Greg Medcraft, chairman of the board of the International Organization of Securities Commissions (IOSCO), recently stated that the next major shock to the global financial system will be the result of a cyber attack. It would be easy to let this warning go in one ear and other the other, but I hope this will be a useful wakeup call to at least a few industry leaders. Know you need to make changes, but not sure where to start? Here are a few tips for those looking to curb their risk:
- Establish where your vulnerability management program stands now, and where it’s going tomorrow. Medcraft noted that the U.S. government is in the process of developing risk management standards. That’s a step in the right direction. In the meantime, we’re doing our own work to get ahead of this problem. One of the tools I’ve developed at Core Security to help organizations at risk is the Vulnerability Management Maturity Model. As I explained to Rob Lemos of eWEEK, when security teams patch software vulnerabilities in their systems, they too often focus on the wrong issues, patching the holes that are easiest to fix rather than addressing the flaws that are most likely to be the focus of attackers. Our model helps companies analyze their ability to properly patch software insecurities and offers a roadmap for improvement. Of course, we sell products and services that help address this issue (e.g. the Core Security Attack Intelligence Platform), but as our model highlights, there is more to fixing your vulnerability problems than buying a new product. Changing the culture of a company is more powerful than buying a new firewall.
- Practice strategic penetration testing. Another expert recommends a “regime of multi-level penetration testing.” We agree of course, and it’s worth expanding on the topic. As outlined in our maturity model, we recommend penetration testing conducted by your own internal staff and external validation. We also recommend utilizing advanced analytics to prioritize vulnerability management efforts. Otherwise, you will find yourself waist-deep in a sea of vulnerabilities with no idea how to start bailing yourself out.
- Don’t lose sight of business goals. I always encourage those who are addressing these problems to do so from a business perspective. If you’re a CISO in the finance industry, don’t think of yourself as a security professional. Think of yourself as a finance professional who is responsible for security. Don’t lose sight of what the company does, and how it makes money. If you start imposing security-related restrictions without considering how they impact the bottom line, you’re not doing your job.
Of course, there are many additional steps leaders in the financial industry must take to address today’s threats, but you have to start somewhere!