
Malware. Hackers. Viruses.

By Edwin Mach


As a C-suite executive for your credit union, you have just spent a great deal of money on the latest security boxes and antivirus software to keep the hackers out of your financial institution. (JP Morgan spent $250 million, according to Bloomberg.) You go to bed every night assured that no hacker will have access to your members’ data. Then, one day, you wake up and discover that your members’ records were compromised.

This real scenario could happen to any credit union; it happened to JP Morgan. With such a large annual IT budget, one wonders how much money one has to spend to create an impenetrable wall around members’ data. This begs the question: Is it how much money one spends or is it how one spends it? Or perhaps it’s not how one spends it, but how the company governs its data through security policies and practices?

Your security policies determine your spending. What you choose to spend on, and how much, should depend on your credit union’s security policies. For example, if your security policies dictate that all customer information must be encrypted, it would be a good idea to research the key management and encryption hardware and software out there that meets your minimum security level and access policies.

In this case, it may even be worthwhile to determine whether one person’s credentials can have access to everything. This is known as access policy management. Or, if your security policies state no “BYOD” (Bring Your Own Device), but your executives want to use their personal iPads at work, it might be a good idea to research which of the mobile device management vendors (companies that administer mobile devices, such as smartphones, tablets, laptops and desktop computers, such as AirWatch, http://www.air-watch.com) will accomplish your specific use cases.

In addition to driving your spending levels for a particular type of technology, your security policies should guide which specific solutions to purchase. Some consultants will say you need a security “roadmap,” or schedule, to get you to where you need to be in terms of securing your credit union, given your budget. But if your roadmap is starting to look like it will take way too long to accomplish, you either are not prioritizing correctly or your security defenses may be at serious risk.

Since your IT budget will be much smaller than those of many of your bank competitors, you’ll have to take a hard look at your security policies with senior management and IT executives and involve the board as necessary.

Is what you pay for what you get? JP Morgan could probably have afforded the best security devices and software there is to buy. It could have used layers and layers of security software/hardware combinations so that when hackers penetrate one layer, they’d have to get through another one. But still, JP Morgan was hacked. (For those interested, JP Morgan was hacked because one of its servers was not protected by MFA, so all the hackers had to acquire was a username and password to gain access.) So in this case, it wasn’t about the money or the solution (the solution existed but for some reason was not applied), but about the right security policies and enforcing those policies through regular audits and tests. JP Morgan did have multi-factor authentication, but this article suggests that one server was not patched correctly.

Do your research, but don’t put all your eggs in one basket. When it comes to security, an integrated approach using one vendor’s solutions will make sure everything works well together. On the other hand, a diversified approach will make sure that if one vendor fails to detect a threat, the other may catch it. It is known in the industry which security vendors are good at which functions, so do your research. You’ll want to identify which vendors truly specialize in one security function, and which, if any, are truly “great all-around.” Third-party analysts or research reports may offer suggestions, but the best suggestion is to take advantage of offers to demo or have a trial period of actually using a particular solution before committing to purchasing it.

Steps to Security Success
  1. Define your organization’s security policies with senior management and IT executives.
  2. Decide how to enforce and measure success.
  3. Involve the board for any risk or budgetary constraints.
 

Security requires intense upkeep. By now your head should be spinning. The security industry is growing rapidly, and malware/viruses have taken different shapes and forms to outsmart the security vendors. As a result, security solutions are taking different forms as well.

As with anything in technology, what you buy today might become obsolete in the very near future. But your security policies will probably outlive any piece of vendor solution. Your security policy is a living, breathing document maintained and executed by the staff or third parties, and embedded in the culture of the company.

Edwin Mach is vice chairman of the board of $1.1 billion Meriwest Credit Union in Silicon Valley, Calif. He formerly worked in the security technology space. For a sample list of security policies, please feel free to reach out at mach.strategy@gmail.com.
