5 Takeaways From The Cyber Security Exchange – Financial Services
AI, Third Parties & Digital Identity Dominate Discussion
Third parties should be viewed as partners because their actions directly affect your organization. Automation is the next disruptor, as workflows are augmented.
The digital identity is the building block of today’s security. “Checkbox” compliance is by no means a cure-all; plus, all of these points are contingent upon the size and scope of an organization’s security team.
These were some of the more prominent points in this week’s Cyber Security Exchange: Financial Services.
Leading security practitioners descended upon the Millennium Hotel in Times Square, New York City, from June 10-12. IQPC’s event found cyber experts shifting from masterclasses to “Ignite Sessions” and panel discussions. Each session featured financial-sector security pros conversing over pertinent topics.
What follows are the biggest takeaways:
1.) Third-Party Predicament
Much of the discussion on Day 1 of the Exchange revolved around third-party vendor risk management.
Nasser Fattah, Managing Director, MUFG Union Bank, provided his take on these “partners,” including adoption benefits such as cost cutting, core business focus, intellectual “capital” and catalyzing digital transformations.
Fattah, and others, also discussed the concerns that tag along with outsourcing: privacy, politics and regulations chiefly among them.
It’s here where Fattah outlined the importance of a vendor management program (true vetting behind each transaction). The takeaway here could be: Vet now or pay later.
Third-party vendors may, in fact, be the weakest link in the security chain. Chief information security officers (CISOs) and their peers must now recognize that an external party’s behavior can impact the core business in numerous ways.
2.) Automation 101
Outside of being true buzzwords, artificial intelligence (AI) and machine learning (ML) will likely dictate the future of cyber security. This comes as the industry faces understaffing, increased workloads and a vastly widened attack surface. The consensus appears to be that without AI augmentation, enterprises will fall behind in the potency of their controls.
In a Day 2 panel, Rahul Patel, CIO, KBC Bank NV, New York; Paul Ferrillo, Partner, Greenberg Traurig LLP; Max Tumarinson, CISO, Amalgamated Bank; and David Stern, CISO, BGC Partners, discussed “intelligent defense.”
Notable topics included whether these platforms are the “silver bullet,” the limits of “throwing more people” at a systemic issue, the need for data scientists, outsourcing “plumbing” tasks, and measuring “cost per pound,” or actual impact. Ferrillo said a foolproof cyber plan must take corporate reputation into account.
3.) Identity: The Building Block
Elsewhere, attendees, along with the vendor community, discussed the digital identity – which is of utmost importance. Identity and access management (IAM) controls are the gateway into sensitive segments of the organization. It is a highly horizontal topic that demands attention with governance, risk management and compliance (GRC), cloud services, and more.
At the Exchange, Luminate Co-Founder and CPO, Eldad Livni, spoke about the Zero Trust theory, the principle of least privilege and organizational impact. With least privilege, he said, access is only provided to requisite assets, and only for job-specific purposes.
Because the network has widened, its boundary can no longer be defined so easily. IAM brings order here by determining who is trying to access the network and applying multi-factor authentication (MFA).
4.) The Regulatory Maze
In another session that resonated with attendees, Ferrillo also documented today’s “regulatory complexity,” including recognizable measures such as the General Data Protection Regulation (GDPR), New York’s Department of Financial Services (DFS) regulation and NIST’s Cyber Security Framework.
The corporate lawyer underscored the importance of NIST, and said it is the source material for many other governing frameworks.
Ferrillo said that although it may take time for CISOs and others to flesh out applicable frameworks (i.e., NIST), it is well worth it; it’s either that or face other ramifications, such as exorbitant legal fees.
Another interesting tidbit comes from the DFS rule, which exemplified New York State’s position on the world cyber-stage. The DFS measure calls for affected organizations to appoint a CISO – the first requirement of its kind.
5.) A Team Dilemma
Last but not least comes the search for “creative solutions” to the ongoing talent crisis. This is a vast conversation that, unless reeled in, can splinter off into numerous directions.
At the Exchange, attendees spoke about internal hiring, more women in the IT space, grassroots security efforts, and psychological guidance that can help CISOs better lead their teams.
On Day 3, Marc Crudgington, CISO, Woodforest National Bank, and Paul Raines, CISO, UNDP, led a panel on these “solutions.” The result became peer-to-peer advice on best hiring practices and ways to rethink security.
Suggestions – outside of widening the teams – included high school sessions on coding and security issues, along with bolstered curriculums and fostering positive work environments. This goes for everyone from entry-level security folks, to higher analysts and those just beneath the CISO.
We hope you’ve enjoyed the Cyber Security Hub’s coverage of the Cyber Security Exchange: Financial Services! Be sure to check out our earlier recaps, along with compelling coverage of the space.