Information security professionals can hardly be blamed if they’re ambivalent about digital disruption and digital transformation. On one hand, they’re getting traction with disruptive security technologies, whose automated, real-time capabilities help transform the security function. On the other, they’re facing mounting cybersecurity challenges as their organizations leverage IoT, AI, social tools, and mobility to become more efficient, effective, and engaging, said Don Anderson, a presenter at Sage’s 2017 CyberCrime Symposium.
As CIO for the Federal Reserve Bank of Boston, one of 12 district banks that comprise the Federal Reserve System, Anderson should know. He and his counterparts oversee the IT systems — including monetary policy and other critical applications — that drive the Federal Reserve, which processes $20 trillion in transactions daily. As the nation’s central bank, the Fed navigates a mine-filled cyber-landscape as it brings new sensors, devices, and systems online, works with banking disruptors that favor speed over security, and protects the data of the banks it reviews.
In his presentation, Anderson emphasized the importance of cybersecurity in the face of digital disruption and transformation. Over the last two years, he’s worked with several financial technology (fintech) start-ups, whose innovative intelligence often outpaces their cyber-smarts. “We want to understand their model because they’re trying to disrupt and even replace banks,” he said. “While they’re doing some great work, they’re focused on technology and revenues, not cybersecurity.”
Banking Big on Cyber-Tools and InfoSec / Business Alignment
Not surprisingly, the Fed spends a significant amount — a third of its entire budget — on its IT infrastructure and systems, including the technologies that secure them. “We’re very focused on cybersecurity, so we spend a lot of money on security products,” said Anderson. “We probably have every product under the sun.”
Among the Boston Fed’s cybersecurity priorities are third-party and insider risk management. With no insight into cyber-risk, organizations in financial services, a heavily regulated industry, won’t be operating for long. Anderson provided recommendations, and a cyber-risk management roadmap, to help attendees improve their risk profile.
Ensure security teams understand the business.
Two years ago, Anderson hired a new CISO as part of an initiative to ensure his security teams closely partnered with business line stakeholders to understand their operations, systems, missions, and objectives. Now, they can proactively secure the technologies that business users require, rather than react when they discover a line-of-business has deployed a new system. Thanks to this close partnership, Anderson said, the Fed has achieved better overall security.
- Focus on key capabilities, not key controls. As partners, security and business leaders work together to ensure secure operations for the various lines of business (LOBs) and at every stage of new IT initiatives. They should focus on outcomes, not on the controls that enable them. Anderson cited policy exception requests for required security controls as one area of improvement. “Since this alignment, policy exceptions have dropped through the floor,” he said.
- Develop both technology and business knowledge. CISOs who develop business acumen to support their technical knowledge create thriving partnerships.
Focus on cybersecurity risks, not compliance.
While the Fed is a compliance-driven organization, compliance doesn’t mean a strong cybersecurity posture. A third-party vendor, for instance, might be 100% compliant but still have weak cyber-practices. “We’re moving to a cloud-based ERP system, but we can’t hand the provider a 1,000-page security manual and tell them to comply with every requirement,” said Anderson. A far more effective approach is for security leads to ask the provider to identify the top security issues of a specific deployment.
Measure cyber-risk consistently.
Every organization, regardless of size, looks at risk differently. If its operations are distributed throughout the country, as the Federal Reserve’s are, a lot of people are making decisions that affect cyber-risk. One business unit may rank the cyber-risk of a move as low, but the IT team running the mission-critical applications affected may consider it a high-risk change.
To address this, the Fed has adopted a cyber-risk measurement model that allows security teams to measure the impact of a specific action and assign it a risk number. Business leaders, Anderson said, appreciate this new approach, because they can process a simple score much faster than they can a report.
Prioritize IT assets to apply cybersecurity controls.
Two years ago, Fed IT leaders prioritized the organization’s portfolio of applications. Out of nearly 7,000 applications, they identified the 50 systems most critical to operations and reviewed each in detail. Now, when a new vulnerability comes out, they can quickly assess their exposure across these key applications.
Fed stakeholders practice cybersecurity preparedness by modeling various cyber-attack scenarios. In forecasting exercises, they select key business processes and, within a grid, plot possible adversaries along with their cyber-weapon capabilities, motivation, and attack likelihood. They do similar forecasts for significant economic, political, and other events ripe for cyber-attack, and try to predict how these might impact the Federal Reserve. “It’s important that organizations understand the potential impact of different attacks,” Anderson said.
This is the sixth post in our series presenting key takeaways from our 2017 CyberCrime Symposium, held November 2-3, 2017. The program was packed with an incredible line-up of speakers discussing the latest tools and techniques being used by cybercriminals, and most importantly, what attendees could do to enhance their organization's cyber resiliency. If you couldn’t get a seat at the event — centered on the need to “Think Global, Act Local” — or want a refresher on various sessions, this is a not-to-be-missed series!