Booz Allen Hamilton released their Top 10 Financial Services Cyber Risk Trends for 2013. They did a great job of identifying trends and providing some insight into what is happening in the field, along with advice and predictions. I would like to highlight some key words that stand out to me and provide you with my personal take from a “Standards” or Management Systems perspective.
1. Business/Information risk protection is not just a technology issue―Technology alone is not the answer; you must involve an integrated strategy of People, Processes and Technology.
2. Data disruption attacks may become data destruction attacks (i.e. vulnerability)―One of Clint Eastwood’s famous lines was “A man’s got to know his limits.” An organization can never expect to eliminate the constant barrage of attacks, but by identifying its individual vulnerabilities and knowing its systems’ limits, effective planning can avoid exposing vulnerabilities, reduce them, or increase monitoring of them.
3. Nation states and threat actors are becoming more sophisticated―You have to know your threats to identify your vulnerabilities. Knowing the enemy allows you to plan for and deploy the proper resources and technology and, of course, to plan for business continuity in the event of disruptions; nothing is 100% and you have to be prepared if things go wrong.
4. Legislation could push industry standards around cyber risks and improve threat intelligence information sharing―On February 12th of this year, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity. It acknowledges the need for public-private partnership in preparing for, preventing, and mitigating threats. The order directs federal agencies and departments to share cyber threat information with critical infrastructure owners. The order also requires these agencies and departments to work with businesses to develop IT security best practices and international standards that infrastructure owners could voluntarily adopt. It looks like there is increasing support for incentive programs for those who choose to adopt the new framework, especially from insurance industry companies.
5. Predictive threat intelligence analytics will create a more effective risk management capability (monitoring)―All information an organization collects and processes is subject to threats of attack, error, and nature, and to the vulnerabilities inherent in its use. An organization must establish and maintain a good monitoring process to be more predictive and to make appropriate changes to its practices and technology at the right time to stay ahead of the bad guys. As information security risks and the effectiveness of controls change with shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed. (ISO/IEC 27000:2012(E), Information technology—Security techniques—Information security management systems: Overview and vocabulary, second edition. 27000 Security, 2013. http://www.iso27001security.com/html/27000.html)
6. Vendor Risk Management (supply-chain management)―This is becoming an increasingly important concern among firms; we are only as strong as our weakest link. There is growing concern about the continued increase in business environment volatility, which makes the task of managing global supply chains tougher every day. Changes over the last few years in the social, political, technological, environmental and economic domains around the world suggest that the business landscape and the paradigm of supply-chain management have been transformed permanently.
Uncertainty is the roadblock to flawless execution. You can read my complete article on the subject, A Critical Need In Any Business Continuity Management System: Addressing the Supply Chain.
7. Cyber risk continues to be a board-level issue (top management involvement)―How does leadership articulate its expectations to the organization as a whole? All levels of relevant management throughout the organization should demonstrate commitment and leadership in implementing policy and objectives that support a culture of proactive risk management. Demonstration of commitment and leadership may be achieved through education, motivation, engagement and empowerment.
8. Firms must continue to embrace and adapt to the new “boundless network,” which includes Bring Your Own Device (BYOD) use, and must also invest in training their workforce to properly access and protect corporate data―All mainstream management system standards ask you to define and show evidence of effectiveness measures that evaluate individual organizational training programs. Further, you are asked to define how you measure competence in your evaluation of training program success. No workplace is immune from security threats. Employees are often the target of these threats as well as the organization’s first line of defense. Threats endanger the confidentiality, integrity, and security of your workplace, as well as your virtual workplace and computer systems, and must be addressed with a correspondingly appropriate level of training and continuous quality improvement in training programs.
9. Identity and access management is becoming a key security control area in which firms will continue to invest heavily―Due to global privacy concerns, identity and access management is fast becoming one of the most important components of an organization’s security infrastructure. With the advent of new and tougher regulations, how well you protect your enterprise’s information assets is directly related to your organization’s reputation, legal responsibility and financial well-being.
10. The Financial Services industry will rely more heavily on cyber benchmarking―The soon-to-be-released National Institute of Standards and Technology (NIST) Cybersecurity Framework, developed in answer to the Improving Critical Infrastructure Cybersecurity Executive Order, will become the benchmark by which all critical infrastructures are measured. Many of the leaders in the financial industry agree with the concept, provided it ties in with already accepted industry standards and presents smarter regulation rather than simply more regulation. Please reference my previous blog on the topic for more detail: Information Security in the Financial Industry. More Regulation or Better Regulation.
John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 25 years of successful experience in Management System Development.
Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed or otherwise represent those of BSI Group, or any other of its employees, officers, directors or anyone otherwise affiliated with BSI Group.