05:45 PM
Jonathan Gossels, President, SystemExperts
Jonathan Gossels, President, SystemExperts
Connect Directly

Banks Must be Mindful of Security When Cutting Costs

Complicating efforts to reduce costs, security risks don't go away just because IT budgets are under pressure.

Many banks may be walking a slippery slope when it comes to maintaining security levels during the financial crisis. These days, established security budgets offer no safe haven. The key issues are people, managing with less, managing with uncertain budgets, and trying to keep the security and compliance wheels on the bus. Forget security initiatives -- for most bank IT organizations, the focus is survival.

When organizations are in crisis, they often make across-the-board cuts rather than prioritizing reductions based on risk or business impact. Thus security teams face the reality of losing staff members whose actions have been vital to the institution's operational security and regulatory compliance.

IT, security and compliance organizations have historically been understaffed. Consequently, when reductions in head count are needed, it is easy to lose critical operational and institutional knowledge. So when forced to reduce operational security staff, take the time to think it through and clearly articulate the business impact of the reductions.

As banks shed personnel, a strain is imposed on the organizations' identity and access management systems and processes. Accounts and privileges for each terminated employee must be removed. But unlike during previous recessions, this time layoffs are occurring at all levels and at an unprecedented speed. It is easy for an organization to find itself in a situation where key players in control processes governing user account creation/removal have themselves been terminated. When staff reductions impact user provisioning, it is important to sequence those reductions so the approval workflow never breaks.

Control processes such as audit or security controls tend to be labor-intensive and are often early victims in cost-cutting initiatives. Think how tempting it is to lay off the low-level paper pusher (LLPP). The problem is that among the many routine tasks the LLPP performed were several that were vital to the organization's achieving regulatory compliance. Reducing control processes may impact the ability of an organization to recognize something going wrong at an operational level in a timely manner. After all, there was a legitimate business reason why those controls were implemented in the first place.

The tension here is that business reality forces companies to reduce staff quickly. Therefore vital functions need to be identified and passed on to survivors before terminations take place. Often, by the time the vital functions have been addressed, the net cost savings may be far less than anticipated.

Managing With Less

The general challenge, of course, is managing with less. It is more important than ever to have a strong business justification for all activities and a good risk assessment process in place to understand the business impact of any reductions, and to consider alternative approaches to achieving your security requirements. The challenge of the current crisis is that suspending new security initiatives is often not enough; many organizations are reducing previously approved budgets or instituting spending freezes. But it is nearly impossible to maintain an institution's level of security in the face of uncertain and constantly changing budgets.

Security issues are a mere shadow of the larger challenges financial institutions are facing. Tough business decisions dominate the agenda. Ultimately, however, organizations that make tough decisions -- and enable their IT and security teams to help -- have a better chance of survival than those that dither. The operational cuts you would make in an organization that needs to be fully functioning six months down the road are entirely different from those for an organization surviving day to day in preparation for a hasty merger, for example. If the underlying business is sound, security teams need to help the rest of the organization understand that security risks don't go away just because budgets are tight.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.