November 8, 2006
Are You Safe? How Do You Know?
When I was very young, I had a recurring nightmare about a giant. It was huge, terrifying and very, very real. In the last moment of the dream I would look out the window and see him right in front of our house, then I’d wake up shaking and in a cold sweat.
Whenever I asked my father, he assured me that we were safe, as any good father would. My dad was a doctor, a Lieutenant in the Korean War, surviving a shrapnel hit in the back from a mortar round. He is also very smart and shrewd, having made more money from investing than he ever did as a doctor. So when he told me I was safe, I believed him. Kids need to hear that they are safe. It was not until I was an adult with children of my own, though, that I understood that when he said I was safe, he was able to back it up.
In today’s world, everyone wants to hear that your bank is safe. Directors, officers, shareholders, customers, staff members, and yes, bank examiners all want to know: Are you safe? In his book Good to Great, Jim Collins lists Face the Brutal Facts as one of the keys to business success. But far too often business people put blind faith in reports about their organization’s safety without performing the due diligence necessary to ensure that those making the claims are able to back them up.
The Best Defense is a Good Offense
Soon after the Sarbanes-Oxley act went into effect, I read dozens of articles predicting the demise of many small companies about to be drowned by the costs of compliance. Most companies approached compliance as an expense, spending as little as possible in an effort to just get by. But in the last year or two a new approach has emerged, with many companies going right past mere regulatory compliance, redesigning their management systems and Information Technology (IT) departments to align with best practices. In doing so they achieved not only compliance, but also significant operational efficiency and competitive advantage delivered by the new, streamlined structures and processes.
I’m sure you already know that the best way to deal with an IT auditor is to be prepared. When he walks in the door, you already know what he’s going to ask and how you’ll respond. “Are you secure?” You’ll answer, “Yes.” “How do you know?” You’ll pull out your policies, risk assessment, network diagram and inventory, plus any reports you might have from your penetration tester, independent IT security audit, event log analysis or managed security services provider (MSSP). He’ll thumb through them, slowly nod his head and say, “I concur,” then head off to the nearby diner for some homemade pie.
Wouldn’t that be nice! A year ago, you may have actually gotten that response. But as Bob Dylan sings, “The times, they are a changin’.”
Today your auditor is apt to instead spread out the mass of documentation you’ve given him, say, “Log me on as administrator,” and proceed to spot-check dozens of the data points presented in your reports. But he won’t stop there; he has his own checklist, and if he finds gaps in your reports, you could be in trouble. And if your reports say you’ve got the firewall configured properly but his testing shows no limits on outbound traffic, you can be sure your score will suffer.
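The firewall mismatch described above, where the report says outbound traffic is limited but the live ruleset has no such limit, is exactly the kind of thing an auditor spot-checks. The following added example (not part of the original article, and not any vendor's configuration syntax) models that check: it parses a constructed, simplified rule format (`direction action proto dst port`), walks the outbound chain with first-match semantics, and reports whether egress is actually default-deny. The two rulesets, the "implicit allow when nothing matches" assumption, and the addresses are all constructed for illustration.

```python
"""Spot-check egress filtering: compare the outbound policy a report claims
with the ruleset actually loaded on the device.

Rule format (constructed for this example, not a real vendor syntax):
    <in|out> <allow|deny> <proto|any> <dst-cidr|any> <port|any>
Assumed semantics (also constructed): rules are evaluated top to bottom,
first match wins, and traffic matching no rule is passed (implicit allow),
which is why a final catch-all deny matters."""

from dataclasses import dataclass


@dataclass
class Rule:
    direction: str   # "in" or "out"
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp", "icmp" or "any"
    dst: str         # destination CIDR or "any"
    port: str        # destination port or "any"


def parse_rules(text):
    """Parse the constructed rule format; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(*parts))
    return rules


def is_catch_all(rule):
    return rule.proto == "any" and rule.dst == "any" and rule.port == "any"


def egress_findings(rules):
    """Return a list of findings about outbound filtering.

    An empty list means the outbound chain is closed: specific allows
    followed by a catch-all deny, so the claim 'outbound traffic is
    limited' holds. Anything else is a gap the auditor would flag."""
    out = [r for r in rules if r.direction == "out"]
    if not out:
        return ["no outbound rules: all egress is passed"]
    findings = []
    for i, r in enumerate(out, 1):
        if r.action == "deny" and is_catch_all(r):
            return findings            # default-deny reached; chain is closed
        if r.action == "allow" and is_catch_all(r):
            findings.append(f"rule {i}: allow any/any/any makes every later rule moot")
            return findings
        if r.action == "allow" and r.dst == "any" and r.port == "any":
            findings.append(f"rule {i}: allows all {r.proto} to any host on any port")
    findings.append("no final catch-all deny: unmatched egress falls through to the implicit allow")
    return findings


# Constructed sample: the ruleset the report was written from ...
REPORTED_RULESET = """
in  deny  any any any
out allow tcp any          443   # HTTPS to the Internet
out allow tcp 10.1.1.5/32  25    # mail relay only
out allow udp 10.1.1.2/32  53    # internal DNS only
out deny  any any any            # everything else blocked
"""

# ... and what is actually loaded on the device today (constructed):
# the final deny was removed during troubleshooting and never put back.
LIVE_RULESET = """
in  deny  any any any
out allow tcp any          443
out allow tcp 10.1.1.5/32  25
out allow udp 10.1.1.2/32  53
"""


def audit(report_text, live_text):
    """Does the report's claim about outbound limits match the live device?"""
    reported = egress_findings(parse_rules(report_text))
    live = egress_findings(parse_rules(live_text))
    return {
        "report_claims_limited": reported == [],
        "live_is_limited": live == [],
        "live_findings": live,
    }


if __name__ == "__main__":
    result = audit(REPORTED_RULESET, LIVE_RULESET)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the two constructed rulesets, `audit()` reports that the paperwork claims limited egress while the live chain does not, which is the "your score will suffer" situation the article describes. The same comparison applies to any control where a report is produced from a snapshot: pull the current state from the device, not from the document, before answering "yes".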
Doing Your Due Diligence
Nobody expects a banking decision-maker to understand network security details, yet you’re required by law to protect sensitive information and bound to shareholders to spend your security dollars effectively and wisely. Here are some common sense tools to help you answer the question: Are we safe?
Get an independent IT security audit. IT regulations are all about security, not just IT, so hire a firm with real security credentials and experience, not just accounting and financial auditing credentials or Windows or networking expertise. Many IT folks and nearly all non-technical people operate under the misconception that, since computer and network security is technical, their regular technical people should be able to handle it. This is rarely true. Training for security work heads off in completely different directions than training for IT operations, and the result is a different way of thinking. The goal of IT is to provide usability. The goal of security is to defend against breaches and information loss.
Set up a security monitoring and reporting system. Competent security systems should produce understandable reports on your security stance every month that can be reviewed by executive staff. Make sure that the covered items align with and are prioritized according to your regulatory body’s guidelines. Like nearly all areas of business, you need to keep score.
Streamline your architecture. Simple architectures are the easiest to secure and to keep secure. Complexity and “security by obscurity” hamper not only the hacker, but the security maintainer and IT operations staff as well. Build simplicity and uniformity into your information systems by centralizing management and technical controls. Use automation to eliminate tedious and error-prone tasks such as log file reviews, patch management and software installation.
Drive down operational costs. Use your scorecard reporting system and your newly streamlined architecture to focus on priorities and automate operations. Your staff’s and consultants’ time is too valuable to be spent driving between branches, poring through firewall logs, or dashing from desktop to desktop installing software from CDs, rebooting machines or running Windows Update. Keep them doing the things that make a real impact on your bottom line.
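The monitoring-and-reporting system, the automated log review and the monthly scorecard from the three points above come together in the following added example, which is not from the original article or any product it mentions. It reads constructed authentication log lines in a made-up format (`date time host result user source`), flags a source that fails repeatedly against one host inside a short window, and rolls the month up into a status an executive can read. The hosts, addresses, thresholds and the green/amber/red bands are all assumptions chosen for illustration.

```python
"""Automated monthly review of authentication logs with an executive scorecard.

Log line format (constructed for this example):
    YYYY-MM-DD HH:MM:SS <host> <OK|FAIL> <user> <source-ip>"""

from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample month of logon events from three bank systems.
SAMPLE_LOG = """\
2006-10-03 08:12:01 branch1-fs FAIL jsmith        10.1.2.20
2006-10-03 08:12:05 branch1-fs OK   jsmith        10.1.2.20
2006-10-14 02:13:55 hq-dc01    FAIL administrator 10.2.0.77
2006-10-14 02:14:01 hq-dc01    FAIL administrator 10.2.0.77
2006-10-14 02:14:07 hq-dc01    FAIL administrator 10.2.0.77
2006-10-14 02:14:12 hq-dc01    FAIL administrator 10.2.0.77
2006-10-14 02:14:18 hq-dc01    FAIL administrator 10.2.0.77
2006-10-14 02:14:25 hq-dc01    FAIL administrator 10.2.0.77
2006-10-20 17:40:10 branch2-fs FAIL mlee          10.1.3.41
2006-10-20 17:41:02 branch2-fs OK   mlee          10.1.3.41
"""


def parse_log(text):
    """Turn the constructed log format into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, host, result, user, src = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "host": host, "result": result, "user": user, "src": src,
        })
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with at least `threshold` failures against one host within a
    sliding time window. Thresholds are assumptions; tune them to your policy."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[(e["src"], e["host"])].append(e["ts"])
    hits = []
    for (src, host), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append((src, host))
                break
    return hits


def monthly_scorecard(events, amber_failures=20):
    """Roll the month up into numbers and a status executives can act on.
    Status bands are a constructed example, not a regulatory standard."""
    fails = Counter(e["host"] for e in events if e["result"] == "FAIL")
    brute = brute_force_sources(events)
    if brute:
        status = "RED"          # a detected attack pattern needs follow-up
    elif sum(fails.values()) > amber_failures:
        status = "AMBER"        # noisy but no pattern; check for misconfiguration
    else:
        status = "GREEN"
    return {
        "failed_logons_by_host": dict(fails),
        "brute_force": brute,
        "status": status,
    }


if __name__ == "__main__":
    card = monthly_scorecard(parse_log(SAMPLE_LOG))
    for key, value in card.items():
        print(f"{key}: {value}")
```

On the sample month the scorecard comes back RED because one source fails six times against the domain controller's administrator account within half a minute, while the single failures at the branches (a mistyped password followed by success) are counted but not escalated. That is the kind of line-item, pulled from logs nobody had to read by hand, that a monthly report can put in front of the executive staff.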
Good security is no longer just about spending money because of legal mandates. It’s also about building a better and more intelligent business.