Take Ten Podcast with Rhonda MacLean
Welcome, Rhonda.

RHONDA MACLEAN: Well, thank you, Linda, it’s nice to be here.

L. MCGLASSON: What are some of the constants - - and you’ve obviously, with your years of experience, seen many of them, but what are we still dealing with, the problems you had back in the early days, in terms of information security and risk? And is the TJX data breach that just recently hit the headlines a glimpse of what we can expect to happen when security and operational risk management doesn’t occur?

RHONDA MACLEAN: Well, I’d like to say it’d be nice if we didn’t see those kinds of things occur. But I think we will continue to see them, and I think this is where the challenge lies. And TJ Maxx is just one of the companies that have had it - - we’ve had recent headlines over this last year. You can go back and look at the Department of Veterans Affairs and the big data loss that occurred there. Also, in February, the Justice Department’s Inspector General’s Office reported the FBI had lost 160 of their laptops between February of 2002 and September 2005. So nobody’s immune to this.

And I think it goes back to what was the beginning of your first question, what is constant and what needs to be constant? And it’s the fundamentals. I think, in many ways, we have continued to struggle with what are the basics, what are the basic things we need to do. And it’s about risk management, not about risk elimination. Obviously, in the environment we live in, we can’t eliminate risk. So we can start by thinking about the basic fundamentals we’ve known for a long time we need to do. And that revolves around three key elements. Those are people, process and technology. It takes all of those working together to deal with the threats and the risks we have today.

So, from a people standpoint, if we’d look at that, do we know who’s having access to our systems? Are people trained? Do they know - - are they aware of what they need to do and why they need to do it?

Do we have good relationships and processes in place, so if we are doing business internally and we have a breach, do we have a good crisis management process in place? Do we have a process for vetting people who have access to our systems? Do we have reporting mechanisms to make sure the controls and the processes we’ve put in place are working and they’re in compliance? So can we measure that?

And then there’s technology, and technology is the key part of that. Having good access control software, having encryption, which is basic and fundamental when I think of the laptops, the lost laptops. It’s just - - in today’s environment, it’s beyond me to understand why anyone would not encrypt their laptop. It just seems so basic and fundamental to lock that down, because they are so mobile. And as we get more and more sensitive data on mobile devices, such as BlackBerries and our cell phones, which may contain customer information or prospect information or all kinds of valuable information, what are we doing to protect those? So it is about doing the basics.

I do see a change, however: instead of just looking at network security and thinking about firewalls and perimeter controls, I do see more and more emphasis going on that data. And I think that’s heading us in the right direction, and that’s to support the business of the future and the businesses who are doing it today, which is globally. Which means we need to have access, and access by people who may not work within the walls of our companies. So geographically, the walls have come down, because of the technology and the way our business is going. That’s what we need to do, and we need to enable those transactions to happen. We just have to have good people, process and technology in place to assure we can do it effectively.

L. MCGLASSON: What would you recommend to financial institutions to further their research perspectives on emerging threats and solutions?

RHONDA MACLEAN: I think there’s a lot they can afford themselves of that is already out there. There are some great threat reports that are produced by a number of sources that they can have access to. The Symantec Corporation does a wonderful report you can get right off their website that they keep up to date. The Anti-Phishing Working Group has information you can get. Carnegie Mellon University and the CyLabs and the CERT program have some tremendous information on threats. I think making sure that you afford yourself, taking advantage of really what’s out there and available, really gives you a good handle on where the threats are going and what people are saying.

I think another really important thing is to become part of the financial institution sharing mechanisms, whether it’s through the FS-ISAC capability that the financial institutions have put in place, or just through your network of reaching out through organizations such as the Financial Services Roundtable and BITS or the FSSCC, which is a great technology research arm of the financial industry.

So there’s a lot of available resources out there. You just need to become active and take advantage of them.

L. MCGLASSON: I think you said the key word is “active.”

RHONDA MACLEAN: That is a key word, “active.”

L. MCGLASSON: In terms of customers’ trust in the financial services industry as a whole, and then also especially where online banking is concerned, are we facing more problems due to the influx of botnets, phishing malware and keyloggers? And what more than multi-factor authentication can and should be done? And then finally, is mutual authentication the next obvious step for most institutions?

