Today's financial services chief information security officers (CISOs) are being confronted with new challenges every day. In fact, as the battlefield has shifted from perimeter-based security to information-centric security, the job description of a successful CISO also has changed. To be successful today, CISOs must become chief information management officers.
While securing the infrastructure is undoubtedly necessary, that measure alone is insufficient. Protecting only the infrastructure neglects a company's most precious asset -- the data itself. A better approach to information security takes fundamental information management -- consolidation, classification, backup, recovery and archiving -- into account.
Directives such as the FFIEC's Internet banking guidance have brought attention to consumer identity protection. But information security executives also should be attuned to other issues, specifically related to how financial institutions (FIs) protect partner information, intellectual property and private customer data throughout the entire information life cycle.
Moving Beyond Perimeter Protection
Despite massive investments in information security technology and services, fewer than one in five financial services companies feel that all their information is adequately protected. Why? Because investments have often focused on building a hard exterior without addressing the need to make sure that the information itself is secure. Information is dynamic: it moves from place to place and is legitimately accessed by many people in many locations, so it does not conform to the limitations of perimeter-based security. And while many FIs recognize that a security gap exists -- and know there is a definite business need to fill it -- many don't realize that closing the gap requires an information-centric security strategy rather than more perimeter controls.
This gap in knowledge is understandable. For years, security solutions were rolled out with the primary goal of locking out unauthorized users. Virtual perimeters were created -- the intangible equivalent of an armed guard or a locked vault -- to protect the infrastructure in which sensitive information was housed. But a perimeter only decides who gets in; it says nothing about what an authorized person does once inside. Just as a bank worker with a key to the physical vault could walk off with bars of gold, today's insiders can use their legitimate access to reach sensitive personal, partner or company information.
In addition, in today's world information rarely remains solely within the FI's perimeter. PDAs, laptops and other mobile devices let employees and others carry data out of the hardened interior, which negates the perimeter defenses entirely. If a PDA or laptop holding critical information fell into the wrong hands, outside the reach of every perimeter control, how would the information be protected?
When confidential information is breached, companies face a number of serious issues, including lost customer confidence, media scrutiny, damaged reputation and the consequences of noncompliance with regulations. As attacks on the information, as opposed to the perimeter, grow -- and as the legal and financial implications of breaches grow -- the vendor and financial services communities need to step up and address both the issues and potential consequences of not housing and handling information securely.
The harsh reality is that while perimeter defenses are absolutely necessary, such solutions alone are simply not enough to protect a company's information. Returning to the bank analogy, consider this: Would you ever post a guard at the door but leave a pile of cash unprotected in the middle of the building? Of course not. But in today's world, that is essentially what happens in many organizations.