Security specialist Andy Bates offers his diverse range of insights and recommendations on how a ‘security-first design’ can bring innovation to a FinServ organisation.
A good level of maturity
The reality we face today is that cyberattacks have become daily news across most business sectors.
Most security people in the FS space know they’re going to be attacked on a daily – if not hourly – basis. Quite simply, they face a ‘when’ not ‘if’ scenario.
The situation is certainly not hopeless, as I have seen a good level of maturity in FS over the past few years. Let’s face it, they have got a lot of money to steal. Organisations have shored up their borders, and this maturity is ahead of other industries.
FS security professionals often talk about a ‘security-first’ design when it comes to building their applications, be it on-prem or in the cloud. For companies looking to get robust or ‘best practice’ security in place there are several factors to consider.
Cloud is an important point. Initially the FS and government sectors were quite scared of this option, but now there is a general acknowledgment that the faster you can move to the cloud, the better off you are.
If I can use a timely health metaphor, I’d recommend doing the simple equivalent of washing your hands. No need for complexity; by comparison, many other solutions out there are the equivalent of brain surgery or a course of antibiotics.
Keep it straightforward and use DMARC (Domain-based Message Authentication, Reporting and Conformance). It’s an email authentication protocol – and it’s an easy thing to do.
This gives email domain owners the ability to protect their domain from unauthorised use, aka email spoofing. If it’s not done, that in itself sends a signal to the bad guys about that organisation’s information maturity status.
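As an added example (not from the article), here is a small Python checker that parses a DMARC TXT record and reports whether its policy would actually stop spoofed mail or only monitor it; the two records at the bottom are constructed samples, not any real domain's published records.

```python
"""Added example (not from the article): parse a DMARC TXT record and
report whether its policy actually enforces anything. The record
strings below are constructed samples, not any real domain's records."""

# Policies that instruct receivers to act on mail that fails DMARC.
ENFORCING_POLICIES = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag->value dict.

    Raises ValueError if the record is not a DMARC record or lacks the
    mandatory p= tag (RFC 7489 minimum requirements)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v= must be DMARC1)")
    if "p" not in tags:
        raise ValueError("missing mandatory p= tag")
    return tags


def assess_dmarc(record: str) -> dict:
    """Effective policy, whether spoofed mail is actually blocked, and
    whether the owner collects reports (the 'Reporting' in DMARC)."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))     # RFC 7489 default is 100
    sub_policy = tags.get("sp", policy)   # subdomains inherit p= unless sp= set
    return {
        "policy": policy,
        "subdomain_policy": sub_policy,
        "pct": pct,
        # p=none only monitors; quarantine/reject below 100% leave a gap
        "enforcing": policy in ENFORCING_POLICIES and pct == 100,
        "reporting": "rua" in tags or "ruf" in tags,
    }


# Constructed samples: a monitor-only record next to an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
```

In practice the record is the TXT value published at `_dmarc.<your-domain>`; run `assess_dmarc` on it and treat anything other than `enforcing: True` as a domain that is still open to spoofing.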
Drilling for the post-attack scenario
If a CISO assumes they will receive an attack, there are several steps they should have in place to ensure robust and effective post-attack recoverability to minimise any damage.
There is nothing like running a simulation and a drill beforehand. Yes, on the technical side you should back things up, be aware of ransomware, and keep two copies of everything.
But in a post-attack scenario, the ability to have people who have been drilled in what to do is worth its weight in gold.
All it takes is a few bits of laminated paper setting out the attack plan for a security incident. The individual needs to follow those steps – and I see that as very important.
The human condition – as in a military or emergency ‘blue light’ scenario – really needs that reflex reaction to cope with such a situation.
Sometimes you don’t want people thinking on their feet too much. You want them to run through the manual. Therefore, rehearse before the attack, check the manual, ensure it does what it says it does, and get people to stick to the plan.
Tackling the skills shortage
There are many challenges ahead for information security experts, such as cloud security, increasing regulation and the skills shortage. I perceive the lack of skills as the most pressing, but one that can be countered.
When it comes to good information assurance, it’s down to 80% people and 20% technology. A good place to start is to use artificial intelligence (AI) to maximise your personnel resources.
We know the bad guys have been using AI to mount their cyber campaigns for several years now – and there is a ‘fight fire with fire’ argument to be had.
It’s also wise not to get locked into the mantra of hiring only people with computer skills and degrees. At my organisation we hired 18-year-olds and taught them about cyber matters. We also brought back two return-to-work ladies of a ‘certain age’. These people bring in a wholly new and diverse set of thinking – and it all helps if we’re trying to outthink the criminal community.
I am not saying we should hire converted criminals, that’s a little too risky because we don’t know when they have converted. But I believe it’s better to try to avoid hiring people like ourselves and aim for a diverse mix.
Don’t be afraid of start-ups
Information security professionals will often be looking to build a solid data protection plan, but one that still affords innovation.
One option is to turn to other organisations out there. Sometimes big companies are afraid of start-ups as they don’t have the ‘heritage’, but if you give them a try on a limited scale it’s a good way to augment the foundations for what you’re trying to achieve.
To outwit criminals, you need to think like one – or at least think differently. And working with start-ups is a good way to think outside the box.
You also need to talk to your peer groups and those outside that category – even if you have a large department working on security.
From my personal experience, I have found people will share stuff. If I get enough CISOs in a room with a whiteboard – and enough coffee – once they realise they are all fighting the same battle, they will share best practices, documents and information.
It can be noisy with all this information, so you have to pick and choose. But innovation is not about reinventing the wheel or reinventing what somebody has already built. I have seen so many CISOs who start from ground zero with a blank piece of paper.
It is far easier to talk to people in the industry. If person A helps person B, they in turn will help person C. This means we will all benefit – and you will enable a ‘security-first design’ and innovative experience at your FS organisation.
Andy Bates is the Executive Director of the Global Cyber Alliance, an international, cross-sector non-profit dedicated to confronting systemic cyber risks.