Being in a heavily regulated industry, we have an obligation to comply. It is understandable that the regulatory burden often leads some to consider doing the bare minimum to get through the next audit. When faced with an overwhelming number of requirements, we are tempted to calculate the minimum our team needs to do in order to be in compliance and avoid a finding.
As a former consultant and now CIO for my fourth financial institution, I have experienced policies, procedures, and practices that represented the bare minimum needed to satisfy requirements. The reasons for that were either “we don’t have the time to do it better” or “the auditors and examiners didn’t ding us, so it must be OK.”
Maybe this is acceptable in some areas, but how about when it comes to your data and network security?
At the recent CUNA security summit, there were some 40 senior IT attendees, including CEOs, CIOs, CISOs, and managers. Clearly there is great interest in this industry about how to provide a higher level of security for our credit unions. Everyone there was interested in what others were doing to secure their systems and networks, in an atmosphere of sharing experiences, knowledge, and ideas.
We all understood that just meeting regulations was not enough. Several attendees stated they were implementing the SANS Top 20 Critical Controls. So why were we all thinking this way?
• There are multiple regulatory compliance bodies overseeing various industries and they don’t all provide the same guidance or requirement levels, suggesting one or more of these guides is missing something or the developers of the guidance have a different idea about what is most important.
• These regulatory bodies are mostly reactive; once a vulnerability is identified they then develop the regulation, have it reviewed and approved, and publish it to their constituents. This takes time and leaves us vulnerable if we merely adhere to their publications.
• Most regulations, though not all, are geared towards a specific industry, such as credit unions. But those of us in IT understand that bad guys use some of the same tactics from one industry to another to gain access.
• It’s very difficult for regulatory bodies to draft a regulation that fits every environment. Not all credit unions have the same network structure, support staff, or ability to implement security measures. A $40 million credit union doesn’t have the same resources as a $4 billion one, so regulations need to address organizations of all sizes.
As for why some IT shops don’t do security as well as they could, let's look at the first excuse, that "we don’t have the time to do it better.” I would ask them whether they have the time to identify, counter, and remediate a network or data breach. And how much time does it take one of your IT staff to research and work out how to fix a problem when your expert on that particular system or area is unavailable, compared with having your Subject Matter Expert (SME) write proper procedures so that their backup can follow them and fix the problem?
If there are loopholes in your policies because they meet the bare minimum requirement, of course you will get compromised. Using lack of time as the reason for not doing things in the best manner possible is inexcusable. By blocking out dedicated time each week to work on these items, and having your direct reports do the same, you will make progress.
As to the second excuse, that "the auditors and examiners didn’t ding us, so it must be OK," auditors and examiners have checklists to follow. And since some of them audit and examine multiple departments, their expertise in any one of those areas is somewhat limited. IT audits and exams are perhaps the most difficult. Most auditors and examiners don’t come from an IT background; they get training and, when they come onsite, look for specific words or phrases in policies and procedures and for certain software and hardware settings. Your customers (members in the credit union world) deserve more. They deserve the best security you can provide for their personal information.
Think about airports and how many people complain about the TSA security and how it slows everything down. But if those agents slacked off and let someone through who caused harm to people in one way or another, everyone would then scream about how TSA failed to catch them. Think about how many of your users, and in some cases members, complain about your security measures. What would those same people say if it was their personal information that was compromised because you lowered your security standards just to make them happy?
Here are some facts concerning security threats and breaches:
• BP reports it suffers 50,000 attempts of cyber-intrusion every day;
• The Pentagon reports 10 million attempts every day;
• The National Nuclear Security Administration records 10 million attacks every day;
• Attackers average 205 days inside an environment before they are discovered;
• 69 percent of victims learn from a third party that they have been compromised; and
• Healthcare has become a much higher target than financial institutions because their records contain more personal information and the black market has become flooded with compromised debit/credit cards.
Most auditors and examiners you encounter will readily agree that meeting regulations may be the minimum that you should do, but as a responsible senior IT manager you should constantly review and upgrade your security. There are many organizations you can join and become part of to help keep your security knowledge up-to-date. These organizations include the FBI, Department of Homeland Security, InfraGard and FS-ISAC for financial institutions.