This week, Stephen Ibaraki has an exclusive interview with Bashir Fancy.
Bashir Fancy is a senior executive with extensive and progressive risk management, financial, operations, systems, customer service, product management, audit and governance experience globally. Mr. Fancy specializes in strategic planning and taking a proactive, holistic approach in a fast-paced financial, credit card and retail business. He has successfully managed the development and implementation of large and small systems involving many countries. Mr. Fancy was responsible for developing both Issuer and Acquiring systems from the ground up. Mr. Fancy has in-depth and extensive knowledge of the credit card business and is frequently called upon on a global basis to provide advice. His leadership skills continue to generate significant bottom-line contributions and value-added creations for organizations.
Mr. Fancy is now the Managing Director of Corporate Solutions & Services Inc., having recently left Deloitte & Touche LLP as a Senior Executive Advisor.
Prior to joining Deloitte, Mr. Fancy was the Executive Vice President of Risk Management & Security for Visa International, as well as the global head of Internal Audit. Mr. Fancy has had tremendous success in developing and implementing Fraud Prevention programs for Visa and their "member banks". Mr. Fancy was a key player in the development of the "Account Information Security (AIS) standards", which have now come to be known as the PCI-DSS standards. Mr. Fancy managed the payment division of SNS (3rd party processor) which provided point of sale and back office credit card processing for all major Canadian banks.
Mr. Fancy has held senior management positions at Citibank, Air Canada, Supermarket Group (major retailer), after having started his accounting career at West Wake and Price, with the majority of the group becoming part of PWC.
Mr. Fancy has won many awards including:
The latest blog on the interview can be found in the IT Managers Connection (IMC) forum where you can provide your comments in an interactive dialogue.
Interview Time Index (MM:SS) and Topic
[00:25] Bashir, thank you for sharing your work and experiences with our audience.
[00:34] Can you further profile your background?
"....When I got involved in the auditing profession, my bosses at the time and I realized that I had the tendency to see a lot of things that otherwise people did not see. I started to connect dots to look at a picture differently, and when I used to audit that helped me quite a lot to identify and to get to the root causes of problems...."
[02:32] Can you quickly list your major past roles?
"....It started with the auditing profession....that was in Europe....When I came to Canada I helped to set up a customer service for Air Canada in the automated area....I then moved to the product management side and the IT side....Then I moved into banking from the airline industry....Risk management....Internal audit at Visa International....Corporate Solutions...."
[07:25] Can you talk about PCI Compliance?
"....The main reason why we started down this path of coming up with compliance was we found that the fraud was starting to occur globally not only for VISA, but also for MasterCard and everybody else. The challenges were multiple because this fraud was not happening because it was one-off type person doing it, but this was organized crime and it was linked to different countries....One of the problems that we found in Canada alone was that a lot of the organizations assumed this cost to be the costs of doing business and while they were willing to do some things, they were reluctant to tackle it head on in terms of trying to stop it in the first place...."
[11:54] What was your role in this compliance standard?
"....I was one of the very few key people who started this and to develop the standard....My role was to try and push it through as one of the 3 or 4 key individuals that made this thing happen...."
[13:22] What are some of the challenges for Corporations in achieving PCI Compliance?
"....Lack of understanding in terms of standards....Communication about compliance within an organization....Lack of controls across the organization....Lack of enterprise-wide responsibility was a big challenge....Compliance fatigue....Outsourcing of some of the processes....Data classification (you have to understand what it is that is sensitive that you have to protect)....Compensating controls were not used....People having access to data that they shouldn't have access to...."
[27:08] What are some lessons learned that you can share from your career history that are relevant here?
"....When an organization is told that they have to be PCI compliant, part of the problem is that they have looked at PCI as a standalone when in fact it's not....Organizations track the dollars they write off on their books. They do not track the dollars that it costs them to manage....We come from a paper-based business. The mindset we have to change is that if we put information out and if we collect information, we'd better make sure that it is protected. That has not been happening and that is why we've seen a lot of the challenges....We have seen organizations getting hacked because they thought they were compliant but they were not really compliant. They had addressed a few issues, but they had not gone to the root causes and fixed the problems. That is part of the challenge...."
[36:24] What are your current roles and how do you measure success?
"....Organizations call me with issues and problems that they want to rectify....The critical factors are that your costs, if anything, should come down. One of the things that I do is to help organizations understand the flow....You look at the numbers and you look at the model of how it should be and you start to identify the gaps....You use the framework as the basis for measuring and monitoring for your security. This must become an ongoing process. It is a dynamic security policy because the threat landscape changes every day...."
[48:20] Bashir chooses some pivotal moments and some lessons to share.
"....I was going after the root causes and not the symptoms. That was the key. I was trying to understand exactly what was happening...."
[56:45] What are the five top best practices to manage fraud?
"....Do not store any data that they do not need....Protect the data they collect....Do not allow access to information to people who do not need it....Do a background check. I recommend that it is done at least once a year....Make sure roles and responsibilities are clearly segregated...."
