Security Training for Board Members
Best Practices for Getting Across the Right Messages
The board members at a financial institution are responsible for oversight and implementation of a sound security program, including overall guidance and direction in setting a cultural value around risk awareness, driving policy and strategy, defining a global risk profile, and creating security initiatives and priorities for the banking organization. They are the drivers that define and shape security, and yet they have very little time at their disposal for training and education.
"Training the board members on security issues at any financial institution is a real challenge and is a double-edged sword of very little time and high level of commitment," says Kenneth Newman, VP of Security at American Savings Bank in Hawaii. Therefore, effective training for board members needs to be simple, short and conducted on an annual or semi-annual basis.
The key board training messages and approach should include:
- A thorough understanding of changes in regulatory issues and impacts and changes in business as it relates to the overall practices at a bank or financial institution.
- An effective understanding of security as it relates to the enterprise risk model from a high level.
- Realistic feedback on which policies and processes carry the highest risk, and where the security vulnerabilities lie within the institution.
- An understanding of the impact of security failures on the business and the potential effect on stakeholders, competition, etc. What are the real costs involved?
- Communicate the consequences of security incidents and repercussions of inadequate training in terms of loss of revenues and lack of customer and investor confidence.
- Focus on ensuring that security initiatives and improvements are measured and monitored on a regular basis and that all are part of an evaluation process.
- Drive the point of personal and individual responsibility that each board member and employee has in terms of owning and participating in the training and education process.
"Take it seriously, it's real and there can be significant repercussions if not done well," says Tom Festing, senior risk and training manager based in Indianapolis at Crowe Chizek and Company LLC, while discussing the issue of training for board members. He further adds the "must have" action items for board members:
- Develop and implement an effective security policy and procedure, ensuring that the proper security tasks and initiatives are appropriately assigned to management
- Have up-to-date knowledge on the regulatory and business practices that govern the institution's day-to-day operating environment
- Develop a high level of awareness regarding risk and security exposure
- Never believe that security policies and procedures are 100% secure, and ensure a backup plan is always in place with regard to security events and incidents. Also, be aware of the actual cost and impact of security breaches and incidents on management and on the institution's reputation.
- Adopt a hands-on role in managing and getting involved with security related decisions
- Define who is responsible for security in their institution and push this responsibility down to the individual employee level.
- Monitor management's performance in effectively managing security risks
- Develop crisis management practices
- Make security training and education a way of life in their organization