The following are the top things that any financial services firm should be actively considering when it comes to IT security:
1. Identification and protection of critical data
This means personally identifiable information (PII) in the case of consumer-facing companies, trading data in the case of exchanges, and governmental and regulatory data in the case of inter-governmental or back-end processing companies. The challenge is constantly keeping track of where this data lives and how it is encrypted, while keeping the keys separate from the data and following best practices for key management, which is ... key (no pun intended). As security guru Bruce Schneier has commented, the explosion of cheap and ubiquitous storage makes data collection a breeze; the need to separate the critical from the non-critical, classify it and secure it after the fact is the approaching nightmare.
2. Navigating in a constantly changing regulatory environment
Being nimble and proactive enough to navigate the ever-changing regulatory framework. Top of mind is GDPR (General Data Protection Regulation), an EU regulation going into effect in May 2018. The implications for financial services firms operating under this framework are enormous, and the cost of non-compliance even more so: fines of up to 4% of global annual turnover. One example is honoring an end customer's request to hand over all personal information tied to him or her and to destroy any remnants of it. This requires enormous visibility: tracking every user's data unambiguously, protecting it, and being able to shred it on request. A recent blog post of mine 'demystifies' this mandate in layman's terms.
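Sections 1 and 2 share one mechanism in practice: encrypt each user's data under its own data-encryption key (DEK), keep that DEK wrapped under a key-encryption key (KEK) that lives in a separate key tier, and answer an erasure request by destroying the wrapped DEK so every ciphertext under it becomes unrecoverable (cryptographic erasure). The following is an added example of that pattern; it is not the author's or HyTrust's code. It assumes an in-memory vault standing in for an HSM or KMS, and the user IDs, sample PII and key sizes are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the data tier stores: nonce || ciphertext, no key material.
type Record struct {
	UserID string
	Blob   []byte
}

// Vault models the key tier, held apart from the data tier. It keeps one DEK
// per user, each wrapped under the KEK. In production the KEK would sit in an
// HSM or KMS; an in-memory KEK is an assumption of this demo.
type Vault struct {
	kek  cipher.AEAD
	deks map[string][]byte // userID -> nonce || KEK-wrapped DEK
}

func NewVault(kek []byte) (*Vault, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	return &Vault{kek: aead, deks: map[string][]byte{}}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal returns nonce || AES-GCM(key, plaintext) with aad authenticated.
func seal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

func unseal(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// dek returns the user's unwrapped DEK, or an error once it has been shredded.
// The user ID is the associated data, so a wrapped key cannot be re-labelled
// and reused for another user.
func (v *Vault) dek(userID string) ([]byte, error) {
	w, ok := v.deks[userID]
	if !ok {
		return nil, errors.New("no key for " + userID + ": data is cryptographically erased")
	}
	return unseal(v.kek, w, []byte(userID))
}

// Encrypt seals plaintext under the user's DEK, minting and wrapping a fresh
// DEK on first use (a shredded user who returns gets a brand-new key).
func (v *Vault) Encrypt(userID string, plaintext []byte) (Record, error) {
	if _, ok := v.deks[userID]; !ok {
		v.deks[userID] = seal(v.kek, randomBytes(32), []byte(userID))
	}
	key, err := v.dek(userID)
	if err != nil {
		return Record{}, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	return Record{UserID: userID, Blob: seal(aead, plaintext, []byte(userID))}, nil
}

// Decrypt fails after Shred even if the ciphertext survives in a backup, and
// fails if a record is re-labelled with a different user ID.
func (v *Vault) Decrypt(r Record) ([]byte, error) {
	key, err := v.dek(r.UserID)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return unseal(aead, r.Blob, []byte(r.UserID))
}

// Shred answers an erasure request by destroying the only copy of the user's
// wrapped DEK; every ciphertext under it becomes unrecoverable at once.
func (v *Vault) Shred(userID string) {
	delete(v.deks, userID)
}

func main() {
	v, err := NewVault(randomBytes(32)) // constructed KEK for the demo
	if err != nil {
		panic(err)
	}
	// Constructed sample PII, not real customer data.
	rec, _ := v.Encrypt("cust-42", []byte("Jane Doe, IBAN DE89 3704 0044 0532 0130 00"))
	pt, _ := v.Decrypt(rec)
	fmt.Printf("before shred: %s\n", pt)
	v.Shred("cust-42")
	_, err = v.Decrypt(rec)
	fmt.Printf("after shred: %v\n", err)
}
```

Two caveats a practitioner would check before relying on this for a GDPR erasure: the unwrapped DEK must never have been written anywhere durable (caches, debug logs, swap, a KMS audit trail that records plaintext keys), and cryptographic erasure only covers data that was actually encrypted under that user's key, which is why the data-discovery work in section 1 is a prerequisite rather than a separate chore.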
3. Understanding the insider ‘threat’
If the recent AWS snafu was any indication, even the best-run organizations have a weak link: the human. The insider threat need not be malice-driven; negligence is equally potent at disrupting the business. Safeguards that limit the scope and privileges key administrators hold can help prevent both. Being able to audit logs of everything, post-facto, from a forensics perspective is also critical. An article I penned on exactly this topic appears here.
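The two safeguards above, narrow scopes for administrators and an audit trail that survives a forensic review, are shown together in the following added example, which is not the author's or HyTrust's code. Deny-by-default authorization keeps a key administrator away from the data those keys protect and keeps a data administrator inside the resource prefixes assigned to them; every decision, allowed or denied, is appended to a hash-chained log. The chaining goes a step beyond what the post states: it is there because an insider with log access could otherwise rewrite the trail after the fact. The roles, admin names, resource paths and grants are all constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Grant is the scope one administrator holds: a single role over a set of
// resource prefixes. An admin with no Grant can do nothing.
type Grant struct {
	Role   string
	Scopes []string
}

// actions lists what each role may do; anything not listed is denied. The
// split keeps the people who handle keys away from the data they protect.
var actions = map[string]map[string]bool{
	"key-admin":  {"key.rotate": true, "key.wrap": true},
	"data-admin": {"data.read": true, "data.delete": true},
	"auditor":    {"log.read": true},
}

// Entry is one audit record. Hash covers the record and the previous hash, so
// editing or dropping an entry after the fact breaks the chain from there on.
type Entry struct {
	Seq      int
	Admin    string
	Action   string
	Resource string
	Decision string
	PrevHash string
	Hash     string
}

type Gate struct {
	grants map[string]Grant
	Log    []Entry
}

func NewGate(grants map[string]Grant) *Gate {
	return &Gate{grants: grants}
}

// Authorize is deny-by-default: the admin needs a role that permits the action
// and the resource must fall under one of the admin's scopes. Every decision
// is logged; the denied attempts are what a forensic review looks for first.
func (g *Gate) Authorize(admin, action, resource string) bool {
	decision := "DENY"
	if gr, ok := g.grants[admin]; ok && actions[gr.Role][action] {
		for _, s := range gr.Scopes {
			if strings.HasPrefix(resource, s) {
				decision = "ALLOW"
				break
			}
		}
	}
	g.record(admin, action, resource, decision)
	return decision == "ALLOW"
}

func (g *Gate) record(admin, action, resource, decision string) {
	prev := ""
	if n := len(g.Log); n > 0 {
		prev = g.Log[n-1].Hash
	}
	e := Entry{Seq: len(g.Log), Admin: admin, Action: action, Resource: resource, Decision: decision, PrevHash: prev}
	e.Hash = hashEntry(e)
	g.Log = append(g.Log, e)
}

func hashEntry(e Entry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s|%s|%s",
		e.Seq, e.Admin, e.Action, e.Resource, e.Decision, e.PrevHash)))
	return hex.EncodeToString(sum[:])
}

// Verify walks the chain and returns the index of the first entry whose hash or
// back-link does not check out, or -1 if the log is intact.
func (g *Gate) Verify() int {
	prev := ""
	for i, e := range g.Log {
		if e.PrevHash != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Denied returns one admin's denied attempts, post-facto.
func (g *Gate) Denied(admin string) []Entry {
	var out []Entry
	for _, e := range g.Log {
		if e.Admin == admin && e.Decision == "DENY" {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	// Constructed grants: alice manages EU keys, bob reads trading data only.
	g := NewGate(map[string]Grant{
		"alice": {Role: "key-admin", Scopes: []string{"keys/eu/"}},
		"bob":   {Role: "data-admin", Scopes: []string{"data/trading/"}},
	})
	fmt.Println("alice rotates EU key:    ", g.Authorize("alice", "key.rotate", "keys/eu/dek-cust-42"))
	fmt.Println("alice reads trading data:", g.Authorize("alice", "data.read", "data/trading/book"))
	fmt.Println("bob reads trading data:  ", g.Authorize("bob", "data.read", "data/trading/book"))
	fmt.Println("bob reads retail PII:    ", g.Authorize("bob", "data.read", "data/retail/pii"))
	fmt.Println("log intact:", g.Verify() == -1)
	g.Log[1].Decision = "ALLOW" // an insider tries to rewrite history
	fmt.Println("first tampered entry:", g.Verify())
}
```

In a real deployment the log would be shipped to a store the administrators being audited cannot write to, and the latest chain hash would be periodically anchored somewhere outside their reach; the chain only tells you that tampering happened, not who did it, which is where the per-decision admin field and the surrounding access records come in.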
While the above tips are certainly not rocket science, the ability to balance the tactical with the need for good information security hygiene is sometimes lost, and the latter gets compromised as a result. Any organization that wants to avoid becoming front-page news (in the derogatory sense) should embrace data identification, map a path to GDPR compliance, and assess the insider threat carefully and unemotionally.
About Ashwin Krishnan
Ashwin Krishnan is a technology industry expert with over two decades of experience in cybersecurity and cloud technologies. The author of Mobile Security for Dummies, Ashwin is currently a Senior Vice President of Products and Strategy at HyTrust, a late stage security startup. A recognized thought leader, his speaking engagements include Mobile World Congress, RSA Security Conference, VMWorld, Telecom Industry Association, and Product Camp Silicon Valley.