RHONDA MACLEAN: There’s a lot of parts to that question, so let’s start with just customer confidence and online banking and using online services in general. I think the banks have been a little bit ahead of the game in the sense they’ve been in the business of selling trust for years, and I think they’ve clearly understood good controls need to be in place. Again, it’s about risk management and not risk elimination, but it’s keeping abreast of what those risks are and the threats are and then adjusting your program. It’s not about being static. What maybe you did a year ago might not be enough today, depending on what you’re seeing. So that monitoring of activity and watching, if you’re having problems or your customers are having problems. The FFIEC recently, about a year and a half ago, put out a new requirement letter really requiring two-factor authentication, and really understanding the risk around how you are controlling the risk. And I think all the banks are going through that process of really assessing their risk and applying appropriate controls based on their own customer environment and controls that they may have in place.

I actually think one of the things the industry also can keenly take advantage of is that customers who do online banking typically check their account balances more often, and they actually detect if they have a problem, unlike customers who wait for a statement and maybe don’t recognize they have a problem for a few days. But I think the more and more customers do things electronically, they can watch their balances, they can watch transactions, they can watch activity. And I think the customers are an important part of this, I think, helping us know when there might be a problem. So online banking actually offers our customers a lot of advantage in the financial industry, I think, to do that, to be a part of that, an active part of that.

The other part of your question about mutual authentication, I think customers like convenience, and being able to get online very quickly and very safely is a key factor. And I think it’s important that, as we allow transactions to occur, whether it’s on the consumer side or on the commercial side, making sure that, if we are handing off transactions such as wire transfers, we have effective mutual cross-authentication for those things to occur.

L. MCGLASSON: What keeps you awake at night in terms of information security within your practice and also what you’re seeing?

RHONDA MACLEAN: What I’m seeing, I’d say I think that there’s a real threat out there that we haven’t seen to its fullest extent yet, and that is the botnets. I believe you mentioned that earlier. I recently was in Australia and met with a number of the folks in the financial industry in Australia. And back in early December, there was a denial of service attack, which really says we’re trying to prevent - - that will flood the network with so much traffic that no one can get to a site. So they can virtually make a site inaccessible. And I think that this would be very, I think, unsettling to all the institutions, as well as the regulators and really everybody if we really saw that type of targeted attack against the financial sector. This is where I think there needs to be a strong, strong continuing public-private partnership between the financial industry and the Department of Homeland Security and critical infrastructure protection. And when you put this globally, I think in global terms it means that we also have to have effective treaties in place, so that if we see this internationally we have a mechanism to respond to it very quickly, and all the players know what their role is and how we’re going to make this work, and really address the issue. I think it could be, to me, and that would be a very scary situation indeed if we had a real concerted, targeted attack against the financial industry.

L. MCGLASSON: You were talking about sharing information across borders. Here within our own borders, what would you like to see in terms of sharing best practices and expectations between the regulatory bodies, both federal and state, and those financial institutions out there?

RHONDA MACLEAN: Well, I think the financial industry is doing a really pretty good job in this area. I think this is an effective - - where we’ve put in associations such as the Financial Services Roundtable, the American Bankers Association. And I think what we’ve put together back in 2002, with the Financial Services Sector Coordinating Council - - which really brings together all the associations as well as the utilities and the institutes which do our training in the financial industry to work together. And they meet on a very regular basis, and they co-meet with the FFIEC and the FBIIC (Financial and Banking Information Infrastructure Committee) - really the FBIIC members, which is made up of our regulators in this industry, and having that dialogue, that constant dialogue, I think is important, of enhancing that partnership, because it is really a two-way street. We really are interdependent on one another to really address the risks that we’re facing.

And that structure seems to have been working. Out of that has come a number of initiatives, including the Financial Services Information Sharing and Analysis Center, which is the FS-ISAC, which does a lot of threat sharing. There’s also some great work that has been done, I believe, in the money-laundering area as well as the privacy area and just operational risk management in general through some of these associations and memberships and collaboration between the institutions.

L. MCGLASSON: Finally, your words of advice to the information security professionals out there in financial institutions?

RHONDA MACLEAN: Continue to grow and continue to develop strong relationships within your own organizations, to really become a part of the business and the business solution and helping the business enable new ways and innovative ways of delivering banking and finance services to the customers. But also, make those connections on the outside. Keep very current about what’s going on and very vigilant. And never get discouraged. This is a great opportunity, and it’s a great career path for people. Risk is something and security and business continuity, all those things that go into the operational risk scheme, those are great career opportunities. It’s like playing chess. You can learn something new every day, and the game changes, and you can only get better at it and find new and exciting things to do.

L. MCGLASSON: Thank you, Rhonda, for sharing your thoughts with us today. And we’ll come back to you later on to hear more of your insight. I’m Linda McGlasson, and this has been another Information Security Media Group podcast. Look for more interviews with the luminaries of information security in the financial services industry on our website. That’s all for now.