Last month, Protiviti was a sponsor of the Fall Summit of the Financial Services Information-Sharing and Analysis Center (FS-ISAC) in Chicago. FS-ISAC is a global resource for the financial services industry, providing threat intelligence and analysis.
FS-ISAC’s summit offered presentations, case studies and best practices by industry leaders, including actionable information for all attendees. This summit consisted of presentations by over three dozen FS-ISAC members; 40 sessions were held during the four-day conference.
The keynote speaker was Jeffrey Baxter, a national-security expert and a founding member of the 1970s rock icons Steely Dan. While this juxtaposition of accomplishments may seem surprising, the talk itself shed light on Baxter’s transition from rock star to national-security expert. Invoking his own experience, he recommends applying a holistic set of interests to cybersecurity to develop an out-of-the-box mind-set in an environment of increasingly sophisticated and inventive threats. Hackers think in unconventional, creative ways to develop new threats, and security professionals must be equally agile in their thinking to anticipate the next threat.
One topic of focus was the shift from protecting information (cybersecurity) to anticipating and being prepared with a response and recovery plan (cyber resilience). Cyber resilience complements and expands on the traditional cybersecurity focus. It means that instead of trying to avoid breaches at all costs, companies accept that breaches will happen but are well-prepared to reduce the business impact when they do and are able to resume operations quickly.
The heightened interest in cyber resilience is explained in part by recent regulatory guidance. The Federal Register recently published an Advanced Notice of Proposed Rulemaking (ANPR), which calls for enhanced standards across five cyber risk categories: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness. These standards will apply to large, interconnected entities under supervision by the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency, and include increased scrutiny of service providers – meaning that financial institutions will want to assess not just their own cyber resilience and management of cyber risk but that of their service providers as well.
Further, one of the FDIC’s stated objectives in its Information Security and Privacy Strategic Plan 2018-2021 is to “enable FDIC business functions to continue executing their missions in the case of an adverse cyber event,” advising its members to “adapt and implement cyber resiliency design principles within FDIC’s enterprise security architecture to improve the ability to quickly recognize, respond to and recover from cyber attacks.”
Cloud technology remains an area of intense interest for the financial services industry and was the topic of several talks at the summit. Financial service institutions of all sizes are now making use of cloud platforms. Most institutions are will operate in a hybrid state, which includes both the cloud and locally hosted systems. Some organizations host certain applications locally to manage risk; others are embarking on a carefully considered, deliberate migration to the cloud.
Cybersecurity remains a concern with cloud platforms; now, cyber resilience is becoming significant as well. Heightened attention to service providers’ effectiveness in managing both is a critical responsibility of the cloud customer. These concerns can be mitigated by adoption of established approaches and tools for successful operation of cloud services.
Security in the Digital Age
Other talks at the summit focused on dueling pressures to meet both business and security objectives. Cybersecurity approaches must accommodate the innovations that grow a business. Security teams need to protect the institution’s assets and operations with rigor, even as business innovators change processes and leverage new technologies.
Some of the speakers described how walking through new use cases can help identify new potential threats, thus spurring development of preventative and mitigating countermeasures. This threat modeling is an effective technique to anticipate new threats as digital features change.
Factor Analysis of Information Risk
Presenters noted that senior leaders have come to accept the costs related to managing security but desire better transparency on the way that money is spent. While cybersecurity can’t easily provide traditional return-on-investment measures, measuring the value and effectiveness of the cybersecurity function is possible. Cyber risk can and should be measured through quantitative and probabilistic models embodied in Factor Analysis of Information Risk (FAIR). Proven mathematical and statistical models work, even with limited data. FAIR was explored at this summit, and also in depth at FAIRCON in October.
A Valuable Exchange of Information
FS-ISAC’s summits provide a valuable forum for financial institutions’ security professionals to exchange information and collaborate on critical threats facing the financial services industry globally.
Protiviti reports on conferences of interest to our clients are just one way we strive to deliver value and insight. Subscribe and follow our blog to stay engaged and learn more on topics of interest to you, including digital transformation, regulatory compliance, risk management and more. For a discussion that is focused on technology developments exclusively, follow our Technology blog.