Security Management: Leading the Virtual Team
Interview with Lane Gittins of America First Credit Union

Institutions of all sizes struggle with staffing resources - having enough hands available to tend to information security matters. At America First Credit Union in Riverdale, Utah, Lane Gittins, the Systems Security Manager, has learned to overcome this challenge by working in a consultative style - directing a cross-functional team whose members come from across the institution and don't all report to him. Following is a transcript of Editorial Director Tom Field's recent conversation with Gittins on:
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. Today I am talking with Lane Gittins, System Security Manager with America First Credit Union, Riverdale, Utah, and the topic today is asking the question about information security -- a one-man band or a three-ring circus. Lane, in your case, which is it, the one-man band or the three-ring circus?
LANE GITTINS: Well, when I first started this I thought this is a one-man band and, boy, the responsibilities are laying heavy on my shoulders. But I have found more and more that it is a team effort, and I might be the ringmaster, but it is a three-ring circus and there is lots going on.
FIELD: Hey Lane, give me a little bit of background on your situation -- how you came to be at the credit union and what you are managing today.
GITTINS: Okay. I've worked for America First Credit Union for 27 years. Started off in the programming department when we were just a small IT group, maybe three or four of us, and it has grown into quite a large organization where America First is about the 10th largest credit union in the country, and I've evolved from being in the programming area, heading up the Y2K project and because of regulations and requirements, I evolved into being over systems security, so I am the responsible, accountable person for the administration of our information security program. I always describe it as I have about an inch deep of knowledge and about a mile wide, so I am not the guy that is the hands-on, I'm not the gurus or the real smart guys that are doing all the heavy lifting and the dirty work, but I am responsible and held accountable for the information security, the data security here at the credit union.
FIELD: And you really have to rely on a lot of other people to do the job with you, correct?
GITTINS: Absolutely. There is no way this job could be done without having team effort.
FIELD: So let's talk about this notion of a one-man band or a three-ring circus. How do you tackle this broad job before you with the limited resources that you have?
GITTINS: Well, one thing I have found that has helped me a lot is that initially we set up what we call our information security team. It started off small, we gathered a few key people from different departments and went from there. But that has been a real value to have a team like that. We do have other teams here at the credit union that involve different employees, a security response team, I do meet with committees from the Board of Directors, we call it our IT Committee and we meet with them and report to them regularly. And as well I work a lot with the physical security department, they set up a fraud summit, which I am a member of and do a lot of work with our internal audit department as well and we have found great success.
I think originally the idea of my job -- at least a lot of the guys in IT thought I was the guy that would ward off the internal auditors and keep them at bay, but more and more we have found that the best success we've had in IT security is involving our internal audit staff and having them be on our team and regular participators and contributors to what we are doing.
FIELD: Sure. Now you've talked about this as being sort of like surgery, that it takes a team effort. What kind of a team do you really have to put together? It must be challenging, especially because a lot of these people don't report directly to you.
GITTINS: Well, my reference back to surgery and you and I've had a little discussion about this, I just recently went through a bout with skin cancer. Now, it's basal cell carcinoma, and if you are going to have skin cancer it is a good one to have, but I recently had to go through a surgery called Mohs Surgery, where it is really a highly team effort operation so to speak. You have a specially trained team with a physician, several surgical assistants, you've got a technician who prepares the tissue for microscopic examination, and then you have the office staff. And the same thing, it just seemed to tie in so well with what we are doing here at America First in terms of information security; that we have to have a highly trained team; we have to have a team that is very skilled and very qualified to handle different aspects of information security.
FIELD: Okay. So give me a sense of sort of how you lead this team. You are not really a one-man band; you are kind of leading the circus. How do you direct this sort of virtual team?
GITTINS: Well, we gather for regular meetings. It depends on what the issue of the day is, but I think a point that needs to be made as well is that my direct manager, the Senior Vice President of Information Systems, our CIO so to speak, is also on the team and he helps guide the efforts as well, although I am the team leader. We will meet usually on a monthly basis, sometimes more often depending on the issue, and one thing I like about this team is nobody is afraid to talk. Nobody is afraid to bring up bad ideas. There seems to be a trust amongst ourselves and a climate that welcomes innovative thinking and problem solving.
Now, there will be a time where we might all gather and we might break into smaller groups. Sometimes we might even ask the internal auditors to not come to a meeting because sometimes, as everyone knows, you won't get everybody's exact feelings unless they're feeling like they are not going to be audited over it and that they might be able to speak freely, but we do a lot of brainstorming, a lot of talking and that is where the value comes and that is essentially how we lead, is letting the team drive the effort and have open discussions.
FIELD: Now question, this always sort of comes up -- they define consulting as influencing people that don't report to you. How do you lead a team where a lot of members don't report directly to you?
GITTINS: I've got a lot of support from the management group in IS. We work as peers, and I meet with them regularly as well. We meet in smaller management teams under the direction of our CIO and it just seems to work out well. We seem to have a good, cohesive group and they support me very much with what we are doing and send either themselves or one of their responsible quality hard-working guys to my meeting to be able to coordinate that.
FIELD: Now day-in, day-out, what do you find the biggest challenges are that you and your team are dealing with?
GITTINS: I think some of the challenges we have had are to just react. One thing is I compare this again to the surgery that I went through. The surgery that I went through, they try and remove minimal skin. They just don't, as I like to say, they don't throw the baby out with the bath water, they take it a little bit at a time. And that's I think one of the challenges we have had, and I always joke about even with the managers of the non-IT departments. I joke with them that if we really wanted to lock down information security here at the credit union we could lock all of our branches, we could discontinue home banking and all of the other great Internet, web-based offerings that we have and we could throw the baby out with the bath water, and then information security would be locked down well.
