Latest news
Why Managed Security Services are so Popular in Financial Institutions
by Carl Annicq - EVP Corporate Account Program and Business Development for Ubizen - Friday, 20 June 2003.
In 1996, market risk exposures were added as a second separate type of risk and were given separate capital charges. The new framework of Basel II will introduce operational risk as a third type. The Committee has been working with the industry to develop a suitable capital charge for these operational risks; for example, the risk of loss from computer failures, poor documentation or fraud. Based on work to date, the Committee expects operational risk on average to constitute approximately 20% of the overall capital requirements. IT risks, such as the risk of being hacked and the risk of online fraud, are important elements in this.
The higher these operational risks, the higher the capital requirements. It is therefore key to minimise these risks as much as possible. As such, the new Basel recommendations are a clear incentive for banks to use sophisticated risk management methodologies, use advanced methods for calculating their capital requirements and enhance their control environment.
An advanced Managed Security Service can clearly help financial institutions to quantify IT risks and identify which steps have the highest marginal impact to reduce those risks as an overall reduction of operational risk will lead to lower capital requirements. For a financial institution, reducing the capital requirements with even a few base points has drastic profit and loss implications.
Apart from sector specific requirements such as the Basel Accord, more generic legislation on computer crime and privacy (e.g. the Data Protection Act of 1998) form a clear incentive for financial institutions to streamline security risk management on a company-wide level.
Operation complexity of e-security driving the adoption of managed security services
One of the many challenges for FSPs during an economic downturn is maintaining their security posture with shrinking resources. With hackers and viruses becoming ever more sophisticated, security has stopped being a series of protective product installations and become instead a full-time, 24x7x365 process. It is simply not enough to deploy point products, or even families of products, and assume that the organisation is safe. All of the various products require ongoing maintenance, frequent patches, updates and proactive management. This is obvious for signature-based systems such as virus scanners and intrusion detection systems, but perhaps not as obvious (but equally important) for devices such as firewalls.
As such, there is an increasing 'stealth trend' for large financial institutions to outsource this maintenance and management process to managed security service providers. This represents a significant sea-change in attitudes towards both security and what companies will entrust to a third party outsourcing partner.
There have been numerous instances of FSPs allegedly outsourcing their security. When you read into the details this is not quite the case. Financial institutions are outsourcing some aspects of their security infrastructure. Typically this will be the operational aspects of the primary IT defence and detection systems, such as firewalls and intrusion detection systems (IDS).
The higher these operational risks, the higher the capital requirements. It is therefore key to minimise these risks as much as possible. As such, the new Basel recommendations are a clear incentive for banks to use sophisticated risk management methodologies, use advanced methods for calculating their capital requirements and enhance their control environment.
An advanced Managed Security Service can clearly help financial institutions to quantify IT risks and identify which steps have the highest marginal impact to reduce those risks as an overall reduction of operational risk will lead to lower capital requirements. For a financial institution, reducing the capital requirements with even a few base points has drastic profit and loss implications.
Apart from sector specific requirements such as the Basel Accord, more generic legislation on computer crime and privacy (e.g. the Data Protection Act of 1998) form a clear incentive for financial institutions to streamline security risk management on a company-wide level.
Operation complexity of e-security driving the adoption of managed security services
One of the many challenges for FSPs during an economic downturn is maintaining their security posture with shrinking resources. With hackers and viruses becoming ever more sophisticated, security has stopped being a series of protective product installations and become instead a full-time, 24x7x365 process. It is simply not enough to deploy point products, or even families of products, and assume that the organisation is safe. All of the various products require ongoing maintenance, frequent patches, updates and proactive management. This is obvious for signature-based systems such as virus scanners and intrusion detection systems, but perhaps not as obvious (but equally important) for devices such as firewalls.
As such, there is an increasing 'stealth trend' for large financial institutions to outsource this maintenance and management process to managed security service providers. This represents a significant sea-change in attitudes towards both security and what companies will entrust to a third party outsourcing partner.
There have been numerous instances of FSPs allegedly outsourcing their security. When you read into the details this is not quite the case. Financial institutions are outsourcing some aspects of their security infrastructure. Typically this will be the operational aspects of the primary IT defence and detection systems, such as firewalls and intrusion detection systems (IDS).
Spotlight
The security of WordPress plugins
Posted on 18 June 2013. | Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection.
Information security executives need to be strategic thinkers
Posted on 17 June 2013. | George Baker, the Director of Information Security at Exostar, talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, and more.
Large orgs in denial about own security breaches?
Posted on 14 June 2013. | Over two thirds (66%) of large organizations said they either had not experienced a security incident in the last 12-18 months or were unsure if they had.
Vulnerability scanning with PureCloud
Posted on 12 June 2013. | nCircle PureCloud is a cloud-based network security scanning product built upon the companies' vulnerability and risk management system IP360.
Reactions from the security community to the NSA spying scandal
Posted on 11 June 2013. | Read on for comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
