Financial services in the early 21st century Shareholder value and security information management

Today, citizens of the United States and Europe are responsible for managing more money than at any time in our world’s history. And the emergence of China and India in terms of both the workforce and the global marketplace is reshaping the context in which we do business. As Thomas Friedman points out in The World is Flat: A Brief History of the 21st Century, the citizens of India and China are joining the workforce and doubling the world’s ‘middle class’, along with the world’s need for financial services. Simultaneously, the emergence of the internet as a viable delivery platform has enabled financial service institutions to offer efficient, personalized, affordable, round-the-clock services to enormously dispersed audiences.

These undeniable global forces create a stage on which the stakes are high. Increased revenue, profit and shareholder growth await properly prepared and integrated financial services institutions. For those who stumble or stall, the Flat World will pass them by.

But what is the case for security information management as a requirement for information security and, by association, for growth in shareholder value? There are some important issues for us to consider.

Risks to citizens and markets draws government response

When we consider information security, we must discuss its close companion, compliance. The truth is that identity theft, fraudulent financial reporting, improper IT controls, information security vulnerabilities and general forms of information system fraud produce genuine risks and cause devastating losses.

Measurable losses include business disruption, legal sanction, alienation of customers and, of course, literal financial loss. But the most damaging losses involve damaged reputations, tarnished institutional credibility and the withering effect those consequences have on stakeholders’ confidence in our financial markets.

The well-intentioned response from our governments has been to invoke legislative replies to address prevalent types of risk. Examples of legislation pertinent to the financial services industry include Gramm-Leach-Bliley, Sarbanes-Oxley, Basel II and the California State Bill 1386. Generally, these regulations are intended to protect citizens and sustain credibility in our markets and institutions.

While increased regulation may seem onerous at times, financial institutions should strive for more than compliance. In fact, an institution can benefit enormously if it can closely align compliance, information security, operations and the executive viewpoint. Alignment creates a sense of leadership, direction and lasting consistency that permeates an institution’s culture.

Reputation is determined by responsiveness

Interestingly, the manner in which an institution handles the post-incident investigation and communication processes – rather than the incident itself – primarily determines the impact on the institution’s reputation. In other words, the institution’s post-incident conduct ultimately reveals its pre-incident preparation.

As personal computer users, we all deal with spyware, popups and viruses, and we’ve learned to anticipate these and other threats waged on our personal computers and take precautions. We’ve learned, therefore, to expect problems, but also to have solutions available to protect our computers and our information. Thus, we’ve installed our favorite security software, which minimizes incidents and better prepares us for when they inevitably do occur.

Likewise, we expect our financial institutions to take prudent measures against security threats and have well defined investigation tools and procedures for when they, inevitably, do occur.

Security monitoring and streamlined investigation

A financial institution must ultimately find a balance between security and expense, and indeed between convenience and profit. While expected, risks – despite budget constraints – must be addressed to ensure end-user convenience in a reasonable operating environment. With these concerns in mind, it is vital that institutions be able to prudently monitor for common security incidents and to rapidly investigate incidents as they occur.

However, complicated computer networks and a lack of solutions have prevented institutions from automating the processes related to monitoring and investigating security incidents across their enterprises. The challenge, of course, is that billions of dollars of transactions flow across the networks of financial institutions, which depend on a myriad of servers, applications, security devices, databases, access servers and the like. These systems are numerous, are often geographically dispersed, and produce audit reports in many different formats. Finally, there is an overwhelming amount of audit data (an ‘epic tide’) produced by the systems. The result is that we need an easy way to capture, manage, analyze and audit information produced by the systems.

The emergence of security information management

Recently, security information management (SIM) solutions have emerged as vital responses precisely because they enable organizations to carry out and synthesize these tasks. SIM solutions can be flexible and scaleable enough to deal with all the different systems and manage the vast amount of audit data. Security information management has enabled institutions to monitor for security incidents and investigate incidents as they occur. And, SIM solutions can be easy and affordable to maintain relative to the alternative manual processes. Thus, SIM solutions have emerged as central to sustainable information security and compliance. And in turn, SIMs are essential elements of ensuring ongoing institutional credibility.

Application and insider risks drive new requirements

Over the past few years, networks and systems have been hardened with intrusion detection and prevention solutions, anti-virus solutions, spam control, patch management, firewalls, authentication, authorization, encryption and other technologies. In this environment, SIMs play the role of centralizing, managing, analyzing, auditing and archiving the data produced by the various network and server components. SIM solutions can monitor and audit for attacks of many forms, such as blended information security attacks or time-based attacks, which are conducted against systems in geographically dispersed locations. SIMs therefore centralize and operationally simplify the vast amount of security data that today’s financial institutions produce.

Interestingly, the most damaging and common information security threats are moving ‘up the stack’ to applications and insiders. While the perimeters of our networks have been hardened, applications are complex to completely secure, in part because human beings are nearly impossible to predict (and are very imaginative). Emerging information security incidents that can be highly damaging include selling customer records to a competitor, redirecting customer shipments for sale by a third party, identity theft (involving many techniques), manipulation of financial reports, and even collaborative fraud rings involving insiders and outsiders. It is only prudent that financial institutions identify these types of risks in their business and take steps to monitor for them and have tools and processes for when they occur.

SIM solutions must therefore be highly flexible for handling audit information from applications and network access points so that they can monitor for escalation of privileges, creation of super-user accounts and login failures to our important systems and access points. They should also provide the foundation for monitoring and auditing the complicated forms of application and insider security threats described above. Ultimately, financial services institutions – and indeed their stakeholders – will benefit profoundly by integrating SIM solutions into the fabric of their business.

Sidebar:

Sidebar: