Banking Services: How to Maximize Vendor Relationships
Brian Hurdis, executive vice president of technology services at FIS, discusses:
Hurdis joined FIS in October 2009 with the company's acquisition of Metavante Corporation.
Previously, Hurdis served as senior executive vice president of operations and service delivery and chief information officer for Metavante, a position to which he was appointed in July 2008. In this role, Hurdis was responsible for service delivery, development operations, project management, call center and item processing operations. He was also a member of the company's Executive Committee.
Hurdis has 26 years of experience in the banking and technology business. Throughout his tenure, he has held several executive-level management roles, including president of Metavante's Image Solutions division.
TOM FIELD: What are some of the biggest information security challenges facing banking institutions in 2010?
Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Brian Hurdis, the Executive Vice President with Technology Services at FIS. Brian, thanks so much for joining me.
BRIAN HURDIS: You're welcome, Tom.
FIELD: Just to get us started, why don't you tell us a little bit about yourself, please, and your role at FIS?
HURDIS: Well, my role at FIS really covers a number of the technology components that really represent our business. As you know, FIS is in the business of providing transaction and financial processing services for a large number of banks across the world in this particular case. My responsibilities fall into the areas of running a lot of the strategic operations and within that that would include our data centers, our network environments, working through the architectural guidance with many of our application teams or our products if you will, and then also taking on responsibility for things like information security across the enterprise, as well as how we deliver that ultimately into the course of our products, ultimately delivering products and services to the banks themselves as clients, and in many cases, certainly many more as time goes on here, directly to the end consumer. So that is kind of the breadth of my responsibilities here as we look across the landscape here at FIS.
FIELD: Well, Brian, to tackle the question that I asked up top, as we begin this new year, from your perspective what are the biggest challenges facing your banking institution clients?
HURDIS: Well, I think if you go right to the heart of the matter here, it is really looking at where are the weakest links? And I don't mean that in a derogatory way by any stretch, but as we get into that, the biggest challenge that still remains in the industry today is really the end consumers themselves and, quite honestly, the education that needs to go on and continue to go on with that audience.
As we get to have more and more channels, that being anywhere from the internet, which certainly is very prevalent here in the marketplace today, to the mobile channels that are certainly growing in popularity, and also even if you look back a little bit into the old voice response or IVR environments, the weakest link is the social engineering that does go on to create opportunities for the bad guys to ultimately gain access to data as well as to other confidential type information surrounding the clients themselves.
So, to me that is the biggest issue that remains out there, and certainly as we focus on products, as we focus on tools and monitors if you will, it is all trying to center around to minimize the impact that something like that might happen. But nonetheless education still remains a very, very key aspect to what we do daily through our delivery of products and services to our banks, and hopefully in many cases then assisting them in continuing with their education of their own clients that use the tools.
There are a couple of different areas, though, Tom, that I think just make sense to highlight here as well. I think it really boils down into making sure that again, as we talked about the social engineering characteristics, that we also focus on things like secure communications for email, things that we do every day that normally people aren't considering from a private or confidential use the impact if someone were to get a hold of it as you are corresponding back and forth here. So again, messaging being the theme behind all of that, I think that represents also a very strong area of focus. And I am not trying to ignore the fact that again there are still a lot of bad guys coming after a lot of data centers or businesses such as ours, that happens all the time where they are trying to penetrate, the key is they are looking for the weakest link. And as I talked about the consumer in some regard, I would also look at some cases where you have small businesses and some other scenarios where again, the sophistication and the diligence if you will in maintaining those environments from a security point of view is not as high as it needs to be given the capabilities of what the hackers, if you will, have in the marketplace today.
And probably the last thing just to highlight there is really related to knowing where your data is and being able to classify that data; that being either from a consumer point of view or from how a bank treats its data, which I think many of them are certainly very formal about. And clearly what we need to do as we represent the custodians to a lot of that data in the businesses that we are in, so again, data classification, identification, and in this case protection surrounding that based on the type of data is also a very important aspect to the business.
FIELD: Now, Brian, how do these challenges vary, if they do at all, by the size of the institution whether we are talking about a Bank of America or a Citibank or the small bank on Main Street?
