Where to begin?
This question is echoing throughout the information security functions of financial services industry (FSI) organizations. Chief information security officers (CISOs) and their staffs face growing pressure to strengthen IT security and data privacy in a highly dynamic and potentially risky environment.
To best answer the “Where to begin?” question, a useful starting point is understanding the top security and privacy issues on which leading CISOs are focusing. And, because there are so many information security risks confronting CISOs and other IT-security executives, prioritization is critical.
The frequently overlapping security issues discussed herein are culled from our interactions with FSI CISOs and their teams. By addressing these priorities, CISOs can help make their security capabilities less reactive and more responsive.
- Breach readiness
- DDoS prevention
- Data loss prevention
- Vulnerability management
- Security operations center effectiveness
The following priorities must not only be addressed; they should be managed in a way that supports the development of a security architecture capable of adapting to new and emerging threats:
- Breach readiness: Given the rise in advanced persistent threats (APTs), breach readiness represents the top IT security concern. Leading FSI IT security executives espouse a mindset that a breach is a matter of when, not if. While investing in the tools necessary to fortify breach readiness is a requirement, IT security executives with more advanced breach readiness capabilities are spending less time on investment decisions and more time ensuring that their staffs and other employees are receiving sufficient training and preparation.
- DDoS prevention: Responding to distributed denial-of-service (DDoS) attacks represents a key component of overall breach readiness. However, DDoS prevention also requires its own set of highly specific controls. These attacks are increasing in frequency and also are mutating. As one IT security blogger put it, “Today, DDoS attacks are thicker than fleas on a hound dog, and are more complex than ever.” [2] Recently, bad actors have been adapting their DDoS attacks to exploit holes in network time protocol (NTP) servers. From January to February 2014, NTP amplification DDoS attacks against customers of the world’s leading DDoS protection service increased by a massive 371 percent. [3]
- Data loss prevention: Data loss prevention (DLP) is garnering attention from both a solution and strategy perspective. From a strategic standpoint, IT security executives want to ensure the DLP program is adapting as the enterprise expands into new markets. From a solution standpoint, IT security executives are discovering that there is not a silver-bullet tool that can meet all DLP requirements. Fortifying DLP programs requires comprehensive scrutiny of major systems as well as network architecture and governance processes to ensure everything is configured properly to protect data. One key component of a strong DLP program is data labeling, particularly with communications. Organizations are now expected to have the capability to identify communications of a certain data classification. Like DLP, effectively designing and implementing this capability is a challenge given the complexity of configuring IT systems as well as ensuring that policies and procedures support the data labeling solution.
- Vulnerability management: Regulators continue to home in on information security issues; as they do, vulnerability management is falling into their crosshairs. For example, U.S. Federal Reserve regulators are expressing greater concerns about the controls surrounding business-managed applications (BMAs). This scrutiny is driving CISOs and their teams to identify, assess and remediate a wide range of vulnerabilities, including those related to data security, IT asset management and server configuration, among many other areas.
- Security operations center (SOC) effectiveness: The effectiveness of an SOC is a major influence on an FSI organization’s breach readiness. Many IT security executives are immersed in event monitoring, security training, systems profiling and other means of strengthening their SOCs. More than ever, it’s also critical for SOCs to be integrated with the organization’s lines of business – audit, corporate communications, physical security, business continuity management, and more. Such integration and cooperation give management confidence that the organization is prepared to respond expeditiously to incidents. In addition, training represents an increasingly important focal point of SOC improvement. Effective training – which involves identifying who is to be trained, what type of training they need and how frequently it should be provided – can greatly increase the speed and effectiveness with which the organization responds to security incidents, providing confidence that analysts have the right tools to understand and perform the correct analysis.
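The DDoS and SOC priorities above meet in event monitoring: an NTP amplification flood, of the kind the DDoS bullet describes, has a recognizable shape in network flow data, so a SOC can detect it rather than learn of it from a saturated link. The script below is an added example, not code from the original article or from any vendor it mentions. It scores NetFlow/IPFIX-style summaries per destination: many distinct NTP servers sending large UDP volumes from source port 123 to one host that sent them little or nothing. The flow records are constructed sample data, and the thresholds (`min_reflectors`, `min_bytes`, `min_ratio`) are assumptions a team would tune against its own baseline.

```python
"""Flag likely NTP amplification floods in flow records.

Added example (not part of the original article). Reflection/amplification
traffic shows up as large UDP volumes *from* source port 123 towards a
single victim, delivered by many distinct servers, with far more bytes
arriving than the victim ever sent to port 123. The records below are
constructed sample data; the thresholds are assumptions to be tuned.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow summary (NetFlow/IPFIX style)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    n_bytes: int
    n_packets: int


def detect_ntp_amplification(flows, min_reflectors=3, min_bytes=50_000, min_ratio=10.0):
    """Return {victim_ip: summary} for destinations that look flooded.

    A destination is flagged when (a) at least `min_reflectors` distinct
    NTP servers are sending it traffic, (b) the total UDP volume from
    source port 123 exceeds `min_bytes`, and (c) that inbound volume is at
    least `min_ratio` times what the host itself sent to port 123.
    """
    inbound = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    outbound = defaultdict(int)  # bytes each host sent to NTP servers
    for f in flows:
        if f.proto != "udp":
            continue  # NTP is UDP only; TCP flows are irrelevant here
        if f.src_port == NTP_PORT:
            rec = inbound[f.dst_ip]
            rec["bytes"] += f.n_bytes
            rec["packets"] += f.n_packets
            rec["reflectors"].add(f.src_ip)
        elif f.dst_port == NTP_PORT:
            outbound[f.src_ip] += f.n_bytes

    alerts = {}
    for victim, rec in inbound.items():
        sent = outbound.get(victim, 0)
        # A host that never queried NTP yet receives NTP replies is the
        # clearest sign of spoofed-source reflection; treat ratio as infinite.
        ratio = rec["bytes"] / sent if sent else float("inf")
        if (len(rec["reflectors"]) >= min_reflectors
                and rec["bytes"] >= min_bytes
                and ratio >= min_ratio):
            alerts[victim] = {
                "reflectors": len(rec["reflectors"]),
                "bytes_in": rec["bytes"],
                "bytes_out": sent,
                "amplification": ratio,
            }
    return alerts


# Constructed sample flows (documentation/test address ranges only).
SAMPLE_FLOWS = [
    # Legitimate NTP client: 76-byte request, 76-byte reply (ratio ~1).
    Flow("10.0.0.5", 43123, "192.0.2.10", 123, "udp", 76, 1),
    Flow("192.0.2.10", 123, "10.0.0.5", 43123, "udp", 76, 1),
    # Victim 10.0.0.50: sent no NTP requests, yet four servers flood it.
    Flow("198.51.100.1", 123, "10.0.0.50", 80, "udp", 48_000, 100),
    Flow("198.51.100.2", 123, "10.0.0.50", 80, "udp", 47_520, 99),
    Flow("198.51.100.3", 123, "10.0.0.50", 80, "udp", 46_080, 96),
    Flow("198.51.100.4", 123, "10.0.0.50", 80, "udp", 45_600, 95),
    # Ordinary HTTPS traffic, ignored by the detector.
    Flow("10.0.0.7", 50001, "203.0.113.9", 443, "tcp", 12_000, 20),
]

if __name__ == "__main__":
    for victim, info in detect_ntp_amplification(SAMPLE_FLOWS).items():
        print(f"ALERT {victim}: {info}")
```

The legitimate client is not flagged because it talks to a single server and its reply volume matches its request volume; the victim is flagged on all three conditions. In production the same logic would run over a sliding window so that the byte and reflector thresholds express a rate, and alerts would feed the SOC's incident process rather than a print statement.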
While nearly every FSI IT security function is addressing these issues, the most mature security functions are doing so in a more “mature” way. This maturity is manifested in going beyond reacting to these issues, to cultivating a larger-picture understanding of how these concerns relate to each other, how their potential effects compare and, as a result, which issues require immediate attention (and more resources).
Armed with the knowledge that comes with higher organizational maturity, FSI IT security teams will more effectively engage with their partners at the enterprise level. Security teams that are building on this new knowledge can proactively team with other business areas, increasing enterprise support for the security team’s vision and goals and, ultimately, the state of readiness across the enterprise.