A day in the life of an information risk manager

Managing information requires a head for a crisis, an appetite for collaboration and openness to innovation.

Written by The Economist Intelligence Unit

Many office workers the world over will be familiar with an e-mail from the premises team about routine carpet cleaning during the evening or over the weekend. Few, however, will suspect that intrigue and deception lie behind this seemingly innocuous communication, or that it may come from the information risk team instead.

Stephen Bonner, a partner in KPMG's Information Protection and Business Resilience unit and a former head of information risk management at Barclays, has survived a number of crisis days during his career. On one occasion, while he was working at an investment bank, it emerged that organised criminals had bribed the building security staff to turn off the surveillance cameras so that they could enter the operations floor. The criminals used that access to attach keyboard logging devices to the computers the bank used to process fund transfers. They came close to stealing £650m (US$1.1bn), but a misconfigured transfer alerted Mr Bonner and his team to the plot.

The episode called for some diligent risk management. Mr Bonner needed to locate and remove the physical loggers, but did not want to let the employees know that that is what they were doing, in case one of them was involved in the plot. Staff were therefore told that they could not work in the evening because the carpet was being cleaned. One of Mr Bonner's information security team asked what they should do if the criminals showed up that evening. He told them to pretend to be real carpet cleaners; the last thing he wanted was for his team to confront the criminals physically. "I've worked with many information risk teams, and they're very bright people, very hard working, but they're not the kind of people you want in a fight with organised crime," Mr Bonner explains. "We tend to be better with laptops."

Although not all crises are so dramatic, it is not always clear from the start how serious they are. In another example from Mr Bonner's career, an employee had complained that someone was logging into their work applications during the night and leaving garbled messages. Mr Bonner and his team looked for evidence of an external party hacking into the employee's machine, but were left baffled. It eventually emerged that the messages were the result of a cleaner giving the employee's keyboard a particularly vigorous dusting. "We misunderstood that right from the start, but you learn from those kinds of things," Mr Bonner says.

It is during a crisis that information risk managers come into their own, according to Mr Bonner. "That's when you'd hit the big red button and bring everyone in to deal with it," he says. Of course, the opportunity to resolve a crisis, however big or small, does not arise every day. But there are other, equally rewarding, contributions an information risk manager can make.

For Jitender Arora, an information security and risk executive for a major banking and financial services firm, the most enjoyable part of the role is working with colleagues to develop a new system or application. Regular whiteboard sessions with colleagues help him to understand the risks and to find potential loopholes and attack vectors. One of the challenges of the role is to make sure that information risk is considered as early in a project as possible, Mr Arora explains. "Ideally risk managers would be brought in at the start of a project, but it's not always the case," he says. Another is to engage colleagues in the topic, so that they do not merely see information risk as a compliance burden. "It's frustrating when people start seeing you as a tick-in-the-box exercise and they are only interested in sign-off and not a productive conversation," Mr Arora says.

Indeed, Mr Arora believes that an information risk manager's biggest contribution to an organisation is to allow innovation by taking a balanced view of the information risk. "If I can support innovative ideas that help the organisation make money, at the expense of some controls, that is one way I can really help the business." For example, Mr Arora's predecessors at his current employer had decided that installing self-service terminals in certain locations was too risky. But seeing that this was an opportunity for the company to innovate and expand its reach, Mr Arora found a way to mitigate the risks. "If I can help them with risks in more meaningful ways, then, in a way, I have done my job."

The field of information security evolves at an incredible pace, and keeping up to date is another challenge for information risk managers. "There is no end to the research an information risk manager must do or be aware of," says Carl Blackett, the group data security officer at the ATPI Group, a travel management company. "This can range from a new vulnerability which needs to be risk assessed, to a news article about a data breach and the resulting impact, or a new piece of legislation which needs to be complied with." They also keep up to speed with what is happening within their own organisation. This might involve a daily review of all relevant activity, including updates on tasks assigned through the day, or conducting regular reviews of policy or processes to ensure that the yearly risk management plan is being upheld. However, this kind of work cannot get in the way of addressing emergencies as they occur. "Risks can arise at any time of the day," Mr Blackett explains. "Usually the information risk manager is available on a 24/7 basis."

Risk managers have a tough, varied job. But thanks to the growing business and media interest in security, now is the time for them to thrive, says KPMG's Mr Bonner. "If you can't do the job in this climate then you're in the wrong role," he says. "We have the attention, focus and funding to make a difference."

Posted on: 04/12/2015, 00:03