Bankers: Be Our Society's Security Leaders
No doubt, the security controls from the 'green terminal' days are not a good fit for today's Internet-enabled data centers! If we look back at the last 10 years (sorry, I know that's like 1869 in Internet years), the banking sector has made significant progress in instituting appropriate controls. Granted, at times this is due to regulatory requirements - e.g., Thou shalt strengthen authentication on Internet-enabled applications, or Thou shalt notify your customers when you suspect a breach. Nonetheless, speaking in broad terms, the progress has been made!
But that's not the point of today's discussion. Instead of worrying about the weaknesses, let's focus on some of the strengths of information security programs at financial services organizations.
Share what you know about information security - what, why and how - with your customers.
A number of years ago, Section 501(b) of the Gramm-Leach-Bliley Act mandated that banking institutions have an effective information security program in place to protect their customers' information. Given the years that have passed since the mandatory compliance date, all banking institutions have been examined on this and a myriad of other information security related topics. That's good!
But what about all the other organizations - small and large - in the wild out there? Who is asking them about their information security programs? Do you think the Board of Directors at a certain retail chain or a grocery supermarket were briefed on the state of information security at their organizations?
Yes, without being bashful, I am referring to TJX's and Hannaford's board members above. I picked these two for a couple of reasons. First and foremost, these two incidents alone caused bankers as much heartburn as, if not more than, they caused the officers of these two organizations. The senior officers at banking institutions now know more about the average costs of cutting, processing and mailing new cards after these incidents than they ever wanted to know. The second reason I picked these incidents is rather simple - they prove the point that the security of a bank customer's information is not only in the hands of their bank. Many other organizations gain access to a consumer's information in the course of day-to-day interaction with their customers. At times, this can very well be banking-related information, such as debit/credit card information or bank account information, or other personal information such as a social security number, home address, phone number, medical history or anything else personal to them.
Following the recent incidents I just described, there has been a decent amount of interest in how information is protected by retail outlets. But the information about us as consumers is not only the domain of the banking institutions and the retail outlets in our society. It's everyone out there, from schools to doctors' offices and everything in between. Yes, they should protect their customers' information. For the most part, they have a desire to do that, but there are no looming regulatory examinations that they need to prepare for, and no customer asking how their information is protected by the organization they do business with. There are no incentives (and no penalties either) to institute appropriate controls.
Putting all these reasons aside for a moment, one of the most important reasons for not instituting appropriate controls is not cost, resources, or even incentives or repercussions. It's the lack of direction. It's not understanding the 'value' of the information many of these businesses gain access to in the course of their normal day-to-day business. It's the age-old issue of accepting a certain risk without completely understanding the impact of that risk on the organization and its customers.
But where can these organizations turn in order to understand that risk and, in response, institute appropriate controls? They don't have access to a regulatory agency representative they can speak with. They don't have access to information security experts or the pony-tailed, gee-whiz, CSI-looking risk management experts. All they have is some technology support that keeps their business running and all the operational tasks humming. But all these businesses, large and small, have one thing in common: they have a banking relationship. Everyone needs a bank. Some go to Main Street or the town square for their banking relationship, while others go to Wall Street. And then there are some who prefer to go to the Internet café for their banking needs.
So, after taking you through a maze, from the modern information security controls at banking institutions to the lack of understanding of the 'value' of the information all other businesses need to protect, here's my parting thought of the day: Over the last several years, the banking institutions have amassed sizeable knowledge about managing their Information Technology-related risks. It's time to share that knowledge with their banking customers and guide them through the importance of protecting the information to which they gain access. It's an opportunity for bankers to step up and be leaders when it comes to Information Security. Share what you know about information security - what, why and how - with your customers.
It's not only the right thing to do; it will provide the competitive edge and that extra notch of customer service that every bank is looking for in this crowded world of a branch on every corner (and don't forget to count the Internet-based banks vying for your customers as well).