Stephen Katz on Top InfoSec Issues of 2008
Stephen Katz, former CISO at Citigroup, now founder and President of Security Risk Solutions, an information security company providing consulting and advisory services, sat down with Editor Tom Field to discuss the major issues facing banking institutions in 2008.
Read this interview for his insights on:
- ID Theft Red Flags - are institutions giving it enough attention?
- Vendor Management - the need to improve oversight of vendors and their vendors;
- Governance - what works, what still needs work;
- Pandemic preparation;
- Many other top issues.
TOM FIELD: Hi. This is Tom Field with Information Security Media Group. Today I am talking with Stephen Katz, and the best way to describe him is that he was the first CISO in the world. He is well known in security, well known in finance, and Steve, it is a pleasure to talk with you today just about some of the issues that banking institutions are facing this year.
STEPHEN KATZ: My pleasure, Tom, and very pleased to be here and to be part of this.
FIELD: Steve, you are out on the road a lot now with your financial services roundtables. From what you hear, what you see, what are the top security trends that you see impacting financial institutions this year?
KATZ: Well, it's kind of interesting. We really, in doing these roundtables for the Roundtable Network, a couple of things have really come to the foreground. And we mention this a lot. There are really three things that the information security executives - actually, any executive deals with. Things that they know that they know, and that tends to be really a small part of their responsibility. The next piece and next larger piece, is things they know that they don't know. The scariest part and I think something that could be causing 50%, 60%, 70% of their responsibility are things they don't know, and how do you go ahead and discover what it is you don't know, turn it into something you do know and then try to figure out how to address it and make it better?
If I look at the roundtable network and through things we have looked at over the past year, some of the major issues that folks have brought to bear are their concerns about compliance, policies and governance. Essentially, the folks in the accounting world have it somewhat easier. They have something called GAAP, Generally Accepted Accounting Principles. We don't have that in security. So, each company has to go ahead and find a way to provide that on their own, and they don't have the statement in there to fall back on and say "This is required by GAAP." So, it is a matter of putting together a process within the company to say "This is what is required for us to provide a safe and secure environment for our customers, this is what is required for us to deliver on our trust commitment to our customers, this is what was required to deliver on our regulatory commitments."
The next area, which has caused a fair amount of concern, tends to be in the area of risk management matrix. How do I measure what is going on? How do I have the consistent and accurate means of demonstrating to the board or demonstrating to my business management that we are more secure than we were before and that we have made risk-based decisions, and here is the trendline looking at the system matrix both internally, and almost equally importantly how do our matrix compare with the matrix in our peer group?
The next area that saw a lot of concern raised about was data loss prevention, and how do you go ahead and ensure that the information that has to be kept within this company is kept within the company, and if it does get out of the company, that essentially is it protected in a way that it can't be made useful to anybody else? Data leakage has been an area of concentration and concern and that is very important. But I think as the article in The Times showed today, that before we had really good laptop encryption and it turns out that there's ways to bypass that.
Security continues to be a journey, not a destination, and simply protecting the core data itself so that even when it does get through your data loss prevention screens, that if it does become available to somebody else it is in a way that is of limited value to the people who see it.
Another interesting area is that we get a feedback on is how do you put together an effective governance program, and then how do you put together an effective security awareness, education and training program? And then next on the list and certainly not least, is how do we go ahead and manage security with outsourced service providers? What do we do to ensure that the vendors who are receiving our data are using our data and have full access to our data are adequately securing that data?
I think the other thing that we really need to think about is that a CISO is either becoming or has become a critical function within corporations themselves. They are a critical component of the business process. More and more businesses have relied totally on technology and they have offered products and service to both customers, suppliers, supply chains, business partners, so that the world has become totally borderless, and how do you go ahead and ensure that you provide adequate security, invest in security, while also ensuring that the company can meet its customers' demands and business leaders can make a risk-based decision?
Realistically, focus in the IT world tends to be custodians of data or custodians of applications. But the owners of applications and the owners of our data really are business management. And the challenge is to take the world of information security and make the risks realistic and understandable to the business folks. They will look at the security people as the experts, but the security folks have to be viewed as an intricate part of the business process, and we have to be viewed as people who can understand what the business is trying to offer and come up with a level of fair alternatives that allow our businesses to move forward and deliver products securely, we will also be in a position to draw the line when business A wants to accept a risk and the risk is too great to accept.
