Back to Basics on IT Security - Ben Rothke


Uploaded by ben-rothke, posted 11-Nov-2014


Description: Back to Basics On IT Security. As information security stresses increase, remember the fundamentals. And make sure your CISO is really smart. Author: Ben Rothke. Issue: February 2011. Magazine: Bank Technology News.


One of the memorable quotes from the movie Bull Durham was: “This is a very simple game. You throw the ball, you catch the ball, you hit the ball.” Information security is like baseball—you encrypt the data, you decrypt the data, you use the data.

As 2011 starts, the key to data security is to focus on both the security fundamentals and look to new technologies. Here are some of the fundamentals:

Governance and oversight. Why do many enterprises place their laser toner cartridges in a locked room? Everyone knows that even with all of a bank’s dedicated employees, a few bad apples can make a lot of expensive office supplies disappear quickly. But are the terabytes of a bank’s data adequately locked? If not, a ten dollar USB thumb drive can download unimaginable amounts of corporate proprietary and sensitive confidential data.

Where does the security buck stop? The reason a bank has a CFO is to ensure the management of financial risk, in addition to effective financial planning. Just as your finances need a smart person to be on top of them, so too does your data. Even if your data is locked, is there a person who’s charged with overall governance and oversight around all things information security? If not, you don’t have information security. If there is no security oversight, kiss your data goodbye.

If your chief information security officer (CISO) is not at least as smart as your CFO, then you will have much less control over your data. Given that data is the lifeblood of many organizations, the lack of an effective CISO can be information suicide. Only an individual with strong business savvy and security knowledge can oversee security planning, implement policies and select measures appropriate to business requirements. That person is the CISO. Make sure your firm has one.

Security standards. They say about Chicago that if you really hate the weather, just wait an hour, and it will probably have changed by then. Computer security is like Chicago weather—it’s dynamic and there are always new threats on the horizon. Strong corporate security standards are needed to deal with the new security technologies that will find widespread adaptation in 2011. Be it social media, cloud computing, videoconferencing and more—these technologies must have security standards upon which they can be built. Lack of standards means that security will eventually have to be retrofitted. The significant problem there is that any sort of retrofit is always a much more expensive endeavor than had it been done correctly in the first place.

Demonstrate the value of security with technical and financial metrics. Your CEO, COO, CFO, and executive board don’t care if you use Check Point or Juniper. What they want to know is how effectively the bank is protected. Communicate that the bank’s risk exposure is in check. If you can demonstrate to the executives that the security group uses mature risk frameworks to manage the bank’s risk posture, you’ll have won them over.

Scare them, but don’t FUD them. Once again, you can assume your board members are very intelligent to have been appointed to such executive leadership positions. So don’t use fear, uncertainty and doubt, but instead, let them know that it is no longer “their mother’s network.”

The threats facing most networks today are significant. The Yankee Doodle virus of the 1990s did nothing but annoy you. But today’s attacks are targeted and stealthy. If you are a Fortune 500 organization and not discovering at least two attempted attacks per week, then you need a better monitoring program.

Open source is your friend. If you asked someone 10 years ago if you could have “no zero” for security software with a strong security program, you would have been laughed at. Today, no one is laughing at open source security software and tools. The essential benefit of open source is not necessarily that it is free; rather, that organizations that use open source generally understand their problems better. They take a more tactical approach to security fixes by using open source.

When combined with a highly technical staff, my experience is that banks that have embraced an open source security program generally have a much better understanding of their core security issues, as opposed to blindly throwing tools at the problem.

Not that open source is a panacea. When open source tools are deployed and configured incorrectly, they can introduce more risks than they stop. But banks that realize that open source can be their friend and embrace it are generally those that truly “get” information security.

Know the hot security technologies for 2011. Core security technologies such as firewalls, encryption and intrusion detection will continue to be needed in 2011. As well, some of the hot security technologies for this year include those that enable banks to secure corporate data on iPads or iPhones; protect against targeted attacks—the recent Stuxnet malware attacks show that targeted attacks are growing, and banks need a way to avoid them. Social media control: banks such as JPMorgan Chase, Citi, US Bank, and others have created corporate pages to interact with their clients; other banks will look for security controls to ensure they can use social media without the security risks.

Ben Rothke CISSP, CISA is a senior security consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).

Back to Basics On IT Security. As information security stresses increase, remember the fundamentals. And make sure your CISO is really smart. By Ben Rothke.


Perspective, Bank Technology News, February 2011, page 31.
