Why Insource Forensics?
Making the Business Case for Internal Forensics/eDiscovery Team
It takes time to create a top-notch, effective investigation team, Thompson says. "I think long-term, it's developing that relationship with post-secondary institutions to ensure that the skill sets that we need on an ongoing basis are being trained and we can take talent from those institutions as they become available," he says."We've trained up some of our key talent in forensics, just in terms of getting them the proper training to get them certified as forensic experts," says Thompson in an interview with Information Security Media Group's Tom Field [transcript below].
In an exclusive discussion about forensics and ediscovery, Thompson discusses:
- The benefits of insourcing a forensics team;
- Changes brought by consumerization and cloud computing;
- Advice for organizations looking to develop internal forensics and ediscovery teams.
An IT and security professional with 23 years industry experience in industries ranging from telecommunications to the financial services industry, Thompson has held various senior-level information security management positions, including head of global IS security and CISO for Manulife Financial Corp. He achieved his CISSP accreditation from ISC2 in December 2001. Thompson is a graduate of the Richard Ivey School of Business Executive Leadership Program at the University of Western Ontario.
TOM FIELD: To start out with, why don't you tell us a little bit about yourself, your work and your institution please?
GREG THOMPSON: I'm vice president of enterprise security services here at Scotiabank. Scotiabank is Canada's largest international bank. We operate in 50-plus countries. The work that I do - I run the enterprise security services function which is a really broad title obviously. It does cover a broad range of services. My group handles everything from our corporate security policies and standards and that drills right down into technical standards and best practices. I manage the network security and technical security services function, which covers everything from anti-spam, anti-virus and Trojan detection and prevention, and the security operations center. I also run the business-continuity function at Scotiabank globally, so I have a small group of professionals based out of Toronto that coordinate all planning and testing of business-continuity activities, and we're extending our business-continuity program to include more close linkages to our disaster-recovery program, which obviously has a far more IT flavor.
Certainly, the reason why we're talking today is I run the computer forensics and civil litigation unit for Scotiabank, and we have a small team of professionals here in Toronto that handle everything from ediscovery to civil, and some linkages to criminal investigations as it relates to everything from fraud to litigation, and as you can imagine that keeps us quite busy.
Top Trends in eDiscovery
FIELD: For an organization your size, forensics and ediscovery has to be a huge topic. What are some of the top trends that you're seeing with your group?
THOMPSON: When we say trends ... I think about: what are the things in the industry that are driving change? Certainly moving business applications to the cloud is a trend that we're seeing that has huge implications for electronic discovery and for forensics in general. I'm also seeing just with the explosion of consumerization and social networks, and certainly corporations' adoption of social-networking type of technologies, things like ediscovery become a little more challenging. We're communicating over various mediums now, and I'm not sure the laws or the security technology have quite caught up to that. Something I've spoken to the media before on is the trend toward insourcing a lot of the forensic-investigation activity. I know in the past a lot of organizations, because it's such a highly specialized field, felt that it was prudent to outsource the forensic-investigation activities simply because it was probably the most prudent thing to do at the time. What I'm finding certainly now in an organization my size is that the cost benefit is starting to sway back towards seriously considering insourcing and we've done a little bit of that.
FIELD: I want to talk about cloud as a discrete topic, and right now talk about the other changes you've discussed, the insourcing and some of the consumerization changes that you're responding to. Give us a sense of how your team is responding to these changing times.
THOMPSON: We've dealt with investigations as it relates to doing forensic investigations that involve third parties, and you know the cloud is such - I'll dare to say - an overused term these days. When I think of cloud, my starting point of understanding is that we've outsourced something to a third party. We've lost a degree of control. The cloud presents some challenges in terms of understanding the cloud provider's infrastructure. In the past, if we had an investigation where we were looking into bank-owned systems, it was quite easy for us to understand the architecture data flows and this type of thing to be able to conduct a thorough investigation. When we're dealing with cloud providers or any third-party service provider where we access their infrastructure over the Internet, this upstream intelligence piece is something that becomes very important to us. We need to rely on our ISPs and our partners that provide network services to us to provide some insight in terms of net flows. We need to heavily rely on and stipulate with our third parties the types of things we need to know from an infrastructure perspective to allow us to conduct investigations that will have integrity. In other words, we need to know where our data is and that becomes the ongoing challenge in terms of cloud computing.
Adapting to Insourcing, Outsourcing Trends
FIELD: Then in terms of the other changes you discussed, consumerization and then the trend toward insourcing versus outsourcing, how are you and your team adapting to those changes?
THOMPSON: Now, we're doing a lot of talking on the subject, if you will. We're trying to educate our IT support units and our business lines to firstly allow them to digest what the real risks are. The motivation for business lines to move to the cloud is obvious. There are some cost savings involved. There's some flexibility and a nimbleness you get with the ability to ramp up and ramp down infrastructure and services as you need it.
The challenge from an IT-security perspective is, again, you've lost a degree of control around the data and so the discussion we're having really is more around getting people to start thinking about implementing controls a lot closer to the data, and that becomes very important when we start talking about consumerization. If an executive decides that he needs to have an iPad to do his job, we need to start thinking about ways to control the data that's on that iPad, and it may not necessarily control the data, but certainly secure it and protect it from unauthorized disclosure.
