Where to begin?This question is echoing throughout the information security functions of financial services industry (FSI) organizations. Chief information security officers (CISOs) and their staffs face growing pressure to strengthen IT security and data privacy in a highly dynamic and potentially risky environment.

To best answer the “Where to begin?” question, a useful starting point is understanding the top security and privacy issues on which leading CISOs are focusing. And, because there are so many information security risks confronting CISOs and other IT-security executives, prioritization is critical.

The frequently overlapping security issues discussed herein are culled from our interactions with FSI CISOs and their teams. By addressing these priorities, CISOs can help enable their security capabilities to be less reactive and more responsive.

Such a transformation is not easy given the rapidly changing nature of information security threats as well as the significant changes underway in most FSI IT functions: Results from Protiviti’s 2014 IT Priorities Survey indicate that a staggering 71 percent of IT organizations within financial services organizations are undergoing a major IT transformation.1

Beyond the boundaries of the enterprise, regulators are acting as change agents by placing newer and greater compliance requirements on financial services firms. And the ever-mutating nature of security threats continues to pose problems.

The following priorities must not only be addressed; they should be managed in a way that supports the development of a security architecture capable of adapting to new and emerging threats:

1. Breach readiness: Given the rise in advanced persistent threats (APTs), breach readiness represents the top IT security concern. Leading FSI IT security executives espouse a mindset that a breach is a matter of when, not if. While investing in the tools necessary to fortify breach readiness is a requirement, IT security executives with more advanced breach readiness capabilities are spending less time on investment decisions and more time ensuring that their staffs and other employees are receiving sufficient training and preparation.

2. DDoS prevention: Responding to distributed denial of service attacks (DDoS) represents a key component of overall breach readiness. However, DDoS prevention also requires its own set of highly specific controls. These attacks are increasing in frequency and also are mutating. As one IT security blogger put it, “Today, DDoS attacks are thicker than fleas on a hound dog, and are more complex than ever.”2 Recently, bad actors have been adapting their DDoS attacks to exploit holes in network time protocol (NTP) servers. From January to February 2014, NTP amplification DDoS attacks against customers of the world’s leading DDoS protection service increased by a massive 371 percent.3

5 Top IT Security Issues – Striving for a State of Readiness

1 Protiviti 2014 IT Priorities Survey: www.protiviti.com/ITpriorities.2 Vaughan-Nichols, Steven. “DDOS in 2014: The New Distributed Denial of Service Attacks and How to Fight Them,” http://blog.continuum.net/ddos-in-2014-the-new-distributed-denial-of-service-attacks-and-how-to-fight-them.

3 “High-Bandwidth NTP Amplification DDoS Attacks Escalate 371 Percent in the Last 30 days,” Prolexic Technologies press release, March 12, 2014: www.prolexic.com/news-events-pr-threat-advisory-ddos-ntp-amplification.html.

The Top 5 IT Security Issues1. Breach readiness2. DDoS prevention3. Data loss prevention4. Vulnerability management5. Security operations center effectiveness

© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet. PRO-PKIC-1114-166Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

About ProtivitiProtiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

3. Data loss prevention: Data loss prevention (DLP) is garnering attention from both a solution and strategy perspective. From a strategic standpoint, IT security executives want to ensure the DLP program is adapting as the enterprise expands into new markets. From a solution standpoint, IT security executives are discovering that there is not a silver-bullet tool that can meet all DLP requirements. Fortifying DLP programs requires comprehensive scrutiny of major systems as well as network architecture and governance processes to ensure everything is configured properly to protect data. One key component of a strong DLP program is data labeling, particularly with communications. Organizations are now expected to have the capability to identify communications of a certain data classification. Like DLP, effectively designing and implementing this capability is a challenge given the complexity of configuring IT systems as well as ensuring that policies and procedures support the data labeling solution.

4. Vulnerability management: Regulators continue to hone in on information security issues; as they do, vulnerability management is falling into their crosshairs. For example, U.S. Federal Reserve regulators are expressing greater concerns about the controls surrounding business managed applications (BMAs). This scrutiny is driving CISOs and their teams to identify, assess and remediate a wide range of vulnerabilities, including those related to data security, IT asset management and server configuration, among many other areas.

5. Security operations center (SOC) effectiveness: The effectiveness of an SOC is a major influence on an FSI organization’s breach readiness. Many IT security

executives are immersed in event monitoring, security training, systems profiling and other means of strengthening their SOCs. More than ever, it’s also critical for SOCs to be integrated with the organization’s lines of business – audit, corporate communications, physical security, business continuity management, and more. Such integration and cooperation give management confidence that the organization is prepared to respond expediently to incidents. In addition, training represents an increasingly important focal point of SOC improvement. Effective training – which involves identifying who is to be trained, what type of training they need and how frequently it should be provided – can greatly increase the speed and effectiveness with which the organization responds to security incidents, providing confidence that analysts have the right tools to understand and perform the correct analysis.

While nearly every FSI IT security function is addressing these issues, the most mature security functions are doing so in a more “mature” way. This maturity is manifested in going beyond reacting to these issues, to cultivating a larger-picture understanding of how these concerns relate to each other, how their potential effects compare and, as a result, which issues require immediate attention (and more resources).

Armed with the knowledge that comes with higher organizational maturity, FSI IT security teams will more effectively engage with their partners at the enterprise level. Security teams that are building on this new knowledge can proactively team with other business areas, increasing enterprise support for the security team’s vision and goals and, ultimately, the state of readiness across the enterprise.

Ed Page+1.312.476.6093ed.page@protiviti.com

Michael Walter+1.404.926.4301michael.walter@protiviti.com

Cal Slemp+1.203.905.2926cal.slemp@protiviti.com

Andrew Retrum+1.312.476.6353andrew.retrum@protiviti.com