Ever Vigilant: Neuberger Berman CISO Robert Ganim

Waters profiles Neuberger Berman's first ever chief information security officer

On a Thursday morning in early October, Bob Ganim picked up the newspaper before heading to work. Much of what he was reading about, though, wasn’t “news” to him. No, these headlines were quite familiar.

The first person diagnosed with the Ebola virus on US soil was close to death. In Hong Kong, the “Umbrella Revolution” was growing. And the US government had just become aware of Shellshock, a two-decades-old vulnerability for Linux, Mac OS X and Unix-based systems.

These three seemingly disparate events would not connect for most, but that’s what makes Ganim unique. He is Neuberger Berman’s first-ever chief information security officer, or CISO. He’s also the asset manager’s global director of business continuity planning (BCP). Most national and world events spill onto Ganim’s desk to varying degrees.

“In some ways, the fact that these events made the front pages has made my job slightly easier because people have accepted them as major concerns. It’s not just an insurance policy or an afterthought—it’s front and center. The need for information security should not be a surprise to anyone now,” he says.

The scale of Ganim’s job can be daunting. Neuberger Berman has an office in Dallas—Ground Zero for the Ebola scare in the US. It also has an office in Hong Kong, where the protests for election reform with China have unfolded. And when your job involves information security, every hacker headline is a major concern, since client information is an asset manager’s lifeblood. The Shellshock bug was just the latest threat.

“I can never feel totally comfortable with what we have in place. To me, any security professional who says, ‘We’re done; we’re fine; we’re safe,’—the day they say that, the next day they’re going to suffer the mother of all breaches.”

“That Thursday, I was involved with every headline in the newspaper as both a CISO and global head of BCP,” he recalls. “With Ebola, we regularly review our pandemic plan and recently it was time for this year’s review to make sure the plan was current, to make sure everyone was up to speed, and to ensure that we had the supplies we needed. With Shellshock, we have a process to keep our software up to date with necessary patches. We also make sure our vendors do the same. In Hong Kong, the protests may have settled down, but that can happen anywhere, so our BCP covers any type of major event in any global location where we have an office. We must be ready for anything”

From the Ashes
While Neuberger Berman is a 75-year-old investment manager, it was lucky to survive past October 2008—not because of poor performance but because in 2003, Lehman Brothers bought the venerable asset manager at the same time that it acquired Lincoln Capital Management and Crossroads Group in an effort to grow quickly.

Lehman Brothers’ asset man­agement business as a whole—and Neuberger Berman, in general—outperformed benchmarks and was well regarded throughout the industry. But when the investment bank went bust in what became the height of the global financial crisis, Lehman almost dragged Neuberger Berman into the abyss, but it was able to survive thanks to a management buyout. Neuberger Berman will be wholly-employee owned in 2015.

Running independently, and with its hands washed of Lehman Brothers, Neuberger Berman—which today manages $250 billion—had to rebuild itself. Climbing out of Lehman’s ruins, the firm needed to create the position of chief information security officer and provide that individual with a team.

Ganim has worked for Neuberger Berman since 2000. Originally, he was a technology auditor—a position he has filled at various institutions since he graduated from Baruch College in 1983—evaluating platforms, processes and security. Were policies and standards being met? Was the business being involved in IT decisions? He worked on infrastructure, development and maintenance. He was the logical choice to build the CISO division.

“We had several very talented security engineers in IT from the Lehman days and we had a lot of the know-how from the tech side, but we needed to build the whole security program to make it firm-wide, with policies, standards and monitoring, and overall governance,” he says.

In the beginning, Ganim split his time among legal and compliance, operations, human resources, the various business units and, naturally, IT. That, actually, hasn’t changed much.

“I anticipated that the majority of my time would be spent with IT, but I ended up spending a lot of time in other areas as well—and still do. As I learned, everybody in the firm needs to be involved,” he says. “A CISO needs to fully understand the firm’s business, the environment it operates in, and the firm’s culture and risk appetite. This is all necessary to build a solid information security program.”

Not only was he tasked with building the CISO role—a position that has only recently taken hold at financial institutions—but in November 2011, Ganim was also handed the responsibility for re-building the BCP unit, as well.

“I place a high value on ‘being prepared’ against any unforeseen events that may have an adverse impact on my organization,” he says. “I consider Neuberger Berman’s information security program and its business continuity planning to be solid business practices that should be embedded within all work processes. Unforeseen events, whether man-made or natural, can negatively impact any firm.”

The Two P’s
Ask Caroline, Ganim’s wife of 29 years, what her husband’s greatest strength is and she’ll say “persistence.’ When they first met, Caroline rebuffed his initial attempts at landing a first date. But Bob was undeterred. “I guess I finally wore her down,” he recalls.

Ganim, though, doesn’t quite use the word persistent. Rather, he goes with, “prepared.” Perhaps it’s prepared persistence, or persistently prepared.

Whatever it is, the word “prepared” is relative in the world of security. There are always steps to be taken to be at the ready and there are always ways to stay ahead of the pack. But the simple fact is that the attackers and hackers will always have the advantage of surprise—of being the first piece moved on a chess board.

There are pandemics and protests and floods—and they are significant hurdles to overcome—but information security is king in finance.

It’s a delicate balancing act: You can’t be so rigid in your controls that you slow down the business. A laissez-faire attitude will spell certain doom. You need multiple layers of defense, Ganim says, so that if an attack is occurring you can quickly recognize it and address the issue before information is lost. Identify the breach, find it, get rid of it, and figure out what can be done to make sure it doesn’t happen again.

Learn. Be prepared. Be persistent.

