Bridging the gap with Asia

Jose Luis Navarro Llorens

(Director de BBVA IT&OP Asia)

Lunes, 20 junio, 2011

Hello.

This is Asia. And any adjective that you associate with this continent is probably true: enormous, diverse, traditional, strong growth, complex, fascinating, etc. And all of these adjectives are also appropriate for defining the challenges that we face at BBVA IT&OP Asia (BBVA’s Technology and Operations team in Asia).

That’s why, in my first post in BBVAtech, I want to tell you (albeit very briefly) about what we are doing here, in BBVA IT&OP Asia:

BBVA, in its retail banking arm, is expanding its presence in Asia by creating joint ventures with local firms and with different levels of shareholding, depending on the specific case and area.

In this context, the job of BBVA IT&OP Asia – our job – is to meet the technological and operational needs of these new companies, from their conception through to their operation.

However, the support that we provide to these companies is conditional upon the differentiating value that we can provide in Asia from BBVA IT&OP. Do you know what that is?

Software? No. In the majority of cases we look for local software that is adapted to the market and accepts Asian characters. Based on previous experience, adapting software to an Asian market is very laborious and contributes little value.

Methodology? Only partially. Despite the fact that a standard methodology such as BBVA’s is recognised and valued, it is not fully applicable. In fact, in general local suppliers and our partners do not understand how to follow it, so new ideas have to be introduced gradually, and only the bare minimum in order to control the project. For example, in one project we tried to introduce the concept of signing-off the functional design by the end user in order to control the scope of the project, but the software supplier disagreed and was prepared to accept any request from the user and at any time – for free.

Work philosophy? Sometimes. I recently heard the following viewpoint that explains it: since the majority of the banks in China have been around for less than 20 years (they haven’t even been through a complete mortgage cycle), and this coincides with the technological revolution, to talk about IT projects that take 2-3 years to implement software, which lasts for 10 years of more, seems impossible to them.

Critical mass? No. In every project and company, the majority of people that make up the IT and OP teams come from our partners and are local, since it is easier for them to contract resources as locals. For example, in India they told us that it is cheaper to employ more people than to automate the document archive system.

Experience? Yes. The real value that our partners seek and need is the experience that we have in developing similar businesses. If you think about this, for these developing countries, business experience is the only thing that they cannot provide us with. In the area of IT&OP, it is just as important to have sufficient people as having the appropriate experience. It is the application of this experience to information technology and operations where we can compensate for the deficiencies that our local partner may have.

Flexibility and patience? Yes. It seems incredible the doors that we have opened with our Asian colleagues simply by persevering and accepting that there are other ways of working; by playing down the importance and impact of our ideas and trying to reach a compromise with the ideas of others. For me, this is the key to success in Asia, or to put it another way – to not failing.

In short, we provide experience and knowledge of the business applied to IT&OP. We try to contribute as much methodology as possible, without forcing our partners outside of their comfort zones. We are aware that the first experience of working together on a joint venture is with our area and we have to be capable of projecting a positive message.

As you can see if you have read my colleagues’ previous posts, our work in Asia today is very different to the work we do in other parts of the world. Some day we will be with them in the “Premier League”; but for now, … patience, work and flexibility.

Have you got any experiences of Asia that you would like to share? Is there anything you would like to know about in more detail? I look forward to hearing your comments and opinions. Thanks.

(2 votes, average: 5,00 out of 5)

Loading ...

4 respuestas a Bridging the gap with Asia

Vicky Chan (BBVA IT&OP Asia) dice:

Martes, 21 junio, 2011 en 9:45

Apart from what has been written in Blog, China, even ASIA, is a developing country/area. Its business model keeps changing and we need to design the system of IT and Operation in a more flexible way so that it can has the scability to adapt in the changing environment.

Although I am Chinese and Hong Kong is part of China, I still need to understand the China market starting from zero. China is a special country and it has its own way to develop the system. The first thing I need to do is to understand their way of doing the things, and then, I need to spend the effort to explain why we need to do it in this way.

To sum up, working in China or other Asia Countries is a amazing experience for me. Do you want to join us as part of the team to work in ASIA? If you did, you could let Pepe know and we would search the opportunity for you to join our team.

Responder
Vicky Chan (BBVA IT&OP Asia) dice:

Martes, 21 junio, 2011 en 9:50

China and Asia is a special country and Area that you can explore many new experience in your life.

