


by Simone Kaplan

Sharon O’Bryan: Called to Account

Feb 01, 2003 | 12 mins
CSO and CISO | Government

Some security executives see protecting their company's assets as a way to earn a living. ABN Amro's Sharon O'Bryan sees it as her mission.

You’re in good hands with Sharon O’Bryan.

That may sound like an advertising slogan or a political promise, but O’Bryan isn’t campaigning for anything. She’s the senior vice president and chief information security officer for Dutch banking giant ABN Amro’s North American division, and she loves her job. To her, protecting her clients’ cash and sensitive information is much more than a way to earn a paycheck. It’s a calling.

“Security is so intrinsic to what we do for our clients,” she says, her voice filled with conviction. “This is people’s livelihood that I’m protecting. It’s their ability to send their children to college, to pay for their daughters’ weddings. It’s a very big deal.”

O’Bryan is passionate about security. She is also very honest about the challenges of being a CISO. Professionally, like many of her peers, O’Bryan faces a continually changing landscape that requires deft strategic planning and a nimble mind. On a larger scale, she must navigate the heavily regulated waters of the financial services industry, in which every action, every goal must be documented for corporate and federal auditors. She frequently visits Washington, D.C., where she represents her company on the financial services branch of Presidential Cybersecurity Adviser Richard Clarke’s Critical Infrastructure Protection Board and is a major player in Bits, the technology arm of the Financial Services Roundtable, an industry lobbying group. “Staying on top of security technology and the nature of security threats, which change constantly, isn’t easy,” she admits. “But then, you know the saying, the only thing that’s constant is change.”

Considering how much she has going on, it’s amazing that O’Bryan has time to talk at all. Since she joined ABN Amro four years ago (after several years as an IT auditor for two Big Five accounting consultancies), she’s revamped the security architecture of her company’s technology risk management group and helped her staff adjust to a global corporate reorganization. Not only that, but ABN Amro, which has 3,400 branches in 60 countries, is so active on the mergers and acquisitions front that O’Bryan is continually applying security standards to systems newly integrated into the company’s network. Sometimes she feels like the company’s landscape changes on a daily basis. As CISO, she’s not in charge of the company’s physical security arena, but she still has to make sure the two groups don’t duplicate efforts in their common goal of protecting the business.

To top it all off, the CEO and the CIO of ABN Amro’s North American division are both retiring, and O’Bryan doesn’t know to whom she’ll be reporting in the long run. Fortunately, she likes that kind of pressure.

“I do better under duress,” O’Bryan says. “It’s like when you go to a restaurant, and you’re the only customer there. Ironically, the quality of service is terrible. If you want another cup of coffee, you can’t find the waitress because she’s off in a corner somewhere smoking. But if the place is busy, your service is better because the waitress has to be on the ball. It’s the same with me. When I’ve got an overwhelming number of things to do, I get all fired up.”

Which explains how, despite the demands on her time and energy, the atmosphere in O’Bryan’s office above the Chicago Loop is amazingly controlled. Amid neatly framed family photos and carefully organized papers, O’Bryan appears to be the essence of level-headed business acumen and IT expertise. Her zest for the job is immediately apparent in her strong handshake and the unwavering eye contact she levels on visitors. She frequently faces the challenge of merging systems from the companies that ABN Amro has acquired into her own and making sure they stand up to her rigorous security standards and requirements. “Sometimes I come into work and wonder, Well, what will the company look like today?” she says.

Merge Ahead

O’Bryan heads the technology risk management team, which is known within the company for handling the security side of systems integration quickly and well. If the acquired company’s security doesn’t meet O’Bryan’s standards, she delays hooking it up to ABN Amro’s network until it’s in compliance. “You can’t mix an unprotected system with a trusted network,” she says. The process is particularly difficult if the new company’s business depends on a single software program whose security settings can’t be changed. O’Bryan reasons that “if you change their technology in those situations, then you have changed the success of their organization, and there’s no cost-benefit to bringing them into the fold.” Her solution is simple and circumspect: segregate the unsafe systems. Rather than connecting them, she and her team set up a small enclave of trusted computers that are linked to the ABN Amro network. Those computers sit in a secure room, and whenever someone from the acquired company needs to interact with the ABN corporate network, he has to work from one of them; the noncompliant systems stay off the network. “If you can’t have a shared environment, that’s what you have to do,” she says.

O’Bryan applies the same determination to every project she faces. Recently, she completed a total reorganization of the security architecture part of the technology risk management group. The overhaul began three years ago, after she joined ABN Amro and discovered that the security organization was all over the map. Literally. “It was a giant pot of stew,” she recalls. The security organization was underfunded and understaffed, comprising only 12 people who were scattered throughout other infrastructure groups around the country. When O’Bryan arrived, the company had decided to go forward with a single sign-on technology that would allow network users to access multiple applications after entering a single password. But the North American division’s network was a complex patchwork of systems mushed together from frequent mergers and acquisitions, and there were few security standards in place. O’Bryan decided that the technology couldn’t support the company’s integrated systems and shelved the project. “The technology wasn’t quite there yet, and your network environment must be very clean for a project like that to be effective without opening you up to attack,” she says.