FIELD: Steve, that is awfully well said, and it really validates a lot of what we see out in the field as well, so it is good to hear it from you.
I want to take you back to compliance for a minute. What do you see as the top regulatory issues right now for institutions of all sizes -- what are they talking about most?
KATZ: It's what they are not talking about most that concerns me the most. I was on the phone with a couple of people today ... Your company has come up with a really good overview of the Identity Theft Red Flag regulations, and it is not getting enough press. Red Flags I think were -- the red flag regulations were passed and finalized, I think, last October. They went into effect as of January of this year and they are auditable as of, I guess sometime October or November of this year.
What is frightening about it or challenging about it, and I think you will provide the link to the regs, there is something like 60 pages to deal with of regs and commentary on the regs, and each of the regulatory agencies have put in comments and customized the regs in these specific FRB requirements, SEC requirements, etc.
One key line in there is something that has to cause every security professional to, you know, cause them tension quickly, and that is the board of directors are required to get involved in and understand and approve the identity theft management procedures and programs. You now have board involvement. Throw in a tremendous amount of involvement to get it right, and there are very few people I have spoken to recently that are talking about the Red Flags Act. First of all, it's financial services and the FFIEC is directly involved, the Federal Trade Commission is directly involved. It is really a big deal, and it has been very understated.
As I do these roundtables all across the country, I have only heard it come up once, and we have been bringing it up since then.
So I think if there is any pending issue, it is not so much what would it have to have in it, we've dealt with Sarbanes-Oxley for years ... Identity theft is getting less and less of press, lots and lots of play, and while it wasn't you know at all clandestine, the Red Flags Act sort of grew and grew and grew. There was a commentary period for most of 2007, it is in effect now, and they don't know how many folks have put together an adequate program that must have board approval.
FIELD: Steve, I think you make a good point there, and this certainly is Red Flags is what we hear a lot about and realize there is a lot of work to be done between now and November.
You mentioned governance a few minutes ago, too, and that's something we hear an awful lot about now. From what you've seen in institutions, what works and what needs work in terms of governance?
KATZ: Governance is probably the most misused, overused word around. If I look again in the information security world, you're looking to put together a program that defines roles and responsibilities for the board of directors in the boardroom, CEO, senior business managers, operations managers through individual workers top to bottom across the corporation. It is someone playing God in an incredible matrix and saying what/who has to prepare something, who has to approve it, what it is we have to approve, what do we have to do as security operations-wise, what kind of matrix does he have to look at, what kind of matrix does he have to prepare and what kind of action has to be taken?
It really puts a framework around information security, information risk management across the corporation, and the mistake I think we too often make is: We are really good in security about putting measures in to define governance from the security department on down. But it really has to begin with defining the roles and responsibilities and requirements from the board, and we mentioned the board's requirements and responsibilities for Red Flag.
The board also has a set of requirements under GLBA, which require that the information security officer be in place, that a program be in place. These will have to be defined and spelled out because the board members don't have time to figure that out themselves. Executive management certainly has a role, as well as responsibilities, and what they have to do to implement the security and implement the measures with protection, but also what they have to do to ensure that the program is actually in effect and it has been truly operationalized, which also requires that they and you have to work to help define the matrix, and they and you have to work to review the matrix, and they and you have to come up with the recommendations, requirements and what has to be done to set directive action programs in place. And then there is making sure it is fully operationalized so that the operations manager, technology manager and business managers actually do what they have to do, and there has to be constant feedback. It really comes down to putting together a highly integrated matrix of roles, responsibilities and actions. It is a job, and I think it's a job of putting that together rests right on the shoulders of the head of information risk or the head of security or the head of operations risk.
FIELD: Steve, do you see anybody doing it particularly well or do you just see people talking about it?
KATZ: I see various companies doing posturing very well. It is a massive responsibility and really comes down to the CISO or head of information risk to sit down and say 'We need to put together an end to end governance program, and here's the matrix that we've filled out and here's what has to be done.' And it has to be put together like any other project and with a set of deliverables. And I think, unfortunately, you tend to use the term governance too loosely, so it leaves too much room for flexibility, and that is room for really sharing out what people need to do, have to do, and must do.
FIELD: Steve, let me take you in another direction. We are hearing an awful lot now about pandemics, and certainly we have had guidance come down from the regulatory agencies about it. Pandemic preparation is something that institutions haven't done particularly well. What do you see that they need to do to be both compliant and secure?