“Don’t make the mistake of feeling so overwhelmed that you just throw your hands up in the air and ask, ‘Why bother?’ Don’t make the mistake of being so rigid and controlling with policies to the point that it might impede your organization’s ability to do what they do best—and that is to serve your clients,” he says. “The most resilient, successful organizations will be the ones that are both realistic and proactive regarding the threats and risks that might leave their organization vulnerable.”

Tech Discloses All
The philosopher Sophocles once said, “Do nothing secretly, for time sees and hears all things, and discloses all.” During a presentation on information security at a recent event hosted by Waters, Ganim put a modern twist on that idea: “Technology—like time—sees and hears all things, and discloses all.”

It is estimated that by 2015, the Earth’s population will reach 7.3 billion and there will be 15 billion devices connected to the internet. By 2020, those numbers will spike to 7.5 billion people and 50 billion devices, which equates to an average of about seven devices per person. This is thanks to advancements in cellular and tablet technology, but also because of the Internet of Things, where even everyday appliances will have internet connectivity and will “think” on their own.

This also creates a daunting challenge for a CISO.

Every successful information security program involves three things: people, processes and technology. Those three components will help to ensure the most important part of the job—knowing where the firm’s data is at all times. Neuberger Berman manages equities, fixed income, private equity and hedge fund portfolios. It has offices in 17 countries and over 2,000 staff members. This is all to say that it is a substantial operation and a business that relies not only on internal solutions, but also on third-party vendors and service providers, and it has obligations to regulatory organizations wrapping around the globe.

A Constant Threat
Not only does Ganim have to work with the firm’s immediate third parties, but he also has to worry about the vendors of his vendors, or what he calls fourth-party risk. It is, after all, the client’s data, and Neuberger Berman is responsible for that data wherever it may reside.

“As we start looking at different vendors to bring in, before anything is signed there’s a workflow where we conduct a review for anything that is security related,” he says. “We’re learning what the process is going to be for capturing the data, where it is going, what is being done with it, who can access it and how it is being stored at a vendor. We also do a review of the vendor and make sure we feel they have the right security controls in place, at the outset and during a relationship, including a review of their third parties. Even if it’s the best outside vendor there is, there are always risks.”

Additionally, new vulnerabilities, bugs and holes are always being found. So far this year, there have been three major discoveries of such instances: the Heartbleed vulnerability, the Shellshock bug and the Poodle hole. All of these—and many, many more—require attention.

Ganim says once a security vulnerability is published, his team looks to verify that the systems are not impacted and they make any necessary changes. They do the same with their vendors.

Also, when new products hit the market, they evaluate them to see if they will work for Neuberger Berman’s environment. And they are constantly looking to bolster that environment and see if there are lessons that can be learned from various security breaches reported in the media, such as recent incidents of sensitive user data theft at Home Depot and Target retail stores, as well as Google Gmail accounts.

“We don’t take anything for granted,” Ganim says.

Always on Watch
New vulnerabilities will always be unearthed and hacks of retail giants disclosed. There will always be protest. The next great contagion will always be right around the corner.

It’s Ganim’s job to worry about those things. It’s IT’s job to make sure the systems run smoothly even in times of strife. It’s the business’ job to make sure the returns flow in, so that everyone has a job. It’s an ecosystem of reliance.

“Although we can’t predict when or where an event will take place, we do know that if it is ‘possible,’ we must prepare as if it were ‘probable.’ Therefore, we always have to be prepared for something different tomorrow; I can never feel totally comfortable with what we have in place. To me, any security professional who says, ‘We’re done; we’re fine; we’re safe,’—the day they say that, the next day they’re going to suffer the mother of all breaches. You can never feel that comfortable. Be comfortable that you have the right approach, but always understand that there’s something new tomorrow and you have to be ready for it and continue to be vigilant.”

Pick up tomorrow’s paper, and it’s likely that Ganim will be addressing at least a few of those headlines. That is, after all, his job—to be ever vigilant.
 

Robert Ganim Fundamental Data

Greatest Influence: “In my youth my dad constantly told me, ‘Always be prepared.’ Way back then, that statement usually fell on deaf ears. With age, though, I have since come to understand the wisdom of his words. As the speed of unsettling events unfold faster and faster in today’s world, the need to be prepared has become a philosophy to live by—both personally and professionally.”  

Words to Live By: “Although we can’t predict when or where an event may take place, we do know that if it is ‘possible,’ we must prepare as if it were ‘probable.’”

Greatest Mistake: “Perhaps my greatest mistake was believing that my Bachelor of Business degree in computer systems literally meant I was destined to be a programmer. Upon graduating, I had convinced myself that I would be hired as a programmer. This sort of mentality almost kept me from accepting the role of IT auditor at Citibank. I ‘reluctantly’ took this position—which at the time had just come into existence—and since then have not ever regretted this landmark career decision. What I learned is that sometimes we limit ourselves to roles or tasks just because they are easy to define and perhaps simply what is expected of us. I do believe this is a lesson that has helped me in my role as CISO. I expect change and embrace it every single day.”

Different Reports: As CISO, Ganim reports to the head of operational risk. He reports to the global head of infrastructure for his business continuity planning role. He interacts regularly with the various CTOs and business leaders throughout the organization.

Greatest Success: The fact that Ganim has spent his entire career as a “change agent” in the risk and control arena—e.g., IT auditor and chief information security officer—is what he considers his greatest business success. Convincing his wife Caroline to marry him is his greatest personal achievement.

 

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@waterstechnology.com or view our subscription options here: http://subscriptions.waterstechnology.com/subscribe

You are currently unable to copy this content. Please contact info@waterstechnology.com to find out more.

You need to sign in to use this feature. If you don’t have a WatersTechnology account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here