Chertoff Group Security Series Educates Financial Services Institutions about Cybercrime

September 15, 2014, Justin Orcutt, Regional Sales Manager

Last week I attended The Chertoff Group’s Security Series on Building Resiliency for Financial Services Sector. The event was attended by over 200 CISOs, CIOs, and CTOs from some of the top financial institutions in the country. The speakers and panelists hold positions that put them on the front line of the war against cybercrime. They provided insight into what they’re doing to protect their organizations, how they see the industry evolving, and firsthand knowledge about emerging threats. The information presented was in line with everything I see our customers currently doing to protect data.

Attendees agreed that a more consolidated effort must be made to combat cybercrime. There was a significant amount of discussion on how FS-ISAC has improved the sharing of breach information and threat data. For those unfamiliar, FS-ISAC describes itself on its website as the global financial industry’s go-to resource for cyber and physical threat intelligence analysis and information sharing. It’s a resource that financial services firms should leverage to stay ahead of cybercrime. FS-ISAC is a valuable resource, but first organizations need to understand all types of risk. Financial services institutions are good at understanding ‘financial’ risk, but they still have a long way to go with understanding cyber risk. However, the industry is certainly ahead of other industries in terms of combatting cybercrime and maintaining the public’s trust.

The forum highlighted some key issues:

  1. Get and stay connected: Know your peers and share information about what’s going on and any new threats you see. Know law enforcement and who you may need to call if you experience a potential breach. If you don’t use these resources, you may be fighting the battle alone with no tools, resources, or knowledge to combat threats. It’s like having a sword fight in the dark.
  2. Know your data: You need to understand the data that resides on your systems – how you classify that data and where the data is located within your network. This is one of the first steps to protecting data from a breach. Organizations need to know their data so they can put themselves in the shoes of an attacker, which can help identify specific gaps. With quickly evolving technology, the age of data propagation is here to stay.
  3. Measure your risk: Everyone is at risk but is everyone’s risk equal? No. You need to evaluate the vulnerabilities and threats specific to your organization and determine the likely impact. When doing so, consider the confidentiality, integrity and availability of the data. All of this should help produce a risk ranking that can be used to set risk-reduction controls. John Rostern, VP at Coalfire, wrote an informative blog on this topic.
  4. Security needs to be elevated to the C-suite: Large financial institutions typically have a Chief Information Security Officer and have done a good job making security a high-level issue. The CISO needs to meet with the board to discuss risks and what the organization is doing to manage and reduce risk. Smaller organizations have been put on notice through the SEC’s Cyber Security Initiative that they need to establish this position. This initiative is also an excellent guide for what they can do to protect their data.
  5. Know how downstream vendors impact security: This is related to measuring your risk. An important topic at the event was the risk of having non-compliant downstream vendors. Today we live in a world that is so intertwined. You’re collecting massive amounts of data from multiple resources at a speed that makes it difficult to manage on your own. You need to know who comes in contact with your data since a breach can impact your operations, brand reputation, or your company’s value. There are many different ways to manage vendors but at the very least you should be monitoring your vendors’ security and compliance, including third-party attestations, samples of policies and procedures, and more.

When evaluating vendors you can use the 12 main sections listed in ISO 27002:2005 as a guide.

  1. Risk assessment and treatment
  2. Security policy
  3. Organization of information security
  4. Asset management
  5. Human resource security
  6. Physical and environmental security
  7. Communications and operations management
  8. Access control
  9. Information systems acquisition, development and maintenance
  10. Information security incident management
  11. Business continuity management
  12. Compliance

The event was a wakeup call to many of the attendees but for others it was a reminder of their everyday battles. As I left the event I couldn’t help but think of the recent breaches and what could have been done differently.

Justin Orcutt
