Whether it's the Sasser worm or a hacker, security breaches are serious business in the financial-services industry. At this year's SIA Technology Management Show and Conference, security is getting some much-warranted attention during a panel discussion tomorrow afternoon. The "Hot Topics in Security" session will address an issue all financial-services firms are grappling with in one form or another.
Jonathan Gossels, president of SystemExperts Corp., and his colleague Brad Johnson, vice president of consulting at SystemExperts, will moderate the session, with panelists to include Rich Reybok, vice president, information security and privacy at Merrill Lynch, and Gordon Zacrep, manager of information security at The Vanguard Group. "The world of security has gone from relatively simple 10 years ago to very complex today," says SystemExperts' Gossels. "There are so many things firms have to worry about, from the network to the applications to the workstations, as well as regulatory issues and compliance."
The first "hot topic" that Gossels describes is what he calls "defense in depth," or the concept of how to secure the enterprise, which is continuously changing. "Wall Street firms used to think that the way to secure their network was to build a perimeter around their infrastructure using devices like firewalls to separate the Internet from their internal networks," he explains. "Now that is changing as firms have realized that, because of technological changes and changes to their business models, the notion of perimeter is harder to understand: there is no hard, fast perimeter at this point."
This leads to the notion of defense in depth, or making sure that every aspect of the enterprise has an appropriate security component. "The depth refers to places in the IT infrastructure where firms must build in security mechanisms and policy and not assume that the places next to them will take care of it," adds Johnson. "The way networks work these days, the perimeter doesn't really exist. Firms must do more than necessary, just in case someone gets around the perimeter that has been put in place."
The second topic that Gossels will explore with the panel is the complexity of security facing the financial-services industry and how to manage it effectively. He points to the strategy being undertaken by Vanguard and Gordon Zacrep's team, which utilizes a dashboard approach to monitoring and understanding security across the enterprise.
According to Zacrep, Vanguard's in-house-built dashboard security system provides a database to input and monitor 34 different security components across the firm. Each of these components has an owner to keep track of the security issues, monitor them and review them on a monthly basis. In addition, the security reports generated are presented before the board of directors twice a year.
Zacrep's Information Security group is responsible for managing the security program through the dashboard. "Historically, there were different areas of the firm, such as internal audit, IT or the business owners, looking at security and forming different opinions on it," explains Zacrep. He adds that these inconsistencies led the CEO to ask for a unified view of security and the development of the dashboard. "With the dashboard, the three groups have to agree on the assessments that are going on during monthly meetings before it goes to senior management and the board of directors."
The 34 security components are effectively broken down into four main categories: operations security, application security, security architecture and organizational security. Each of the components is based upon security best practices and standards, with assessments on how the component is doing and what things need to be done to improve it. "Any threat we get is put into the proper category and the owner takes control, so the dashboard is continually updated," says Zacrep.
Why is security so complex these days? "Most firms have morphed from a mainframe environment to an incredibly heterogeneous environment," says SystemExperts' Johnson. "Within the environment they have desktop operating systems and server operating systems, third-party applications, authentication or authorization; everything new adds complexity. Then, when you add on that these are all coming from different vendors who have different viewpoints on how security is handled, integration becomes complex." Firms can work to reduce the complexity and properly manage security by categorizing it and making progress both individually and collectively, he adds.
Throw in the ever-quickening pace associated with security, the outsourcing trend and the increasing adoption of Web applications (more topics that the panel will discuss), and security becomes even more complex. "It used to be, when we conducted a security review, we would ask, 'Do you have an anti-virus system in place?' Now the question isn't just do you have it, but how fast do you propagate those virus updates to all of your systems, and how fast can the virus patches be applied?" says Gossels.
The software development cycle is also changing to keep up with security concerns, adds Gossels. Firms are looking for independent code reviews and actual testing of applications on the network to determine if intruders might be able to access the application. "This is critical to new Web applications," he says. "It's becoming an important part of what has to happen before those applications are released."
As security becomes even more complex moving forward, the organization itself is also key to safeguarding any firm. In Vanguard's case, it's a strategically designed organization, headed by Zacrep's Information Security group that is made up of 10 people who manage the overall security program, coordinate security policy and conduct high-level monitoring and assessments. In addition, there is a security architecture group within IT and security architects within each of the different IT divisions, as well as "security champions" within the businesses, and a business-contingency group that also addresses security. Security is no longer siloed as a separate function but has to be integrated and addressed at every point within the business.