FAIR Institute Board Member Bill Barouski served as Executive VP and CISO for the Federal Reserve System until mid-2015, overseeing information security for the US central bank, including incident response, as well as information security architecture, standards, policies and programs.
In previous roles at the Fed, he managed the bank’s nationwide electronic payments and information delivery network, as well as its national sales and marketing strategies.
Bill is currently the Deputy CISO at Northern Trust Corporation in Chicago, a leading provider of asset servicing, fund administration, investment management, banking and fiduciary solutions for corporations, institutions and affluent individuals.
Tell us about your job and your range of duties.
I have a wide range of duties that incorporate our regional information security officers, security awareness programs, enterprise client engagement, and comprehensive data protection.
Is Northern Trust using the FAIR model?
We are using and adopting the FAIR model, albeit in an early ‘prove it’ stage. We are implementing FAIR in both our information security and technology risk function, framing the argument for security investment.
How did you get interested in FAIR?
I started this journey at the Fed, where I was the CISO but also the IT risk officer. Like many organizations, we were evaluating new approaches to risk management and considering many models. It was really then serendipity -- that is what I call Jack Jones -- that brought me to FAIR and the RiskLens folks and all that followed.
What was appealing to you about FAIR?
It was really just the purity and the simplicity of the model that had a significant amount of appeal.
What do you see as a key challenge for the CISO profession now?
It’s the ability to have real-time information, and I don’t mean just metrics, so it’s beyond FAIR. It’s real-time information that can be translated into risk information and communicated to business and senior-level executives.
What would you say is the state of risk awareness among CISOs?
There’s a difference between the state of risk awareness which I would say is acute and the agreement that a model such as FAIR is either right or works better than other existing ones that might be ingrained in organizations. It’s like any IT: People are politically and emotionally invested!
It seems that CISOs and Boards of Directors are heading into a period of increased government regulation on cybersecurity. Where do you see the regulatory environment going?
I’m a huge fan of the letter that FSSCC recently sent to the top US regulators!
[The Financial Services Sector Coordinating Council (FSSCC), the financial industry’s coordinating group for homeland security, wrote the letter as a comment on the proposed Enhanced Cyber Risk Management Standards issued by the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation. Read the FSSCC letter.]
Really, it’s a plea for what they call ‘harmonization’ of regulatory cyber frameworks. There were 43 different cyber frameworks in 2014 by US regulators. So to me that harmonization is huge because it allows us cyber fighters to focus more intently on the adversaries than on compliance.
What would you say to young people starting out as cybersecurity risk analysts?
Learn technology and cyber capabilities well and keep an open mind to different approaches. Being ‘street smart’ and yet agnostic to a technology will go a long way. Openly debate the value of any technology and of course, any framework.
You’ve had a career at high levels in government and the private sector. Any accomplishment you are particularly proud of?
Nothing about me. I think one of the greatest joys I get is educating others on the quality of individuals that serve and protect this country of ours. I do that in client engagement sessions. We’re in a serious business but we’re also surrounded by incredibly gifted and capable civil servants and other individuals that serve this country in cyber and other types of protection. I’m really proud to be surrounded by those people. I saw them in every aspect of what I did at the Fed but that’s not so visible in the private sector. To know that you’re surrounded with that talent is very satisfying.