Banks need to approach their data privacy and security from a risk point of view, according to experts with New York-based Deloitte. The firm held a webcast Tuesday that discussed how financial institutions can transform themselves from being compliance-driven organizations to risk-driven organizations, two models that are distinct, Edward Powers, a principal with the firm's security and privacy practice, said.
Over the last six to eight months, Powers said he has seen a continued sensitive to risk among financial institutions. "At the same time, I've seen significant moves to downsize budgets and human resources. This is creating strain. Most organizations are now optimizing around the things that are most urgent."
To help banks find a balance, Powers suggested they become "risk-intelligent enterprises." What this means is that rather than allowing factors like budgets, laws and regulations, and stakeholders to push the organization to simply meet the minimum requirements by law, a risk-intelligent enterprise takes a more proactive approach to managing security needs. Data becomes the focal point of this model.
"A compliance-based approach to data management creates gaps, redundancies and inefficiencies," Powers explained to attendees. "This may reflect the current regulatory environment but not your organization's current posture. You end up reinventing the wheel and building redundancies."
He said that for a bank to become a risk-intelligent enterprise, it must incorporate three attributes: 1. Asset inventories and the need to understand the data, along with the data flows. 2. Creating a risk catalogue with a common risk language that takes into account legal requirements, and internal and external standards and policies. 3. Becoming serious about third-party oversight so that the bank's service providers are held to the same standards of data security as the bank.
"A risk-intelligent enterprise is communications-centric. The organization has a common reporting language," Powers remarked. "It is intended to align the business requirements, compliance requirements and vulnerability management to eliminate overlap and create an efficient risk management environment."
"Data is an asset," added Richard Baich, also a principal with Deloitte. "It's the most central asset, besides people, that the financial services industry values. You have to understand data is not just owned by IT or the data warehouse."