“It seems that every year, the importance of information security — particularly for financial institutions — grows more crucial…. How does an organization protect its information while opening itself up to customers and partners for revenue growth? And how does an organization balance its stakeholder demands while managing the cost of security solutions to prevent IT attacks?” This excerpt from Deloitte Touche Tohmatsu’s 2004 Global Security Survey highlights the security challenges this sector faces. Deloitte colleague and security services manager Marc MacKinnon referred to the findings of this second annual survey in recounting to Susan Maclean business continuity strategies for Canadian financial services firms.
IT Focus: Events like last summer’s computing problems at RBC, CIBC and TD Bank Financial Group attract a lot of attention. Have security and business continuity come more to the forefront or has it just been more reported on by the media?
Marc MacKinnon: There are a couple of things. In 2003, 39 per cent of the survey participants admitted they had been breached internally or externally. Last year that number more than doubled to 88 per cent. There is a lot of questioning as to why. Is it because security is becoming more forefront? A lot of organizations questioned were breached [in 2003], even if they said they weren’t. They just didn’t know about it. As they pay more attention, they are monitoring not only the effectiveness of their program but also how it is coping. So, the number of breaches that they see is increasing. Secondly, from our survey, we’ve seen that a lot of people are more comfortable reporting on breaches as well. They know that it is a common experience. Worms and viruses are a problem so they’re not so likely to hide it anymore. It is to their advantage to say, “Hey, we’ve been hit and we’re not the only one.”
IT Focus: How do financial firms deal with this?
MacKinnon: We are seeing a lot of organizations looking at the security strategy they have to ensure it is aligned with their IT and corporate strategies. A lot of financial institutions are trying to not only meet the increased regulations but also enact better practices and go toward security certification and such.
We see an increase in outlook of security certification such as the BS7799 in order to be in compliance with the ISO 17799. Basically it allows them to demonstrate to others that they’ve undergone due diligence or they have a lot of controls in place to not only meet legislation like Sarbanes-Oxley but as well just to protect the data that they have and the information from a confidentiality, integrity and availability perspective. The organization will look at what they have in place in terms of policies and procedures, communication, training and awareness and will map themselves to that, doing a gap analysis.
IT Focus: What other actions are prevalent?
MacKinnon: In order to protect yourself against viruses and worms you need to understand what assets you own and where they can hide. We see a lot of organizations moving toward asset management, going toward creating these asset registries, which will put them in a better position for risk assessment. From that risk assessment, the ISO standard provides guidance on what controls help protect assets.
The survey identified that security is getting more exposure internally. They say it is moving from the war room to the boardroom. As we know, upper management is constantly challenged trying to drive profitability, increase growth and innovation within the firm — but it is really becoming a lot more difficult as organizations are becoming more open and extended. There are now interdependencies on other organizations outside their borders that do not fall under their direct control. This openness increases the organization’s dependence on a global financial and communication infrastructure. With this reliance comes new vulnerabilities or interdependence risks. Interdependence risks can amplify risks that were once considered acceptable.
Although risk is inherent in an organization’s existence, it can either paralyze a potentially successful growth strategy or, if managed properly, it can set the stage for profitable growth. To do this, organizations need to build more resilient business and operating models, understand their vulnerabilities, mitigation options and economic tradeoffs. Certifications that focus on risk management such as BS7799 allow an organization to utilize a systematic approach to manage risks and provide a consolidated view of risks to the executive team. This allows them to better understand the organization’s interdependencies.
IT Focus: Any other trends?
MacKinnon: One of the biggest trends, and this is a global trend, is around the security training and awareness. In order to have policies and procedures work throughout the financial institutions, all the people need to be aware of them. A lot of financial institutions are trying to identify innovative ways that will attract people’s attention to get that training and awareness throughout the organization. They’re doing all sorts of different types of things from security videos to posters to “lunch ’n learns.” They’re also coupling that with better policies and procedures — and holding people accountable to them.
IT Focus: In what way are companies holding people accountable to security policies?
MacKinnon: A lot of organizations had ad hoc policies in the past. Now they’re trying to make policies and procedures comprehensive throughout the organization. They’ll link the rules and responsibilities to job descriptions. Then they’ll back the policies by procedures. Then they develop key performance indicators to measure how effective their security programs are. The number of breaches, the number of computing incidents per internal user — those would be the measures.
If they do find that people are abusing things or they have created an incident, based on the policy, whatever disciplinary actions they have within that, they will hold them accountable and it could be anything from dismissal to unpaid leave.
IT Focus: A recent Veritas Software survey cited companies on average not doing enough about security. Since it was not restricted to the financial services vertical, it would not reflect companies in this sector, which is noted for being serious about security, right?
MacKinnon: They are serious but they are not doing enough about it. They are starting this year. In our survey we found in a couple of areas companies were either doing a really good job or a really poor job. There are more organizations doing a poor job. Again, that was based on the 2004 data. Now in our 2005 fiscal year here, since our survey came out in March, even in Canada here a lot of our clients are in engagements around security training and awareness. We’ve seen that people have looked for and identified that gap and now are wanting to pay attention to it.
IT Focus: Do you see any significant technology emerging?
MacKinnon: ID management and vulnerability management are two of the bigger ones. A lot of organizations saw the value before but it was hard to demonstrate the return on investment. Technologies are great; they help prevent viruses and worms coming into the organization, but if they don’t update things like signature files…. You can stop it before it enters the organization’s boundaries and you can make your people aware. It really does go hand in hand.
From the survey we found a lot of large organizations have bigger budgets and they’re buying all sorts of technology — which is great because they are taking it from multiple angles. But some of the smaller financial institutions are being more strategic with the money they have. Their budgets are smaller so they are assessing what technologies they need and how to couple that with knowledge and awareness of their people.
IT Focus: How do organizations match employee awareness and security technology?
MacKinnon: Mass awareness campaigns. One of the key things to remember is you need to basically make everyone aware in the organization, not just within the security or within the IT function. One thing you can do to make them aware when surfing the Net is if they go to a site they are not supposed to go to, they will be blocked and a company policy on Web usage will appear. It basically says, “To read the policy, click here.” There are a lot of innovative ways people are coming up with right now.
IT Focus: Are these strategies successful?
MacKinnon: That has yet to be seen. I can say that from the answers given in the survey and doing the correlations, the ones that indicate they have training and awareness programs do feel that their security program is more in line with what they are trying to achieve.
— Maclean, freelance writer/editor, covers a wide range of IT applications. She is based in Guelph, Ont. and can be reached at www.sumac.net.