HURDIS: I think if you break it down from the point of view of how we hit it in the prior question, it really boils down from a consumer perspective. I don't really see any major difference between the sizes of the institutions. I think maybe where it does surface for itself is in the area of how much dollars and time and energy goes into that consumer education as we talked about it, but I think that challenge is universal; not only in the U.S. but quite frankly across the world here as we continue to see more adoption into what I will call the alternative channels, or the electronic channels. In this case, I am also including voice.
I think if we kind of look around then, and I kind of highlighted that in my last comments, is that as institutions grow, I think that the larger institutions can afford the specialization into that particular -- whether it be training or in some cases certainly in the technological or engineering kinds of disciplines that support information security. I think that is where a business such as ours, FIS, becomes very relevant in today's economy. As the sophistication grows, we have scale to continue to invest, and certainly many of the larger banks fall into that category. But I think it is not just dollars spent, it is management expertise that gets wrapped around that, and I think that is just a challenge for all institutions, but certainly perhaps for some of the smaller institutions just to maintain the pace, the sophistication and expertise that needs to be done to create the right amount of protection.
FIELD: Well, you know you are headed down a path I wanted to take you anyway; I wanted to give you a chance to brag a little bit.
HURDIS: Oh, here we go.
FIELD: Where can a partner such as FIS really provide the most value in tackling the challenges that you have outlined?
HURDIS: Well, I think if you break it down to the core aspects of our business, I mean, clearly the services that we provide have to be secure, have to be well monitored, have to be very much integrated with the operations of our clients that use our services. And from that point of view, I think that really represents the main connection point that we represent in the industry today.
We are there to be an extension of our customers' operations, and security is probably the most vital one that anybody can provide. If the systems aren't up, it is not as important as if the system is secure, so that is obviously our number-one goal and why we spend a significant amount of time, dollars, and resources maintaining that capability that we have.
I think the other thing that comes into it is really focused around how do we try to work with again, our bank clients and ultimately in some cases preparing them to work more directly with their consumers, on what tools they should be using, some best practices? Again, the transparency of some of the things that we do operationally, although we certainly do have the things that we keep very secret from the point of view of being able to create the right amount of protection, we do have a lot of tools and a lot of expertise that we are able to provide as consulting to our clients. Some of that is part of the course of our relationship, some of it is for a fee, but nonetheless it is the level of expertise that we bring to that marketplace.
And on top of that, we also have a very broad perspective both domestically and internationally on what is going on across the world, if you will, as it relates to these kinds of scenarios. We are very zoned-in as an organization to many, if not all, of the law and protection agencies that we have, government agencies, for that. We stay very abreast through a number of the organizations and associations as to the type of threats and the type of incidents that have gone on, and obviously we are able to leverage that into our delivery of protection, but also then to the educational opportunities that we have and any consulting efforts that we have with our clients.
FIELD: Give me a sense, Brian, what are some of the types of solutions that you are most excited about to present to your clients this year?
HURDIS: Well, I think you know a lot of things that continue to evolve that maybe aren't brand new in nature but the whole scenario of how do we continue to generate better forms of authentication, whether it be dual factor, multifactor, other scenarios along those spaces that also can cross channels (channels being a delivery mechanism). Those are the things that I feel are very exciting in this particular space, as we look into 2010 and, quite frankly, even beyond that.
It is very, very critical obviously that we are able to continue to refine that and also that at the same time make it very easy and straightforward for ultimately the consumers to use that. Because the first breakage, if you will, that occurs within a security program is the fact that it is just too cumbersome, and people start circumventing it or doing something that ultimately creates some level of exposure in that whole protection "cloak" if you will that gets wrapped around the product or the service itself.
I think the other thing that really becomes very interesting is some of the things that we are starting to do here across our products, so we are not only trying to protect the origination of those transactions and the access to the data, but also some of the bad things that could happen, to make sure we are doing everything we can to monitor what I will call abnormal behavior as it relates to transactions and payments.
I think we have all been exposed to over the years the different scenarios that the credit card environments have been able to do looking at transaction types, whether I am traveling in a foreign country and all of a sudden my particular credit card gets challenged for the reason they are making sure I really am who I am and am now out of my normal band, if you will, in terms of where I am doing that transaction. The same kinds of tools and techniques are what we are building into our products that go well beyond the credit space, looking at any and all of the payment channels. And so these are things that we continue to evolve, too, to continue to tie that proactive kind of fraud detection if you will, beyond what I will call the traditional credit space and to look across the different payment channels that continue to evolve here.
