CROWN JEWELS: Former FBI Director Robert Mueller says banks must first and foremost protect their most critical assets from cybercriminals. (Photo: Bloomberg News)

How Much Cybersecurity Is Enough?


When can an organization rest assured that it's done enough to secure itself and its customers or constituents against cyberattacks? It's a question bank chief executives and boards ask themselves when wire-transfer fraud occurs, when new malware strains like Svpeng emerge, when denial-of-service attacks take place, and when data breaches happen. The question cropped up again and again at a cybersecurity event in New York on Tuesday.

"In a world where the leading experts in this space say almost anything can be hacked, regardless of how careful you are, how much is enough? And what is the right configuration of enough, technologically and financially?" Tim Pawlenty, the CEO of the Financial Services Roundtable, said at the event, which was hosted by Deloitte.

It's hard to know for sure because no defenses are entirely foolproof. But experts say that if they can't secure everything, banks need to at least identify the most critical assets and do everything in their power to secure them. Upper management also has to be engaged and provide direct oversight of cybersecurity strategy, according to Robert Mueller, a former director of the FBI under Presidents George W. Bush and Barack Obama.

Mueller, one of the speakers at the event, said one mistake he made when running the bureau was delegating important information technology functions to third-party vendors or consultants.

"On September 11, [2001] our technology was antiquated to say the least," he said. "Much of it dated back to the 60s and 70s." Mueller ordered the development of a new case management system, but he said the project took longer and cost more than expected because he delegated too much responsibility to a third-party vendor.

"That was a mistake," he said. "I did not ask the hard questions I should have, made sure it was on track." The contractor was replaced and the project was eventually completed.

Private-sector CEOs dealing with cybersecurity technology make this same mistake, he said. "Delegating can do so much reputational damage to your organization," Mueller said. "[Cybersecurity] is not something CEOs and boards can delegate; they have to drill down and make sure they make the [chief information security officers] and IT managers explain in good English to the point where they are satisfied that they know what is happening."

Another lesson learned from this incident, Mueller said, was the need for patience. "One problem I had with IT was being impatient to get it on board and pushing through certain guideposts to make sure we were on track."

Mark Clancy, managing director of technology risk management at the Depository Trust & Clearing Corporation, a bank-owned financial services company that provides clearing and settlement services to the financial markets, raised his own security question. "What level of resiliency do we need to build to?" he asked. In the physical world, financial institutions build their infrastructure to be resilient enough to withstand a car bomb attack, he noted.

"Where do we set the expectation of resiliency in cyberspace?" he asked. "Are these Wiper attacks" (the nickname for a series of malware attacks carried out on computers in South Korea last year) "the equivalent of car bombs, and we must have resilience for them?"

Mueller replied that banks need to identify their crown jewels and do everything they can to protect those critical assets. "If you're going to protect everything, the network, the broad outer ring, how much money are you going to put in this?" he said. He added that he doesn't think this is a discussion all CISOs, CEOs and boards are having, and that most are instead focused on looking for signs of a data breach.

Mary Galligan, director at Deloitte, agreed companies must figure out what their most critical assets are and do everything they can to protect them.

"What can I afford to [have affected by a denial of service attack]? What can I afford to have stolen, and what is it I cannot, no matter what, afford to have destroyed?" she said. An organization might decide it can live with a DDoS attack on its customer-facing website, which would prevent people from seeing the latest information about the company.

"Companies have to be completely resilient where if something were destroyed, that would be the crux of the business," she said. "The CEO is deciding what he can let walk out the door."

Comments (1)
From my perspective the title is asking, how much education is enough? When building your home, you build it, hopefully, with the best possible sustainable materials currently available, sealing out the elements to stand the test of time. When architecting a digital framework around security you're combating human ingenuity. I'm not aware of any legacy software security outlasting civilization's oldest cities.

Go ahead and place that 100-ton digital block wall in front of all that precious data, but let me remind you levitation will always be possible in God Mode. Or for the truly innovative, the method of walking around it may be more appealing.

My answer suggests it's never going to be enough (to either question) but those who seal their data off from network connectivity have a better chance of standing the test of time. My opinion of course...
Posted by learnsalot | Friday, June 27 2014 at 2:37PM ET