Responder
Chen Jing dice:

Miércoles, 22 junio, 2011 en 3:18

For me as a Chinese, it is always fascinating to read the perspective of foreigners working in China, and many of the viewpoints shed lots of light on our daily professional life when bridging this gap with Asia. In a huge and promising market as China, Know-how and experience are definitely important and respected. However, it is more arts than hard science to get them across the culture wall and communication gap, landing intacted. As said in the article, flexibility and patience are the virtues, and you will see the fruits.

Responder
YC Chan dice:

Jueves, 23 junio, 2011 en 10:10

I’m not sure if I can term you following sentence as your vision for the Asia IT&Op team:

Quote:
“Some day we will be with them (out partners of Asia) in the “Premier League”
Unquote:

But I like it very much indeed. I believe it would not be too long for us to achieve it.

Responder

Deja un comentario Cancelar respuesta

“Usernames and passwords will become a thing of the past”

Santiago Moral Rubio

(CISO del Grupo BBVA)

Lunes, 13 junio, 2011

In edition 95 (June 2011) of the SIC magazine (Security in IT and Communications) there is an in-depth interview conducted by its director, José de la Peña Muñoz, with the CISO (Chief Information Security Officer) of Grupo BBVA, Santiago Moral Rubio, of which we have reproduced an extensive summary below:

- For some time now you have been championing the birth of a new discipline, which is known as TRM: what is it and how does it affect information security management?

As organisations increase their consumption of IT, that is, as their dependence on IT grows, new interrelated realities emerge, the management of which requires the use of finely tuned techniques. What do we have today? On the one hand, the requirement to comply with a set of regulations; and on the other hand, the need to internally set the risk structure we wish to work with. And it is here in this area of analysis of the complex ecosystem of organisational operations where an extremely interesting fact becomes evident: That business risks translate into information systems.

Within this framework, it is necessary to have dual verification of any business process. And this will always be carried out on information systems; for this reason there is a continuum which is very difficult to divide between what controls and risks we manage through these Information Systems, and what risks we manage by governing the information systems that provide support to the business.

The management of this continuum is what we at BBVA have started to call TRM: Technological Risk Management, which covers all the risks we have to manage using Information Systems, plus all those we control in the technical substratum that supports the businesses. It is inefficient to manage both worlds separately since their integrated management provides synergies and improvements in the organisation’s risk level.

- So, is Technological Risk Management a more general universe than the now classic Technology Risk Management?

Technological Risk Management can be understood as the management of those risks that the Information Systems Area brings to the organisation, merely by existing. They are very deeply rooted in the role of IT security departments, because a high percentage (between 60% and 70%, depending on the activity sector) are historically associated with information security: Continuity, confidentiality and integrity. And that’s where they end. Therefore this is the part of Governance and Risk Control that together with compliance with specific regulations is provided by Information Systems.

But when multinational growth becomes clear, and this is our experience, you start to realise that Information Systems are managing risks that are not an intrinsic part of the Area.

Within this philosophy, the same risk management system that is used for businesses should also be used for Information Systems. And vice versa. But this doesn’t tend to happen. However, the more we make the two worlds converge, the clearer the role of the TRM continuum becomes, which is also rooted in historic security functions: Events management, knowledge of events, evidence and intelligence.

- How many global regulations does Grupo BBVA have to comply with?

A financial institution that operates in Europe and in America has to deal with about seven hundred IT laws and regulations. In fact, managing compliance with these rules and regulations at BBVA justifies the existence of a specific information system.

- Is there a technological substratum for supporting the TRM function?

I think two approximations have been identified. One is made up of business GRC systems which are trying to open the field to include technological risks. Here we have two or three market leaders and their tools are very process oriented: Business process design, risk identification and management of its life cycle.

The other has a very technical profile and goes from the world of vulnerabilities and threats to risk management: Weaknesses in machines, weaknesses in applications, weaknesses in identification processes… In general it tends to be based on log management systems together with active databases, providing risk indicators which are not really process-focussed.

What’s happening is that these two worlds are starting to come together. And this is good news, because the risk position of an organisation is determined by the sum of these two areas. The industry has now reached a critical point.

At BBVA we are looking into how to join these two realities and we can’t look to previous experience, either in the financial sector or other sectors, as there are no tools today that include the business process risk for a temporary discrepancy in an account and a vulnerability not covered by a patch. For this reason we’re working on creating a control framework for integrating these two spheres as far as is feasible.

