In Depth

Sharon O'Bryan: Called to Account

Some security executives see protecting their company's assets as a way to earn a living. ABN Amro's Sharon O'Bryan sees it as her mission.

By Simone Kaplan

Page 4

At the same time O'Bryan was revamping the technology risk management division, ABN Amro was going through its own labor pains. Like the technology risk group, the Dutch bank used to be regionally oriented, with operations spread around the globe. Two years ago, the company reorganized itself into three strategic business units: consumer and commercial clients, wholesale client services, and private clients and asset management. O'Bryan needed to fit the risk group's responsibilities into the company's new structure, a task which O'Bryan took in stride. "We just had to be light on our toes and change the strategic plan regularly," she says.

Do the Right Thing

O'Bryan is not one to simply navigate her way through change; she actively seeks it out, particularly when she perceives that something is wrong. "I'm very much a do-the-right-thing person," she says of herself. "I won't sit by if something needs to be fixed." One of the projects in which she has been most actively involved is the creation of a framework for monitoring the risk management practices of third-party outsourcing providers. During her years as an IT auditor, she noticed a loophole in industry auditing procedures that allowed a lot of financial companies to avoid examining the IT and security risk-management policies of outsourcers (for more on outsourcing, see "Tying the Knot," Page 40). That a loophole existed wasn't surprising: the regulations governing outsourcing risk management were published in 1988, long before data security became the issue it is today.

O'Bryan observed that, at audit time, industry and federal regulators almost never asked her clients for a list of outsourced services so that they could examine how the companies managed risk. Since it was her job to audit the technology infrastructure of her 102 financial clients so that they could sign off on financial statements, the loophole was very apparent. She knew regulators weren't doing anything wrong because looking in-depth at data security controls was outside the scope of their audit responsibilities. But other than simply verifying the presence of security measures, there was virtually no data privacy oversight for information handled by outsourcers. Companies were not required to demonstrate the breadth of data security coverage or whether their in-house security was integrated with that of their outsourcers. As a result, she says, few organizations performed the necessary analysis of security controls they relied on, and fewer, if any, actually tested those controls. The financial institutions shrugged it off for the most part, she says, because they thought data security was the outsourcer's responsibility, not theirs. "What we needed was documentation showing how information is shared between companies and outsourcers, how their networks interface and how the data is being protected," she says.
