Banking Security

Tyrone Watson-Ferguson, Vice President of IT Securitym, Security Bank of Kansas City

When you hear the words “bank security” what comes to mind?

Most people probably think of vaults with laser beams, armed security guards, silent alarms, and numerous camera’s watching their every move.

When I hear bank security, “physical” money does not cross my mind.

I think of secure customer online banking, safe debit /credit card transactions, rogue admins high jacking systems, and disgruntled employees stealing data.

As a Cyber Security professional my perspective of bank security is customized to my responsibilities. What I have learned is that keeping banks secure requires visibility into processes, and that requires collaboration.

Over the last 10 years I have been involved in security projects, security operations, security strategy, security audits, security training, I think you get the point. Every single one of them has required an understanding of numerous processes.

What I have encountered is security professionals are not often privy to the processes they are required to secure. This is where the collaboration aspect comes in to play. In order to secure banking processes from start to finish you have to understand the processes and their purpose. The owners and stakeholders of those processes may feel territorial or have personal connotations when info sec begins their discovery of processes.

Bank Security is usually a priority for banks but ironically the changes required to become more secure are often meant with resistance. The two main reasons for resistance are, one - most employees do not like change because change causes discomfort until that change is normalized. Reason two- most employees are not familiar with cyber security attacks, and the change seems unnecessary to them.

In order to secure banking processes from start to finish you have to understand the processes and their purpose

In order to prove there is validity to the recommended changes, security professionals must try to educate the process owners of the risks they are allowing to remain if they do not accept change. Banks are hereditarily risk adverse, and by FFIEC regulations, banks must have a risk management process. I like to use this process to educate process owners of the risk in their environments and teach them how to formally accept the risk if they still deem the changes unnecessary after they have been educated.

Ensuring a bank’s security also requires ensuring proper documentation of processes and procedures are put in place. During one of my previous assignments I was asked to evaluate all the security processes and procedures between two business lines. The goal was to standardize the access control processes and procedures between the two business lines. During one of the conference calls it was discovered that one of the business lines did not have formal documentation for their processes and procedures. The processes and procedures relied upon tribal knowledge and experience to monitor and provision access. It is extremely difficult to secure any entity that does not have documented standardized process and procedures. The lack of standards allows for employees to perform key business task in an erratic manner. Since unpredictably in itself is a security vulnerability, tasks that are not performed in constant manner create additional risk and thus less secure. Reviewing business processes and procedures at least once a year will help with security and efficiency. Often times a process can be optimized with the advent of technological advances and or changes to business requirements. It is important to make sure the steps in a process and their security controls are still relevant.

Security controls are more effective if you understand the business purpose of the system that the controls are being utilized for. For example, you probably would not put the same level of controls in place for a system that processes food inventory levels as you would for a system that processes credit card transactions. Having the proper level of controls in place is vital for security. Ask questions like are there any deadlines associated with the process? What are the material losses associated with the process? How sensitive is the information involved in the process?

When security professionals are tasked with securing a process, adding security typically results in adding an “inefficiency” to the process. Process owners often believe they have optimized the process and it is perfect just the way it is. These two competing priorities, functionality verses security often come at the direct expense of each other. A secure process may be “bullet proof” but take an incredibly long time to complete. Conversely a process may be incredibly fast and efficient but is extremely insecure.

Security is everyone’s responsibility and security professionals need the help and cooperation of all employees to help implement security controls in effective and efficient manner. There are fundamental principles and industry standard that have been accepted as best practices but there aren’t any one size fits all security solutions. The best way to implement Bank Security requires all stakeholders to bring tolerance, willingness, and understanding to each implementation. Security professional need to understand processes, and process owners need to allow security professionals to address the risk or vulnerabilities in a process.