Berthold Kerl, Managing Director, Head of Information & Technology Risk Governance, Deutsche Bank AG
April 18, 2012 9:30
Well, we move along now to our next presentation. Thank you very much. The third of our morning keynotes: we have Berthold Kerl, Head of Information Technology Risk Governance from Deutsche Bank. And Mr. Kerl is here. Good morning, sir. Thanks. Thank you very much. Good morning everybody. I'm now here at the European Identity Conference for the third time, and I'm really impressed how it has developed: a big audience, I was told 600 participants overall, very nice location, very nice hotel.
Somebody told me that yesterday even the players from Bayern Munich stayed here before they left for their game. My son will be impressed when I tell him. And a great game; I hope you all enjoyed it regardless of which team you supported.
Well, I'm actually not here to talk about football or soccer, although I could do that for hours. My topic today is information security governance in banks, in Deutsche Bank in particular, and my special focus today will be how to deliver actionable recommendations to management, because that's typically a big challenge.
Now, normally before you start with your presentation, you have to give everybody the impression that your topic is important. And I had luck, because Dr. Gin already helped me a lot to convince everybody that this is an important topic, but I will add a couple of facts. Why is it important? These are all publicly available pieces of information. So there's no secret behind it: information security matters, and especially the new form, cyber crime, matters.
There's one example: Citigroup in 2011. Their network was penetrated and hackers were able to access personal identification information of around 200,000 of Citibank's clients. Obviously there was a big reputational damage, but in addition to that also financial damage of quite significant size, 7 million estimated. Obviously another bank was also attacked by hackers, who also got access to confidential client information and stole between 1,000 and 3,000 pounds. It was a British bank, from the accounts.
And again, it was big reputational damage, but also financial damage, because they had to reimburse in full. Another example of a little bit different kind goes more in the direction of data leakage: a member of staff lost a laptop with confidential client information.
And again, as you can imagine, it was a big reputational problem for them. But in addition to that, they got a hefty fine from the UK regulator, the FSA. And I know, because I'm a little bit in contact with the security guys over there, that since then they really take information security much more seriously than before. My last example here: a Japanese bank.
This was also an example of a targeted attack, where they used cleaning personnel to introduce key loggers, key logger devices in the back of the keyboard, to get hold of passwords, which they then used to steal money. So also quite sophisticated already; you need some sort of organization to do something like that. And I did not include the very famous examples in banks; Jim Taylor at the beginning of the session already mentioned them: Société Générale with a loss of whatever, 5 billion, and the most recent one last year, UBS.
And in both cases, actually, it was interesting that it was somebody who worked in the back office, moved into the front office and obviously did not lose the access rights he had beforehand. So an interesting case. So I believe information security is on the agenda of the board, and therefore we have to deal with it. And of course the very new one, cyber attacks; my predecessor already mentioned that they increase. We have obviously the very organized ones, even organized by states, Russia, China, others as well, targeting for example critical infrastructure.
We have organized crime, I already gave some examples of these, and we have hacktivists, groups like Anonymous, who publicly even announce that they will attack banks, and that they do it via our customers. They do it via our people.
What is also interesting: they can do it also via our physical infrastructure, because now the whole facility management of a big building is all software, and therefore potentially vulnerable. And they do it also via our third parties, which also play an important role in our supply chain. Now this is obviously a very interesting topic and creates lots of management attention.
It's fancy, so lots of people look at this, but we should not forget about the traditional threats, the internal threats. And also here we have some specific new challenges.
Of course, our working environment requires that we increasingly share information amongst others, and do this very quickly. So our new CEO, or announced CEO, is known for answering emails even at night.
So this of course is influencing the culture of a company. And everybody wants to share information very fast with others, again with colleagues, with vendors, but also with clients. And that obviously conflicts in many cases with the confidentiality requirement of the related data. So that's a challenge. The other thing I already mentioned as well was third parties.
I think companies like us, and Deutsche Bank is probably not very different to many other companies, at least not different to many other banks, rely for one third of the human workforce on externals. That's obviously a big challenge, and the fluctuation, the attrition of the externals is significantly higher than it is with internals, which, as you all know, is a challenge in itself.
So this needs to be managed from an information security perspective. And certainly we have to deal with new technology. We were very used to the solid BlackBerry environment, for example, for years. Now everybody wants to have iPhones and iPads, bring your own devices, et cetera. And that adds a significant amount of complexity to the company and makes information security much more difficult than before. So lots of challenges. And I have one question to all of you: is it possible to protect a company, a bank, to 100% from all of this? Is this possible?
