When You Know Too Much: Protecting Security Data from Security People

As security tools gather growing amounts of intelligence, experts explain how companies can protect this data from rogue insiders and other threats.

Learning Lessons from Financial Services
Security companies are starting to face new laws and regulations that will dictate how data collected by security tools should be protected.

The financial services industry, which also is responsible for vast amounts of sensitive data, has long been tightly regulated. It's worth considering what the security industry might learn from an industry using organizational controls and peer-to-peer collaboration to protect data.

"Financial institutions depend on public trust in the financial system, just as cybersecurity firms depend on their customers' trust in their responsible data management," says FS-ISAC CEO Steve Silberstein. As an example, he says, the financial services industry has evolved "trust-building" mechanisms such as FS-ISAC's Traffic Light Protocol, which lets members share intel in a trusted network without fear of that information being leaked or used against them.

Because the industry has always been heavily regulated, individual financial firms have invested in personnel, infrastructure, services, and protocols to protect customers and themselves. Beyond this, Silberstein says, they are connected to each other and, increasingly, other sectors.

The Financial Data Exchange (FDX) is another example of how the industry has collaborated on data protection, he adds. The nonprofit was created to enable the secure exchange of financial data and address challenges in the way it's shared. Likewise, FS-ISAC subsidiary Sheltered Harbor was created to protect firms if an event such as a cyberattack causes systems to fail.

As in security, financial services organizations are implementing new technologies including cloud computing, machine learning, and artificial intelligence, all of which have "profound implications" for data protection. The same principles of sound data governance must apply.

"While these new technologies provide potentially game-changing business opportunities, they also bring new risks that institutions must manage if they are to maintain the trust of their customers, because these same new technologies are also supporting the criminals," says Silberstein. Building a strong peer-to-peer network and sharing intel are key to mitigating risks.
