-
The "Bash" bug is more dangerous than Heartbleed, because it exists in a lot more places and can be used to do greater harm. Here's what bankers need to know to protect their IT infrastructures.
September 26 -
Banks are closely following an emerging technology BillGuard is testing that would monitor the whereabouts of mobile devices to detect payment anomalies.
August 27
New security threats keep assailing the financial services industry, but Ken Pfeil, chief information security officer for the mutual fund giant Pioneer Investments, seems unruffled.
Pfeil is in charge of security for an infrastructure that includes operations in 27 countries and more than 2,000 employees (Pioneer, whose U.S. headquarters is in Boston, is a unit of UniCredit, the Italian banking conglomerate). He recently shared with us some of the security steps the company has been taking.
BTN: I haven't seen the name Pioneer associated with any security incidents.
Pfeil: That's why I'm still employed.
What security threats do you primarily worry about?
It varies from week to week based on the threat landscape and what the other side of the fence is trying to do. Everything that's old is new again, everything from phishing and
When you hear about something like Bash or Heartbleed, do you have to deploy a team to search throughout the infrastructure for spots where you might be vulnerable?
Fortunately, we have a very mature response plan in relation to stuff like that. We know what technologies we're running. We know where we're running them, and we know what our exposure is to a large extent. Does that require a more mature and deeper dive into things? Absolutely. Then we've got to give due diligence and confidence to our customers as well as our partners as well as receive the same level of confidence from the vendors we do business with. There's a lot of back and forth and due diligence when something like that happens.
Did the Bash vulnerability surprise you?
Bash did not surprise me. The vulnerability in 25-year old software does not surprise me one bit. Vulnerabilities in six-month-old software surprise me a lot.
Some people have said financial services companies should stay away from
That could be said for any type of software. Take Microsoft. People have been waiting for
Where are you putting your greatest efforts in security technology?
We work with all security technology: proxies, firewalls, intrusion protection systems
antivirus, anti-malware, authentication systems. It's not just a question of buying new technology, but exploring new capabilities of the technology. For instance, we use the CounterAct access control system from ForeScout. About one and a half years ago we began to explore the integration capabilities, and we have been making this product work with other software, such as the Bromium anti-malware technology we use. So if we have a user that goes to a website that redirects or tries to execute something within the user's browser, Bromium stops that. It's not something traditional antivirus software is going to catch because anti-viruses are
Have all the big security incidents of the past year helped you obtain the security technology budget you need?
Absolutely. It's unfortunate, but when bad things happen to other companies, that's good for us. When bad things happen to our companies, it's good for everyone else. With the state of things that have happened in the news and the airplay things have gotten, it's certainly elevated our visibility to the point where the executives get now what they didn't get two years ago.
Will your security budget be bigger in the coming year?
As we've gone further along in our program, we've had to make less investment in technology, so we're seeing a return as far as being able to recover man-hours we once burned doing a lot of manual analysis. A typical investment company will invest in security technologies anywhere from 3% to 12% [of the total budget]. I know that seems like a wide range, but the further along you get into your program and executing your long term strategy, the less investment you have to make and the more of a return in productivity you'll see. There is a return on security investment, even though everybody thinks that is more like a unicorn. A lot of folks will look at it, especially folks that are not security savvy, and they'll say, 'how can security be anything other than a cost center?' But if you're able to actually show your operational numbers, you're executing on a vision, you're executing on a strategy, the number of reactional events have gone down and you have relevant security metrics that back up the things you're trying to accomplish, then you can talk more intelligently in the boardroom rather than just the network hall or wherever the geeks happen to be.
Are you able to say 'we've blocked this X number of intruders and the potential losses would have been X'?
Absolutely. Every good chief security officer and every risk manager worth his salt will understand completely what constitutes an annualized loss expectancy. That's just a ballpark estimate based on past events, based on landscape, based on what's happening with competitors and things like that. That's what you can expect to lose, but when you take that into the overall equation of what you're expecting to gain by executing on your road map, it's simple numbers. Especially when you can unequivocally demonstrate that particular events that happened did not cause disruption.
I would think that would be hard to quantify.
If you start with a company that has cybersecurity insurance, you can take the worst-case deductible out of that. Say a company has a $250,000 deductible for an incident breach that would result in $10 million worth of loss. That's a set number you can include in the equation. Especially in financial services, executives understand money very well, but technology, if it's not enabling the business directly, you've got to show at least the indirect method [of] how it's enabling the business.
Can you share any security priorities for the coming year?
It's continuing to improve on the mechanisms we have. I see in the next three to five years on our roadmap an expansion of existing capabilities, a deeper look at data from the metadata perspective and the classification perspective and certain intelligence aspects being done automatically. I want to continue with our automation vision. That leaves us a lot more time to be on top of our game and ahead of the curve when we start to see something trending in a certain direction. The last anything any CISO wants to be is behind the eight ball and purely reacting. That's not an enviable place to be.