Making of an Auditor: featuring Nathan Johns, CISA, Senior Audit Manager, with Crowe Chizek and Co., LLC
Richard Swart: Hi. This is Richard Swart with Information Security & Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we will be speaking with Mr. Nathan Johns. Nathan is an executive with Crowe Chizek and Company, LLC's risk services delivery unit, with over 15 years' experience in a variety of internal audit, risk management, leadership and regulatory positions. He has a comprehensive internal audit and risk management background in large financial services institutions, working closely with senior management to address risks and evaluate and implement controls. Before joining Crowe Chizek, Mr. Johns was the chief of the information technology section for the FDIC.
Nathan Johns: Good afternoon.
Swart: Can you tell us a little bit about your position with the FDIC before you joined Crowe Chizek?
Johns: Sure. I was in charge of IT examinations nationwide for the FDIC, and that entailed pretty much everything that the examiners use when they go out to do an IT examination at a bank, from examination procedures to the guidance to the banking industry to staffing decisions to training and education for the examiners.
Swart: Quite a comprehensive role. In that role, what was your experience as to what was the best sort of training? What are best practices in training?
Johns: The best practices that we used in training, probably the best training method we had was training on the job. We had a program where we partnered up examiners with more experienced examiners almost in a shadowing kind of role or a coaching kind of role, and really the hands-on training was better – was probably the best training.
That being said, we had an extensive training strategy that we had in place; and, depending on – we had actually gone out and surveyed the banks to determine the different levels of technology that they use, and we tried matching up our examiners to the financial institutions. And so we had a training program then that took the common characteristics of those banks and said, okay, what does an examiner need, what skills do they need to examine those institutions? And so we had a training program with courses coupled with the on-the-job training to try and provide them with those skill sets based upon which group they, either them or their supervisors, wanted them to belong to.
Swart: What were some of the best practices for that training that they decided on for job shadowing?
Johns: Okay. Some of the things that we did, we coupled classroom training with online training. The classroom training really had the better retention because it was more actual hands-on, very involved between both actual instructions and the doing. So it had a good retention, but they had forgotten by the time they got out to use those skills. So we coupled that with online courses that they could use more as a just-in-time type of training.
Okay. It’s been nine months since we had the course. You can go online; take a course almost as a refresher. They get the information current in their minds right as they’re walking in the door to see the technology. So the flexibility was really key.
Swart: So what would your advice be to other IT security executives who have to allocate their budgets? What should their priorities be these days?
Johns: I think a lot of the priorities need to be not so much – especially if you’re talking about auditing and where you’re going to run into a lot of different technologies and you’re not going to be focusing on a single technology day in and day out, but it’s going to be more on the process and the framework and the structure. You can learn the technologies or have a general understanding of the different technologies and the security around those technologies; but if you understand a good proper framework, whether it be COBIT or ISO or any of the other frameworks that are out there, then it becomes very easy to adapt to different technologies and apply the specifics to that framework.
So, I think spending time not so much on individual technologies but on grasping frameworks is where you’re going to get more bang for your buck.
Swart: In your experience, do financial institutions ever use the NIST guidelines? Is that getting much traction?
Johns: I think there’s varying degrees. I don’t think – I haven’t seen a lot of institutions that are using the NIST guidelines per se, but the NIST guidelines do factor into a lot of these different standards that are out there. I mean, at the end of the day COBIT and ISO and all those have borrowed, or in places at least borrowed, from the NIST guidelines. And I think that a lot of the risk assessment and risk-based approaches that are out there also borrow heavily from the NIST guidelines as well. So, I don’t think there’s a direct use of it, but I think there’s this kind of second-tier correlation that you see with the NIST guidelines.
Swart: Okay, thank you. What about special certifications; which ones are the most important and how would you recommend that organizations prepare their employees to sit for those examinations?
Johns: There are a lot of different certifications out there, so, I mean, it really depends on the position that you’re talking about. But probably two of the most useful and generic or widespread I guess certifications would be the CISSP, Certified Information Systems Security Professional, and the CISSA, the Certified Information Security Systems Auditor. And preparing for them, I think that review courses are obviously a very good idea. If you have enough people, you can get – from a budget standpoint, hosting it in-house certainly has its benefits, if you have enough people taking the test.
But other things that I would suggest short of that is just taking a bunch of practice tests, just so you learn how they ask the questions, the types of material that they’ll be looking for. And the other thing is talk to people that already have the certification. A lot of times they’ll be able to provide tips that worked for them, things that they experienced while they were going through the certification, jobs and experiences that they think could help you prepare for taking the test.
Swart: And what advice would you give to someone who’s just starting their career in information security, specifically someone looking to work in the financial sector?
Johns: I would – the biggest advice I would give to them is listen to people that are out there that have experience in this area, absorb as much as you can from them. Even if they’re just telling you a war story, there are probably very valuable experiences within that story. So be open. Listen to them. Be like a sponge; absorb all that variable information that their experiences have provided them. Don’t make the same mistakes they did. Learn from what they’ve done. And plus on-the-job training, as I mentioned earlier, is invaluable. So learn from their experience; learn from what they’ve done, and basically use them as a mentor.
Swart: Well, you’ve worked with a lot of young auditors just starting out in their career. What are common mistakes and what are some things that new auditors might need to look out for?
Johns: I think the biggest mistake that you see out there is going into an audit and assuming that you know more than the people that you’re auditing. Chances are the people that you’re auditing use this technology day in and day out. So become their friends. I mean, okay, there’s always a little bit of an adversarial role in auditing; however, they do know this technology very well. If you explain what you’re trying to accomplish and the security you’re trying to put in place, oftentimes they can actually help educate you as the auditor on that system, on the capabilities of it; and they may be able to come up with unique solutions to problems that you’ve identified in ways that you had never thought of.
Swart: I’d like to tap your experience one more time. You’ve served on a number of FFIEC information technology committees and oversaw IT matters. What are some of the most pressing concerns that you saw in the FFIEC from an IT security perspective and what do you think will be emerging as significant concerns over the next few years?
Johns: From an information security perspective, there’s a couple of things that are – well, there’s a couple of things that are currently on the front burner, and there’s some things that I think will be coming onto the burner over the next couple of years. Obviously right now one of the hottest topics is protecting information, whether it be customer information or whether it be some business information or whether it be credit cards. With all the breaches that have occurred, all the press that’s been surrounding some of the information compromises, lawmakers all over the place are trying to make a determination if there needs to be additional laws. So it certainly puts pressure on the regulatory bodies to try and work within the framework that’s there to stop these things from happening.
That being said, the direction and some of the things that they’re considering in the future, which will probably be hot topics in upcoming years, are the increased use of encryption. As costs come down on encryption and as the technology becomes better and better, it’s becoming harder for them not to increase the requirements around encryption. So I think that’s something we’re going to be seeing more and more of from the regulators as a push towards stronger and more encryption.
Swart: So it sounds like someone starting off in their career should really ensure they have a solid foundation or use of these modern technologies for encryption.
Swart: All right. Well, thank you for your advice, Nathan. It’s been very interesting, and I’m sure our listeners will get great benefit from it.
Johns: You’re welcome.
Swart: Well, thank you for listening to the podcast of the Information Security and Media Group. To listen to a selection of other podcasts or to find other educational content regarding information security for the banking and finance industry, you can visit www.BankInfoSecurity.com or www.CUInfoSecurity.com.