Five lessons we can learn from financial services and compliance
by Dwayne Melancon - CTO at Tripwire - Wednesday, 5 February 2014.
Banks and financial services organisations have been a prime target for hackers for a very long time, and as a result the industry has had to adhere to security compliance regulations for a lot longer than most other sectors.

However, as cybercrime has become more widespread and hackers are looking to exploit almost any organisation with a connection to the internet, compliance regulations have become more common and are now placed upon most other industries.

This has of course been met with a mixed response: compliance is something you cannot escape from, it requires expenditure but doesn’t actually generate revenue, and organisations that fail to comply could face hefty fines. In order to achieve compliance, organisations need to look at it as more than a simple tick-in-a-box exercise – they need to develop a process which will work in sync with the entire company to help improve security. Organisations must also realise that while compliance won’t make them secure, if they’re not secure they will not be compliant.

All of this can of course turn the process of achieving security compliance into a daunting task for many IT teams. However, by looking at how the financial industry approaches compliance, organisations can learn methods to determine what issues should be covered first to mitigate the greatest risks.

Below are five lessons we can learn from financial services and compliance, which organisations should look at to help them achieve compliance:

Embrace a structured, top-down approach to risk management. Use that risk model to create a stack-ranked view of your business services, applications, and infrastructure so you can prioritise.

While financial services companies are definitely among the most regulated, they use security as a model to enable top-down risk analysis for the business. When all of the components come together, with people working with real exercises and data in different forms, there is a significant step from compliance to a risk framework.

You can look at this more holistically and treat it as a business risk problem, not just “security’s problem.” A key success factor is in selecting a framework that allows you to use it frequently, and which is not overly complex.

Consider using the recently improved COBIT risk IT framework or ISO 27001, as these approaches make it easier to deal with overall business risk rather than treating it as an IT-only exercise. After all, we’re dealing with a business risk problem so, like financial services, we must understand how to mitigate risk and how to educate the business regarding how their success hinges on IT’s groundwork. These frameworks will guide you toward the selection and implementation of security controls to mitigate your key risks.

In security parlance, we articulate “control objectives,” which are the conditions we mean to satisfy as we implement security controls. For example, offer a control objective to ensure that customer data is never tampered with and focus your implementation work on understanding how to satisfactorily achieve your objective. There are multiple ways to approach this, but it is up to each element of the business to determine who is responsible, what part each plays in achieving the objective, and to ask the questions to ensure that the approach will scale to meet the demands of the business.

Align your security spending and resources to match the shape of your risk - ensure you spend more on the things that are most important to the success of your business, and less on things that don’t have as much impact.