KATZ: First of all, step back and say pandemic preparation is not avian flu preparation. And I think we tend to use the two synonymously and spend an awful lot of time tracking outbreaks of avian flu and how many cases of avian flu you might have in Indonesia.
I think it is how do we prepare for a massive problem that can impact every employee we have, or a massive biological problem? What needs to be put in place?
What you first realize is that you prepare for a pandemic the way you prepare for any other major crisis, whether it is an electrical crisis, whether it is a natural crisis like a flood, earthquake, power failure.
It is a crisis that you have to prepare for, and you have to go through the efforts of determining what is a must-have within so many hours, and it comes after the charter of ensuring the availability of services and what services must be made available, and how do you do that from remote locations and recognizing that there is only so much you are going to be able to do as an individual decision, so much you can be able to do as a sector and so much is going to have to do because you are relying on communications and communications networks and power networks.
And it comes down to a fully integrated approach to dealing with a pandemic, like having to deal with any other major event that can have impact on a company. The problem with the pandemic is that if there is a pandemic it is going to influence not just a geographical region, the potential would be both domestic and international. So it's maybe in terms of financial services staying plugged into what FFIEC is doing; OCC, I know, is actively involved and have done an incredible job in sharing pandemic counsel ... So, if you look at the FFIEC, if people aren't involved with that they really should be.
FIELD: Good point. Steve, let me ask you about cyber crime. We all hear and we all know that the bad guys are getting better, but are they also getting stronger ties to organized crime, as we hear? And if that is the case, then how do we fight back?
KATZ: Wonderful question. And I understand there was also a meeting in D.C. last week on cyber crime, public and private sector discussion on cyber crime. And I know we have been looking at that, gosh, when I was sector coordinator for the financial services sector back a bunch of years ago. This private/public partnership focusing on cyber crime was something of a major focus.
I think if we turn the clock back 10 years ago, we were beginning to look at organized hackers. We were looking at folks who were beginning to go ahead and try and harvest information and then go ahead and sell it.
I think if you were looking at cyber crime today, we are looking at two major areas of concern. One is, I think, state-sponsored terrorism. State-sponsored crime. That can come from almost anywhere, whether we are looking any country you want to name or looking at Al Qaeda trying to attack the economic infrastructure. They are out there trying to garner information and try to impact the economy of the United States and thereby the economy of the world, or the economy of the Western World.
The other is freelance fellows or folks who have figured out that you can go ahead and harvest identity information, harvest financial information, and now go out and sell it. I think what we are missing are the sales of folks who are harvesting the information ... they operate independently, but have a place where they can go ahead and if you will, fence stolen merchandise. And the level of the merchandise, type of merchandise that you have, will come up with a price, and it is almost like an eBay for bad guys.
I think what we need to do is one, work much more closely together ... If I can rub my magic lamp, let me step back, for years -- and this is not in any way shape or form a slap at DHS or Treasury -- but DHS, Treasury are primarily run by, you know, overseen by political appointees. First six months to a year of a new administration, folks spend that time away; three years into or two-and-a-half years into their job, if they are there that long, they are trying to figure whether the President is going to let them stay in that position, and seven-and-a-half or eight years later they know the President is going to be out and they will have to get another job anyway.
If I could rub my magic wand, and I was just over the financial services sector, I would come up with a cyber security czar to solve the financial services that would be positioned in the Federal Reserve Boardroom or Federal Reserve board of governors.
One advantage you have there is that if somebody is part of the FRB or under the umbrella of the FRB, you are not looking at political appointees. These folks are there at a span of administrations. So, I think if you could put together a really strong cyber security czar for financial services in the Federal Reserve who would reach across the private sector, both to be able to reach as well as the public sector, de-politicize it as much as possible and recognize that this is a long-term commitment that a public/private partnership is certainly a reality that can be achieved.
It is the change in consciousness that we have to put in place that says this is important to the country. The same way we recognize that Y2K was important to the country, cyber crime -- whether it is state-sponsored cyber crime or Al Qaeda-sponsored cyber crime or organized crime-sponsored cyber crime -- can significantly impact a company within our economy, and that if we recognize and accept that as a reality, then we have to put a program in place that will say we are bringing the resources of both private and public sector together with some very long-term objectives.
It is not a short-term effort that can be achieved, and it is one that says awareness is incredibly important, exchange of information is critically important and then mind around a common goal is incredibly important. It can be done.
