Gary Kern, CIO, MutualBank

... and we are out.

Great Event...  Thanks everyone!

good day to all

thanks :)

Thanks Gary!

Thank you for joining us Gary. Thanks Mary for hosting. Thanks all for joining!

Thank you Gary

Phew - it's been interesting!   Thanx to all!

Thanks for the very clear and full responses.

Thanks for your time and insight, Gary!

Gary, it's been a pleasure to hear from you. Thank you for your time.

Part of the user acknowledgement is they agree to keep up with security patches - but it would end up being more a reactionary tool if they didn't...

Any final questions for Gary?

@Victor - that is one of the worries   we are actively looking into tools that will help us increase our visibility into remote devices.  Wish to say we were "there" but we aren't

Security is certainly up there on concerns list.  But again, it's part of something that increases every year with the needs, along with compliance, yet my budget and staffing don't

Ah good question, victor.

Gary,
@Nicole "Gary, what's your policy for employees using Droids?"
Saw response to this, and was trying to add to it.
Especially if I have a rooted Droid???

And the bigger question is do you monitor that the these devices are patched and up to date, like IT does for the PCs?

Re: compliance issues - I certainly think Financial Services & Health Care are the 2 industries hit hardest with compliance.   Makes it harder to "make a profit" that's for sure!

@Gary -- In this case it was after-hours so blcoking wasn't really an issue.  Makes me wonder if it's a suitable application of gamification for learning?

@Kim - I think a lot of compliance things are somewhat mandatory annually, but not sure about information security (yet) - but I think it soon will be.

@smkinoshita - I'm one that likes an environment where people can "play" with technology - it gets people more comfortable with it.  That's why I hate blocking things that I don't absolutely have to.

Is security your highest concern in your position, or are there other concerns that trump it?

Gary, I wonder how common mandatory security courses are for staff in a banking environment.  Are you ahead of the curve here?

Gary, are any specific regulations for financial firms harder to comply with than others? Do the regulations vary in complexity and "issues" caused for IT?

Gotcha, thanks Gary.

All bank compliance, including info security, is taken online annually by all employees.  Different courses for different roles, but Info Sec is required for everyone.

@Gary -- OK, this is a off topic, but I once introduced a manager friend of mine to Real Time Strategy games.  He was fascinated by its resource management and its "Fog of War" game play mechanics, probably due to work parallels.

Gary, regarding the mandatory info security classes at your organization, do employees have to take them just once? Periodically?

ALL employees sign an annual "Acceptable Technology Usage" document.  Wireless/remote users have a separate one that depending on level of access may require additional approval.

@Kim - we have, but rarely (please don't make me jinx us).  Never for a MAJOR incident.  We have had some phishing, and thankfully got servers taken down rather quickly (even when in Europe) so as much 'lucky' as a good plan - but regardless, we at least knew what we wanted to do without thinking through the "fog of war"

@Nicole "Gary, what's your policy for employees using Droids?"

Especially if I have a rooted Droid???

Droids - they need to Administrative Officer approval and to sign an Personal device wireless agreement.  Also need to allow us to enforce lockup interval and potentially wipe device if lost or employee terminated.

@Gary: do employees have to sign your policy documents regarding IT device use and/or social networking?

You've never had to use your security incident plan? 

Thanx @Joanne - sleep well!

Gary, what's your policy for employees using Droids? 

PHISHING attack or Data Breach -- now that I know it keeps you up (and most likely your peers), I can get a better night's sleep!  Thank you!

I think those fears would keep me up at night too.

Have I missed any Q's?  Repost if I didn't get to you...  or you want further embellishment

Online Banking - covered by our CORE provider (FISERV), and they help us with 2nd tier support.  Our 8-5 call center at the bank is pretty good with basic issues.

Keeps me up - wondering if we are the specific target of a PHISHING attack or Data Breach.  You can never be 100% secure, so we try to have a good incident response plan in place - but hope we never have to use it!

RE: Open Networks - we are probably more liberal in what we allow (probably driven by me) as I feel the more you see and interact with, the more ideas and opportunities arise.  We try to use "abuse" as a Management or Performance issue as opposed to overt blocking for all.  we do block the basics (porn, gambling,etc.)   Did that cover your point?

I agree!

Gary, what topic "keeps you up at night" the most when it comes to security, if at all?

Gary, do you outsource support for online banking?

Mandatory info security classes -- very smart! ALL organizations should do that.

RE: Basic IT education - that is one of our targets as well.  For the last few years we've been adding mandatory "Info Security" classes and details to our "End User Acknowledgement" to cover those thngs.  Education is tough as we also feel compelled to educate our CUSTOMERS who are using online banking or mobile - as the bank typically gets hit even if it's user caused.

(Jinx.)

@Joanne Goldman -- again, good point. 

@Gary: Are employees required to sign off on documents of policy, such as about device use and/or social media use?

Gary, any policies about using open networks?

iPhone owners need to install the TRACKER app and inform us immediately if lost.  We then make an assessment on "wipe" procedures

@smkinoshita, I think those topics would need to be covered in an orientation class so a company doesn't assume people know about them and regret not training people later.

That doesn't include applications, but I think that gets a little more customized based on the company.

Do you have mandatory tracking of iPhones in case they're lost or stolen?

RE: Devices - may depend on level of access needed as well.  For example, for VPN access we ONLY allow company owned devices to do that.

