Martin Laing, CIO of Societe Generale's Australian business and a 24-year IT veteran, told delegates at an Alphawest leaders' forum last week that CIOs should "employ the tactics of the sales force of our suppliers" to drive home the threat failures in day-to-day processes present to organisations.
Laing said such operational failures could be highly damaging: "Think of the effect of not making [payments via the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging and interface system] for a few hours, or a senior executive being caught viewing undesirable Internet sites and having that splashed across tomorrow's tabloids".
He said the finance sector's requirement of instantaneous performance and high level of interfacing between complex systems, combined with rapid change, demanded CIOs be "creative" in maintaining control over operational risk.
"We must create an internal FUD [fear, uncertainty and doubt] factor that will demonstrate what we are protecting ourselves against," Laing said.
"There is potential that our decision makers may be aware of some of the risks that exist, but this is not enough.
"We need to create the [FUD] and report on the risks and vulnerabilities that exist, and present to our board that direct action is required."
Laing put a number of questions to delegates that could help them determine whether operational risk resourcing and prioritisation was treated seriously enough by their organisations.
"Do you have a chief security officer? What is their hierarchical position?" Laing asked attendees. "Are they on the board? Do they report to the CIO, or are they still at the front desk?"
"Do you have a budget specifically for ORM, or is it hidden in your IT infrastructure costs? Do you have the correct number of resources assigned to ORM?"
He cited Gartner's recommendation that 3.5 percent of the IT budget in financial services should be dedicated to security alone -- excluding disaster recovery and business continuity planning. Yet he questioned how many financial services providers actually allocated that proportion.
"We must continually show [management] that cutting corners is no longer acceptable behaviour," he said.
IT executives had to convey to management that issues such as disaster recovery and business continuity should not just be the province of the IT department, according to Laing. Final responsibility should lie with company management.
"[It's] very important that the management responsibility for your DR/BCP [disaster recovery/business continuity process] is held outside the IT department.
"Yes, IT will be part of the management team, and should be. But IT, like every other department of your bank, [must be] seen as a contributor in addition to a participant."
If a senior executive is caught viewing undesirable Internet sites, how is that an IT security problem, or even a technology problem? It's an HR problem. Anyone who's dumb enough to surf porn at work deserves to be caught and fired. Survival of the least stupid.