GLBA and Security Avoidance Questions - Why Are We Not Surprised?
The one question that stands out as the number one sign that something is wrong with the approach many financial services companies are taking to GLBA is: "What is the bare minimum we can do and still operate as a business?" Not that I was surprised to hear this question, but the fact that it came from a really large financial services company did surprise me. I expected it would come from small entities with limited budgets and manpower.
Now, I won't be able to tell you where this person worked -- let's just say he was at one of the world's largest fund managers. This person was charged with development and coordination of an overall infrastructure security strategy, which included operations and compliance management. He says it shouldn't be a surprise that some could consider information security as "just another tax, or as a simple hurdle in the way of their success."
What is the bare minimum we can do and still operate as a business?
His approach -- encourage people to avoid that dangerously short-sighted approach and instead take a strategic and forward-thinking position. GLBA compliance is not a one-time problem that can be offset with insurance, but rather represents a whole new way of thinking about assets and the market.
Another commonly asked question was whether the "X, Y or Z technology" solutions offered by the GLBA vendors (it seems everyone these days has a GLBA compliance "solution") would achieve compliance. The answer? It would be like buying a hammer so they could stop worrying about leaks in the roof. The hammer won't work on its own. Security and compliance benefit from technology, but comprehensive management and design is the key to compliance success.
Is there any compliance pressure hitting your institution? You can take this advice and delegate someone to find the compliance leaks in a timely fashion and use that hammer to fix them. Doing the right thing becomes much easier when security managers are allowed to focus on solutions and let go of the pursuit of an easy fix, simple purchase, or quick buy, which invariably produces short-term savings but long-term security pains.