Great Expectations for Banks
How Banking/Security Leaders Keep Pace with Banking Innovations
"There's an expectation that security will be built-in and be part and parcel of all those factors," Moretti says. "On the other hand, there's increased concern over who has access to personal and corporate data."
This concern manifests itself in both the boardroom and in the bank lobby, Moretti says. Customers especially are sensitive to the security of their personal data. "People are debating security techniques on Facebook," he says.
The challenge, then, for banking and security leaders is to help enable innovations such as mobile banking, but also to detect and prevent the risks of these new ventures.
In an exclusive interview on global banking and security challenges, Moretti discusses:
- Top information security threats facing global leaders;
- Biggest regulatory challenges of 2011;
- Tips for managing information security across the global landscape.
Alessandro Moretti, CISSP, Executive Director, UBS Investment Bank, IT Security Risk Management, is a member of the (ISC)2 Board of Directors and the (ISC)2 Global CSSLP Advisory Board for Software Security. Alessandro leads a global team of 25 covering risk analysis, risk management and the IT forensic team. A British and Swiss national, he has extensive international consulting experience working with Fortune 500 financial services, nuclear and petrochemical companies, including Baker Hughes, as interim CISO on some assignments, establishing new security risk management and security testing functions.
TOM FIELD: If you can, just to start us out, maybe you can tell us a little bit about yourself, your experience, and the multiple roles you are playing today?
ALESSANDRO MORETTI: Yes, I've got a role as a member of the application security advisory board for (ISC)2, and that has got a number of professionals from various industries and government professions. Also, I have experience within the banking and finance sector over the past 10-12 years because I run a global security risk function within UBS, the global bank.
Top Global Threats
FIELD: From our perspective here in the US, we see a lot of fraud. From your global perspective, what do you see as being the top information security threats on the radar of banking and security leaders?
MORETTI: That's quite interesting because the application security advisory board met just in quarter four of 2010, and we discussed a number of these topics amongst ourselves. What we are seeing and what we discussed towards the end of last year is that there is actually a divergence of innovations and expectations for security -- against the increasing awareness within the community, in banking and in government, of data leakage in and around and outside of the organization. So those are increasing threats from a divergence aspect.
I think from the industry sector itself and the overall community of people that use and corporates that use technology, we are seeing an increasing usage of mobile applications, social media, corporate and public clouds, where information is stored electronically on various different platforms, an increasing use of service providers who provide services to both the banking sector and the government. All of these are what we call new innovations within the IT technology sector to support the banking sector and government. This is where there is an expectation that security will be built-in and will be part and parcel of all those factors.
On the other hand, given all the news more recently, there is an increasing awareness and concern of who's got access to personal and corporate data. I think one of the things that has come out recently in 2010 as well is things like Facebook security methods. If you see all the personal blogs and stuff, people are more aware of what's happening to their social data. They are very aware and becoming increasingly aware of the possibility of data [leakage]. That is a challenge that we've got as professionals within the sectors, including the banking sector, this divergence of expectation.
Mitigating the Risks
FIELD: Well, given this evolving landscape and the innovations that you've mentioned, how do you see banking institutions best protecting their customers from some of the emerging security threats?
MORETTI: It's quite a challenge because of the divergence. One of the things that we want to do is to make sure that we've got the competency built into our security professional organizations within the banking sector and with our partners. That is something the (ISC)2 has recognized -- that if we essentially certify these professionals, the more professional they are with more competency, the more likely that they are going to address some of these problems. But to answer your point, from a proactive and reactive aspect, there are ways to essentially fix legacy issues with reactive measures so that we can react to challenges and threats that are appearing, and in a proactive way by developing more secure code, a more secure environment, and more secure mobile platforms. One of the things that we are also seeing is that security is becoming more commoditized. That is going to become a little bit cheaper, and it becomes built into what we call the DNA of how we operate our institution, our banking institution, if not the government institution. To give an example of that, when you are developing or where you are innovating with some of these new platforms, including maybe an application for a mobile device, you can actually use some of the commoditized security penetration-testing procedures and service providers to help you understand your approach to security. In addition, you can sort of use a social engineering type of penetration. Again, commoditized to what are essentially US standards as well, the typical stuff they see to establish how secure your external service provider is.
I think some of the other things that are coming through over the course of 2011, you'll see in the next couple of years. It's much more of an appetite for security innovation on the desktop and with data.
Another thing that perhaps we're looking at from an industry perspective, which perhaps might be a reinvention of the mainframe, is virtualization. There are some concepts now where if we want to maintain control of external sites outside of a particular headquarters or main office, virtualization is being a way of controlling the desktop. So the desktop is controlled by the headquarters, and you don't have to rely on security staff in remote locations and perhaps even outside of the States. It is a concept that allows us to make sure that the security attributes on the desktop being used by external staff from a remote location can be maintained securely.
