How do companies manage risk that senior-level managers and other decision makers don’t necessarily understand? That’s a question many companies face when it comes to managing IT risk. The problem is exacerbated if the CEO and chief information officer don’t communicate well. When one speaks business and the other speaks IT, the risk management strategy can get lost in translation.
CU QUICK FACTS
data as of 12.31.13
HQ: Westbury, NY
12-MO SHARE GROWTH: 5.77%
12-MO LOAN GROWTH: 10.51%
New York-based NEFCU ($2.05B; Westbury, NY) runs a tight ship. Risk management is a high priority, and the credit union is formally adopting an enterprise risk management system this year. Its chief information officer, John Deieso, makes sure everyone understands what they need to in order to help the institution manage risk to the best of its ability.
“Our vice president of IT tends to talk very technically about things going on in IT,” Deieso says. “I’ll generally come in and say, ‘for us common folk, what he means is XYZ.’ IT executives need to understand how to speak to business people in their language, not in IT language.”
Have A Broad Background
Deieso has been with NEFCU for more than 22 years and during that time has worked many positions in the credit union’s back office, call center, and branch network. For the past three-and-a-half years he has served as chief information officer, which at NEFCU is a broader role that encompasses more operations management than at most institutions. In addition to IT, the CIO oversees lending, the call center, and several back-office operations.
“One of the reasons I was chosen for this position was my tendency to be strong in IT yet be able to be that interpreter,” Deieso says. “I can get the IT people to understand what the business folks need, and I can get the business people to understand what IT is saying.”
IT At NEFCU
Responsibilities: Running the core, application management, network services, and security.
Meet The Coaches: Chief Information Officer, Vice President of IT.
Meet The Team: Eight full time employees in addition to system specialists who are stationed in other departments in the credit union and report through that department.
Good communication, however, requires more than an adept interpreter. NEFCU encourages communication among departments with weekly manager meetings, monthly department audits from an information security standpoint, and an information security webinar new hires watch upon arrival and long-serving employees review on a yearly basis.
“We’ve just revamped our information security training program to make it more user friendly,” Deieso says. “A new employee during new employee training is going to take a webinar and learn the approach we take to security at the credit union.”
Keep Departments Involved
The IT team also sends out tips and reminders on IT security subjects a few times every quarter. For example, a reminder might explain the importance of locking computers before walking away or the reasoning behind the credit union’s strong password requirements. These tips keep security top of mind for employees. Further, the tip sheets make the “why” a central component, which creates a credit union-wide understanding of IT security and eliminates the friction that can build when employees think IT is putting up barriers.
Each department conducts monthly information security audits to reduce unnecessary risks, and the credit union then shares and studies each department’s results. A third-party security company also conducts a security audit and compares NEFCU’s scores to peer data.
“Those audit results are a jumping off point,” Deieso says. “I’m not worried as much about making sure everything is tight the day the auditor is here, but on a daily basis — no matter when somebody comes in — we are an institution that’s going to be locked down.”
IT Risk Management At NEFCU
IT security briefings and reminders at weekly meetings of the credit union’s managers.
Daily checklists within each department to ensure computers are locked down and sensitive information is secure.
Monthly department information security audits.
Information security webinar for new employees (also shown annually to all employees).
NEFCU tracks audits and assigns each a numeric score to give its leaders a better understanding of how the credit union is progressing year to year.
“We want to make sure we are always on the cutting edge of security, so we invest in information security pretty readily,” Deieso says. “We tend to be a fairly conservative credit union, and that comes into play when it comes to our lending policies, when it comes to our hiring policies, and when it comes across in our IT policies.”
So what risk keeps the CIO of a credit union with a sophisticated risk management system up at night? The possibility of human mistakes and missteps. To that end, NEFCU is implementing a project that limits each employee’s access to no more than they need to do their job, with the intention of reducing internal penetration risk.
“No matter how tight your networks are, no matter how much penetration testing you do, no matter how much you lock down the Internet or email, you’ve got people who are working at desks and have access to data,” Deieso says. “Hiring practices and communicating with employees are some of the best security practices you can have.”