
9/13/2006
07:40 AM

Putting Security in the Bank

Under regulatory and threat pressures, financial institutions look for ways to fund, and market, security

NEW YORK -- Financial services companies are not only finding innovative ways to implement new security initiatives, they're also finding innovative ways to fund them.

ABN AMRO Bank N.A. now requires all of the bank's application projects to allocate one percent of their funding to security. It's all part of a movement among financial institutions to build security into services from the ground up.

Joe Bernik, CISO for La Salle Bank and head of information security for ABN AMRO Bank, N.A., says this ensures that a new application goes hand in hand with the organization's security, and the security aspect gets funded.

"If you have to mitigate security risk after the fact, it's a costly exercise," Bernik told attendees of the Cyber Security Executive Summit here today.

CISOs and risk management officials at major financial institutions speaking here say they are struggling to keep up with emerging threats and the ever-changing regulatory landscape. They face not only phishing exploits but also emerging application-level security issues, client laptop security, and compliance with regulations such as strong authentication for online banking, which FFIEC regulations require banks to deploy by the end of the year.

But even with the progress firms like ABN AMRO have made in folding security into the application and service development process, there's still a long way to go. Bernik says his company is "trying" to routinely perform risk assessments on projects before they go live. "With risk assessment, when you do the assessment, you have to be in pre-production or something that's ready to be embedded in the app."

Regs like SOX have made it easier to get funding for security, CISOs say. "The regulators are doing the job for me" of getting the business side to take security more seriously, Bernik said. "I've had challenges in my business getting business owners to listen and take heart" in implementing security controls. The FFIEC's authentication reg is one such example, he said.

But as the regulatory buying craze slows down, financial organizations no longer have that ammunition, according to C. Warren Axelrod, senior vice president and business information security officer for the United States Trust Company. "You could say 'do it or the regulators will come in,'" he said. "But that's not so true now."

Banks are weighing the cost of strong authentication: Token-based authentication may make sense internally, but not for consumers, they say. "You're not going to pay $30 to $40 for each of your millions of customers," Axelrod said. Banks are looking for easy-to-use, simpler options for authentication, he said.

Getting funding for security is not just a matter of folding it into projects from the get-go, but also making it a selling point for your customers, financial execs say. Some large banks such as Bank of America, with its Passmark security, have already begun using security as a marketing tool.

"It's not about looking at point solutions," said Don Rhodes, policy manager for payments and technology at the American Bankers Association. "Think federated identities -- so that it's a revenue-steering solution and not a cost" issue, he said.

The bottom line is that, for banks and financial services, it's more about customer confidence in security. And marketing edge aside, it's a financial community issue. If one bank loses customer confidence, it hurts the entire banking system, says Dan Schutzer, executive director of the Financial Services Technology Consortium.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