OK, let me rephrase then:  when I say "Basic I.T.", I think at a bare minimum all business people need to be aware of phishing, strong passwords, social media policies & the fact that anything published online is there and public forever, the importance of respecting and protecting the privacy of company and clients.

DEVICES:  we suggest iPhone or Droids only.   

Haha, good answer, Gary. Thanks.

@nicole - I came from shops where the IT organization was as big as the entire bank, and the stress was much higher... that's one of the things that drove me to the community bank, a bit better "quality of life".  So actually the days got better just by being here!

@Gary: Can you name any devices you actually recommend to new hires?

And welcome to all Internet Evolutionaries here!

Gary: I read the other day that the new federal CIO said the first 40 days he was in office were his worst days on the job ever. Did you have a "worst ever" period when you first assumed the role?

Saw an earlier post about recommending devices - we try to do that, and then a little bit of "other devices will be by best effort"

Welcome, Gary! Thank you for joining us today.

Thanx Kim- a bit nerve wracking to "try to be interesting"  

@Joanne Goldman -- good point.

@Kim, Agreed, but it's really important for people to have a holistic view of the business both for decision making and respectful interaction with other departments.

All: Gary (gckern) is already on the board here with us, so please ask him your questions!

Hey Gary, great presentation.

Please repost or ask your questions - have a long queue I may not catch up with!

Almost made it!

@smkinoshita, Basic IT can mean different things at different companies. There should be onboarding classes for proprietary software or other classes to help people succeed.

Signing in!

Awareness of the entire business environment is very demanding.

On that note, basic I.T. is a required course for all business studies at Fanshawe College.

I think basic I.T. skills should be mandatory for business.

CFWalters, I thought I read that the federal government made the transition from BlackBerry to iPhone.

@Nicole, Okay

Government uses Blackberries, but someone told me that they may be going to a different smartphone.  Still those who have Blackberries are few and far between, and only the higher ranking gov personnel.

Joanne, if Mary doesn't ask him on air please feel free to ask Gary when he joins us on the chat.

Do they offer suggested devices to new hires? 

That's impossible to manage (re: what employees are doing w/devices despite the security settings).

Genie's out of the bottle on BYOD.  Quite right.  We're not all going back to locked down Blackberries.

Awilliams: the check deposit feature.

Anyone else have questions for Gary while we're still on air?

what's your favorate?

It's a useful feature right now... it's my favorite thing on the Chase app.

Refresh will work, Joanne.

No problem here.

Audio a little choppy.  I'm sure the March Madness tourney is taxing all networks today.

OK good.

Can't hear anything.

smk, just hit refresh.

Die but now working for me!

Freshing fixed it.

@CFWalters, Outsourcing can be anything not done inhouse.  It can be hiring an advertising agency rather than having an inhouse staff, or IT consultants to do a software implementation.

No, my audio suddenly died.

After refresh audio is fine

Everyone hearing the audio OK?

Refresh your pages.

Hang tight, I think we had a technical glitch.

@CFWalters I'm not sure if outsourcing is really the same as off shoring...

Ta-da.

There's your question, smk.

Typically outsourcing consists of going overseas?  How does that benefit the US?

Ah, like Nigel F. wrote for us, this is where marketing and IT have to join forces.

Outsourcing can be a great solution for small businesses to scale.

It occurs to me that this is something we've seen with enterprise legal services for years: a small inhouse team primarily concerned with engaging and running outside contractors (law firms).

@Kim:  Do nothing, or hire experts.  It also comes down to trust.

Continuing to refine the process is better than waiting until something bad happens to ask important questions.

@Joanne: I guess it's more secure than not doing it at all (if you can't afford to do it inhouse).

@Kim, which poses the question:  How secure is outsourcing your security?

Great: paper and pencil!

Good one, smk. I have sent it to Gary through mind signal. Let's see what happens.

I've heard (via All Analtyics, a sister site of IE) that fraud detection can be done using social network analytics.  Gary, do you have any thoughts on that?

Interesting that security would be outsourced.

Howdy, victor, welcome.

Great to have you, batye.

Hello, Internet Evolutioners :)

If anyone has questions for Gary, share 'em here. We will send him a mind signal with the question and see if he receives it.

Hi

Awilliams. We welcome you.

Hello radioland!

Too true, Joanne! Welcome!

If you're just joining us, say hello!

@Nicole, Good to be here -- and alive!

And we're liiiive.

Hello, hello.  Hello.

Great, we'll definitely get to that then.

Curious as to what it's like from the company's point of view.

Yup!

Are you looking to ask Gary about outsourcing, smk?

In contrast, my wife works for a California-based company -- she's a heck of a lot more than 2-3 hours away.

:)

I'm actually interested in using the Internet to outsource.  I've heard of several people around me locally who work for companies 2-3 hours away remotely.

Pong!

Ping! 

hello to all :)

Thank you in advance for your time and response.

My question is in firewall administration and security.  Can you describe what MutualBank does to ensure servers are scanned and remediated to satisfy Payment Card Industry standards?  What triggers remediation?

How many listeners/followers do you anticipate?

Test typing

Here is where we will be chatting with CIO Gary Kern tomorrow, Thursday, March 15, at 2 PM ET.

Here is where we will chat with Gary Kern on Thursday, March 15, at 2 PM ET. Looking forward to it!