- Do you think that the CISO is a suitable directive for putting the TRM approach into practice?

It is one of the ones that can do so. What we can take from historical information security areas is the in-depth knowledge of the risk status of infrastructures. Now that we have to join this knowledge with “business” knowledge, I think that the CISO is one of the candidates with the most to offer in this new role. But a business risk professional moving towards technological risk could also play a brilliant role.

In our case we’re working with the corporate risk units to provide them with cross-sector knowledge.

For example: To manage reputation or image risks, companies hire services that look for information on the state of opinion in the media which present their image, brands, news…. The technologies which are used for this task are, in essence, those used by security professionals to find out what’s being done on the network to threaten infrastructures…; for this reason I believe that it’s all about having good administrators of logs, evidence and intelligence systems above them in order to supply useful information to the corporate risk management structures.

- BBVA sponsors a Technological Risk Management Research Centre. Why?

This is a measure launched by BBVA in conjunction with the Universidad Rey Juan Carlos, which is assigned to the field of creating knowledge management spaces in a globalised world. The initiative has been going for a year now and we’re going to celebrate with a Summer Course in Aranjuez (from 4 to 8 July) dedicated to “The technological fight against organised fraud”.

However, we also want other financial institutions and organisations from other sectors (energy, telco…) to participate in the Centre, institutions that make intensive use of IT and wish to get ahead in the application of IT risk management, as it has been designed to be a neutral space for industry, initially Spanish industry, to share knowledge; further down the road we’ll see what happens.

- How can other financial institutions and companies from other sectors become involved in the Centre?

We have already made informal contact and in September this year we are launching a formal round of meetings with companies that have shown an interest in taking part in the Centre’s initiatives. What we have yet to define is what sort of relationship these industries will have with the Centre, although, a priori, we already have three categories in mind: Multilateral projects in which we will all share knowledge and results; Unilateral projects (where knowledge is always shared), in which one industry decides to come up with an improvement for that industry; and the creation of spin offs.

- What research projects have been launched by the Centre?

During the Centre’s first year of life, we have launched four lines of research.

The first focuses on cryptography. We are working on format preserving algorithms. The aim is to get realistic set ups that enable us to carry out the encryption of small-scale information: Names, addresses, card numbers, PIN… Here we have some implementations for the financial sector. But the research is also available to other industries who are involved with the Centre who can adapt it to their needs and interests.

The second area of research we are looking into is risk management methodologies. For some time we have been working on the Casandra method. Basically, the approach we are taking is to focus on risk analysis based on the profitability for the attacker and not on the loss suffered by the victim. This shift in perspective enables us to use Game Theory and Negotiation Theory.

The third area looks at natural identification. We’re working on biometrics to find a way of enabling citizens to be identified on information systems in a more natural way than they have been up to now. We believe that usernames and passwords will become a thing of the past. We’re absolutely certain that the telephone and the person will become the basis of the Network identification strategy and this means we’re working hard on developing face and voice recognition techniques, a mixture of these, source device identification…

The fourth area we’re looking into is focused firmly on risk; here we’re working on algorithms that are able to link investment levels with expected availability levels over a number of years.

- Are you planning to launch a fifth area of research at the Centre dedicated to studying people’s behaviour?

There is a line of work which stems from the refinements we are making to our Casandra methodology; this line focuses on developing pattern search systems. What I want to do is know that when I’m dealing with you on the Internet, it’s really you I’m dealing with and not someone who is acting like you. We are working with artificial intelligence systems and Spanish and US market technologies and the results are turning out well.

- What is the most notable change from the launch of the Logical Security Management Plan which came out in 2002 to the Information Security Management Plan launched in 2010?

That something that rarely happened a few years ago, that is, intentional attacks, is now a part of everyday life. And also the mobility paradigm. For this reason in this new Plan we’re focusing on managing intentionality; and positioning in the mobility world offered by the internet, without lowering security.

- A final question: if you found yourself in the lift with the Chief Executive of Grupo BBVA and he asked you if the efforts the company is putting into information security are justified, how would you respond?

We periodically inform Executive Management of the results we obtain in our area. The best indicator of the department’s results to date is that in 2002 we created the Management Plan and, once the results had been seen and analysed, in 2010 they showed us they had been satisfactory and we went on to launch another strategic plan which will enable us to maintain our position and move ahead in the future to become a global benchmark.

