There will be no shortage of cybersecurity topics of interest to banking institutions and financial services organizations at the upcoming RSA Conference 2015 in San Francisco.
See Also: Data Center Security Study - The Results
In the past five months alone, we've seen massive breaches at Sony Pictures Entertainment and health insurer Anthem. These incidents caught everyone's attention and made people just a bit more sensitive to their own organizations' abilities to detect and respond to intrusions.
Nation-state and hacktivist groups are a big worry, especially if they target the biggest banks and clearinghouses.
And, closer to home for banking institutions, breaches such as the one that hit JPMorgan Chase have raised new alarms. In fact, after Chase discovered in August 2014 that its breach had exposed information related to 76 million households and 7 million small businesses, we all were left questioning whether any banking institution could truly be secure.
We all accept now that no bank or credit union is immune to a cyber-incident, we're all prospective targets, and the cybersecurity stakes are much higher than they were a year earlier. Beyond the hard costs associated with breach response, we all have seen the tolls of brand damage, and we have seen high-level executives fired for breaches that occurred on their watch.
This is the mindset we bring to RSA Conference 2015.
Beyond Payments Security
While the topics of interest to financial organizations at RSA Conference 2014 revolved around breaches that exposed payment card data, a la Target Corp., this year's event will be more focused on attacks that aim to destruct and compromise data - the types of attacks that are waged by nation-state actors and hacktivist groups.
For financial services, these threat actors pose increasing concern. That's not to say that organized cybercrime groups are no longer a worry; it's just to say that criminal groups are not the only adversaries the banking industry now has to be worried about.
Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center - and a speaker at RSA Conference 2015 - says the low, slow and advanced intrusions striking organizations today necessitate network and data segregation that's handled in a more secure way.
"Destructive malware keeps me up at night," Nelson says. "And nation-state and hacktivist groups are a big worry, especially if they target the biggest banks and clearinghouses. ... There needs to be some very careful and good plans put in place to detect and respond quickly."
This is just one perspective on why attack attribution and information sharing are playing more prominent roles for banks and credit unions and will be key discussion points at RSA 2015.
Information Sharing, Attack Attribution
For those attending RSA Conference 2015, there are literally scores of sessions from which to choose. But for the banking/security leader, here are four specific sessions that catch my attention. They all are related to information sharing and attack attribution:
- The Advancing Information Risk Practices Seminar, April 20, 1 p.m. This seminar, being led by host of qualified speakers, including Mark Clancy, managing director and chief information security officer at the Depository Trust & Clearing Corp. and CEO of Soltra, an open platform created by the FS-ISAC and the DTCC, will focus on how organizations should risk rank security gaps and then develop qualified resource response pools. This half-day seminar will review quantitative risk analysis and risk metrics that matter, as well as the benefits of cyber-insurance.
- Defending Critical Infrastructure: Preparing via Real-World Cyber Exercises, April 21, 4:40 p.m. This session will review cyber-attack exercises aimed at helping organizations test their defenses and train their staff to respond. For banking institutions, these types of cyber-exercises have become invaluable, and first proved effective at helping banks and credit unions mitigate risks associated with distributed-denial-of-service attacks waged against them in 2012 and 2013.
- Attribution Debate - Is It Worth It?, April 22, 8 a.m. This session will focus on attack attribution and whether it's really critical to know who our attackers are. While I wholeheartedly believe attribution matters, the challenges law enforcement faces when it comes to accurate attack attribution has made this a topic for lively debate.
- Full Disclosure: What Companies Should Tell Investors about Cyber Incidents, April 23, 10:20 a.m. This session will review how much information breached or attacked organizations should share with law enforcement in the wake of a cyber-incident. It will focus on when businesses should bring in their own legal counsel, and how much they should communicate internally once an incident has been discovered. While, in theory, we would hope that any business that has suffered a cyber-attack would err on the side of full disclosure, post-breach response is never that simplistic.
Of course, each of these topics is relevant beyond RSA Conference 2015. I look forward to the debate that will continue after the event, and I welcome your feedback as well. It's going to be a week jam-packed with plenty of hot topics to discuss. If you're at the event, please say hello to me and my colleagues at our booth, #4042, or visit our ISMG media suite on the Eastern Mezzanine, Room 236. And be sure to look for news updates from the show at our RSA Conference 2015 news page.