Survey Results Point to 2009 Hot Topic: Vendor Management
First, have you checked out any of the new Bank Information Security Handbooks we introduced last week?
These electronic editions compile highlights of our content - articles, interviews, blog postings, agency alerts, etc. - in a unique format that gives you access to broad information resources from our ever-expanding content library. The goal is to put more information at your fingertips - help you make better-informed decisions. Humbly, I think we've succeeded.
Stay tuned -- there are more to come -- but the first three BIS Handbooks are:
- Application Security Survey Results: Executive Summary
- Identity Theft Red Flags Rule Compliance Survival Guide
- Banking Confidence Survey - Executive Summary
Which brings me to the second point I want to discuss today - the findings of that aforementioned Application Security survey.
You may recall this study, which was conducted at the end of summer, before recent high-profile events in the financial services industry. The survey was motivated in part by a recent OCC bulletin reminding banking institutions to ensure the security not just of the software applications they develop and manage in-house, but also of those developed or maintained by contractors and third-party service providers.
The OCC bulletin raised the question: What exactly is the state of application security at U.S. banking institutions?
Well, without giving too much away from the survey report, let me just share a few top-lines:
- Banking/security leaders generally are pretty confident in the integrity of the applications they develop and manage in-house;
- They're not so confident in those apps developed or managed by contractors and vendors;
- Given their lack of process around assessing and remediating vulnerabilities, respondents don't offer much evidence why they should feel any confidence at all.
I share these results for a couple of reasons: 1) Because application security is an important topic, and I don't want to see it get lost in the shuffle as we discuss the crisis in confidence or ID Theft Red Flags Rule compliance. 2) These findings really cut to the core of a topic I believe we're going to hear a lot about in 2009: Vendor Management.
As far back as last year's State of Banking Information Security Survey, we identified vendor management as a key concern of banking/security leaders. Frankly, by the responses they gave us, too few banking institutions do a good job of selecting, managing and ensuring the security of their third-party service providers.
Subsequently, vendor management has been a resonant theme throughout this year. Virtually each of the banking regulatory agencies has issued recent guidance on the topic, and it's a huge component of the Identity Theft Red Flags Rule, for which institutions are now being examined for compliance.
Again, it's a topic that won't go away. In tough times, when resources are low, outsourcing thrives. I suspect we're going to see a lot more outsourcing in 2009. Yet, given the threat landscape - remember, two of the poster-child security breaches, TJX and Hannaford, happened on a vendor's watch - vendor management is going to be a vulnerability to which institutions and examiners alike pay heightened attention.
So, check out the Application Security Survey results, please. Think about the questions raised, and let me know: How confident are you in your in-house and outsourced applications?
More important, how confident should you be?