Transcript of Mark Lobel Podcast
Swart: Good afternoon. How are you?
Lobel: I'm doing well.
Swart: I was hoping you'd talk to our listeners and tell us about, from your position as a Price Waterhouse Coopers partner in the security practice area, what is your assessment of the state of the information security war? How are institutions responding to the increasingly sophisticated threat picture?
Lobel: Richard, that's a good question. We haven't won the war yet. It is to your point increasingly complex and sophisticated, and it's changing. You know, when you look at just some of the numbers and metrics that we got, some of the base things have actually improved. Extortion, theft, fraud, intellectual property theft specifically, financial losses, those numbers are all down year over year. Which to us is the function's maturing. A lot of tools have been deployed. They're operating effectively to a degree. But the flip side or converse of that when you ask people what are the breaches and what are actually happening, the number who finally came out and said, 'I don't know,' that number shot way up this year. We had significant advantages and increases in the numbers, so while the things that they can track and measure have gone down, there's an acknowledgement finally of we don't know what we don't know yet. So, that tells us, kind of like a teenager, there's some great maturity there. There's still a lot of immaturity and opportunities for improvement.
Swart: Now do you think that's an immaturity of their process of detecting intrusions and attacks, or is it that the nature of the attacks themselves are getting more sophisticated and institutions simply can't detect some of the more sophisticated attacks coming against them?
Lobel: Well, the answer is definitely both. You know, a whole crime ecosystem has built up around the theft of personally identifiable information and it's -- especially the financial community -- has that sensitive information about people and access to their money. So that ecosystem has moved very swiftly to gain access to that information. And in the past it used to be gaining recognition for yourself as the goal. It's now making a living. So you don't make noise when, and you don't try to gain recognition when you want to gather the information, gather money from people's accounts and move on. So, when you look at that ecosystem emerging, yeah, identifying the threat is becoming more challenging. Another portion of it though is increasingly sophisticated tools have been deployed and implemented. But those great sophisticated tools produce a lot of data, and to turn data into information to make it useful and actionable and to have a process around it, I think that's the next set of challenges that financial institutions specifically are working on today. The creation of security information management solutions that allow you to sift through and, you know, separate the wheat from the chaff, and give you something that says hey, I need to make an action, I need to take an action on this activity happening over here right now. And I don't think we're there quite yet. But we're definitely moving down that path.
Swart: It's quite the challenge, especially given the volume of data and the complexities of data mining that have to be faced. Let's switch our attention to IT governance. It's receiving increased attention recently as a factor for success, both in terms of the IT management and also in overall corporate profitability. What factors are differentiating the most successful financial organizations from a governance perspective, and how does this impact the risk management and their IT security functions?
Lobel: Well, specific to the IT security function and with the implications for the broader risk management function, we first of all did a regression analysis on our data two years ago. We said what factors predict lower breaches and lower downtime. I mean, that's our goal, right? It's make sure the systems are up, and make sure we haven't lost control of people's information or people's actual money. And the two factors that came out as our biggest predictors were moving information security to an executive level and having a documented approach, a security strategy, if you will. So it's those things from the governance perspective which are really more governance activities. You know, it didn't come back and say implement more firewalls. It didn't say implement the latest tool. It said process and responsibility were those areas. So how does that impact IT security this year? We're really happy to see the number of organizations responding that they have a documented security strategy was up to 58 percent, a significant increase. And the number of organizations saying that they had a chief information security officer or chief security officer went up materially, a significant amount as well. So when you look at what things financial institutions should be doing for governance, we're starting to see them move in that direction.
Swart: Are you seeing a convergence of the security role with the compliance or the physical security function?
Lobel: Along those lines, that's actually interesting because we've seen, and we almost called it, you could say it's a retrenchment of the CIO this year. And what do I mean by that? There was a four-year trend where we saw information security reporting less and less to IT. That trend has fundamentally reversed itself this year and one of the places we saw information security reporting to was the physical security. So a CISO reporting to a CSO, not reporting to the IT organization. So that CSO had reporting responsibilities to other places. That trend pretty much stopped cold in its tracks this year as more of the budget came from IT and as the reporting lines went back to IT to a degree. We've seen those opportunities. We've seen that convergence of physical information security. The numbers went up for folks saying they had some form of integration. It's just not a formal reporting relationship. But, are there opportunities for improvement? Are there opportunities for physical and information security to work together? Yes. Are we seeing that happening? Yes. Just not as formally in a reporting relationship like we've seen prior years.
