
Banking Security


Tyrone Watson-Ferguson, Vice President of IT Security, Security Bank of Kansas City
When you hear the words “bank security” what comes to mind?
Most people probably think of vaults with laser beams, armed security guards, silent alarms, and numerous cameras watching their every move.
When I hear bank security, “physical” money does not cross my mind.
I think of secure customer online banking, safe debit/credit card transactions, rogue admins hijacking systems, and disgruntled employees stealing data.
As a Cyber Security professional, my perspective of bank security is customized to my responsibilities. What I have learned is that keeping banks secure requires visibility into processes, and that requires collaboration.
Over the last 10 years I have been involved in security projects, security operations, security strategy, security audits, security training; I think you get the point. Every single one of them has required an understanding of numerous processes.
What I have encountered is that security professionals are not often privy to the processes they are required to secure. This is where the collaboration aspect comes into play. In order to secure banking processes from start to finish, you have to understand the processes and their purpose. The owners and stakeholders of those processes may feel territorial or have personal connotations when info sec begins their discovery of processes.
Bank security is usually a priority for banks, but ironically the changes required to become more secure are often met with resistance. There are two main reasons for resistance. One: most employees do not like change, because change causes discomfort until that change is normalized. Two: most employees are not familiar with cyber security attacks, and the change seems unnecessary to them.
In order to prove there is validity to the recommended changes, security professionals must try to educate the process owners about the risks they are allowing to remain if they do not accept change. Banks are inherently risk-averse, and by FFIEC regulations, banks must have a risk management process. I like to use this process to educate process owners about the risk in their environments and teach them how to formally accept the risk if they still deem the changes unnecessary after they have been educated.
Ensuring a bank’s security also requires ensuring that proper documentation of processes and procedures is put in place. During one of my previous assignments I was asked to evaluate all the security processes and procedures between two business lines. The goal was to standardize the access control processes and procedures between the two business lines. During one of the conference calls it was discovered that one of the business lines did not have formal documentation for their processes and procedures. The processes and procedures relied upon tribal knowledge and experience to monitor and provision access. It is extremely difficult to secure any entity that does not have documented, standardized processes and procedures. The lack of standards allows employees to perform key business tasks in an erratic manner. Since unpredictability in itself is a security vulnerability, tasks that are not performed in a consistent manner create additional risk and are thus less secure. Reviewing business processes and procedures at least once a year will help with security and efficiency. Oftentimes a process can be optimized with the advent of technological advances and/or changes to business requirements. It is important to make sure the steps in a process and their security controls are still relevant.
Security controls are more effective if you understand the business purpose of the system that the controls are being utilized for. For example, you probably would not put the same level of controls in place for a system that processes food inventory levels as you would for a system that processes credit card transactions. Having the proper level of controls in place is vital for security. Ask questions like: Are there any deadlines associated with the process? What are the material losses associated with the process? How sensitive is the information involved in the process?
When security professionals are tasked with securing a process, adding security typically results in adding an “inefficiency” to the process. Process owners often believe they have optimized the process and it is perfect just the way it is. These two competing priorities, functionality versus security, often come at the direct expense of each other. A secure process may be “bullet proof” but take an incredibly long time to complete. Conversely, a process may be incredibly fast and efficient but extremely insecure.
Security is everyone’s responsibility, and security professionals need the help and cooperation of all employees to implement security controls in an effective and efficient manner. There are fundamental principles and industry standards that have been accepted as best practices, but there aren’t any one-size-fits-all security solutions. The best way to implement bank security requires all stakeholders to bring tolerance, willingness, and understanding to each implementation. Security professionals need to understand processes, and process owners need to allow security professionals to address the risk or vulnerabilities in a process.
