Focus On: Operations
TOP OPS EXEC: Mike Fish, SWIFT
May 4, 2011
NAME: Mike Fish
COMPANY: Society for Worldwide Interbank Financial Telecommunications.
KEY FOCUS: Tightly control communications over the Internet.
Customers in remote parts of the world have not always found it easy to connect to the communications services of the Society for Worldwide Interbank Financial Telecommunications (SWIFT).
They’ve had to arrange – and pay for – dedicated phone lines to send and receive messages about financial transactions.
Enter Mike Fish, SWIFT’s CIO since 2006, who arrived at the firm in 1999 from Ameritech, where he was a network engineer. The answer was to employ the Internet, which promised lower cost and ease of access.
But it also raises security concerns – because anyone on the planet can potentially pick off communications traveling over this most public of networks.
For most messages sent over the Internet, wrapping them in Hypertext Transfer Protocol Secure (HTTPS) would be sufficient. But financial messages transferring large sums of money naturally pose greater challenges, because they are targets of a higher order.
The member-owned cooperative, servicing 9000 financial and corporate organizations, already used “private tunneling” technology that walled off messages passing through its private network. Encryption devices were placed at a customer location and at SWIFT’s central operating center, to make it impossible to read messages as they moved from one to the other. The technology was retrofitted for the Internet.
“Using these devices, we created a virtual private network, or secure tunnel that rides over the Internet but is encrypted,” said Fish.
Fish trained as a civil engineer, which he says taught him structured thinking, design and an eye for critical detail. These skills apply equally to building a bridge across the Mississippi River and constructing and operating computer messaging systems, he says. “An engineering mindset is critical for the CIO of SWIFT,” he says.
SWIFT’s disciplined approach to risk management focuses on operations and technology. The organization uses “various frameworks” such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to identify the necessary controls across its technology platform, services and staff. Fish points to the firm’s “four eyes” requirement, which requires two people to concur before taking a critical operational action.
Once controls are identified, management performs ongoing risk assessments when it believes the firm is exposed to new or increased risks, such as advances in technology or product enhancements. If there’s a likely impact, management determines the additional controls needed to mitigate the risk to a “business as usual level,” Fish says.
“We then monitor the environment for emerging threats, and when we get an understanding of those threats we go into the defined control structure and figure out what changes are necessary,” Fish said.
Adapting the tunneling technology to the Internet followed that approach, which SWIFT also applies to mitigate the threat of attacks. Malware and other malicious programs can penetrate computing systems in attempts to gain access to secure information or disrupt operations.