By Art Gillis
Long before IT developed into a distributed architecture, the idea of protecting the bank's data was rather simple. Lock down the computer center. The idea was probably based on an old banking rule. Put the cash in the vault every night. My bank took it a step further and buried the "vault." That's right, our computer center was under an apple orchard located about 20 miles from downtown Providence. The data center was indeed impressive. Enough food for 30 days, showers to wash off the radiation, mattresses under the raised floor for comfortable sleeping, and try to get in the place. In the five years I worked for the bank, I had seen it only once. The guy in charge of security was modeled after a Barny Fife. No matter what one's credentials were, he had to know why you were there that day, and impressing prospective customers was not an acceptable reason.
We were never attacked by the Russians or even the local "Sopranos," and after the bank's cost analysts did their thing it was decided to abandon the "bunker" in favor of a far less-expensive modern facility in an industrial park that had bellied up, aka OREO on the bank's balance sheet.
Please don't assume that I was against this practical view of how much a bank should spend on data security. It hit me when I realized that our extreme security was only as good as a Dodge Dart and one of twenty-something (we had only two SSNs) Brown University students who distributed the work back and forth to the protected data center. The good news was we never lost a piece of data, nor were we ever late delivering even in severe New England weather. And the students never got speeding tickets even though we did not insist on drug testing. The bad news is that technology got more sophisticated, and we lost our grip on securing the "vault." Data security costs about 10 percent of a bank's IT budget. Spend it wisely.