As we all know, checks are in the status of decline here, and certainly the forms of electronic payments continue to grow, and with the mobile channels that we are adding to the mix here it only creates more of a challenge to make sure that we have these kinds of capabilities. And I think that is really the wave of the future here, to protect the inbound side, if I can call it that, but obviously to get very, very involved in looking across the channels and looking for those same kinds of fraudulent transactions or patterns that pop out of it.
Jumping around just a little bit more here on this same topic here, I think the other side of it is making sure as we continue to look across our components within the environment, is really looking at some of the national consortiums if you will that have been brought together here as a result of some of the exposure that has happened within the industry and trying to take what they have learned through their unfortunate examples here and apply that in terms of new products and services that we either can use internally from an infrastructure point of view, or ultimately to expose to our clients here.
So that one is more of a work in progress, but I think the key here is the more communication there is, the more visibility and transparency on incidents that do occur, the more as a whole the industry can actually expand and, if you will, harden its capabilities to protect the end-client's data, which is what this whole industry is about. It is all about confidence, and having said all of that it is all about protecting that data and those transactions of our clients and ultimately their consumers.
FIELD: Well, that is well said. Brian, another direction entirely; as you know the regulatory agencies have pressured financial institutions to improve their vendor management. From a partner's perspective, what can the vendor bring to that relationship to help the institution meet its regulatory needs?
HURDIS: You know, it kind of goes back to a comment I made earlier in our discussion here on the call. It really boils down to the need to make sure that we as a vendor, that we as a service partner, look very much in the same vein as an extension to their operations. To me that comes in the form of transparency that they need to understand enough about our operations so that they are able to adapt whatever components that they have retained on their side, and ultimately the management of the clients is always something that they will maintain and retain; they need to have that transparency of that knowledge.
Outsourcing to a vendor does not abdicate in this case the bank's responsibility for maintaining a knowledge of what goes on behind the scenes, as well as the responsibility for making sure that it fits very cleanly with their operation. Very similar to what maybe a disaster recovery plan needs to incorporate between the different components, a security awareness program needs to do exactly the same thing.
From a vendor point of view, to continue with that scenario, we do need to stay on top of our game as I mentioned before, to make sure that we are a step ahead of the bad guys, that we continue to invest and have the wherewithal and the funds if you will to continue that investment, both in what I call physical technology, but also in the expertise that is necessary to continue to work on the engineering for that.
And then lastly, clearly we have to have our own security controls and policies that are comprehensive and continuously reviewed and audited to make sure that that kind of a discipline is not just a point in time policy but really is part of the culture in terms of how we actually operate the company.
FIELD: Brian, a final question for you: What advice would you offer to banking and security officers to help them maximize their relationships with the service providers such as FIS?
HURDIS: Well, I think that the key starts with communications. We feel very strongly that, you know again, we need to make sure that our clients understand what our operational practices are, again at a level that we can disclose to them to make sure that we don't create other issues, but nonetheless communications being a primary theme of that.
One example of what we have done here within FIS is we have a scenario where our clients are invited in certain business units, and we are expanding this across the enterprise, to have more of an in-depth discussion on key topics such as information security, another case would be an example of a disaster recovery, so that they have a good understanding of what we do, how we do it, and quite frankly talk more specifically about things that they could be doing and how they could enhance their own internal practices or, quite frankly, some of their other training and education with their clients.
So again, I think that is a very important aspect of it as you look at a bank and their staff trying to work more closely with their vendors, it all has to start with that line of a communication here. But I think the other side of this really comes down to continuing to have some back and forth dialog on what strategic direction the banks themselves want to go, and again I think that does dovetail off the communications, but there is a strategic view of if they adopt more channels, adopt more strategies to engage with companies like FIS to work with them to understand what does that mean, what are the broader implications of that in terms of their delivery and their support and some of the things we have talked about earlier in this conversation.
FIELD: Brian, very well said. I appreciate your time and your insight today.
HURDIS: You are welcome, Tom. Thank you.
FIELD: We have been talking with Brian Hurdis, Executive Vice President with Technology Services at FIS.
For Information Security Media Group, I'm Tom Field. Thank you very much.