Authentication, Cloud & Governance
Three Hot Topics Addressed by Thought-Leaders
Let's review some highlights from these conversations:
Hyland Says FFIEC Guidance is Coming Soon
Trust me, no one was more surprised than I was when Gigi Hyland, board member of the National Credit Union Administration, suggested to me that the FFIEC's new online authentication guidance might be issued sooner rather than later.
Like many of us, I'd come to assume we were months away from seeing the final guidance. It seemed a safe bet that banking regulators were embarrassed by the accidental disclosure of the draft guidance last December, and that they were now: 1) inundated with unsolicited input from banking practitioners, analysts and thought-leaders who have strong opinions about multifactor authentication, and 2) in need of extra time to sort through that input and revise their recommendations.
Frankly, none of the regulators wanted to even discuss the draft document or its ultimate release. Hyland was the first to entertain a direct question about the guidance, and she gave me a direct answer, saying the FFIEC is really only waiting for just one member agency to sign off on the latest draft. And because her constituents are also asking, she'd like to see this sign-off soon.
"We at the NCUA are anxiously awaiting the final green light from the last regulatory agency that's reviewing this," Hyland said. "In the FFIEC process, we all have to be in agreement before it gets issued. So, the vetting process within each agency is sometimes more protracted than within other agencies."
Hyland was careful to not say which is the holdout agency, but she did suggest there is some urgency to issue this new guidance ASAP. "We're waiting, essentially, and working with other regulators to try to come together and agree on the final guidance, so we can issue it, hopefully, as expeditiously as possible."
Now let's see if "expeditiously" translates to before summer.
For more on the pending guidance, as well as Hyland's take on mobile banking and current fraud trends, see: NCUA's Hyland on Top Fraud Threats.
Global Cloud Standards in Development
With all the buzz about cloud computing, it's easy sometimes to overlook significant developments, and this is one of them.
At an event in Singapore recently, the Cloud Security Alliance announced that it was partnering with the International Organization for Standardization/International Electrotechnical Commission to develop new, global security and privacy standards for cloud computing.
I spoke with Marlin Pohlman, Chief Governance Officer at EMC and a prominent member of the CSA, and he compares the cloud security evolution with the development of railroad standards in Europe in the 19th century. "Countries realized eventually that having a joint infrastructure was in everybody's best interests," Pohlman says. "On a global basis, countries are recognizing that they need a uniform commercial code, if you will, for data - a unified approach for managing IT infrastructure services. And they need to do it in a harmonized, cross-border, compatible fashion."
Cloud computing has been the hot topic for two years now, but my take is that the talk is starting to turn into action. In 2010, the buzz was that organizations were taking the leap into the cloud. In 2011, they're getting serious about securing their presence there.
For more on this partnership and the future of global cloud security standards, see: The Case for Cloud Security Standards.
ISACA on Governance
You can't discuss cloud risks or FFIEC compliance without acknowledging the word that typically comes before risk and compliance: Governance.
In a recent conversation with Robert Stroud, international vice president with ISACA and the IT Governance Institute, the topic was governance of enterprise IT. And the tone of the conversation was: It's all about risk. No matter what aspect of emerging business technology you look at today - mobile devices, social media, even cloud computing - the talk has to turn to identifying and mitigating the risks.
"You can't de-risk everything, but you can de-risk the majority of circumstances you will see in normal operations," Stroud says.
Understand the value that security offers to the organization, he adds. "One of the parallels that I often use is that security needs to be a positive word, not a negative word in the organization," Stroud says. "So we really need to ensure that security adds value to the organization while understanding where to put the appropriate components in place, where to identify the risk and when not to cry wolf."
For more of Stroud's insights on governance, see: Governance: It's All About Risk.