Banking institutions that don't share threat intelligence will never advance their information risk management practices. That's the position advanced by Mark Clancy, managing director of technology risk management at the Depository Trust & Clearing Corp., which provides clearing and settlement services to U.S. banks.
"Not having information about what threats are occurring is sort of like trading in the market without market data," says Clancy, who is also CEO of Soltra, which offers an automated information sharing platform developed by the DTCC and the Financial Services Information Sharing and Analysis Center.
"You don't know what events are occurring, and that's basically what you need to understand the risk," he explains during this interview with Information Security Media Group, conducted at the RSA Conference 2015 in San Francisco.
Clancy, who on April 20 hosted a seminar at RSA about advancing information risk management practices, says that to fully appreciate today's emerging threats, banking institutions and other critical infrastructure industries must understand attacks against their competitors, vendors and partners, so they can adequately ensure they are strategically mitigating their own risks.
"All of us are attacked every day by the same people," he says. "And the attackers have huge efficiencies, because they run an attack once and they use it a thousand times."
The more information institutions share about attacks, the better they can prepare and defend their networks against known attacks, Clancy adds. For smaller institutions, this is becoming increasingly critical, because these organizations typically don't have the internal threat intelligence that larger institutions do.
"At present, only large institutions really have the expertise in threat intelligence to understand what's happening," Clancy says. "So, this is a way of essentially creating crowdsourcing. If you're a smaller institution, you can benefit from all of the knowledge in your community, which is probably a mix of large and small institutions, and you can leverage it."
During this interview, Clancy also discusses:
- How Soltra was founded;
- How other industries are working with Soltra to share information;
- Why smaller institutions are often at a disadvantage when it comes to information sharing, because they outsource many of their platforms and services to third parties.
Clancy's department at the DTCC comprises information security and information technology risk management. He has enterprisewide responsibility for developing and implementing global security and business continuity policies, standards, guidelines, procedures and threat assessments. He also is the CEO of Soltra and chairs the DTCC Security Steering Committee, which is composed of senior IT management as well as business-line and other corporate managers. Before joining DTCC, he was executive vice president of information technology risk at Citigroup.