Sept. 11 Remembered: Convergence is One Key to Avoid Catastrophe
The sixth anniversary of September 11th draws near, and the question floating among those in the financial services industry remains, “Is my institution ready in the event another 9-11 happens?”
Information security expert William Crowell believes that having a completely integrated and converged security program at your institution will help prepare your staff to handle what may be termed a catastrophic event. “September 11th was the wakeup call for the security industry as a whole,” said Crowell.
“Remember, the bad guys go for the seams, just as the 9-11 hijackers did,” he noted. Asked why financial institutions should be concerned about physical and logical security convergence, Crowell replied, “The majority of financial institutions, and the industry as a whole, are very concerned with security, that their systems are secured and that they minimize risk wherever possible.”
That being said, he added, over the years all of the different services within a bank have grown up and gone into separate “stovepipes”: banking in one, credit cards in another, retail separate from corporate banking, and so on. “Along with that, risk assessment, risk management and security have all been separate as well. So the convergence of physical and logical security is part of a set of actions that need to be taken to manage risk more robustly.”
One thing troublesome to Crowell is the fact that most industries are global in nature. “Much of their business or parts of their business are supported globally, over vehicles like the internet. This makes them much more susceptible to attacks that can be very costly.”
Crowell pointed to the growth of back office processing, help desk, and administrative tasks being pushed to third party vendors in overseas locations. One example he gave: last year he was speaking to his accountant in California. He asked when he would be getting his tax return back (he was turning his taxes in at 4:45 p.m. on the West Coast). “My accountant said, ‘Oh, we’ll have them ready for you tomorrow by 8 a.m.’”
“‘What do you mean tomorrow?’ I asked. So he replied, ‘I send it out to Asia for processing.’” An accountant with no staff, and all his work was outsourced overseas, Crowell said.
There are some companies that have initiated physical and logical security convergence, and are approaching it in the right way. “One very large convergence project has started at BT, or British Telecom,” Crowell noted.
“In this country, I think we’re beginning to see several convergence projects in the banking industry. Bank of America and Wachovia are in the early stages and working hard on it,” he said.
There may be inherent weaknesses in financial institutions’ approach to security and infrastructure that could cause problems in the future, Crowell noted: “I see the growing dependence on electronic transactions over the public internet and the potential risk that this poses as the attacks become more sophisticated. Attackers are becoming very sophisticated in terms of their ability to penetrate a network’s defenses.”
What’s most troubling to him is the combined insider-outsider threat, where an attacker gets entry into the systems, or gains help covering up the intrusion, via a change in logs or a firewall setting.
What about institutions that have a “wait-and-see” approach to convergence? What do financial institutions need to do not to get left behind? “Institutions that will get left behind are the ones who do not recognize the enormous changes in skill levels and organizational structures that will be needed to gain the advancements that convergence offers,” Crowell noted.
He explained that typically the physical security office is run by an ex-marine or ex-law officer, adding: “That’s who knew the most about physical security.”
“Now, physical security is much different: authorization and access equipment is running on the network, and has to interact with all the other systems to get the most value out of it. This is where anyone starting out needs to begin. Ask these questions: What kind of people do I need? And where do I get them from? Do I need to hire them, or buy consultants?”
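The point above, that badge and access-control equipment now lives on the network and gains its value by interacting with the other systems, is easiest to see in a small correlation check. The following is an added example, not code from the article or from any project Crowell describes: it joins a constructed badge-reader log (physical) against a constructed network logon log (logical) and flags the seams between them, such as a logon from an office LAN by someone who never badged in, or by someone badged into a different site. Site names, subnets, user names and timestamps are all made up for the illustration.

```python
"""Correlate physical badge events with logical network logons.

Added example (not from the original article). All data below is
constructed for illustration; site subnets and users are hypothetical.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical office LANs: a logon from one of these ranges implies the
# user is physically inside that building, so a badge-in should precede it.
SITE_LANS = {
    "NYC": ip_network("10.1.0.0/16"),
    "CHI": ip_network("10.2.0.0/16"),
}

# Constructed badge-reader log: (timestamp, user, site, direction)
BADGE_LOG = [
    ("2007-09-10T08:02:00", "alice", "NYC", "IN"),
    ("2007-09-10T08:15:00", "bob", "CHI", "IN"),
    ("2007-09-10T17:30:00", "alice", "NYC", "OUT"),
]

# Constructed network logon log: (timestamp, user, source IP)
LOGON_LOG = [
    ("2007-09-10T08:10:00", "alice", "10.1.4.20"),    # NYC LAN, badged in: fine
    ("2007-09-10T08:20:00", "bob", "10.1.7.9"),       # NYC LAN, but badged into CHI
    ("2007-09-10T09:00:00", "carol", "10.2.3.3"),     # CHI LAN, no badge record at all
    ("2007-09-10T18:00:00", "alice", "10.1.4.20"),    # NYC LAN after badging out
    ("2007-09-10T19:00:00", "alice", "203.0.113.5"),  # off-site address: nothing to check
]


def site_for_ip(ip: str):
    """Return the site whose LAN contains ip, or None for off-site addresses."""
    addr = ip_address(ip)
    for site, net in SITE_LANS.items():
        if addr in net:
            return site
    return None


def build_presence(badge_log):
    """Turn IN/OUT badge events into per-user presence intervals.

    Returns {user: [(site, start, end), ...]}; end is None while the user
    is still badged in (no OUT event seen yet).
    """
    intervals, open_at = {}, {}
    for ts, user, site, direction in sorted(badge_log):
        t = datetime.fromisoformat(ts)
        if direction == "IN":
            open_at[user] = (site, t)          # a repeated IN simply restarts the interval
        elif direction == "OUT" and user in open_at:
            site_in, start = open_at.pop(user)
            intervals.setdefault(user, []).append((site_in, start, t))
    for user, (site, start) in open_at.items():
        intervals.setdefault(user, []).append((site, start, None))
    return intervals


def present_at(intervals, t):
    """Site the user was badged into at time t, or None."""
    for site, start, end in intervals:
        if start <= t and (end is None or t < end):
            return site
    return None


def correlate(badge_log, logon_log):
    """Return (timestamp, user, reason) for every logon the badge data contradicts."""
    presence = build_presence(badge_log)
    alerts = []
    for ts, user, ip in sorted(logon_log):
        lan_site = site_for_ip(ip)
        if lan_site is None:
            continue  # remote logon makes no claim about physical location
        phys = present_at(presence.get(user, []), datetime.fromisoformat(ts))
        if phys is None:
            alerts.append((ts, user, f"logon from {lan_site} LAN with no badge-in on record"))
        elif phys != lan_site:
            alerts.append((ts, user, f"badged into {phys} but logon from {lan_site} LAN"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in correlate(BADGE_LOG, LOGON_LOG):
        print(f"{ts} {user}: {reason}")
```

Neither log on its own shows anything unusual: every badge swipe is valid and every logon uses a valid account. Only the join between the two systems exposes the three inconsistent logons, which is the practical meaning of the "seams" Crowell refers to. In a real deployment the same check would read from the access-control system's export and the directory's logon audit rather than from inline lists.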
Once an institution has made the commitment, it needs to design an enterprise security architecture that will facilitate the change. “Then incrementally build it. Frankly the technologies are still immature and there is still much to come before they are completely robust. So an incremental approach is best,” Crowell explained. Earlier this year Crowell co-authored the first book to focus on this subject, “Physical and Logical Security Convergence,” published by Elsevier.
William Crowell is an independent consultant specializing in information technology, security and intelligence systems. He has worked with multiple information security companies since retiring as Deputy Director from the National Security Agency in 1997. Since 9/11 he has served on the Markle Foundation Task Force on National Security in the Information Age, which published three landmark studies on Homeland Security and information sharing and has also served on numerous panels to investigate and improve military command and control, intelligence and security systems. In August 2007 he was named Chairman of the Director of National Intelligence (DNI) Senior Advisory Group.