The Field Report with Tom Field

Time to Start Thinking About the State of Banking Information Security 2009

Time to Start Thinking About the State of Banking Information Security 2009

Talk about a harmonic convergence.

Just as the major banking regulatory agencies went before the Senate committee recently to deliver their "State of the Banking Industry" addresses, I was sitting back and starting to think about drafting the questions for our next State of Banking Information Security survey.

You'll recall our inaugural survey from this past winter, when we first took the pulse of the U.S. banking industry to get your sense of what the top banking/security priorities would be in 2008.

No huge surprises. You validated our belief that Identity Theft Red Flags, vendor management and pandemic preparation would be significant agenda items this year, and they have been. Indirectly, you also were the first to articulate that customer trust - acknowledging and securing it - would be a top priority, and now suddenly everyone is talking about this same issue.

So, six months into this year, six months away from next, it's a good time to think about what will be 2009's hot topics. Help me brainstorm here.

Some items are just perennial. Budgets, titles, reporting relationships, regulatory challenges - we know we're going to track this data year-to-year, and it'll be interesting to see how/if pandemic preparation is becoming a bigger focus of business continuity/disaster recovery planning.

But what about the Identity Theft Red Flags rule? This year has been all about creating a plan to meet compliance; next year will be about deploying it. What challenges do you expect to face there?

And then there are vendor management and application security, which I lump together. We knew the former would be a focus this year (see the FDIC's revised IT Risk Management Program Examination Procedures), while the latter came to light just recently with the OCC's special bulletin about ensuring the integrity of software applications whether they're developed in-house, by vendors or by contractors. The common theme is: No matter whether banking services or solutions are managed by your employees or your partners, you're accountable for their security. So, what are you doing about it? I'll be curious to see how far vendor management has progressed beyond SAS 70 audit reports.

Some other areas that have my curiosity:

Phishing - Incidents are up, of course, and we're seeing increased vishing attempts against banking customers. What are institutions doing to educate their customers?
Security awareness - By their own admission, most institutions do an average-to-poor job of educating employees and customers alike. The Red Flags rule puts new emphasis on awareness programs, but have they really improved?
Physical security - Convergence with logical security is something everybody talks about, but what are institutions really doing differently now?

What else? I hear people talking about data leakage, the insider threat, the business role of security. But what's on your mind at the midpoint of 2008? What banking/security issues are you most focused on as you look ahead to 2009?

Share your thoughts and ideas with me. Your input will help craft a State of Banking Information Security survey that meets all of our needs.

About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.