Ask the project owners these five questions before the team gets started.
As a follow-up to my Branch Network Transformation: 5 Questions For Credit Unions blog, I want to expand upon how credit unions should think about security during a digital, branch or network transformation. Since honesty is always the best policy, we suggest you pose the following five questions to the project owners or leads before launching a transformative effort.
1) Is the credit union leadership aware of the security risks of this transformation/project?
Regardless of the size or scope of the project, an executive sponsor must be attached and made aware of the security risks associated with the undertaking. This gives the executive sponsor the knowledge needed to convey risks to the rest of the leadership team, and gives the project team the air cover it will need to accomplish the project milestones.
2) Are you confident that the security risks have been methodically examined?
The executive sponsor needs to consider the business and technology risks for this effort using a repeatable and defensible approach. Have you and the other members of the project team talked about this and communicated it to the executive sponsor? Auditors tend to place less confidence in “gut feel” decisions than in those that have been meticulously documented, researched and measured against the business goals of the organization.
3) If security risks are identified, does the team have the knowledge/ability to adequately resolve them?
A large part of the risk analysis should align with the organization’s current abilities to address—or in risk parlance, “treat”—the identified risks. For those risks that the organization cannot adequately address or resolve, a detailed plan must be created to transfer the risk. This transfer could include the purchase of cyber insurance or the outsourcing of monitoring to a trusted partner.
4) If a security or privacy issue were to occur as a result of this transformation, do you have a mitigation plan in place?
Your project team should always have a mitigation and response plan for the most likely security or privacy issues resulting from any transformation. The last thing you want to do is create the mitigation, response and communications steps in the midst of an incident.
5) If a security or privacy issue were to occur as a result of this transformation, what would it do to the credit union’s brand?
Brand impact, both positive and negative, should always be discussed during the initial project planning phase. Although most organizations tend to focus on the positives resulting from a successful transformation, it may be more advantageous to focus on the fallout from a security or privacy issue resulting from the successful implementation. You should always have a communication plan in place to deal with the fallout from any transformation-related issues to protect the brand.
To obtain the best results from this exercise, you’ll find it best to answer the above questions as honestly as possible. Hopefully, these steps will help you avoid any adverse effects during your next transformation project.
Andrew Hay, CISSP, is chief operating officer of Lares, Denver.