25 May 2011

Safe and Sound?

I’ve been in technology in the financial services for pretty much all of my career. About 11 years ago, I went into information security as a specialty and I’ve been very much involved with the industry on the national level with security and privacy issues. I’ve written a book and a number of articles and I’m a great believer in the private-public sector collaboration because I think we need to work together to secure the critical infrastructure worldwide.

What I look at is essentially two things. One is the security related to IT outsourcing. Every IT outsourcing project has a security component that you should be aware of. The other is the actual outsourcing of information security functions, which is where you have to be worried about the security of the security.

I take very much a risk-based approach. I try to delineate all of the risks that relate to outsourcing. I think many analyses that organizations do are lacking in considering some of the risks and some of the costs and benefits, both tangible and intangible. There are many intangible costs and benefits to an outsourcing relationship that may not be easy to quantify but should be included, at least in terms of comments and concerns and so forth.

I tend to say, “These are the risks. These are the costs and the benefits. What I do recommend is you do a full analysis and make a decision based on the knowledge that comes out of that.” And there are a number of risk components that I haven’t seen developed elsewhere. For example, I’m very conscious about the reliability of both the outsourcing firm and the outsourcee. You also need to consider things like the relative strength of each organization where one is large and one is small. All of these interactions play into the kinds of risks involved and the kinds of analyses that you have to do.

But if financial organizations are considering this type of outsourcing, there are a number of issues to consider. For example, you have to consider the expertise of the outsourcer and whether the service provider can deliver the level of knowledge, both of the business and the technology that’s required. I think it’s important to retain some level of expertise within an organization. If not, there’s a danger that it will atrophy and leave. Remember, you have to oversee what’s being done, particularly in the highly regulated financial services industry. The regulators are putting the full liability and responsibility on the financial institutions even if all the information is handled by a third party. It’s commonly said that you can outsource the operation but you can’t outsource the reliability.

I think that’s key. You have to maintain the capability. You have to be aware of what I call function creep. Many outsourcing relationships start out at a certain level where perhaps security isn’t key, such as with the service provider looking at publicly available information. For example, I know of a case where the pricing of obscure securities was outsourced. The way you research that is to go to public sources of information. When it comes to expanding that to specifically pricing securities held within the institution, that will likely require access to the financial institution’s computer systems. Once you give that access, it’s possible that there’s sensitive personal information that’s available on those systems. All of a sudden, it goes from a low-risk, low-security environment into one about which you have to be very careful.

I think that this function creep happens and a lot of times the appropriate people within the organization are not notified. It doesn’t get back to the security professionals and the security group, so that’s another issue.

Another aspect is you have to strategize and incorporate an end game strategy into any agreement with an outsourcing provider. How are you going to terminate this relationship? Under what conditions are you covered?

There have been situations where, for example, the outsourcing service provider will determine that they don’t want to be in that business, so you have to be able to extricate yourself from that. In other cases, you don’t have that luxury. They go out of business and that can cause all kinds of problems.

At the start of the century, some major outsourcers bellied up. I remember talking to one of the security officers from a financial institution and she said they were really scrambling. They didn’t have a backup.

Human nature

If somebody has bad intentions and they want to access your internal information to do damage or copy the information, a very common approach to that is to compromise the individual. That’s where you get things like phishing, pharming and so forth. The individual opens the door not realizing it and then the bad guy comes in through the open door. The human element is part of the process and I don’t believe that security professionals are trained in this.

In fact, most technology people are pretty bad at understanding human psychology. We all know the old cliché that they prefer working with machines than with people. So I think that there should be people coming in with forensic psychology backgrounds and sociology backgrounds.

We need more and more of the social scientists who understand how people interact with systems. My feeling is that it is going to be vital to pull in these experts because I think that the human element is unquestionably a major area that hasn’t been looked at in anywhere near enough detail.

We tend to look at security systems in terms of catching bad behavior, but really what we should be doing is preventing people from getting into trouble. There’s no joy in letting somebody violate a rule and then punishing them. It would be much better if they were prevented from violating the rule in the first place.

For instance, take the reuse of IDs and passwords. That is definitely against policy because one of the primary things you want to know is who it is that’s accessed the system at any given time. That’s a major problem. What I’ve found is that in many cases people whom I’ve seen do that have said, “Well, it takes so long to get an ID and a password. It takes two weeks. I have to finish this project in five days. I just borrowed this password so I could get the job done.” The reality is that the true problem is your onboarding system is not efficient. You should be able to bring somebody on within hours, not within weeks. That’s why I prefer the preventative view rather than the reactive approach. Don’t chastise people because they tried to get their job done. The system didn’t allow it and they came up with a way around it.

The internal threat

What happens the vast majority of times is that employees will do something in violation of a policy, for instance, send email to their home account with no intent of doing anything bad. In fact, the intent may be a good thing. But even if they want to work over the weekend so they get the job done in time, it’s still a violation and there’s still risk. Somebody could intercept that mail or somebody on their home computer might access it.

The reason why I believe that the insider threat is underestimated is that I’ve seen many occasions where institutions have put in place the monitoring software for outgoing email and access to various databases and so forth.

Each time they do that, they discover a whole new set of things that they never knew about before. They may not represent the major risk to the organization, but they really ought to know about it. The real risk there is that things are happening which you’re not able to monitor.

I think that in most cases it’s not an immediate threat. Most employees are honest people. They want to do their job, but not even knowing allows for the bad guys to get in without you knowing. I think that the biggest risk is not knowing the extent of your exposure.