FIELD: Steve, you mentioned vendor management earlier, and in talking about how institutions have to get a better on their vendors who are securing critical data, but a point we hear a lot more now is not just your vendors, but your vendors' vendors - fourth-party service providers. What do you see as some steps that institutions can start to take to manage their vendors a little bit better?
KATZ: There are a couple of things. I have to turn around and say yes, full disclosure I am on the board of directors of a company called Avior Corporation that has a vendor management product in place -- actually it is a vendor management tool that brings in requirements from FISAP to FFIEC guidance and on and on and on. I took the board position because I viewed management of third-party or fourth-party service providers as a major importance.
If you look at a large corporation, take any one of our large financial services firms over the city, J.P. Morgan or the Goldman, you are looking at thousands and thousands of third- and fourth-party vendors and no consistent means of understanding all it is that they do. I had sort of high hopes for the FISAP process, the shared assessment process that they've put together. I think that is a solid question set, standard questions set, all standard set of procedures are there. I think prioritizing vendors either using the FISAP or using FFIEC guidance or using internal policies and standards is incredibly good. I think what you want to do is come up with a way to have a consistently measured question set that you can use across the board to measure service providers over time.
Then you want to have two sets of priorities. One is, and I think we really have to be careful with how they do this, you look at your top tier, the top in the 10% in pay. All vendors are going to submit the questionnaire, the top 5% will always have a site visit by either the financial services firm or a firm representing the financial services firm. The next 10% to 15% will have telephone reviews, and the remaining percentage will go through periodic control assessments, and the results of all of the control assessments will then also trigger onsite visits or telephone visits.
I think a consistent control usability is incredibly important. I think so much of what we do today in terms of vendor assessment tends to be done by a series of spreadsheets that winds up being incredibly labor intensive, inconsistent, and we never really ever have a handle on what is going on. So, I think consistency is important, a solid matrix is important, prioritizing importance to a vendor, and that comes down to be a type of data that they are receiving and prioritizing what is an acceptable level of security and what isn't. So hopefully that is giving you some view, or some answers to the question.
FIELD: Do you think that financial service executives have gotten the message that vendor management is more important now, and that they are going to be getting more pressure from the regulators on this?
KATZ: I think they have and I think, are you familiar with the Moody's Rating System? I think Moody's has really kind of taken on or doing some work with ... a process where they are using an automated rating system combined with an analyst, combining with the hands on work to ultimately come up with a security rating system for certain process party vendors. Whether it is Moody's -- and I think that is a really good way to go -- or whether it is going to be some other [system], that is certainly going to be helpful.
FIELD: Steve, you mentioned security awareness earlier, and as you know -- we all know -- that institutions struggle with doing enough security awareness for their employees and for their customers. Do you see any examples of this being done well with either constituency, with employees or customers?
KATZ: I hate to turn to one of my alma mater. Citi has put together -- we put together a program years ago, and they have improved upon it by a number of orders of magnitude. They have put together security awareness training videos, security training, awareness training program for employees and loyal service providers as well as customers. They have really done a remarkable job of recognizing that. They also have to do a security awareness training for their security or risk management infrastructure. So I think every one of the -- everybody that has anything to do with information security is trained.
Another company that has done an incredibly good job is Depository Trust and Clearing Corporation, and they have an ongoing security awareness program that has been quite effective, and they have managed their commitments from their CEO who actively takes an active part and an active role in not only the ongoing day to day security practices, but also is right there in the middle of their annual security day and has shown up a couple of times in costume. In fact, I think a year or two ago they had, they did something about piracy and here is their CEO in a pirate's costume.
But again, they take it seriously. The commitment has come not only from the security office, but also from the very top of the corporation. And if it is meaningful from the top of the corporation and you get the CEO to take part in it, it is going to be meaningful to everyone below the CEO.
FIELD: Now, what do you see happening with some of the smaller institutions, if anything? Because you know too often it comes down to a matter of resources, and the bigger institutions have the resources the smaller ones don't.
KATZ: There are a couple of firms out there that provide security awareness and training programs. Some of them are online, and some of them are videos that are darn effective, and from what I understand are not that particularly expensive, and they will help the company help get the message out.
FIELD: Now you mentioned before that ID theft red flags is sort of the one issue that is not getting any of the attention it deserves. What else do you see as you look around at institutions aside from Red Flags. What do you think they are not paying attention to as much as they should be?
