From PCs to tablets to smartphones, customers enter institutions from all electronic angles. And these new banking habits put new strains on traditional IT infrastructure. How can banks ensure security?
It truly is a new paradigm, and it's causing institutions to rethink how they secure the infrastructure, says Roji Oommen, Managing Director, Financial Services, with CenturyLink Technology Solutions.
"Your end customer is acting in a riskier manner, and the zones of security you're responsible for have increased greatly," Oommen says.
Similarly, attacks have evolved from criminal acts to nation-state attacks, putting far more scrutiny and regulatory pressure on banking institutions to protect themselves in a manner befitting a critical infrastructure. And the heat is only beginning to get turned up, Oommen says.
"We expect that regulators will start imposing much stricter standards and potentially even greater liabilities on banks, who are supposed to be secure carriers of private information, as opposed to other industries."
In an interview about how to secure the new IT infrastructure, Oommen discusses:
- Impact of today's security threats;
- The value of a hybrid IT approach;
- Lessons learned from CenturyLink customers.
Oommen is currently responsible for product strategy, alliances and partnerships within CenturyLink Technology Solutions' Financial Services business segment. He works very closely with the 500+ customers that make up this vertical to deliver innovative managed services for global businesses on virtual, dedicated and colocation platforms. Roji has more than 15 years of experience, at organizations such as Thomson Reuters, IBM and Bridge Information Systems, specializing in information technology for financial services firms.
Impact of Evolving Threats
TOM FIELD: How do you see evolving security threats putting new demands on a bank's legacy IT infrastructure?
ROJI OOMMEN: It's interesting; we think a lot of this is driven by the fact that consumer behavior is changing. You do so much of your computing on mobile devices and tablets. There's the expectation that there's a seamless ability for you to interact with your service providers, including banks. The issue is that the control that banks used to have on their touch points with you has changed from branch, ATM and perhaps telephone to all of these different screens. The interesting thing about that is that the expectations that users have about security haven't changed at all. They're acting in what we would consider a less secure manner than in the past because they take for granted that all of these things are secure. The bank has many more access points that they need to protect against.
The second thing that comes with that is the effort to build platforms that meet the demands of their customers. Everyone wants to interact on their iPhone and Android device -- that's two technology platforms plus a website, plus potentially your legacy components as well. You've got a much bigger infrastructure than you're used to. Where in the past the infrastructure may have been fairly homogeneous, nowadays, because of the demands of the end user platform, things are actually quite different. You have your end customers acting in a riskier manner, and the zones of security that you're responsible for have increased greatly.
Costly Implications for Banks
FIELD: How are the implications of these breaches even more costly for banking institutions versus organizations in other industries?
OOMMEN: What we've seen over the past decade or so is an evolving shift from these sorts of breaches or attacks being perpetrated by individual groups or an individual former employee, or even hacktivists. This has moved away from pure criminality into nation-state sponsored activity. There were lots of reports about foreign intelligence agencies and military bodies conducting cyber scams and assaults against critical national infrastructure assets. As we all learned during the financial crisis, banks are a critical part of our infrastructure. Our economy is a national security asset. These are specifically pointed, targeted activities being carried out by folks who are beginning to poke at the boundaries to see what our vulnerable points are. Frankly, the risks that banks undertake are significantly different than in other industries simply because, by nature of the service that they provide, there's a lot of regulatory scrutiny on cyber security. We expect that regulators will start imposing much stricter standards and potentially even greater liabilities on banks, who are supposed to be secure carriers of private information as opposed to other industries.
Business Benefits of Hybrid IT
FIELD: Can you describe some of the business benefits that your customers have gained in adopting what you call a hybrid IT approach?
OOMMEN: What we call hybrid IT is a step in evolution from legacy IT environments to the bright, sunny future of cloud-based computing at some point in the future. It comes from a recognition that while for new applications and services most people would naturally look to cloud-based tools in order to develop them, most modern enterprises, particularly in the banking space, have a tremendous environment of legacy applications that you are going to need to support for the foreseeable future. It's just not feasible to take a midsized bank and say, "I'm just going to migrate all of my IT to the cloud." It just isn't practical to do. Our answer to that is that we'll provide a suite of services that offer you cloud-like economics. By cloud-like economics, we mean you pay for what you use, and resources, when you don't need them, can disburse back and you'll only pay for elastic demand over time.
We can give you the capability to support existing applications with cloud-like economics, but on very secure dedicated infrastructure. So not only do you get to take advantage of paying for what compute resources you use, you also gain the advantage of not sharing infrastructure with perceived insecure applications as well. So you can run this privately, and we believe it gives banks a large number of tools in their tool chest that they can leverage depending on their needs at any point in time.
