Chertoff Group Security Series Educates Financial Services Institutions about Cybercrime

Justin Orcutt, Regional Sales Manager

Last week I attended The Chertoff Group’s Security Series on Building Resiliency for Financial Services Sector. The event was attended by over 200 CISOs, CIOs, and CTOs from some of the top financial institutions in the country. The speakers and panelists hold positions that put them on the front line of the war against cybercrime. They provided insight into what they’re doing to protect their organizations, how they see the industry evolving, and firsthand knowledge about emerging threats. The information presented was in line with everything I see our customers currently doing to protect data.

Attendees agreed that a more consolidated effort must be made to combat cybercrime. There was a significant amount of discussion on how FS-ISAC has improved the sharing of breach information and threat data. For those unfamiliar, FS-ISAC, according to its website, is the global financial industry’s go-to resource for cyber and physical threat intelligence analysis and information sharing. It’s a resource that financial services firms should leverage to stay ahead of cybercrime. FS-ISAC is valuable, but first organizations need to understand all types of risk. Financial services institutions are good at understanding ‘financial’ risk, but they still have a long way to go in understanding cyber risk. However, the industry is certainly ahead of other industries in combatting cybercrime and maintaining the public’s trust.

The forum highlighted some key issues:

  1. Get and stay connected: Know your peers and share information about what’s going on and any new threats you see. Know law enforcement and who you may need to call if you experience a potential breach. If you don’t use these resources, you may be fighting the battle alone with no tools, resources, or knowledge to combat threats. It’s like having a sword fight in the dark.
  2. Know your data: You need to understand the data that resides on your systems – how you classify that data and where the data is located within your network. This is one of the first steps to protecting data from a breach. Organizations need to know their data so they can put themselves in the shoes of an attacker, which can help identify specific gaps. With quickly evolving technology, the age of data propagation is here to stay.
  3. Measure your risk: Everyone is at risk but is everyone’s risk equal? No. You need to evaluate the vulnerabilities and threats specific to your organization and determine the likely impact. When doing so, consider the confidentiality, integrity and availability of the data. All of this should help produce a risk ranking that can be used to set risk-reduction controls. John Rostern, VP at Coalfire, wrote an informative blog on this topic.
  4. Security needs to be elevated to the C-Suite: Large financial institutions typically have a Chief Information Security Officer and have done a good job making security a high-level issue. The CISO needs to meet with the board to discuss risks and what the organization is doing to manage and reduce risk. Smaller organizations have been put on notice that they need to establish this position through the SEC’s Cyber Security Initiative. This initiative is also an excellent guide for what they can do to protect their data.
  5. Know how downstream vendors impact security: This is related to measuring your risk. An important topic at the event was the risk of having non-compliant downstream vendors. Today we live in a world that is deeply intertwined. You’re collecting massive amounts of data from multiple sources at a speed that makes it difficult to manage on your own. You need to know who comes in contact with your data, since a breach can impact your operations, brand reputation, or your company’s value. There are many different ways to manage vendors, but at the very least you should be monitoring your vendors’ security and compliance, including third-party attestations, samples of policies and procedures, and more.

When evaluating vendors you can use the 12 main sections listed in ISO 27002:2005 as a guide.

  1. Risk assessment and treatment
  2. Security policy
  3. Organization of information security
  4. Asset management
  5. Human resource security
  6. Physical and environmental security
  7. Communications and operations management
  8. Access control
  9. Information systems acquisition, development and maintenance
  10. Information security incident management
  11. Business continuity management
  12. Compliance

The event was a wakeup call to many of the attendees but for others it was a reminder of their everyday battles. As I left the event I couldn’t help but think of the recent breaches and what could have been done differently.

Justin Orcutt
