The industry may be trying to face down an economic crisis, but the old specter of security still looms over financial services executives' heads.
According to Patrick Peck, SVP, Booz Allen Hamilton (McLean, Va.), managing cyber security and how to protect the enterprise is still front and center on the minds of his clients. During a presentation yesterday called "Cyber: Are You Ready for What's Next?," Peck told attendees of the annual SIFMA Technology Conference & Exhibit in New York that the threats still exist and they'll only worsen. Ultimately, the key to succeeding against them is to establish a three-way cooperative between industry, government and academia to intercept threats more quickly.
At one point, Peck showed a video of Michael McConnell, an SVP at Booz Allen and the former director of national intelligence under President Bush. McConnell noted that if the 9/11 terrorists had instead chosen to hack into a major bank and destroy all the data in that bank, the global damage would have far exceeded the tragedies of the World Trade Center, Pentagon and Flight 93.
"The global financial system is not based on a gold standard," McConnell noted. "It's based on confidence." Once that confidence is shaken, there is a cascading effect, as has been illustrated throughout this financial crisis.
To properly address cyber threats to the banking system and the nation's infrastructure, he said, companies have to look beyond technology solutions to policy, culture and the company's operating profile.
Peck followed this up with an example: a simulation Booz Allen ran that brought together 230 leaders from industry, government and society (such as academics and the media) and observed how they reacted to a simulated cyber threat. What really struck Peck was that people could not clearly identify the lines of authority in an emergency. "People didn't know who to go to, where policy was coming from," he explained. "We recommend establishing a single voice around cyber education."
He noted this is what President Obama is doing with the establishment of a cyber authority within the Dept. of Homeland Security. "Cyber is too complex for one authority to handle alone," he said. There is a growing array of state and nonstate actors seeking to attack American government and commercial interests—including financial institutions. "The nation must act quickly to protect our national infrastructure," Peck commented.
Co-presenter Scott Kaine, also from Booz Allen, suggested banks and others be mindful of threats from within as well as from outside the organization, since 80 percent of risk comes from insider threats. "You need the basic blocking and tackling and the key is training—from the C-level down to customer services reps," he noted.
A continuous risk process that is revisited regularly is required if a financial institution is to protect itself from cyber threats, both current and future, Kaine said. This starts with the budget process. Funding for IT and security should not be relegated to the bottom of the list, as it often is. Banks are trying to cut costs, but if money is shaved off the IT security budget, how much risk is being introduced to the organization? "You have to know this," he said. "Do a risk assessment more than once a year and allocate the budget according to those risks."
Something that might encourage this practice is a bill being floated in the Senate that would require businesses to adhere to the same security standards as government agencies. "Do your IT folks know about this?" Kaine asked attendees. "They're going to need to know the ramifications of this policy."
Regardless of whether the Cybersecurity Act of 2009 is passed, information security people at banks need to act first. They need to use the technology at their disposal to look outside the organization, so that when patterns of illicit cyber activity emerge in other parts of the world they are forewarned and better able to repel the threat once it reaches their own organizations' borders. "Work with your ISP, managed security players and government," Kaine said. "Your role is to be proactive."