This virtualization is something that is coming back. It's being used extensively in government over the past couple of years, and you'll see that the industry sector is looking quite closely at this as a tool. Of course coming back to the application security advisory board, one of the things that we're trying to do is develop applications especially for these new platforms like mobile in a secure manner with that expectation that when you download an application to a mobile device, and if it is using your personal data, that it is going to be inherently secure. Now obviously there are platform providers like Apple that will do a lot of diagnostics -- it's like security testing or checking to make sure that the application itself meets their standards.
Regulatory Challenges
FIELD: Alessandro, I would like to take you in another direction and talk about regulatory compliance. Now, particularly in Europe you've got many different privacy regulations country by country. As a global organization, when you are working in so many different countries, what do you find to be the challenges in terms of regulatory compliance and privacy, and how do you respond to these challenges?
MORETTI: Yes, it's an interesting question, and it's one where we have to rely on to a certain extent other professionals like the legal and compliance community who are in touch with the regulators. There is a partnership between the security professional and technology, or maybe in information security and the legal and compliance specialists. Because quite often, you'll find that the regulations are very pertinent to regions or regions associated with regulators. In Europe, there are some common regulators certainly for the banking sector, and then in Asia Pacific, again, what you'll find is that it's much more aggressive by the regulators there to set the pace in what they expect. But I think security concepts are not new, and essentially what the regulators are trying to do is address the pace of change in innovation that we talked about in the first part of this interview, and I think the bank will certainly have two-to-five-year programs to address those security confidences.
The issue that we have with the regulators is not so much the security concept itself, but sometimes the vagueness and perhaps change of direction depending on which regulator or which region you're operating in. So a small change on a regulation relating to data protection in one region, it may be because there are legalities with that. It can't impact the whole process. For instance, if you have a two-to-five-year project and you've put a project plan in place, you decided on the technology to accommodate that, and then certain technology is viewed as not being suitable by one regulator, then of course that impacts the global rollout.
However, a lot of regulators are discussing security concepts with each other, and I think it is helping. The US stance has got a slightly different appetite for electronic security measures than perhaps some of the regulators in Asia Pacific, and that can be a difference when we're offering the platforms on a global basis.
Fraud Trends
FIELD: Another question for you is about fraud. In the US, we've just conducted a fraud study where we find that payment card fraud, phishing and vishing, and check fraud remain top concerns. When you look across the countries that you work in, what are the top banking fraud concerns and how have they been addressed?
MORETTI: It's an interesting topic, as some people talk about fraud in a different aspect. I think your implied definition, where you are out to seek financial gain, is the appropriate one to talk about.
Typically, I think the external organizations targeting banking sectors are known about, and they are becoming more sophisticated in terms of trying to defeat security for financial gain, but I would say that is stealing and not fraud, though. The fraud aspect we mainly talk about is from clients or even employees falsifying identity or information for financial gain. I think that is more the topic that we probably need to emphasize on this particular call.
The false identification being processed to get access to new accounts or existing accounts is certainly a threat to the ... I won't say it is increasing, but we are concerned about it from both a security professional organization and also probably from an industry. But, in fact, we rely on the government here to make sure we can get a standard perhaps globally in terms of understanding and verifying someone's identity. It might be different in the corporate world, but certainly if we can identify an individual and it is government certified, that helps us combat the falsification of identification for financial gain in some of the electronic systems. Now for instance, most people probably can create Yahoo accounts, and there are some other social networking sites where you can claim to be a professional, but there is no verification of your identity. So there is quite a challenge I would say over the course of the next two to three years to see if we can come up with a common standard to verify a person's individual credentials in that aspect to help us combat any fraud that happens certainly in the financial sector.
Tips for Global Business
FIELD: Well, we've talked a lot about a lot of topics here. We've talked about social media, the advent of mobile technology, regulatory concerns and fraud. If you could boil it down, what advice would you offer to banking and security leaders when dealing with the global challenges that they face in 2011?
MORETTI: Certainly from a global perspective, for the US-based institutions, it is to understand when and where and how you are operating outside of the US legal territory. That sort of leads on to one of my earlier comments, which is that really in each region that you are operating in, you do need to seek out the local legal professionals. It is too difficult and too hard to make solutions that you would understand and compare and contrast US regulations with what happened in the local territory. Certainly, make sure you've got good legal representation. Another point from a risk and security professional aspect is also saying that you cannot transfer risk by using an external service provider or by using a partner. Risk has to be understood, and you have to control that risk. So if you are operating in another jurisdiction, you are operating with a partner, you still need to do some due diligence in terms of what that external partner is providing to you. You will then put in your due diligence process, including service provider assessments, and even look down to the technologies we've talked about earlier. Maybe you want to control the security with technology upgrading outside of the US with that local provider by offering virtualization, so at least you can control it.