Be Mindful of Insider Fraud Against Seniors
C. Warren Axelrod is a veteran banking/security executive and thought-leader, and in an exclusive interview he discusses top security trends and threats, including:
Axelrod is currently executive advisor for the Financial Services Technology Consortium. Previously, he was a director of Pershing LLC, a BNY Securities Group Co., where he was responsible for global information security. He has been a senior information technology manager on Wall Street for more than 25 years, has contributed to numerous conferences and seminars, and has published extensively. He holds a Ph.D. in managerial economics from Cornell University, and a B.Sc. in electrical engineering and an M.A. in economics and statistics from Glasgow University. He is certified as a CISSP and CISM.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am here at the RSA Conference, and I am talking with Warren Axelrod, who is affiliated now with the Financial Services Technology Consortium.
Warren, it is a pleasure to talk with you.
WARREN AXELROD: My pleasure, too, Tom.
FIELD: Warren, why don't you give us a sense of everything you are involved with these days because I know you are wearing multiple hats, and you have got multiple projects going on.
AXELROD: Well, the main one is the Software Assurance Initiative that I am managing for FSTC, and that is a broad look at application security and software assurance, in terms of the development lifecycle, operations and testing, and potentially setting up an industry lab to test the highly used critical software. What we have done is bring together groups from some of the major financial institutions, from academia, such as Carnegie Mellon, which is obviously big on software engineering, and also companies such as Microsoft, Northrop Grumman and so forth, and also some of the government regulatory agencies, although they are not participating, they are listening in.
What we are trying to do is establish preferred policy and practices for financial services as a whole in the software assurance area. The reason for this is that the regulators are increasingly looking at the application layer, which traditionally has been very neglected, and they are specifying, in some cases with quite a level of detail, what national institutions would be expected to do.
So for instance, the OCC, the Office of the Comptroller of the Currency, in 2008 put out a bulletin purely on software assurance and application security. And they went into such detail that, in one of the appendices, they listed the 10 top OS vulnerabilities, which to me is amazing in a regulatory guidance document.
The other area where there is a lot of oversight activity is on the payments side, the PCI Data Security Standard, particularly Section 6, which looks at application security, and this is an evolving area for them. I think there is just a general recognition that many of the successful exploits are at the application level, and that traditional information security professionals have not been strong in that area.
One of the reasons for that is that the knowledge required is much broader. You have to understand the business; you have to understand software design, development and testing, as well as some of the broader security issues. Traditionally, security professionals have come out of the engineering, network and systems area with very little applications experience. So there has been a lot of evangelizing by people such as Gary McGraw to try to get that idea across.
FIELD: Now, Warren, you have been in information security for a number of years now. We are seeing a lot of fraud, we are seeing payments issues as you discussed. What are the security concerns most top of mind for you these days, especially as related to financial services?
AXELROD: Well, I think there is really one area that stands out to my mind, and that is the insider threat. My own belief is that it is grossly under-reported, and there are many reasons for that. Probably the main reason is that a lot of it goes unrecognized. If we don't have monitoring tools in place that are sophisticated enough to catch the insider, it goes unrecognized: the insider, in general, has authorization, is authenticated through the system, is given a lot of privileges and can operate under the radar in many regards. It is hard to detect because it is usually only after the fact that some anomalous behavior is recognized.