Five lessons we can learn from financial services and compliance
Banks and financial services organisations have been a prime target for hackers for a very long time, and as a result of this the industry has had to adhere to security compliance regulations for a lot longer than most other sectors.
However, as cybercrime has become more widespread and hackers are looking to exploit almost any organisation with a connection to the internet, compliance regulations have become more common and are now placed upon most other industries.
This has of course been met with a mixed response, because compliance is something you cannot escape from: it requires expenditure but doesn’t actually generate revenue, and if organisations fail to comply they could face hefty fines. In order to achieve compliance, organisations need to look at it as more than a simple tick-in-a-box exercise – they need to develop a process which works in sync with the entire company to help improve security. Organisations must also realise that while compliance won’t make them secure, if they’re not secure they will not be compliant.
All of this can of course turn the process of achieving security compliance into a daunting task for many IT teams. However, by looking at how the financial industry approaches compliance, organisations can learn methods to determine what issues should be covered first to mitigate the greatest risks.
Below are five lessons we can learn from financial services and compliance, which organisations should look at to help them achieve compliance:
1. Embrace a structured, top-down approach to risk management. Use that risk model to create a stack-ranked view of your business services, applications, and infrastructure so you can prioritise.
While financial services companies are definitely among the most regulated, they use security as a model to enable top-down risk analysis for the business. When all of the components come together, with people working through real exercises and data in different forms, the organisation takes a significant step from mere compliance to a genuine risk framework.
You can look at this more holistically and treat it as a business risk problem, not just “security’s problem.” A key success factor is in selecting a framework that allows you to use it frequently, and which is not overly complex.
Consider using the recently improved COBIT Risk IT framework or ISO 27001, as these approaches make it easier to deal with overall business risk rather than approaching it as an IT-only exercise. After all, we’re dealing with a business risk problem, so, like financial services, we must understand how to mitigate risk and how to educate the business on how their success hinges on IT’s groundwork. These frameworks will guide you toward the selection and implementation of security controls to mitigate your key risks.
In security parlance, we articulate “control objectives,” which are the conditions we mean to satisfy as we implement security controls. For example, define a control objective to ensure that customer data is never tampered with, and focus your implementation work on understanding how to satisfactorily achieve that objective. There are multiple ways to approach this, but it is up to each element of the business to determine who is responsible, what part each plays in achieving the objective, and to ask the questions that ensure the approach will scale to meet the demands of the business.
2. Align your security spending and resources to match the shape of your risk – ensure you spend more on the things that are most important to the success of your business, and less on things that don’t have as much impact.
One of the significant concerns of business is achieving balance in their risk and security approaches. In other words, they want to align spending in a way that is consistent with the value of what’s being protected, as well as the consequences if a security incident or service-impacting event were to occur.
Put another way, everyone owns various types of property, but you don’t want to invest the same amount of your resources to protect everything you own. You intuitively know which of your belongings you’re comfortable leaving on the front lawn overnight and which you want to make sure are locked up safe and sound at the end of the day.
That thought process is akin to applying a business risk framework – you can drive yourself crazy by treating everything equally, or objectively apply your limited resources in a business-oriented way through effective risk “scoping”.
One crucial element in this process is to “show your work” by articulating the criteria and decision process you are using to evaluate risk. This kind of transparency enables others in the organization to evaluate risk on their own while coming to similar answers about the relative risk of assets involved in the business. A repeatable, objective model is essential not only for scaling as the business grows; it also allows you to delegate accountability for risk through many levels of the organization.
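The stack-ranked view (lesson 1) and the spend-to-risk alignment with a transparent, repeatable decision process (lesson 2) can be made concrete in a few lines. The following is an added illustration, not code from the article or from any framework it names: the 1-to-5 likelihood and impact scale, the scope-uplift constant, the asset inventory and the control objectives are all constructed assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed, hypothetical asset inventory for illustration (not a real environment).
@dataclass(frozen=True)
class Asset:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int              # 1 (negligible) .. 5 (severe), assumed scale
    in_scope: bool           # sits inside a regulated boundary (e.g. a PCI DSS cardholder environment)
    control_objective: str   # the condition the controls must satisfy

SCALE = range(1, 6)

def risk_score(asset: Asset, scope_weight: float = 1.5) -> float:
    """Likelihood x impact, uplifted when the asset sits inside a compliance scope.

    The 1.5 uplift is an assumption of this example (it models the added cost of
    non-compliance), not a published weighting.
    """
    if asset.likelihood not in SCALE or asset.impact not in SCALE:
        raise ValueError(f"{asset.name}: likelihood and impact must be within 1..5")
    base = asset.likelihood * asset.impact
    return base * scope_weight if asset.in_scope else float(base)

def rank_assets(assets):
    """Stack-ranked list, highest risk first; ties broken by name so the ranking is repeatable."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))

def allocate_budget(assets, budget: float):
    """Split a security budget in proportion to each asset's share of total risk."""
    total = sum(risk_score(a) for a in assets)
    return {a.name: round(budget * risk_score(a) / total, 2) for a in assets}

def explain(asset: Asset) -> str:
    """'Show your work': the criteria behind a score, so others can reproduce the decision."""
    uplift = " x 1.5 (in scope)" if asset.in_scope else ""
    return (f"{asset.name}: likelihood {asset.likelihood} x impact {asset.impact}{uplift}"
            f" = {risk_score(asset):g}; objective: {asset.control_objective}")

INVENTORY = [
    Asset("payment-gateway", 4, 5, True,  "customer card data is never tampered with or disclosed"),
    Asset("hr-portal",       3, 4, False, "employee records are readable only by authorised staff"),
    Asset("marketing-site",  4, 2, False, "public content cannot be defaced"),
    Asset("dev-wiki",        2, 1, False, "internal notes never contain live credentials"),
]

if __name__ == "__main__":
    for asset in rank_assets(INVENTORY):
        print(explain(asset))
    for name, amount in allocate_budget(INVENTORY, 100_000).items():
        print(f"{name}: {amount:,.2f}")
```

The point of `explain` is the transparency the text asks for: every number in the ranking can be traced to two scores and a stated rule, so a business owner can challenge the inputs rather than the output, and the same model can be handed to another team and produce the same answer.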
3. Use compliance as a lever to unlock funding for your most important security projects. Nothing gets budget like an ultimatum with the potential for negative consequences.
Another important lesson involves “scoping,” in which we strive to create logical boundaries that enable us to manage segments of our infrastructure according to risk. Look at PCI DSS, which was about applying good security practices in the environment to protect credit card data. As guidance from the PCI Council has evolved over the last decade, there has been a deliberate emphasis on scoping the environment to reduce the footprint of systems involved in credit card transactions. This scoping process has made it easier to invest for PCI, as fewer systems are involved, which enables a less costly and resource-intensive approach to security.
In evaluating scope, risk, and cost, this objective approach enables businesses to decide whether they would rather pay to resolve an issue or are happy to pay the fine. In some circumstances this approach has negative consequences, but in many organisations it has actually improved the situation by making compliance more of a collaborative, business-focused exercise where you have to sit in a war room and discuss risk in a cross-functional way.
Once the business agrees on the top priorities to be funded, as well as the implications of non-compliance, the budget discussion becomes much easier.
In scoping, one area that is often overlooked involves risks associated with a third party. If you have external payment processors, or leverage banks in a model in which a third-party clearing house manages everyone’s data, inevitably there will be complex overlaps. Remember that you are still responsible for keeping your customer data safe, even if you outsource processing to another party. Incorporate the third party into your risk assessment so you aren’t blindsided, and assign control objectives to them so you can govern how they handle your data.
4. Use compliance to keep the pressure on and drive continuous improvement. Regular compliance audits ensure that you evaluate where you are on a periodic basis, which helps keep the momentum behind improvement activities – establish some kind of forced cadence to get the same effect in your organisation.
Security is a prominent part of risk management, and security often identifies the lion’s share of risk, but it is incumbent on the business to actually accept risk. Making this risk acceptance process productive means taking your security assessment and articulating it in the context of your risk profile, helping the business understand the key risks, what the consequences of a breach would be, and the cost of the various options to mitigate those risks. Done well, risk management is an enabler for making business decisions, achieving buy-in, and increasing business performance.
5. Integrate external perspectives into your “world view” of security so you can respond and adapt to changing conditions outside of your organisation’s direct control.
Businesses have traditionally been more focused on availability as it is easier to achieve and measure than compliance, leaving security as an afterthought.
While it was easier to put IT in the back room and ignore it in the past, IT now forms a key part of your business. As more businesses have to deal with compliance, and as more non-technical business leaders are exposed to data breaches and denial-of-service attacks through the media, this conversation is becoming easier.
Information security is increasingly recognised as being part of what makes a business work. To emphasise this fact, don’t dwell on internal issues specific to IT. Rather, highlight incidents happening to your peers and competitors, focusing the discussion on “what if this happened to us?” and drive a deliberate strategy for how your business will manage the risk. That changes the tone of the discussion and recasts the role IT has within the business.