The first focuses on cryptography. We are working on format-preserving algorithms. The aim is to get realistic set-ups that enable us to carry out the encryption of small-scale information: names, addresses, card numbers, PINs… Here we have some implementations for the financial sector. But the research is also available to other industries involved with the Centre, which can adapt it to their needs and interests.
The second area of research we are looking into is risk management methodologies. For some time we have been working on the Casandra method. Basically, the approach we are taking is to focus on risk analysis based on the profitability for the attacker and not on the loss suffered by the victim. This shift in perspective enables us to use Game Theory and Negotiation Theory.
The third area looks at natural identification. We’re working on biometrics to find a way of enabling citizens to be identified on information systems in a more natural way than they have been up to now. We believe that usernames and passwords will become a thing of the past. We’re absolutely certain that the telephone and the person will become the basis of the Network identification strategy and this means we’re working hard on developing face and voice recognition techniques, a mixture of these, source device identification…
The fourth area we’re looking into is focused firmly on risk; here we’re working on algorithms that are able to link investment levels with expected availability levels over a number of years.
- Are you planning to launch a fifth area of research at the Centre dedicated to studying people’s behaviour?
There is a line of work which stems from the refinements we are making to our Casandra methodology; this line focuses on developing pattern search systems. What I want to do is know that when I’m dealing with you on the Internet, it’s really you I’m dealing with and not someone who is acting like you. We are working with artificial intelligence systems and Spanish and US market technologies and the results are turning out well.
- What is the most notable change from the launch of the Logical Security Management Plan which came out in 2002 to the Information Security Management Plan launched in 2010?
That something that rarely happened a few years ago, that is, intentional attacks, is now a part of everyday life. And also the mobility paradigm. For this reason in this new Plan we’re focusing on managing intentionality; and positioning in the mobility world offered by the internet, without lowering security.
- A final question: if you found yourself in the lift with the Chief Executive of Grupo BBVA and he asked you if the efforts the company is putting into information security are justified, how would you respond?
We periodically inform Executive Management of the results we obtain in our area. The best indicator of the department’s results to date is that in 2002 we created the Management Plan and, once the results had been seen and analysed, in 2010 they showed us they had been satisfactory and we went on to launch another strategic plan which will enable us to maintain our position and move ahead in the future to become a global benchmark.
This is the best indicator and we say so to the same professionals who formed the team in 2002. And I can also say that Information Security, in which I have the collaboration of a first class team of professionals, has the firm support of the entire management chain of Grupo BBVA.
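The format-preserving encryption research line mentioned in the interview, as an added example that is not part of the interview nor of BBVA’s or the Centre’s own work: an unbalanced Feistel network over decimal strings with an HMAC-SHA256 round function, applied to a constructed test card number so that the ciphertext keeps the 16-digit, Luhn-valid shape that legacy fields and validators expect. The construction is in the spirit of NIST SP 800-38G FF1 but is not a conforming FF1 implementation; the key, tweak and card number are all constructed for the illustration.

```python
"""Toy format-preserving encryption (FPE) for decimal fields such as card numbers.

Construction: unbalanced Feistel network over decimal strings, HMAC-SHA256
round function, 10 rounds. In the spirit of NIST SP 800-38G FF1 but NOT a
conforming implementation (constructed for illustration only).
"""
import hmac
import hashlib

ROUNDS = 10  # assumption: fixed round count for the illustration (FF1 also uses 10)


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, width: int) -> int:
    """PRF for one round: HMAC(key, len(tweak) || tweak || round || half) mod 10**width.
    Reducing a 256-bit value mod 10**width is close to uniform for the widths
    used here; a conforming FF1 expands further before reducing."""
    msg = len(tweak).to_bytes(2, "big") + tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a decimal string to another decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a decimal string of at least 2 digits")
    n = len(digits)
    u, v = n // 2, n - n // 2            # left half has u digits, right half v digits
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v       # width of the half being replaced this round
        c = (int(a) + _round_function(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt: undo the rounds in reverse order."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                   # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def encrypt_pan(key: bytes, pan: str, tweak: bytes = b"") -> str:
    """Encrypt a card number while keeping it Luhn-valid: the body is passed
    through FPE and the check digit is recomputed over the encrypted body."""
    if not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    body = fpe_encrypt(key, pan[:-1], tweak)
    return body + luhn_check_digit(body)


def decrypt_pan(key: bytes, enc_pan: str, tweak: bytes = b"") -> str:
    """Recover the original PAN; its check digit follows from the decrypted body."""
    body = fpe_decrypt(key, enc_pan[:-1], tweak)
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    key = hashlib.sha256(b"demo key - constructed, never reuse").digest()  # constructed
    pan = "4242424242424242"                                               # constructed test PAN
    enc = encrypt_pan(key, pan, tweak=b"customer:42")
    print(pan, "->", enc, "| same length:", len(enc) == 16, "| luhn ok:", luhn_valid(enc))
    assert decrypt_pan(key, enc, tweak=b"customer:42") == pan
    # Caveat: FPE keeps the domain size. A 4-digit PIN still has only 10**4
    # values, so chosen-plaintext access or PIN frequency data leaks a lot
    # regardless of key length; bind each field to a distinct tweak at least.
    print("PIN 1234 ->", fpe_encrypt(key, "1234", tweak=b"pin"))
```

The tweak binds a ciphertext to its context (customer, column, record), so the same card number stored twice does not produce the same ciphertext unless the tweak repeats; that, and the unchanged domain size, are the two properties a practitioner should check before putting FPE in front of a legacy schema.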
Now that you know a bit more about what we do in the Information Security team and what our priorities are, we’d like to know what you think. We look forward to hearing your comments.
Ah!! We almost forgot: If you’d like the PDF of the full interview, you can email us at email@example.com