That's the thing that I have found is our biggest challenge is we don't want to just lock the doors and throw away the keys. We want to enable the projects that are going on here at the credit union. We want to add value to the credit union. And so it is not--we talk a lot about risk assessment. It is a risk assessment process, but not a risk elimination process. If we are not taking some risks here at the credit union, then we are not going to have success. So I think that is our biggest challenge is to balance our risk assessment with the goals of the credit union.
FIELD: Sounds like security awareness must be a big part of what you do.
GITTINS: It is. We do some. We have a corporate university, we have a great online environment as well as a hands-on, in-person training organizations department, and they have facilitated a lot of what we do with security awareness. As well as I try and get out with some of our branches and some of our departments on an as needed basis. We've created a climate of security that welcomes people. They know who the point guard is, you know, who to call if there is a problem, if there is a question and so that has provided us with some success in that area of security awareness.
FIELD: I was going to ask you that. What would you say have been sort of your biggest successes with this? This virtual team in this three-ring circus culture.
GITTINS: One of our biggest successes came as part of our security response team. I think many people become aware of some of the data leaks, some of the companies that have had problems with storing of credit card information and things of that nature and how that data has been compromised. And we had a situation, a very familiar one that many people probably dealt with, where we had reported to us the potential of 40,000 of our credit cards being at risk. And that first initial reaction of almost all of us as we met was, well, we better reissue all those cards. But, as many other financial institutions found out in this particular situation, first there wasn't enough plastic in the world for every financial institution to do a big reissue of the many credit cards that had been exposed; and second, the impact that would have had on all of our members and on our credit union would have been substantial.
We were seeing news stories of other financial institutions who had customers who were being delayed maybe seven, 10 days, maybe even up to two weeks where they didn't have access to their credit card. And I don't know about you, Tom, but I know in my house if the credit card wasn't available for two weeks that would be a disaster that we might not ever be able to recover from.
FIELD: You're exactly right!
GITTINS: So, we took a long look at that, and it was a very heated, very open discussion and there were opinions on both ends of the spectrum, but the final solution ended up being we put those cards on a higher risk alert, we put them on a watch list where they were being watched very closely and did not reissue one of those cards. And we found that we did not experience any financial loss as a result of that.
And to me that was a great example of this team effort. People cooperating together, having open and honest discussions, trust. We are taking a risk, but we valued the input of everyone on the team and then as a team made a decision together and I think in that particular case that was probably one of our great successes.
FIELD: That is excellent. Now as you know, at institutions of all sizes, there are challenges similar to yours. Lack of resources, limited resources, the limited number of personnel you can devote to security. What do you find to be sort of the biggest ongoing challenge of the available resources that you have, and the team members at your disposal?
GITTINS: I think the biggest challenge is, as we grow larger, having the team members, it is a personnel issue. Keeping key people happy. Keeping people on board. Making them feel like they are a valuable contributing member of the team. I think that has probably been our biggest challenge.
FIELD: Now for institutions that are facing this same challenge that you are right now, where you are either the one-man band or you are the ring master, what bit of advice would you give them to sort of create the culture of security that you have in the success of this extended team?
GITTINS: Recently, I came across a book and I think being the father of school age children I was very intrigued with this book, it is called Lead, Follow or Get Out of the Way by Robert D. Ramsey and it was about being a more effective leader in schools. But as I looked at that I thought, boy, that applies so much to what I am dealing with on a day-by-day basis. I am almost a principal, like we've said, the ringmaster of a three-ring circus, it is like being the principal of a junior high. There is a lot going on and a lot of decisions to be made, but one thing that Robert Ramsey points out is to not make decisions in a vacuum. And I thought that was very good and it has applied to what you and I have talked about today, Tom. That, you know, we involve our board of directors, our senior management, we have these teams.
We turn to our colleagues both in and out of the organization, turn to websites such as yours for information and associations where we can get the best ideas and again, we also--what Robert Ramsey mentioned in his book, is that the best administrators can constantly keep their antennae tuned to pick up worthwhile ideas. And that is the one thing that I have noticed is this is an ever-changing environment.
This whole thing of information security, the bad guys are constantly learning and getting better at this, and so we need to promote innovative thinking. We need to be a little, you know, think out of the box so to speak and tap into some of the staff creativity that is available to us and sort out the good ideas, incorporate some of them into the decision-making process and do it quickly.
Going back to my analogy with the skin cancer surgery, it was an outpatient surgery. This doesn't always have to take a long time. We can make decisions and we can do these risk assessments in a short period of time, and I think last but not least... well, two points. One, it has to be okay to fail. People have to feel like it's okay to have a bad idea, it's okay to be in the minority in our team meetings. And the other one we always joke about, all our internal audit staff has a saying, "In God We Trust--All Others We Audit." And sometimes we have to chide them a little bit about that and remind them that we do have to trust each other. There has to be a trust factor where we believe people are working in our best interest and go from there.
FIELD: Lane, that is really well said and I appreciate your time and your insights today.
GITTINS: Thank you, Tom.
FIELD: We've been talking with Lane Gittins, Systems Security Manager with America First Credit Union in Riverdale, Utah. For Information Security Media Group, I'm Tom Field. Thank you very much.