I personally would tend to say probably not, or if so, it will be at least very expensive. And the question now is: who decides how much money you would like to spend on your protection level? Who is it?
Is it IT? Is it information security governance? Is it somebody on the board? Who is it?
And how do they do it? That's also an interesting question. Perhaps it is valuable to look a little bit at the evolution of the information security function.
And again, I don't think that Deutsche Bank is a very exceptional example here. Probably it started off with concentrating on security operations; IT mostly owned this and was responsible for doing that. It had to do with patching, with reducing somehow the risk, very undefined. The next step obviously was to introduce policies, to think about metrics, to measure compliance and design controls, probably from a cost-benefit perspective, but still the information security function took the blame when something went wrong.
What we should be striving for, in my personal opinion, is what I call, or what is not mine by the way, it's coming from a term from IT, the true risk management. What does this mean? That means we have to make sure that we make the business part of that decision process, that we make them understand the risks, that we make them understand the costs, that we help them to take decisions: how much money do they want to spend to reduce the risk, and whether the remaining risk is acceptable at a certain point in time.
And of course that is a very dynamic process because, as you all know, in cyber space we have a new situation almost every day. In the next couple of slides I would like to give you an idea of how we try to follow this kind of approach. We are definitely not yet at the end of that process, but this is at least the objective we are aiming for. Before I do that, I probably have to give you a little bit of an idea about Deutsche Bank and how it is organized.
So I won't bore you with a number of slides, just two, but I do think it is helpful to better understand what I am telling afterwards. And of course that is the organization as of today; it may change in one, two months from now, but this is still what it is like. Obviously Deutsche Bank is one of the biggest banks worldwide, with 90,000 internal staff, another whatever, 30, 40,000 externals, and, that's important, is organized in what we call divisions or sometimes also businesses.
The two main ones obviously are the investment banking side and the private clients and asset management side. The two main businesses are supported by a number of functions, for example CEO, of course finance, IT, but also legal, HR, et cetera. And then we have regional management. Why do we have regional management? Because Deutsche Bank is located in over 70 countries globally; here on this slide you would see only selected locations. And you can imagine that to protect an organization like this, where information is in the center of our business,
there is no banking without data, there is no banking without information, is a very big challenge.
And I don't think, we don't think, that this can be done by just one person, sometimes called CSO. Now, how do we do that?
Firstly, I think we came up with some very core principles. The global head of a business, and also the global head of a function, has to accept the responsibility, being responsible for information security. He's the person ultimately responsible. Obviously a global head typically has other tasks as well, so he needs support. And what we mandate is that in each division and function a chief BISO, or chief business information security officer, has to be nominated.
And that's obviously a full-time professional, independent of the size of the organization or the complexity of the organization. This person is supported by a number of business information security officers or technical information security officers. So in total, to cover the entire organization, we have more than 10 of these chief BISOs. You could probably look at them as the CSOs for each division and function, and overall group-wide over a thousand BISOs and also over 500 TISOs. So it's quite a big army. Obviously the BISOs and TISOs are typically not full-time people.
Otherwise it would be a little bit too expensive and too over the top, but actually that model is currently under evaluation. Now, if you implement something like this, the danger is that now each division and function will come up with their own information security management system.
And if you don't coordinate that, they will all look different. So what we did: we introduced a committee, what we call the group information security committee, Group ISAC, and obviously in that committee every chief BISO has a seat, has a say. And that is true for the businesses as well as the functions. And we also have non-voting members from support groups, such as data protection, such as legal, such as audit, such as my team, for example, risk governance, to advise, to contribute, to help.
It's also important to mention, on the left-hand side, a support group which would be called the information security office. And this office not only prepares the meetings, takes care of the agenda and the topics and makes sure that the data is ready to be discussed, but they also do a lot of groundwork behind the scenes to support the decision-making process. And obviously in that committee we coordinate certain things which are of group-wide interest.
So for example the group-wide information security policy, the group-wide information security strategy, group-wide controls, group-wide standards, et cetera. And of course also metrics and reports of group-wide nature. But also we report back issues coming from the divisions and functions themselves. So while this committee is now, let's say, our replacement of the CSO of Deutsche Bank and has the ultimate responsibility for information security of the group, it would not take away the accountability of the divisions and functions.
Now, how does this all hang together? I already mentioned that on the group level we take principle decisions on the overall framework, how it works. We of course also identify controls and standards where there is no need, or should not be a need, to have differences between, let's say, the retail bank on the one side and the investment bank somewhere else.
