Perspective

Back to Basics on IT Security

As information security stresses increase, remember the fundamentals. And make sure your CISO is really smart.

BY BEN ROTHKE

One of the memorable quotes from the movie Bull Durham was: “This is a very simple game. You throw the ball, you catch the ball, you hit the ball.” Information security is like baseball—you encrypt the data, you decrypt the data, you use the data.

As 2011 starts, the key to data security is to focus on the security fundamentals while also looking to new technologies. Here are some of the fundamentals:

Governance and oversight. Why do many enterprises place their laser toner cartridges in a locked room? Everyone knows that even with all of a bank’s dedicated employees, a few bad apples can make a lot of expensive office supplies disappear quickly. But are the terabytes of a bank’s data adequately locked? If not, a ten dollar USB thumb drive can download unimaginable amounts of corporate proprietary and sensitive confidential data.

Where does the security buck stop? The reason a bank has a CFO is to ensure the management of financial risk, in addition to effective financial planning. Just as your finances need a smart person to be on top of them, so too does your data. Even if your data is locked, is there a person who is charged with overall governance and oversight around all things information security? If not, you don’t have information security. If there is no security oversight, kiss your data goodbye.

If your chief information security officer (CISO) is not at least as smart as your CFO, then you will have much less control over your data. Given that data is the lifeblood of many organizations, the lack of an effective CISO can be information suicide. Only an individual with strong business savvy and security knowledge can oversee security planning, implement policies and select measures appropriate to business requirements. That person is the CISO. Make sure your firm has one.

“Given that data is the lifeblood of many organizations, the lack of an effective CISO can be information suicide.”

Security standards. They say about Chicago that if you really hate the weather, just wait an hour, and it will probably have changed by then. Computer security is like Chicago weather—it’s dynamic and there are always new threats on the horizon. Strong corporate security standards are needed to deal with the new security technologies that will find widespread adoption in 2011. Be it social media, cloud computing, videoconferencing and more—these technologies must have security standards upon which they can be built. Lack of standards means that security will eventually have to be retrofitted. The significant problem there is that any sort of retrofit is always a much more expensive endeavor than it would have been had it been done correctly in the first place.

Demonstrate the value of security with technical and financial metrics. Your CEO, COO, CFO, and executive board don’t care if you use Check Point or Juniper. What they want to know is how effectively the bank is protected. Communicate that the bank’s risk exposure is in check. If you can demonstrate to the executives that the security group uses mature risk frameworks to manage the bank’s risk posture, you’ll have won them over.

Scare them, but don’t FUD them. Once again, you can assume your board members are very intelligent to have been appointed to such executive leadership positions. So don’t use fear, uncertainty and doubt, but instead, let them know that it is no longer “their mother’s network.”

The threats facing most networks today are significant. The Yankee Doodle virus of the 1990s did nothing but annoy you. But today’s attacks are targeted and stealthy. If you are a Fortune 500 organization and not discovering at least two attempted attacks per week, then you need a better monitoring program.

Open source is your friend. If you asked someone 10 years ago if you could have “no zero” for security software with a strong security program, you would have been laughed at. Today, no one is laughing at open source security software and tools. The essential benefit of open source is not necessarily that it is free; rather, that organizations that use open source generally understand their problems better. They take a more tactical approach to security fixes by using open source. When combined with a highly technical staff, my experience is that banks that have embraced an open source security program generally have a much better understanding of their core security issues, as opposed to blindly throwing tools at the problem.

Not that open source is a panacea. When open source tools are deployed and configured incorrectly, they can introduce more risks than they stop. But banks that realize that open source can be their friend and embrace it are generally those that truly “get” information security.

Know the hot security technologies for 2011. Core security technologies such as firewalls, encryption and intrusion detection will continue to be needed in 2011. As well, some of the hot security technologies for this year include those that enable banks to secure corporate data on iPads or iPhones, and those that protect against targeted attacks—the recent Stuxnet malware attacks show that targeted attacks are growing, and banks need a way to avoid them. Social media control is another: banks such as JPMorgan Chase, Citi, US Bank, and others have created corporate pages to interact with their clients; other banks will look for security controls to ensure they can use social media without the security risks.

Ben Rothke CISSP, CISA is a senior security consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).

FEBRUARY 2011 BANK TECHNOLOGY NEWS 31
