There is an uneasy feeling on the streets among bankers today that is slowly yet steadily churning their guts. The winds of a new war are blowing, and, like generals reviewing a ragtag militia, executives are feeling woefully unprepared for battle. Information security and protecting customer information have been headline priorities for bankers for more than a decade, but the once-rote tactics and drills encouraged by experts and regulators are now taking on a new meaning for bankers.
The chances of significant information security breaches, financial losses and high-stakes reputation risk seem more real to bankers at the end of 2012 than ever before. Recent stories are almost surreal in their impact and magnitude:
- Major U.S. banks are hit with denial of service attacks that cripple their Internet sites, with some suspecting Iranian involvement.
- A stealthy and wickedly powerful Flame virus morphs several times into variants like Stuxnet, Mini Flame and now the Gauss virus, which has already been identified in Middle East banks.
- Unencrypted data tapes lost in transit by TD Bank result in disclosure to more than a quarter million customers and stoke controversy on how long the company took to initiate notification procedures.
- Regulators issue a stern letter to one of the industry’s largest technology providers following a data breach citing lax information security organization and processes.
As the cyber war environment heats up, most bank executives trained in the fine arts of lending, finance and retail branches are asking, “What the hell am I supposed to be doing at my bank about this?”
The answer to this question can be addressed by using warfare as a metaphor. There is a potential enemy out there that could do damage, has no concern for our interests and may possess capabilities that we cannot presently match. And just because our armaments are not tattered and burning today does not mean something horrific might not be lurking only a few months away. Most importantly, bank executives cannot shuck this off as a delegated challenge for the techies in the basement – the next wave of this war is about how well the top organizes for the long fight. There are five key pillars of warfare that Gonzo executives should review in their organizations and upgrade pronto.
Pillar #1: Intelligence and monitoring
Warfare is fed by intelligence, and leaders build their plans from monitoring information. Bank executives should reflect for a minute, “Do I even know what type of monitoring we are doing in our organization and what the procedures are?” Additionally, effective intelligence is outward looking and far reaching. Bank executives should be wondering if any systematic monitoring of trends regarding security, data breaches and fraud is being conducted in their organizations. Do your I.T. folks know about Gauss? Have they consulted experts? Project-heavy and resource-stretched I.T. staffs who can barely keep their heads above water are clearly at risk of falling out of the loop.
Pillar #2: Leadership and clear lines of authority
Want to have a good laugh? Ask the average bank executive to name both his Information Security Officer and his Chief Privacy Officer. The names won’t roll off the tongue like they would for the Chief Financial Officer or Chief Credit Officer. Candidly, most banks have responded to regulatory requirements for information security and privacy accountability by having some busy operations, I.T. or compliance manager wear this title as one of her many hats. While a CFO is obviously required to close the books monthly and deliver a budget, and the CCO is instinctually expected to craft a credit policy, most bank executives would struggle to identify the expected “deliverables” for ISOs and CPOs – except for boring policies no one reads or cares about. The first step in being prepared for a more serious cyber war is to assess, focus on and better elevate these critical positions. There are growing professional organizations that can foster better development of these management positions, but they need the bright political light and support of top executives.
Pillar #3: Regular briefing and plan development in the bunker
All the classic war movies portray a Western scout riding up on a panting horse or a gritty corporal skidding up in a Jeep to deliver the news from the battlefield. Bank executives should ask themselves, “How often have I received a briefing on our information security position and battle plan this year?” This managerial behavior is an improvement that can easily be implemented as we speak in banks of any size. More formal security and privacy briefings and discussion of “battle” initiatives can be covered by the bank’s Enterprise Risk Committee or as periodic agenda items at senior management meetings. The important thing is to create a regular process, reporting framework and deliverables to make sure it happens. Like any risk, there will be tradeoffs regarding potential impact and the resources required to mitigate such risks. The growing magnitude of information security means these should be deliberated at higher levels in the typical banking organization.
Pillar #4: Focus and esprit among the troops
Most security officers grumble that it’s nearly impossible to get adequate attention for fortifying their organizations’ defenses among employees. It’s akin to a war movie where an enemy is approaching but the G.I.s are drinking, laughing and playing cards in the mess tent. The ease with which banks can be socially engineered by their own hired security experts is comical at first and nausea-inducing in the end. Unfortunately, employees associate the internal “brand” of Information Security today with annoying e-mail attachment limits and too-frequent password changes. We haven’t executed the creative and clever approaches to develop a more risk-focused culture without it seeming bureaucratic. Some Gonzo bankers are getting serious about building more security-aware cultures. One organization has found it effective to put a “penalty cone” on the desk of an employee who errantly leaves customer information unprotected or violates a policy. This Scarlett Letter of a cone cannot be removed until the employee’s supervisor is made aware. Another organization has incorporated effective “war stories” about actual bank security breaches and fraud losses into its employee training program. A stronger culture around security will not happen by accident: it’s time to make a list of tactics your bank will use to move the behavioral dial.
Pillar #5: Alliances to face a common opponent
Here’s a difficult question for bank executives to answer: “How are my forces working with other allies to share information and resources to defeat our enemy?” While there have been fledgling attempts at peer groups and information sharing among security and privacy officers, it’s time for the trade groups and influential bank executives to take it up a notch.
While it does not need to be public, more serious efforts need to be made to build smart and nimble INTERPOL for bankers. It might even be fun to have a secret handshake and code word (“Jingle Bells – Batman Smells”) to identify fellow agents. In the meantime, bank executives should be encouraging their security and privacy officers to participate in industry peer groups and to build an informal network of the smartest eggs out there to face these challenges.
It would be just plain wrong to write an article with a warfare metaphor and not quote Sun Tsu from the Art of War. So here goes:
“Know thy self, know thy enemy. A thousand battles, a thousand victories.” –Sun Tzu
For bank executives, don’t freeze up on this topic just because you don’t have deep technical knowledge regarding information security. (I personally fall at the shallow end of that gene pool.) Instead, remember the job of the executive is to define challenges, face reality and marshal focus and resources to win. Ask yourself if your bank has done that sufficiently and responsibly as we potentially face a more serious cyber war.
Are you staging a top-down defense against cyber crime?
Is your organization’s Information Security Program and overall I.T. Plan ready for the future?
Are the institution’s chief executives comfortable that the bank’s I.S. Program will adequately protect it and your customers and be acceptable in the emerging regulatory environment?
Cornerstone Advisors can shed insight into the overall effectiveness of your Information Security Program and help craft a comprehensive Strategic Technology Plan for your organization. And we can assist your organization in implementing our findings and recommendations.
Contact us today to learn more.