
FST talks with Frank Wu about the challenges of global security management and how new technologies are impacting the space.
“Right now, we are outsourcing mostly in basic functions. But on the architecture and assessment part, we don't do it”
-Frank Wu
What are some of the unique security challenges facing an organization of Citi's size and global reach?
Frank Wu. I believe the biggest challenge we have is because of the complexity of the solutions that we have in Citi. We have somewhere around 10,000 different technologies currently deployed. In the past, we have tried to unify the solutions as a security policy across the board. It turned out that it just cannot be done in reality. We either applied it too hard or made it too loose. So right now, the biggest challenge is really how big the risk is for that particular implementation.
From that perspective, we are converting into risk-based security. Everything is about looking at risk itself. If it's a high risk, we have to address that higher with more cost, more capital investment. If it's a lower risk with less potential impact, it really shouldn't be addressed as much. That's a good concept. The biggest challenge to us right now is we are still in the evolving stage of determining the risk. Often you don't know the risk until you know exactly how you want to manage it and deal with it. However, I believe we are headed in the right direction.
A strong security architecture is clearly important for a firm like Citi. How are you garnering feedback on your architectures and your strategies to ensure that development is made in the correct fashion?
FW. In reality you never know. You only keep trying and trying to improve yourself, because security's a never-ending challenge. One year, you think you've hit it, and then another threat comes in. The threats keep building in sophistication, and every day brings something new.
So you don't know if you are good enough. You only get to the point where you feel comfortable. In terms of security architecture, it comes in multiple stages. That is a series of events that proceed along the entire deployment cycle and life cycle management. So from the beginning, when we engage with a vendor at the feasibility study stage, we really take the time to look at the solution ourselves and how far it complies with our needs.
Once we come into our lab environment, our engineers start to look at what we call Citi-specific implementations. That's the time when we actually look closer at our compliance in item-by-item detail: in terms of operations, in terms of the configurations, in terms of how it will be deployed, and the internal administrative accounts, administrative login support, and accountability. All of those we look into.
Then, if those requirements are met, we move into production. I take it as security architecture from the process perspective. We also look at it from the enterprise environmental perspective, the infrastructure component and the communication itself. We check to make sure these are all aligned.
I think we can accept that perhaps everybody has security software now, but perhaps not the complete security solution. What do you think is missing?
FW. Everybody has security software, but I don't think there's one cohesive solution. Almost every company, I believe, tends to have a lot of point solutions. You will have a solution to protect the desktop. You will have another solution to protect entry points at the network premises. Then you have another solution at the end point, which is the server itself. These three solutions may not come from the same vendor and may not address identical stuff. So what that really means is we have a lot of the coverage overlapping, which can leave holes.
It takes a great deal of effort to know what is overlapping and what the missing points are. It takes a great deal of analysis, and a lot of time. I don't think there is a single solution at this point.
I think the industry probably will not come to a very good solution until a lot of security companies are integrated under one umbrella. Right now, we have a lot of point solutions provided by smaller vendors, which results in a lot of niche solutions. You can stitch them together, but it doesn't mean it's a fabric.
Difficult times can lead to both customers and providers neglecting innovation to an extent and just sticking with what they know. Has the financial turmoil had any impact on Citi's security architecture?
FW. It definitely has an impact. At the very least, it will slow down deployment. Security really is a matter of: you will never get 100 percent coverage. So you may reach 90 percent, but the last mile, or 10 percent, is very costly to do. Sometimes, we had to do a manual process to compensate for it.
As a result of the financial downturn, deployment of new technology tends to be slowed down. Also, a lot of vendors become very unstable. You can end up hesitating to work with a new vendor because you don't know how long they are going to be around.
It's not all about cutting heads and cutting costs. Often, it's about spending money in a wiser way. How are you looking to change Citi's security in the next two to three years? How are you driving in that direction?
FW. This is a big question. Three to five years is a very long time in the security space. But we are pretty much focusing on two domains. We look at it as infrastructure security and application security. Infrastructure security is in terms of the platform, network, storage, those kinds of things.
Then security administrative solutions and compliance solutions are also considered infrastructure. Application tends to concern the user interface for dealing with customers. We are looking more into these tools and then trying to converge them into our risk management solutions. We are not going to use it to unify the assessment or approach for everything. That alone will probably take us a few years to do.
New customer technologies, like Web 2.0 clearly have quite a prominent role to play in the future of banking. What challenges do they propose from your perspective?
FW. I am not so sure about Web 2.0 yet. To me it is still too new to know a whole lot about it. I'm more concerned about the amount of information and the bandwidth of the consumption, and it seems to be that the first thing that happens to me is you need to handle more information.
More information means more CPUs, more datacenters. People in the market, we always want something better, nicer; that's what 2.0 is all about. But from the data center perspective, you really want to have something that reduces the cycle: less CPU footprint, less heat footprint. On one end, you want to give a very good service to the customer. On the other end, you try to contain your resources because all of those come at a cost. From the security perspective, I don't have a lot to say about Web 2.0 yet. It's just too new to me.
As things like Blackberries and iPhones continue to grow in popularity, expectations are continually being reset by people who demand more, perhaps at a pace that outstrips business. How should Financial Services respond?
FW. In this case, I tend to believe we are kind of slow. In the sense that we do have Blackberry. We have spread Blackberry widely, nearly to the point that everybody I know has one. However, our Blackberrys are centrally managed. You don't have all the functions and fancy features on the Blackberry.
My Blackberry is really only for email; it has limited browsing capability. That limits our exposure to the risks. The Blackberry to me is just an extension of my desktop. On the other hand, we lost a lot of fancy features on the device itself. You have to make compromises.
Long-term, obviously, the next generation of employee is very much going to be coming in to work with his or her iPhone and perhaps expect to be able to use it.
FW. They would like to, but I don't think that we will let them. Right now, in our environment, for example, you don't have any access to personal email. It has to be corporate email only. So you don't have to worry about an employee using a corporate computer connecting to Hotmail and then bringing something you don't want into the organization.
Many analysts of course are predicting increased IT outsourcing. Do you think this will ever impact on your function?
FW. Outsourcing has been happening for a long time. But in Citi, most outsourcing in our world, we actually outsource to our overseas divisions. For example, we have quite a large group, maybe more than 20,000 people, in India, but they are our subsidiaries. So it's internal outsourcing. In terms of impacting my function, I don't see it this way. Right now, we are outsourcing mostly in basic functions. But on the architecture and assessment part, we don't do it.
What the Cloud means for security
It's a good concept. Google and Verizon are both trying to go in that direction. However, I have a lot of concerns about it. If you outsource resources to a Cloud computing vendor, you are talking about leaving your security and compliance to another person to handle.
That doesn't mean you are not obligated. You are still liable for your data, right? I tend to believe everyone in the same industry will trust the same vendor. That means our peaks will happen at the same time.
The idea of the Cloud computer provider makes me think of something like a utility company. But even utility companies have outages where they aren't able to meet demand. Cloud providers need to make sure that can't happen and that they can cope with peak loads. However, are they really going to want to do that if 80 percent of the year there is really low usage?
If they make it that way, it's not going to reduce the cost. But if we do Cloud computing within the enterprise, that could be a different picture, because we should be able to time our different business segments. Each segment has a different peak time. Student loans may have one peak cycle in the spring, when everybody gets student loans. And then the credit card part may be a lot busier at the end of the year, when everybody is doing their holiday shopping. They won't peak at the same time. If they share the same resources, from a Cloud computing perspective, then you build a peak to meet one. You don't build a peak for two.