This is the best indicator and we say so to the same professionals who formed the team in 2002. And I can also say that Information Security, in which I have the collaboration of a first class team of professionals, has the firm support of the entire management chain of Grupo BBVA.

***************************************

Now that you know a bit more about what we do in the Information Security team and what our priorities are, we’d like to know what you think. We look forward to hearing your comments.

Ah!! We almost forgot: If you’d like the PDF of the full interview, you can email us at bbva.tech@grupobbva.com

***************************************

(No Ratings Yet)

Loading ...

Los comentarios están cerrados.

Technology and common sense

Mirtha Zamudio Rodriguez

(Directora de Medios de BBVA Continental. Perú)

Lunes, 6 junio, 2011

Hello. One of the most difficult challenges in my professional career has been taking responsibility for the Resources Area of BBVA Continental, but since I like a challenge, I live every day to the full in the world of technology.

We all know of the advances and permanent improvements in modern life from using powerful technology tools.

It is a situation that puts us in an increasingly wide-ranging, diverse and complex market of products and services and makes us feel like we are a “train full of solutions in search of problems” that offers and sells but also loads and unloads new products and services at each station – or innovation and technological obsolescence as it is known.

At which station do we buy the solution to our problem? How do we know that this solution will not be unloaded at the next station and a new one will be put on board?

Our support includes IT specialists that use their knowledge and experience to analyse and plan in order to offer us the most appropriate technological solution – but remember, most specialist professionals, whatever their profession, are biased towards what they know best – and we don’t always need a purely technological solution, whether for cost or other reasons ( migration, security, dissemination, training, etc.).

The other type of support – our own – is common sense, which allows us to make judgements in the majority of daily cases that we deal with in our jobs. Without getting into a philosophical debate, this can be described as the ability to perceive external objects and to make a reasonable judgement using our “database” of knowledge and experience acquired from the values and customs of our own communities and regions where we grow as people and professionals.

It is our perception of a situation and the relevant factors that influence its solution, which leads us to reflection and analysis, which in turn is enriched with the contribution from the team that collaborates with us. We therefore evaluate alternatives with a perspective that enables us to find solutions that are appropriate for our local environment and resources, which are often less costly, less complex, better and accepted more quickly by personnel and clients.

Given all of this, I believe that technology must be closely related to common sense, so that we place ourselves in our users’ shoes to understand them better, and so that we position ourselves in the environment in which we manage our resources so that we can offer immediate solutions that demonstrate our interest in their problems, and when the situation arises, ensure that our users are waiting for the arrival of the train with the most appropriate solution to their requirements.

At BBVA Continental we want to develop our strategic plan by working in a different way, not only with the necessary technical knowledge, but with common sense, which is the only instrument that encourages discussion and the identification of the most appropriate actions to find a viable solution and to define a specific objective. It also opens the door to awareness and flexibility, which we need for work and to improve our performance.

To supplement this approach, in my Resources team at BBVA Continental we have enthusiastically been promoting five values that I consider to be fundamental and that are closely associated with common sense, which will enable us to exceed expectations:

Team work: multiplies our results, in which each member plays a part with opportunity and quality, so that we share our reasoning and plans in search of collective solutions.
Transparency: we should be aware of what is going on and how it happens as this will give us the opportunity to correct problems and be successful.
Respect: at a professional level all of us should give our best work. We are important to the jobs we do, but our best contribution is giving the respect that everyone that we work with deserves.
Genuine communication: express yourself directly to achieve the purpose of communication; in other words, transmit an idea, influence other people’s thinking, exchange concepts, reach an agreement. If communication is not genuine it is ineffective, it doesn’t achieve its objective and it generate misunderstandings, which in turn causes inefficiencies and problems in general.
Proactivity: never put off to tomorrow what you can do today – which is essential for an attitude for achieving your goals, for making progress, for taking part, for doing something personally and with passion.

I would like to end with the following thought:

The process of transforming an idea into reality is a human process, involving specialists and generalists, a process in which decisions must be made that enable the initial objectives to be achieved and the risks to be mitigated.

However, often there is insufficient information to take these decisions – about what to do and how to do it. This is where common sense comes in and strengthens the IT solutions.

Do you agree? Tell me what do you think.

(1 votes, average: 4,00 out of 5)

Loading ...