After putting the project on hold, she sat down with her CIO to gauge his level of support for a formal set of security standards projects. She then presented the executive board of ABN Amro North America with a meticulous plan detailing her ideal approach to increasing security efficiency and effectiveness: creating a centralized technology risk management group to oversee a common set of security policies. The executive team gave her the thumbs-up, and she began the next phase of the reorganization. Most of the existing risk management and continuity planning staff was dispersed and decentralized, reporting to different bosses and working in reaction-based environments rather than under a tactical or strategic plan. O’Bryan plucked her staffers out of their pseudo-exile and brought most of them to the Chicago area (she still has people in Michigan and New York), where they could work as a team. Together, the group came up with a thorough approach to technology risk that began at the strategic level and extended all the way down to daily, mundane procedural tasks such as issuing network access IDs.

O’Bryan looked at how other banks handled security but kept a close eye on how closely industry best practices addressed her company’s needs. “Best practices are often set by much larger organizations, like Bank of America, and they might not make sense for us as a medium-size organization,” she explains. “Rather than apply blanket best practices to my company, I am more interested in looking at how those practices relate specifically to the infrastructure, applications and security controls we have in place.”

With the newly crafted standards in hand, she made sure the company’s network was scrubbed and the systems were functioning effectively. “We had to clean it up,” she says. The security staff grew: When O’Bryan began the overhaul, she had a staff of 12 and a budget of about $6 million. Three years later, she oversees 66 people and a budget of $18 million. And the evolution of the risk group is about to take another step. In early 2003, ABN Amro’s Chicago offices will move to a new building that’s still under construction. While the move entails a lot of change, O’Bryan isn’t worried about adjusting. In the new building, she’ll have her entire Chicago-area technology risk group on one floor (right now, half the group is in her Loop-area building and the other half is located 20 miles away, near O’Hare International Airport).

At the same time O’Bryan was revamping the technology risk management division, ABN Amro was going through its own labor pains. Like the technology risk group, the Dutch bank used to be regionally oriented, with operations spread around the globe. Two years ago, the company reorganized itself into three strategic business units: consumer and commercial clients, wholesale client services, and private clients and asset management. O’Bryan needed to fit the risk group’s responsibilities into the company’s new structure, a task she took in stride. “We just had to be light on our toes and change the strategic plan regularly,” she says.

Do the Right Thing

O’Bryan is not one to simply navigate her way through change; she actively seeks it out, particularly when she perceives that something is wrong. “I’m very much a do-the-right-thing person,” she says of herself. “I won’t sit by if something needs to be fixed.” One of the projects in which she has been most actively involved is the creation of a framework for monitoring the risk management practices of third-party outsourcing providers. During her years as an IT auditor, she noticed a loophole in industry auditing procedures that allowed a lot of financial companies to avoid examining the IT and security risk-management policies of outsourcers (for more on outsourcing, see “Tying the Knot,” Page 40). That a loophole existed wasn’t surprising: the regulations governing outsourcing risk management were published in 1988, long before data security became the issue it is today.

O’Bryan observed that, at audit time, industry and federal regulators almost never asked her clients for a list of outsourced services so that they could examine how the companies managed risk. Since it was her job to audit the technology infrastructure of her 102 financial clients so that they could sign off on financial statements, the loophole was very apparent. She knew regulators weren’t doing anything wrong because looking in-depth at data security controls was outside the scope of their audit responsibilities. But other than simply verifying the presence of security measures, there was virtually no data privacy oversight for information handled by outsourcers. Companies were not required to demonstrate the breadth of data security coverage or whether their in-house security was integrated with that of their outsourcers. As a result, she says, few organizations performed the necessary analysis of security controls they relied on, and fewer, if any, actually tested those controls. The financial institutions shrugged it off for the most part, she says, because they thought data security was the outsourcer’s responsibility, not theirs. “What we needed was documentation showing how information is shared between companies and outsourcers, how their networks interface and how the data is being protected,” she says.

O’Bryan felt the lack of data privacy oversight needed the attention of the entire financial services industry. As a member of Bits, the lobbying group founded by CEOs from the top 100 financial companies in the nation, she raised at a meeting the idea of creating an industrywide framework for governing risk management in outsourcing. The other members of Bits agreed the issue demanded action and set to work creating the framework, a process that took a year. O’Bryan now cochairs the committee in charge of expanding the framework, which was ratified in 2001. The framework requires financial companies to apply the same security measures to outsourced information as they would if the data were handled in-house. “You can outsource IT and business processing, but you can’t outsource the risk,” O’Bryan says. “That creates a challenge for service providers, many of whom are being forced into creating formal security and contingency planning policies of their own in order to service financial clients.” While the Bits framework has helped regulators increase their scrutiny of outsourced risk management, this issue remains somewhat unresolved, she says, because most business managers still believe they can outsource risk, an attitude that has to change for sound security to be achieved.

Not surprisingly, O’Bryan handles the challenge of forcing change upon an industry mired in tradition and regulation with aplomb. She does, after all, thrive on pressure and responsibility. Like many security executives, O’Bryan is a part-time student, but the degree she’s pursuing is probably unique in the IT security field. She’s in the process of earning a master’s in theology, her third advanced degree (she already holds an MBA and a master’s in information systems). And no, she’s not praying for secure networks.

In the future, she wants to work with teenagers to “help steer them in the right direction.” But that’s a few years off. Her immediate goals are to move closer to the strategic side of the business so she can become less involved with day-to-day operations. “I’m a strategist at heart, and I have a vision of what security should mean to the business,” she explains. At some point she’d like to do more industry lobbying in Washington, D.C., but for right now she’s happy commuting from her home 65 miles outside Chicago and helping protect the assets of ABN Amro’s worldwide clients.

“At the end of the day, that’s what feels good,” O’Bryan says.