In 1983, I published a set of guidelines designed to protect data (aka electronic money) as gazillions of bytes traveled through copper and chips. Ah, those were the good old days. I was confident I had every threat pinned down to 39 rules. At the time, 39 was about 30 more than the ordinary CIO had identified, and what was worse, most CIOs weren't even worried about any breaches because they relied on one pervasive safety net called "It won't happen to us."

CIOs are better at the task of securing IT these days, but the "openness" of self-service, "friendlier" technologies, and an increasingly larger population of electronic "Bonnies & Clydes" will all contribute to putting the safety of banks back to the nineties, instead of ahead of the bad guys. And what with the crunches that are hurting many banks these days, CIOs aren't stepping up to the plate to insist on more funding to protect against what might happen.
Solution: Nagging persistency from the CIO to the guardians of Noninterest Expense and Risk Management.
When I worked for a bank in the seventies, I was known by the bank's executive management as one royal P.I.T.A. The third time was the charm, but my fourth, fifth and sixth times got me what I wanted. CIOs need to adopt my persistent approach because "subsecurity" will hurt banks a whole lot more than subprime. And some bank CEOs need to be hit over the head several times before they get it, even though they are the ones that will be charged, at least by the press, with mismanagement (or nonmanagement) after the threat hits.
The following story, from 1981, is about a very alert bank CEO and a very insecure CIO. A $5 billion bank in New Orleans was governed at the time by a CEO who had great intellectual capacity and the perfect amount of paranoia. Yes, folks, a certain amount of paranoia is a good thing for bank CEOs, as Andy Grove told the world in his book, "Only the Paranoid Survive." After returning from an executive seminar, probably held at a luxurious resort by a prestigious IT guru such as Gartner, the bank's CEO hired me to look for security breaches in the bank's IT department. When I showed up for work, I noticed a few peculiarities. The security guard at the executive suite frisked me before I could enter. When I got to the CEO's office I had trouble concentrating on his instructions, for good reason. There was a .357 Magnum on his desk whose barrel was pointed right at my heart. When he introduced me to the CIO, that guy was totally hostile. It was the beads of sweat on his forehead, rather than the .357, that gave me reason to wonder what I was getting into. But, like any other consultant, I took the job because I needed the money, and in truth there were two more reasons. I enjoyed the challenge, and I knew every top restaurant in New Orleans from my previous life as a contractor at NASA's Computer Center at the Michoud Saturn V Project.
On the second day of my project, the CIO instructed the Security Department to charge me officially with a breach of security. They claimed I was in the computer room without my badge, even though my badge was on my shirt pocket rather than my suit coat pocket. Confessing to a discomfort about being someplace where I wasn't welcome, I decided to cast off my three months of New Orleans cuisine and told the EVP of Operations it would be best if I left. Without the CIO's confidence, I would be worthless.
If I haven't convinced you yet of the veracity of this story, this should do it. Problem solving in New Orleans is handled by going to lunch. So the three of us sat in the main dining room of the Fairmont Hotel where two guys were popping Tums while I was happily selecting my "last supper." At the end of it all, I casually asked my "clients," "What should I tell the guy who hired me why I am quitting?" By the time my rum-based bread pudding arrived I was back on the job, and we were all buddy-buddy.
Sometimes consultants get lucky. While examining exception reports, it was glaringly obvious that the CD portfolio showed daily increasing OD balances. When I asked the reconciliation clerk what that was all about, she responded with, "Don't worry about that, baby, we're beta testing the Hogan CD system and that ain't real." It was real enough for the customer to cash in on hundreds of thousands of dollars of luxury purchases, a Rolls Royce, and Vegas joy trips before the bank charged him with over $700k of fraud. There were 39 guidelines on my list. Number 25 appealed to me because, in this era of risk assessment in banking, I wanted to see if I was alert enough to have covered all the bases. This is what #25 said:
"Usually, the effectiveness of a computer security audit is realized only after the violation occurs."