Swart: Well, given that IT security is coming back under the realm of IT and metrics are a significant challenge for everyone in IT, let's tap your experience. You've written extensively about security benchmark and security metrics. Could you maybe summarize for our listeners some of the key elements of an effective benchmarking program?
Lobel: A combination of things make up an effective benchmarking program. I mean the top ones are, first of all, what are you going to measure? So, and are you collecting that information? Hard to benchmark it if you don't know what you have, you don't know where your customer data is, you don't know what technologies are deployed, or the effectiveness of those technologies. So, knowing what you have, where it is and how it's operating, and collecting the information in a consistent fashion over a period of time, is kind of your first piece and challenge. So, if you don't have data to benchmark against, you've kind of lost the battle right off. And then the second is what are those benchmarks? You know, when you look across industries, financial services has for many years clearly been the benchmark industry. That's been the area that we go to. And when we work with financial services institutions, you ask the question of, who are your peers? Who do you benchmark against? So, one, knowing what you have to benchmark with, and then two, figuring out the right universe, who you want to learn from. You know, as some other industries that don't rank as highly as financial services, everybody comes back and some people in that industry will say, well, we're as good as everybody else, and then you compare industries and say, well, but your industry's at the bottom of the barrel. You're not spending, you're having breaches. You're having downtime. Have you really thought this through? Is that where you want to be? And maybe the answer is yes. Maybe it's, you know, we want to be on with our peers, and we're going to aim for that profitability, but if you're intelligently taking that risk, that's fine. So, when you look at a metrics and benchmarking program, it's knowing what you want to benchmark, and it's having the right universe to benchmark against. It's kind of those two key areas to begin with.
Swart: Great advice. Let's talk about strategic thinking. The financial industry has been known for its leadership in strategic thinking about security challenges for a long time. But what issues are emerging in security, IT security specifically, or will soon emerge, and should be at the forefront of a financial institution's strategic planning process regarding IT security?
Lobel: We don't, you don't, have enough recording space on the podcast to go through all the areas that are emerging, but two of the key ones I will say are outsourcing. It's, you know, everybody said we want development at a lower cost, but that means that you need to have the data that the developers are going to be working their applications around sent to those geographies. Or you need to do something to protect the data. If you're protecting it, if you're obfuscating, or you know, encrypting, or changing the data before it goes overseas, that's great. If you're not, it raises some real questions for the organization, and why is it necessary to protect that data and information? Because some of the numbers we've seen specifically from our respondents in India and China are that even though we've seen significant improvement in India, and we see real challenges in China, they're still below the overall world average, and definitely below the United States average. You have a lot of companies who have a captive capability in India. They say it's just where, it's just us, but over there. Well, when you look at the numbers for the survey, we see a huge range of quality in the information security protections that are over there. So, the financial services institutions are asking themselves and asking their outsource vendors the hard question of are we really protected? Have we put the controls in place? Do we know what's going over? And is it monitored and protected on an ongoing basis? The other question related to that, and which makes China really interesting, is when India firms, you know, there's only so fast you can grow. When India firms reach their capacity, or at least for a short while, they will subsource. And one of the places they subsource is China. And this is our first year of really meaningful numbers from China, and the numbers are definitely challenging. They are to a degree consistent with and maybe even a little bit less than the numbers we saw for India last year. China has some real opportunities for improvement in information security. And if your information's going to India, do you know if it's being subsourced? So I put the whole outsourcing topic and the subsourcing topic as one key challenge. A second one we touched on before is actionable information. We have tons of data, what do we do with it? How do we process it? How do we put intelligence into it? How do we turn it into actionable information so we're actually using all those technologies that we have to protect the information that we have in an effective and a cost-efficient manner?
Swart: Fantastic advice there, Mark. Well, I appreciate your time today. I think we're probably out of time. We're going to have to let you go. But I certainly appreciate the information you've provided for our listeners today.
Lobel: My pleasure, Richard. Thanks so much.
Swart: Well, thank you for listening to another podcast of the Information Security Media Group. To listen to a selection of other podcasts, or to find other educational content regarding information security for the banking and finance community, please visit www.bankinforsecurity.com, or www.cuinfosecurity.com.