The same holds true if we're embracing social-media technologies. We need to enact processes and controls that allow us a degree of control without necessarily stifling the innovation that's coming down the pipe. So really it's a balancing act for us, and if I could be blunt about it, so far I think security is a little bit on the losing end of that battle. And at this point in time, from a security perspective, I think there should be a call for innovation. We're seeing innovation happen so quickly from a consumer perspective, and from a security perspective I see a lot of innovation coming from our adversaries in organized crime. I'm not sure I'm seeing the same level of innovation coming from our technology partners and our security professionals. That's something that we're really kind of beating the drum on here.
FIELD: One of the areas that you brought up was the notion of insourcing versus outsourcing, and certainly there are so many good arguments for outsourcing different products and services. What's the argument for in-souring forensics and ediscovery?
THOMPSON: The primary argument for us - I can't speak for the industry - is it's a cost-benefit piece. We built a team here that has the technical and the legal competencies. In other words, they can stand up in court if need be. We have professionals here that can fill that role for us. With that team and with enabling technology that we're deploying here, we estimate that we're going to save thousands of dollars, hundreds of thousands in some cases, in various litigations just by virtue of the fact that we can process our discovery orders and we can do a lot of that stuff in-house a little more efficiently, and certainly there are cost savings along the way. Our business case for implementing the enabling technologies that I mentioned really becomes self-funding when you compare it with what we would otherwise have to pay for a third party to do the same type of work.
Challenges for Banking Institutions
FIELD: Some of what we've talked about, cloud, consumerization, these are common challenges for organizations of all sizes. When it comes to forensics and ediscovery, what do you find to be some of the challenges that are specific to banking institutions?
THOMPSON: What banking institutions have in common, especially large ones like ours, is that our systems are highly complex. Most of our users have access to multiple systems. Data is stored in multiple locations. I think the challenge for banking institutions might be quite similar to other large institutions, but certainly from a banking perspective, it's understanding where our data is; knowing that when we go to court and we testify that to the best of our knowledge we have discovered everything that's possibly discoverable, that typically is our number-one challenge just because of the complexity and the way our network and our systems are dispersed globally. That type of thing really poses a challenge for us. We've all read the stories of various institutions that have gone to court saying that they've presented everything that they could possibly find only to find a month later that they found a storage room containing a hundred tapes, or two hundred tapes, containing all sorts of data that would have been useful for the case.
We struggle with that. We're no different that anybody else and having that control of the data is number one for us. As well, from a banking perspective - and I'm sure this is happening a lot more in the U.S. than it has been in the past - regulations have gotten tighter, especially around retention requirements and this type of thing. I think from a banking perspective, what might make us a little more unique than other organizations certainly is the degree to which we're regulated.
Developing the Forensics Team
FIELD: You talked a bit about the advantages of having an internal team versus outsourcing, and you've talked about your team. How have you developed this internal forensics ediscovery team? Where did you find your individuals? How have you got the skills that they've needed?
THOMPSON: We've done it in three key ways, actually. The gentleman that leads the team is actually a long-time Scotia banker. He has an information-security background and network background, and gravitated toward the investigative field. Over the last couple of years we've done a couple of things. We've trained up some of our key talent in forensics, just in terms of getting them the proper training to get them certified as forensic experts, and we've hired. It's been kind of a combination. It's kind of like building a professional sports team. You build from within, you acquire key talent and you practice like heck and you build a team that you can stand behind. That's kind of what we're doing, and we're by no means finished building the team. We expect that as we roll out our internal service, the demand will get even higher and we'll have to expand our team, and we're already starting to see some of the fruits of that labor.
FIELD: For organizations that are looking to develop their own internal forensics ediscovery teams, what advice would you give to them? How should they go about it?
THOMPSON: I can tell you the way we did it and it's worked well for us. We worked very closely with some of the post-secondary institutions in the Toronto area. If I were to give some advice, I would certainly make sure that the teams responsible for building the team, or the individuals responsible for building the team, reach out to the local universities. Find out which ones are offering training and certification in this space. I would also be looking for some key talent that you could hire that could step in and provide some instant credibility. It's a difficult thing I know but they're out there.
In fact, we worked very closely with some large consulting firms. The one individual that we hired was one of their key consultants that did a lot of the ediscovery cases. There's not a single thing. It really takes time, and for me, I think long-term it's developing that relationship with post-secondary institutions to ensure that the skill sets that we need on an ongoing basis are being trained and we can take talent from those institutions as they become available. That's probably a real key thing for us.
Get involved in the security training space. There are a number of very credible training organizations that provide ediscovery and forensics training that will equip security professionals with the skills and background required to be able to stand up in court as an expert. That's what it really revolves around for us. I'm overlooking a lot of stuff here, but one of the things that helped us in our team is I mentioned the fellow that leads the team. What he brings to the table is some deep knowledge of bank systems and so when we're doing ediscovery, he's the guy that knows which stones to turn over, and then he relies on his team who have a lot of the heavy training in forensics to do the work that can stand up in court. Really knowing where to look is key and then doing the job right from there helps us out.