How do financial firms assess information security risk? And how do they make investment decisions against that risk? Last December, Anthony Portera T’07 tried to find out. While many of his classmates hit the ski slopes or sandy beaches, Portera used his winter break to join the Information Risk in the Professional Services (IRPS) team in their field study on financial institutions. Led by Tuck professor M. Eric Johnson and Dartmouth computer science professor Sean Smith, the study was funded in part by research grants from the National Institute of Standards and Technology and the Department of Homeland Security.
“More than any other industry, financial services face the most creative and seemingly endless parade of threats,” says Johnson, director of Tuck’s Center for Digital Strategies. “The potential rewards keep thieves working overtime to exploit any weakness.”
For the month of December, Portera paired up with team member Sara Sinclair, a Dartmouth PhD candidate in computer science, to interview information-security professionals from retail and investment banks in New York City. Sinclair focused on the technical details and design initiatives within each firm, while Portera examined the organizational dynamics driving security innovation and how to foster innovation in protecting others from risk.
“By its nature, security often focuses on closing barn doors after a breach,” Portera notes. “This study examines how firms anticipate risk and whether investments in information security risk management could be a source of value creation or a competitive advantage.”
One of the firms Portera profiled stood out for its excellence in innovation. What made this firm’s security organization so extraordinary was its culture of anticipating and mitigating risk and its openness to collaboration. It also included individuals with backgrounds in both technical and nontechnical fields but not necessarily security. Employees learned security on the job and were expected to be fluent in both the IT needs and the business activities of the firm.
“Managers can’t just assign a budget to information security and hope it goes away,” Johnson says. “This is an area that requires understanding organizational needs and fostering a culture to engage and innovate on those needs.” Portera agrees: “Whether it’s a small-size organization that needs to simply be thoughtful about the packages it buys or it’s large enough that there’s an option to build custom solutions, cultural sensitivity, discipline, and openness to collaboration are necessary to mitigate risk appropriately.”
Portera says the study was a valuable way to spend his winter break. “I got a fascinating, in-depth view into the technical activities of the world’s leading financial institutions. It has enriched my perspective as a future manager.”

