The importance of having ‘best practice’ in security can never be underestimated. Security specialist Jon Cosson gives his advice on how CIOs and CISOs can achieve this in the financial services sector.
The First Steps to Defence in Depth
When it comes to ‘best practice’ in security at financial services (FS) companies, then it comes down to a strategy that focuses on defence in depth and layering your defences around your critical assets.
This can be successfully achieved by embedding security into technology across the entire enterprise.
In some cases, technology in an enterprise has been deployed with security as an afterthought. The key element to a robust state is that security needs to be part of the fabric of an organisation and it needs to be embedded in every process.
This means the security needs to start when new products are introduced. This also applies to those that are core to the business such as infrastructure and server data. As the server infrastructure is developed, security is right at the forefront and woven in.
For the last ten years the focus of IT has been around regulation. A way to deal with this challenge is to adopt a regulatory framework. The game plan is to have a measurable framework and embed technology into that framework. This creates layers to ensure you have the most robust defence as possible.
Once security is embedded, then it’s about how you deploy. The world is so fast moving, you don’t want to think about it, you just want it there.
The Weakest Link
There are several main security threats to FS companies.
- Firstly, many attackers focus on the weakest part of an organisation, which comprises the users and clients.
- Threats come in many guises, such as social engineering or using tech as a pivot.
- Hackers are targeting vulnerable customers and we see that an increasing number are bypassing the organisation and going directly for the weak underbelly.
To see off these dangers it’s good to have a risk register and take guidance from peers. We work with the UK’s National Cyber Security Centre and the City of London police. By combining our expertise and experience with theirs, we can determine where the threats are coming from.
Next, it is important to understand what your critical assets are. You need to have an information asset register and build controls around that.
Striking a Balance for Innovation and Customer Experience
CISOs are under intense pressure to deliver security while enabling innovation and improving the customer experience. To ask how the right balance can be maintained is the million-dollar question. The answer comes down to flexibility and ease of use.
Let’s take what’s happening around the world now with the coronavirus. This has required a huge amount of flexibility from organisations. They must think how they can deploy staff in the most effective way to limit the risk of the spread of coronavirus.
I have staff working from home or at a disaster recovery site, whether that’s in London or around the country on a virtual network. This situation is like Pandora’s box. Once this has been opened, you are not going to be able to put it back. Some people have witnessed a whole new way of working and will realise the power of working from home.
In such a major incident like this, the first thing an organisation wants to do is speak with the IT department. They ask if the business can cope, if it can deliver, and whether the business can continue. All this can only be delivered with a secure environment. Which means the real power for FS lies in security.
That’s because security is a business enabler and CISOs need to be at the table for decision making within their organisations.
Let’s face it, CISOs have become a differentiator for several reasons.
- They are no longer an oversight.
- They bring security in depth and security first design.
- Their customers may be other financial institutions – such as banks and financial entities – who also have a robust security posture.
If we consider fintech innovation and improving customer experience, then the benchmark for this is born in the cloud. Companies want to innovate to stay ahead of the competition, and they do this by unleashing exciting digital products and services.
This desire resulted in a cloud-first strategy that was really driven by public cloud adoption to respond to that disruption. Later, CISOs were asked to secure it.
However, things have changed, and organisations are looking at hybrid and seeing the benefit of on-prem.
We know that DevOps is more about agile development, but DevSecOps is now really the mantra for cloud data development – and it’s a term that’s coming into the vernacular.
When I analyse the public cloud, I am hesitant about moving to that option. I would only consider moving in if I could move out as quickly as I could move in.
Yet there is an alternative. With hybrid we can leverage the power of the public cloud while keeping the data in check and protect the core assets. This provides exceptional levels of flexibility.
Control the Cloud
If we contemplate best practice and the cloud, I personally like to know where my data is and have it under my control. This provides every conceivable benefit and offers an excellent data management strategy. We leverage it when we need to and from a security perspective, I can put controls around it and put in layers of security.
This is where the hybrid cloud model comes in. FS companies that want to move to this model need to think about the right plan to execute this shift successfully.
First, you need planning. You need to look at the cost benefit analysis. Ask why you need to move to cloud, what is your primary goal, and make sure it’s fully costed.
The cloud economics also need to be modelled. A strong model with the help of a cloud economist can help organisations rationalise where something may be based and what the requirements are.
The reality in FS is that we are looking at a hybrid world – and the regulators are quite vocal in this area as well.
It’s critical to look at the whole supply chain. Ask about the outsourcing commitments and hold them to account. It’s very hard to do that with a huge cloud provider, especially if all your eggs are in one basket.
A final thing to consider is that you need to look at the future and see what resources you will have. By examining how your data will grow and what you will deploy, this will greatly assist in delivering the best practice for security.
Jon Cosson is Head of IT and Chief Information Security Officer at wealth manager, JM Finn. He also chairs the Cyber Security Group for the Personal Investment Management and Financial Advice Association, whose member organisations manage more than a trillion pounds in assets.