FIELD: What do you see as some of the challenges that midsized banks face around compliance? How would an IT infrastructure provider help them meet these challenges?
OOMMEN: The alleged breach at JPMorgan Chase was actually quite informative. There were reports that JPMorgan Chase spends a couple hundred million dollars a year on cybersecurity to specifically protect the assets that were allegedly breached. So if an institution of that size, which spends so much energy, time and money protecting those assets, can be vulnerable ... it makes it very challenging for smaller institutions to compete. There are two things: One, obviously, the cash expenditure, and two, the talent that you need to recruit in order to be able to protect your infrastructure is scarce. You're not just competing against other banks, you're also competing against the likes of Facebook, Apple and Google, for a link to those resources.
The challenge that midsized institutions have is they need to come to the realization that it's very difficult to execute that on their own. Assuming you can get the right people, you potentially can. The decision you need to make is whether this is a core competency, and the competitive differentiator for you or not. In our view, low levels of IT infrastructure, particularly at the infrastructure layer when we talk about things like servers and data center and operating system are highly commoditized. What you spend on servers and maintaining your operating system and data center is probably pretty close to what your competitors spend. That proves no competitive advantage to you over time.
Going with an infrastructure provider who can offer a hybrid IT capability allows you to leverage their scale and dedicate resources, both financially and in building long-term competitive differentiation for you. While the big guys can play in that space, for the medium and small guys it's a much clearer decision.
Securing New Infrastructure
FIELD: When it comes to securing new IT infrastructure, what are some of the key lessons learned from your own customers?
OOMMEN: We as a service provider are lucky enough to have a broad view across industries. So not just banking, but we've got extensive capital markets customers who are protecting trading applications and infrastructure. We own some 20 percent of the US equities market and about 40 percent of the electronic market. We've also had a view into healthcare and the retail space. The thing that we broadly recognize is that when you're thinking about outsourcing anything, it's always dangerous to compare what your outsourcer provides to the platonic ideal of security that doesn't actually work. Most of the time when we go in and take a look at somebody's IT operation, what you find is that most people have a difficult time complying with best practices. This isn't because they're not spending time or effort thinking about it; it's just a fact that IT is changing so rapidly, it's difficult in light of all the other demands on your time to focus exclusively on this.
There's always a dangerous assumption to say that IT security is critically important for us, and therefore we must be really good at it because we do it in-house. Most of the time what we find is that most organizations are just simply not following best practices, again because of resources. If you go into that relationship with an open mind, you can very quickly see that implementing carefully documented control points to security in depth and just complying with best standards will often give you, for relatively low cost, tremendous improvement in your overall security posture.
FIELD: Where is the best place to begin assessing and meeting new IT infrastructure needs?
OOMMEN: It's always good to start talking to the business. What we're beginning to see in the banking space, because of consumer behavior and regulations as well, is you're competing against institutions that you financially didn't compete with earlier. Whether you're a regional bank who's now having to compete against Bank of America or Wells Fargo, the key part is to keep very close to your business. It used to be in the legacy IT world, we as IT practitioners would go to the business and say "I need you to define for me in excruciating detail what exactly you need from me, and then I'll go off and build it and deliver to you a year later." In this world where things are changing so quickly, it's important to be a really good business partner and understand that the business probably can't define very clearly what they want next week, as opposed to a year from now. You need to develop an IT infrastructure capability that enables you to respond quickly; that enables the marketing organization of your bank to run campaigns, experiment, turn things down rapidly when it's not working and double down on strategies that do. But that requires a very different mindset from legacy IT methodology.
Talk to your business and understand the competitive pressures that they're under and how you can best respond. It's always easiest to move to a new IT infrastructure for new applications. For any new application or service, whether it's interconnected to your legacy environment or not, you should take a hard look and be disciplined about whether it's advantageous for you to deliver that internally or not, because that's often a very good stepping point to create a new ideal infrastructure in the cloud or with an outsourced provider. Then, gradually migrate your legacy to the new platform over time - [that's] a very easy way to do it.
The third thing that we say is you've got to be really ruthless about understanding your benchmark costs against what industry averages are. There are lots of guys who are trying to build internal cloud platforms. If you follow the public cloud pricing market, that pricing has absolutely plummeted. At CenturyLink we've reduced pricing by over 60 percent in the last year, and looking forward we have a trajectory to continue decreasing cost over time. This is a huge benefit for businesses, but your own internal IT capability needs to be able to map that. And if you don't have a strategy for effectively doing that, you probably need to ask some hard questions about whether you should continue doing that internally or not.