KATZ: That touches on an interesting thought. So many of the regulations that are out there ... are out there because the firms themselves are not delivering on the trust commitment that they have made to their customer and the trust commitment is being reinforced by regulation.
I think an effective security program will transcend. HIPAA will transcend protecting employee information to protecting financial information. It says what do we have to do to deliver trust to ensure that trust commitment for our customers, our employees, or service providers, our consulting staffs? We did some kind of background security, we did some work at Citi back in, a while back, where we had John Reed stand up in a video and say Citigroup, or Citicorp at the time, really only had two products, money and trust. And if you are not selling the trust, you are not going to sell the money.
And I think it's kind of commitment that comes down to the way we are going to deliver on the trust commitment to our customers, and we are going to deliver on the trust commitment to our employees and put an effective program in place that is risk-based, recognizing there is a minimum baseline you have to meet anyway, and as long as we do that, the regulations will not be a challenge. Because the regulations are just there to ensure they deliver a proper level of security.
If we deliver the proper level of security, we never really have to worry about the regulations per se. We've analyzed risk, we've determined what is best for our customers, we've made recommendations to business management with risk recommendations, and in some cases the recommendation is you really can't, you know ... we at the head have to take risk, have to insist that this is the way to go and elevate it to a risk management committee of the board. If you put an effective program in place, you really don't have to worry about the regulations.
FIELD: As you said, it all comes back to this one fundamental issue of trust. That is the issue.
KATZ: And coming back to fundamentals. If we look at small thing that happened at Soc Gen, it comes down -- at least if we can believe the media coverage -- it was a breakdown of fundamental control. There was a breakdown in understanding what it is end users do. It is understanding that you now have somebody in Department A who is doing things that only people in Department B, C, D and E are doing. It is understanding that segregation of duty that should have been in place wasn't in place.
Somebody mentioned at one of my roundtables that if you are with a company long enough, eventually you have access to everything, and no one will know about it.
FIELD: Well, you are right.
KATZ: And do we really know what applications our end user or customers are accessing? Do we know when they are accessing them? Do we know why they are accessing them, and is what they are accessing normal behavior? Is what they are doing matching what their group should be doing? Or are they doing something that is out of the normal bounds of the group that it is a part of? And instead of trying to rely on businesses to tell us what they think people should have access to, wouldn't it be great if we could go back to the book and say 'Here are applications that these people are accessing, is that right?,' as opposed to saying you go define a role or roles and responsibilities in groups, let's go back and let the behavior define the group. And then take it from there.
FIELD: Steve, you mentioned the roundtables a few minutes ago. Tell us a little bit about the roundtables. Where you go, who you talk to and the types of conversations you are having.
KATZ: Roundtables are incredibly interesting activities that I was fortunate enough to get involved with about three years ago. And we wind up having -- we hold 50 roundtables a year in roughly 10 cities across the United States and Canada. We invite CISOs from major firms to each of the roundtables, and we generally have 12 to 15 CISOs at each of the roundtables. They are in all cases sponsored by a vendor, but they are really there to enhance networking among the CISOs in the particular city that we are in, and we are really there to help articulate and have these folks who participate share how they are ... But by and large most of the people attending these roundtables, and we probably have 50% overlap at each roundtable, stay in contact with each other in between the roundtables. It has become a professional networking event for them. There aren't any dues, they don't have to pay anything to attend. But they do -- and we get their permission at each roundtable event -- they share their contact information, and these folks stay in contact with each other, so that when there is a problem or there is a concern they can pick up a phone and say, 'Hey Mary, I am seeing this, have you seen it?' And it is outside the bounds of any organization. I know they get together for lunches, two or three or four of them at a time. I know they get together for drinks occasionally. But it becomes a very informal network of security professionals who are dealing with the same problems. So, they know the secret handshake and code word, and they respect each other and help each other out. And to me, that is the most gratifying part about what I am doing now is helping to build these ad hoc professional networks at this point in 50 cities.
FIELD: Well, Steve, I really appreciate your time and your insight today.
KATZ: My pleasure Tom. If there is anything else I can do, please feel free to let me know.
FIELD: We have been talking with Stephen Katz. He has been giving us his insights on what he is seeing in financial institutions in 2008. For Information Security Media Group, I'm Tom Field. Thank you very much.