RSA 2010: Banking/Security Agenda - Paul Smocer, Financial Services Roundtable
Paul Smocer of BITS discusses:
Smocer, VP of Security at BITS, a division of the Financial Services Roundtable, leads the group's security program. Smocer has over 30 years' experience in security and control functions, most recently focusing on technology risk management at The Bank of New York Mellon and leading information security at the former Mellon Financial. While at Bank of New York Mellon and at Mellon, Smocer was actively engaged with BITS as a member of its Vendor Management Working Group, as 2005 Chair of its Security Steering Committee, and as 2004 Chair of its Operational Risk Committee.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group, and I am here with Paul Smocer from the Financial Services Roundtable.
Paul, it is a pleasure to be talking with you again.
PAUL SMOCER: Tom, it is good to be talking to you as well.
FIELD: Now we are at the RSA Conference ... we have both been here all week, and I would say the resonant themes I have been hearing, especially related to financial services, are about the incidents of fraud prevention and then hearing an awful lot about the ACH issues and the ATM issues that financial institutions have been faced with. What are the security trends that you are most concerned about now?
SMOCER: Well, we continue to work a number of initiatives that we had started last year, or even earlier in some cases. I am here at RSA; I spoke on a panel actually with regard to email authentication, and we think that continues to be an important subject to our members for a number of reasons.
Number one, it is one of the main vectors for downloading malware through phishing, and in particular the sophistication of phishing and the targeting of phishing has grown over the years. So when you think of some of the fraud scenarios that you were just speaking to, the way those often start is through somebody getting a phished email that takes them to a location that downloads malware, that captures their credentials, but then allows some fraud to be perpetrated, pretending to be their identity. So, that continues to be a hot issue for us.
We are working not only with our members, but we are working with other associations, other financial associations, as well as with the ISP community to try and find the ways to facilitate the implementation of stronger email authentication across the board.
While we are on the subject of authentication, we are looking at authentication itself. We just went through a significant survey process around authentication practices, both on the customer side and internal to institutions, and we are in the process of kind of assembling that with the idea that hopefully that will serve as a base for us to kind of move into best practices going forward.
We actually just launched a project around biometrics that is a continuation of some work we did last year. The work last year was really based on how far has biometrics come; does it present a viable option in any way? And that work, I think, came to a recognition that in fact the biometrics field has progressed quite a bit, so we are going to see how we might be able to leverage that in that space.
In particular for 2010, obviously this whole malware, zero day vulnerability issue is key to us, so we are looking at techniques and possibilities, and we have heard a lot at the conference here obviously around ways it may be addressed. I'm not sure anybody has seen a silver bullet yet, but we are continuing to look at that space.
We are also looking at the social networking space, and we are really looking at that from three perspectives. Number one the use of personal social networking within organizations; our industry probably has a little bit greater challenge there than some do because of some of the compliance requirements that come into play with regard to retention of business-related information, particularly in our trading areas. So we are looking at personal use in the workspace. We are looking at workspace use -- organization-hosted social networks for collaborative purposes. And then kind of on the far end of that, on the emerging side, is the use of social networks as a product delivery channel; so we are continuing to look at that.
We are looking at cloud computing, obviously. We have been through a number of sessions here about the pros and cons and the concerns around security, particularly I think focused on the data storage, data privacy question. So we are continuing to work in that space.
We are continuing work around software assurance, so secure development lifecycle, threat monitoring, threat practices, etc., so you know there is a whole ecosystem out there, and as I keep telling people: You squeeze one end of the balloon, and another piece moves, so we are trying to get as much of the coverage as we can in working with our members.
But it was interesting this year as we went into 2010, there was probably the strongest level of consensus since I have been working with BITS, either when I was in the industry or on the staff side, around kind of what the key issues were to deal with in 2010.
FIELD: Let me ask you about regulatory reform because it is an issue that we brought up in our survey, and I think I was a little surprised to see that banking and security executives very much feel that whatever regulatory reform comes down is going to have a direct impact on information security.
SMOCER: Well, I think there is still a lot of debate around what roles the various agencies will play. I think from a practical perspective when this settles and we can figure out what the new regulatory world looks like, that will give the agencies as well a chance to settle and focus more on the cyber IT space. That is not to suggest that the agencies aren't focused on that right now, but there have certainly been some distractions over the last couple of years.
I think that the areas that we are seeing from a regulatory-focused perspective are pretty much the same areas that we just talked about. Certainly authentication, certainly software assurance, certainly some work from some of the agencies in the cloud space. We just saw some new regulation come out from the SEC with regard to social network usage in the environment.
So, I think collectively we are on the same track. We try to stay very close to what the regulators are thinking, either through the work we do at BITS itself, or through some of the other associations we have, for example, at the Financial Services Sector Coordinating Council level.
FIELD: What can you tell us about the shared assessments program? Any advances in that this year? Are you starting to see more acceptance of it?
SMOCER: Well, the program has just gone through another update. As you know, we try to constantly keep the questionnaire portion, the SIG portion, and the agreed-upon procedures up to date as the world evolves, as it were, so that process is fairly constant.
We are looking to expand; that program is actually run by the Santa Fe Group in association with BITS, but we are looking as well at other industry verticals where this makes a lot of sense, particularly the healthcare space, as an example. We are still working through the process of trying to get the vendors and all of their users connected, so that the eventual hope of the do-it-once from a service provider perspective becomes a reality, but that continues in some ways to be a challenge, to be honest.
FIELD: So, we are here at the event this week, what are the conversations you have been here to have and what sort of resonant themes do you see bubbling up?
SMOCER: Well, as you know, for the industry as a whole, and not just for BITS or the FSTC but the industry as a whole, security is a critical and important matter. So we are certainly trying to encourage people to keep focused on the issues. Because while it is important to us, the ecosystem is such that others in the world -- you know, financial services doesn't live alone on the internet; it lives in conjunction with a lot of other people. So we try to keep the focus going.
We are trying obviously to pick up as much intelligence around what the vendor and service provider community is doing to address some of the issues and whether there are some good or better solutions out there. It is certainly an opportunity to interact with our peers.
Security itself too is in my mind a fairly industry agnostic issue. While some may focus on it more than others, the reality is that the issues in information security really affect all industries. So we are trying to see if there are techniques that other industries have recognized that might serve to improve what we are doing as well.