
FST meets the World Bank’s CISO Jim Nelms to discuss security, complexity and a whole lot more.
Jim Nelms is the Chief Information Security Officer of the Treasury of the World Bank. As such, he is responsible for the information security infrastructure for the Treasury as well as all related financial services, including computer and network systems, business systems, web-based applications, e-commerce and online trading systems. Jim manages a team of information security specialists that provide information security services such as cryptography, digital signatures, access control, reliability testing, intrusion detection, firewalls, penetration studies, security event detection and evasive action. His 25 years of expertise come from his consulting experience to over 250 companies, conducting over 500 classes/seminars, and publishing over 150 technical journals on areas of information systems and security.
With such a range of experience of the global financial ecosystem, FST was delighted to chew the fat with Nelms on the state of the industry, and his perspective on the future. What are the challenges facing the industry we ask? “One of the biggest developments in the financial industry over the next few years will be the convergence of information security and risk management,” says Nelms.
In the past, he explains, information security has been thought of as a technology problem. “Business people know a lot more about operational risk, and generally leave information security to the IT people. However, if you look at what has happened over the last five years, the complexity of the financial instruments we deal with has increased to the point that they can no longer be performed or managed manually; technology is required.” And naturally, once you introduce a new variable to the mix, you also bring an associated risk. In this case, the risk is that “associated with using that technology in the field of operational risk”.
Nelms argues that recent regulations such as Sarbanes-Oxley have tried to instil good practices in the industry’s use of technology. He points out that all technology systems are built on five layers: there’s a network level, an operating system, a database, some sort of middleware, and the application itself. “All operational risk exists in the application processes and procedures – which leaves the other four layers below that producing risk based on technology,” he argues. “CISOs are consequently having to deal with managing risk from a remediation or mitigation standpoint as they would with operational risk. Those are business problems, and approaching them from a bottom-up perspective as a technician is not going to gain as much momentum as you would if you were to deal with them top-down as a business problem.”
Nelms thinks that change though is coming to the industry. “I think people are really going to have to start thinking less in terms of ‘information security’ and more in terms of risk management based on the technology risks that are inherent in processing complex financial instruments.”
Identity and access management
A key topic for any CISO in the financial services world is identity and access management. Often this is thought of in terms of customers accessing sensitive account data from outside the enterprise. However, Nelms suggests that it is equally important to pay attention to internal access management issues. “Identity and access management play key roles in the governance process for risk management. Without some basic identity management controls, you lose the uniqueness of reference for individuals – after all, if you’re going to hold someone accountable for a particular function then you have to unequivocally identify that person.”
Identity and access management, in Nelms’ view, has two primary pieces: the identity or authentication of an individual, and then the authorisation of what that person is allowed to perform (also called provisioning or entitlements). A key step, he argues, “is the segregation of these pieces from the application”. Removing the authentication/authorisation piece from the application makes it much more resilient and robust, and longer lasting than if it resided within the application itself.
This has several advantages. “We’re seeing the lifecycle of financial services applications getting shorter all the time because of the need to move with the market,” he says. “If you build your authentication/authorization mechanisms into every application then you need to rebuild it each time you change that application. Your staff hasn’t changed, what they can do hasn’t changed, so the identity and access management function should be static with the business in which they report. Only the application should change.”
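The segregation Nelms describes, shown as an added illustration rather than any World Bank code: authentication (who the caller is) and entitlements (what they may do) live in a shared access manager with its own audit trail, and two successive generations of a business application both delegate to it. The user ids, roles, operation names and the two application classes are constructed for the example; when the application is rebuilt as version two, the identity and entitlement data is untouched.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """Unique, stable reference for an authenticated individual: the accountability anchor."""
    user_id: str
    roles: FrozenSet[str]


class IdentityService:
    """Authentication only. Owned by the access management function, not by any application."""

    def __init__(self) -> None:
        # user_id -> (salt, password hash, roles); a real deployment would back this with a directory
        self._users: Dict[str, Tuple[bytes, bytes, FrozenSet[str]]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, user_id: str, password: str, roles) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, self._derive(password, salt), frozenset(roles))

    def authenticate(self, user_id: str, password: str) -> Optional[Principal]:
        record = self._users.get(user_id)
        if record is None:
            return None
        salt, stored, roles = record
        # constant-time comparison so a wrong password does not leak by timing
        if not hmac.compare_digest(self._derive(password, salt), stored):
            return None
        return Principal(user_id, roles)


class EntitlementService:
    """Authorisation / provisioning: which operations each role is entitled to perform."""

    def __init__(self, role_permissions: Dict[str, FrozenSet[str]]) -> None:
        self._perms = role_permissions

    def is_permitted(self, principal: Principal, operation: str) -> bool:
        return any(operation in self._perms.get(role, frozenset()) for role in principal.roles)


class AccessManager:
    """Single decision point shared by every application; every decision is attributed to a user_id."""

    def __init__(self, identity: IdentityService, entitlements: EntitlementService) -> None:
        self.identity = identity
        self.entitlements = entitlements
        self.audit: List[Tuple[str, str, bool]] = []  # (user_id, operation, allowed)

    def authorize(self, principal: Principal, operation: str) -> bool:
        allowed = self.entitlements.is_permitted(principal, operation)
        self.audit.append((principal.user_id, operation, allowed))
        return allowed


class TradeBookingV1:
    """First generation of a business application. Holds no users, passwords or roles of its own."""

    def __init__(self, iam: AccessManager) -> None:
        self.iam = iam
        self.book: List[Tuple[str, str, float]] = []

    def book_trade(self, principal: Principal, instrument: str, notional: float) -> int:
        if not self.iam.authorize(principal, "trade.book"):
            raise PermissionError(f"{principal.user_id} is not entitled to trade.book")
        self.book.append((principal.user_id, instrument, notional))
        return len(self.book)


class TradeBookingV2:
    """Rebuilt application with a new approval workflow; the access manager is reused unchanged."""

    def __init__(self, iam: AccessManager) -> None:
        self.iam = iam
        self.pending: List[Tuple[str, str, float]] = []

    def book_trade(self, principal: Principal, instrument: str, notional: float) -> int:
        if not self.iam.authorize(principal, "trade.book"):
            raise PermissionError(f"{principal.user_id} is not entitled to trade.book")
        self.pending.append((principal.user_id, instrument, notional))
        return len(self.pending)

    def approve_trade(self, principal: Principal, index: int) -> Tuple[str, str, float]:
        if not self.iam.authorize(principal, "trade.approve"):
            raise PermissionError(f"{principal.user_id} is not entitled to trade.approve")
        return self.pending.pop(index)


def build_demo() -> AccessManager:
    """Constructed sample staff and entitlements (hypothetical ids, passwords and roles)."""
    identity = IdentityService()
    identity.register("u1001", "correct horse battery", ["trader"])
    identity.register("u2002", "staple", ["supervisor"])
    entitlements = EntitlementService({
        "trader": frozenset({"trade.book"}),
        "supervisor": frozenset({"trade.book", "trade.approve"}),
    })
    return AccessManager(identity, entitlements)
```

The point of the layout is the one Nelms makes: replacing `TradeBookingV1` with `TradeBookingV2` added an operation (`trade.approve`) to the entitlement table, but no user record, credential or role assignment had to be rebuilt, and the audit trail keeps naming the same unique `user_id` across both generations.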
Business-driven technology
Complexity is a huge issue within the financial services space, and this is a function of the technology, according to Nelms. “The inter-relationships between systems and businesses are governed by how technical minds have determined the business process flow should occur,” he argues. Although Nelms acknowledges that giving this governance back to the business units won’t necessarily make the complexity go away, it will allow the business units to determine the level of complexity they are comfortable with. As Nelms points out “there is a cost associated with complexity, and that makes it a business not a technical decision.”
Nelms is clear that technology should serve the business, not the other way round. “What we have to admit is that IT departments are just custodians. We don’t own any data, we don’t own any systems or networks; what we do is provide services.” In his view, as the services provided by technology have become so embedded into the business lines, the knowledge of the business has come to reside largely in the IT group. “They’re the ones writing the specifications and the codes, and so the business is driven by what IT can provide to the user.”
The intelligent enterprise needs to change this. “It’s about harmonization and collaboration,” says Nelms. “If a business owner says ‘I need A, B and C,’ a technical person should be able to say ‘Well, here are three technologies that can provide that, here’s the cost, and here’s how they will or will not integrate with what exists in the organization now,’ rather than just ‘here’s the solution.’” And the intelligent technology executive needs to change as well. “The role of the business-focused IT person is becoming more that of an advisor rather than a one-stop-shop.”
Nelms gives examples of some of the World Bank’s activities to illustrate how this business-driven approach translates into practice at the day-to-day level. As an illustration he highlights its business continuity activities. “The approach has been largely IT-driven in the past,” says Nelms, “but last year the bank created a new business continuity group that looks at BC/DR as much more of a business issue. Obviously, IT is very involved in that because of the network and data issues, but the bank itself is now very focused on how to continue to work both in the short and long term given certain scenarios – single building failure, campus failure, single or multiple data center failures, and so on.”
This shift in focus mirrors a wider process that has been occurring throughout the World Bank’s activities, Nelms explains. “The shift in focus for disaster recovery reflects some of the wider changes at the bank and the way things such as security and technology are now viewed.” For example, disaster recovery used to be treated as a subset within the security department of the IT organization; but security itself is now thought of in terms of a risk management function rather than an IT one. “Both security and disaster recovery are truly business issues because they occupy top-of-mind for senior people within the organization – even as far up as board and executive-level – and involve making business-based decisions on what is important, what parts of the bank need to be available at what times, what risks can be accepted, and so on,” Nelms muses.
With MiFID looming in Europe, and Basel II working its way through the industry’s nervous system, compliance has been an issue for everyone in the last few years. The World Bank has been no exception, with Sarbanes-Oxley compliance being a big focus. Nelms describes the cost of compliance with this regulation as “ongoing”. He has an interesting take on how compliance and security are becoming intertwined as concepts – in his view this is not necessarily the best bet.
“From an operational risk perspective, I think we’re getting too close to using the terms compliance and security as interchangeable, and they’re not,” he argues. “Compliance is just compliance; it enforces good policies, good practices and good procedures, although it can provide better security because of the improved processes that should have been implemented anyway as part of best practice. You can be completely compliant and still very unsecure – a strong compliance initiative is certainly not the ‘Emperor’s new security program’.”
Going forward
We move on to discuss the World Bank’s IT activities going forward. “Moving forward, the big project we’ve been working on for the past year is identity access management.” Nelms outlines how, while better authentication for staff can easily be solved using any number of point solutions – everything from token-based to biometric solutions has been proven for a number of years – the key challenge is embedding whatever solution is chosen across the whole organization. “Institutionalizing that and being able to roll that out on an enterprise-wide level to prevent everything from individual identity theft to banking fraud is a key challenge.”
Ongoing compliance activities have also been a big focus. Nelms has been looking this year at international standards such as the BS 7799 set of standards and how that plays into the ISO 20000 standard for IT service management. The other big effort has been in re-aligning IT delivery and governance with the business units. “We want IT support on a much more granular basis than it has been previously.”
This has meant taking a long, hard look at the bank’s IT architecture. As a public sector institution, the World Bank has some different governance issues than most private financial services institutions. Nevertheless, Nelms outlines how the Bank faces many of the same challenges: how to deliver rapid deployment, how to deliver financial instruments, and how to get to the market edge without ripping out the IT group significantly. “We’ve been analyzing what the market is doing and what our counterparties and competitors are doing to respond to the need for rapid deployment of new financial instruments,” he explains.
The bank’s global nature is also a challenge. “Having to support an international organization and provide stability and reliability in 197 countries does provide some unique challenges in terms of how to deploy IT to unlike and very dissimilar technology environments. For instance, there are a different set of considerations for a technology deployment in a less-developed part of the world than there are for a deployment at headquarters in Washington DC.”
Ultimately though, despite these challenges and the bank’s slightly different mandate, Nelms is clear that the competitive pressures the World Bank faces are the same as those in the private sector. “We need to be able to provide financial services at a competitive rate and within a reasonable timeframe.”