Time to Start Thinking About the State of Banking Information Security 2009
Talk about a harmonic convergence.
Just as the major banking regulatory agencies went before the Senate committee recently to deliver their "State of the Banking Industry" addresses, I was sitting back and starting to think about drafting the questions for our next State of Banking Information Security survey.
You'll recall our inaugural survey from this past winter, when we first took the pulse of the U.S. banking industry to get your sense of what the top banking/security priorities would be in 2008.
No huge surprises. You validated our belief that Identity Theft Red Flags, vendor management and pandemic preparation would be significant agenda items this year, and they have been. Indirectly, you also were the first to articulate that customer trust - acknowledging and securing it - would be a top priority, and now suddenly everyone is talking about this same issue.
So, six months into this year, six months away from next, it's a good time to think about what will be 2009's hot topics. Help me brainstorm here.
Some items are just perennial. Budgets, titles, reporting relationships, regulatory challenges - we know we're going to track this data year-to-year, and it'll be interesting to see whether, and how, pandemic preparation is becoming a bigger focus of business continuity/disaster recovery planning.
But what about the Identity Theft Red Flags rule? This year has been all about creating a plan to meet compliance; next year will be about deploying it. What challenges do you expect to face there?
And then there are vendor management and application security, which I lump together. We knew the former would be a focus this year (see the FDIC's revised IT Risk Management Program Examination Procedures), while the latter came to light just recently with the OCC's special bulletin about ensuring the integrity of software applications, whether they're developed in-house, by vendors or by contractors. The common theme is: Whether banking services or solutions are managed by your employees or your partners, you're accountable for their security. So, what are you doing about it? I'll be curious to see how far vendor management has progressed beyond SAS 70 audit reports.
Some other areas that have my curiosity:
What else? I hear people talking about data leakage, the insider threat, the business role of security. But what's on your mind at the midpoint of 2008? What banking/security issues are you most focused on as you look ahead to 2009?
Share your thoughts and ideas with me. Your input will help craft a State of Banking Information Security survey that meets all of our needs.