[01:03:32] Provide some ways in which we should manage risk effectively?
"....Understand what the risks are that an organization faces....Once you know the risks you have to score them for the possibility and probability for fraud....Score these risks in terms of the highest risks that can impact your brand, financial, regulatory, etc. and isolate areas that really need to be dealt with and make sure that those are the ones that come first....Good communication across the enterprise and education awareness....Use a risk-based approach, not a checklist approach...."
[01:10:31] From your experiences, what are the disruptive technologies and how will they have impact?
"....Smartphones are changing every single day with more functionality....Mobile wallets....Voice print....Cloud computing....If you are secure and your security is very good, it will be a significant competitive advantage for the organization that has that...."
[01:20:12] What are some innovations in your areas of expertise that we should be watching for in the next five years?
"....Authentication is very critical and is starting to change....When you tokenize it is because you don't want that information available to people. Tokenizing itself does not solve the problem, how you do it will be critical....One of the things that is coming out of smartphones is one-time passwords or one-time tickets to conduct the business...."
[01:26:29] With regards to security, what are your recommendations?
"....It has to be an incremental and layered approach....Do not declare a victory because as effective as we are, criminals are equally savvy....It has to be dynamic....Security has to be across the organization and you have to embed that in everything you do otherwise your success will be minimized...."
[01:30:35] What role can Internal Audit play to assist in mitigating the risks?
"....I introduced something called the Proactive development review....What you want to do is to have a department that is tied to Internal Audit but does not audit people. Their job is to be available to the business and their job is not to stop the people from doing what they need to do but to help them to do their job more securely, efficiently, more cost effectively and in a timely manner. It's a proactive partnership and it allows for early identification of problems...."
[01:33:55] Bashir explains how the above can become part of best practices.
[01:39:24] How can these programs be made sustainable?
"....Ensure you fully identify your enterprise security requirements....Make sure you embed that framework into all the relevant business processes....Inventory exactly the data you have and you need to protect....Now conduct a security risk assessment and prioritize and risk-rank everything....Systematically assess all the critical systems and applications that are in your environment and are part of the security framework — identify the gaps and the solutions you need to achieve and how do you remediate....Make this process on-going...."
[01:42:26] What is the best methodology for strategy and why?
"....Do once and satisfy many, that is the approach you want to take. You can do that if you have this holistic approach and all of the things are in one place...."
[01:45:34] What is the best methodology for managing change?
"....When you are dealing with a compliance issue I would identify the following: Is this issue mandatory versus is this an addressable requirement?....Is the issue progressive or is it isolated?....Is the issue already being addressed or can it be incorporated into an existing effort?....Can you do it now, how much will it cost, and what is the impact?....Am I coming up with a complex solution to this and is this going to be a challenge?....Retroactive remediation; do we go backwards to fix this thing or is fixing it forward the answer?....What governance controls are required?...."
[01:51:35] Describe some areas of controversy in the areas that you work.
"....PCI compliance....I would say this is controversial because in order to fix this problem one needs to understand why the standard is in place in the first place...."
[01:55:49] Is computing professionalism necessary and why?
"....We need professionalism — a common interest, a minimum standard that one must adhere to....If you have that type of approach, at least as an industry, anyone dealing with someone in the profession can understand that the person meets a certain bar...."
[01:58:04] Bashir talks about the important role of professional certification.
[02:00:10] What is the value in professional associations for computing professionals?
"....When you participate in the professional organization, you also share because there is a lot of networking with people in that profession. You learn from them and share experiences and there is mentoring. There's a tremendous benefit...."
[02:02:27] Can you specifically talk about the value of CIPS?
"....The fact that CIPS has government-mandated legislation behind it to be the voice of the IT industry also makes it very powerful for the value it brings to table, in terms of professionalism and certification and the fact that the bar is high for somebody to attain the I.S.P...."
[02:04:58] What are your thoughts on computing as a recognized profession like medicine and law, with demonstrated professional development, adherence to a code of ethics, and recognized credentials?
"....It gives a lot of comfort to the people on the other side who utilize the service to know that you are part of a standard and part of an association that will hold your feet to the fire to ensure that you are not only part of the profession, but you adhere to that consistently....The medical and legal profession have it so why would the technology profession not have it, when they hold the key to all the other professions because technology is so inherent and critical to everything else that we are talking about...."
[02:07:30] Bashir talks about the specific challenges and opportunities that IT practitioners and businesses should embrace today and in five years.
[02:11:15] Bashir shares some very insightful stories from his extensive speaking, travels, and work.
"....A quote from my dad: The relationships that you do not make will have impact on your life...."
[02:24:49] If you were conducting this interview, what questions would you ask, and then what would be your answers?
"....You asked some very good questions but some of the questions which I ask when I am reviewing things and when I'm called in to try and understand the problem or issues is that you start with the basics....The What?, the Why?, the How?, When? and Where?...It's incredible how much information you find out and most people don't do that...."