So where we have global standards, the Group ISAC is responsible, but as you can imagine, the needs of, let's say, private wealth management in Switzerland, to take one example, compared to a retail branch in Munich, or compared to the global cash and trade business in Singapore, and to take a last example, the equities business in New York, are very different.
And to cater for these differences, we now have the flexibility on the divisional level to come up with their own information security management systems and make sure that the needs and our standards fit the business. So for example, we had one example in terms of information classification where we, after a long discussion process, implemented a solution which was fine for the majority of the businesses, but then late in the process we found out that in the US it won't work. It's not practical; they can't do it.
So we had to think about something different, and this kind of structure would support that. I already mentioned regulators, and in a global organization like us we don't have just one; of course, we have many, over 70 in theory. The main ones are here on the slide: the Fed in the US, of course our lead regulator in Germany, BaFin, the Financial Services Authority in the UK, the Monetary Authority in Singapore, or the FSA in Japan, just to mention a few.
And as I said, there are many more. The problem is the regulation is obviously not completely aligned. So what the Fed wants is not completely identical with what BaFin wants, and so on and so forth, which of course is a problem. So I introduced the divisional dimension to you a couple of minutes ago. Now we have the regional dimension to our requirements, which we need to manage. All of them, after the financial crisis, now have a much stronger focus on information security; requirements increase in two dimensions, depth and breadth.
And not only are the requirements posed against us, the regulators now come much more often, more frequently, to check. To give you an example, the Fed has constantly 20 people sitting inside Deutsche Bank in the US. And I've not seen so many BaFin visits in the last three years as in the last three or four months.
So that's of course something we need to manage. Now, how do we manage that? And how can decisions be supported? I have just one example here, coming from the IT and access governance area. Obviously the drivers for the final decision are regulatory requirements, you can't go below them, but also the business requirements. And whatever problem you look at, typically you will have a range of options.
You can start very low key, with very little support, with a very federated governance model, or you can go very central, very regulated, very automated, et cetera. And obviously when you go more to the right, you will see more cost, more effort, but you will also see a different support model to the business, and also a different governance approach. And where in this area you land is something which needs to be thoroughly discussed with the business.
Because when you go more to the left, this poses more responsibility on the decentral organization, and they have to know that: less support, more responsibility. If you go right, the opposite is the case: you take away responsibility from them, give them much more support, but they will have to pay for it. And that's important for everybody to know and understand. I talked about the Group ISAC, and what are we doing in the Group ISAC?
We have a standard agenda there, and the main categories of this agenda are here on this slide. Of course, on a regular basis we talk about our incidents. So we talk about our technical incidents, we talk about incidents coming from data privacy, et cetera. And what we check of course is: what happened? What have we done, or what are we doing, to mitigate the problem itself? But even more importantly, what is necessary to be done to avoid something like this happening in the future?
All right, then obviously we also have, as a regular agenda item, risks, where we scan the future environment to see what the new risks are, what the impact is for Deutsche Bank, and what we have to do to prepare ourselves for that.
And finally, we of course check on compliance, and I will elaborate a little bit more on the next slide on that, where we check to what extent we are compliant with regulation and with our policies, and whether we have to adjust controls, et cetera. The outcome of all of these three could be that we say something needs to happen; we need to set up a project, an initiative, whatever, to make sure that something like that can't happen in the future. This will be decided as well.
And the committee also monitors the progress of these initiatives. We also believe that ISO helps to meet regulatory requirements. I'm not saying that because I'm a very big fan of ISO. I think it can be good.
It takes care of some sort of comprehensive approach. There's for sure room for improvement.
However, what we are seeing is that many, many regulators now are also using this structure. So it helps in our communication with them.
And therefore we've decided to align our approach to ISO. So our reporting is aligned to the 11 ISO domains, and we will make sure that we cover them on a regular basis. How we do that: we have a reporting schedule which takes care that all the dimensions are being reported at least once a year. There are easy dimensions, like information security policies; it's not necessary to talk about this more than once a year. There are other dimensions, like access control or incident reporting, et cetera, which we have on the agenda every month.
And therefore, when you look at the domains, that's a very high level; you have of course then the control chapters below that. And you have to find a KPI hierarchy with quite basic KPIs at the beginning. And then once this is all in place, you can go deeper and more detailed. And as I said, we are definitely not yet in all dimensions at the very bottom of it, but that is the overall approach.
This is work in progress, however already in place. And we believe that that's a good way to communicate with the business, to participate in the decision-making process and help them to understand the risks. And who has to decide whether it's acceptable to go down the slope? He has to evaluate all necessary information, the avalanche report and other things. And once he has come to a positive decision, he may then decide to go ahead. Thank you. Thank you very much.