Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented Countdown to Compliance with NYDFS 23 NYCRR 500 during FinCyberSec 2017 at the Stevens Institute of Technology in Hoboken, NJ on May 31, 2017. Ron was part of a day-long event that focused on the technical, regulatory, process and human dimensions of cyber threats faced by financial systems and markets.
Dr. Paul Rohmeyer, who organized the conference, started the day with opening remarks that set the stage for how the world of business and cybersecurity has changed in the last year. With constant attacks, like the WannaCry ransomware attack, and the ever-changing business and technology landscape, financial services companies have a lot to address as they look to safely promote new business models.
Dinesh Kumar, CTO of Mitovia, started the presentations by discussing security effectiveness. Collectively, companies spend upwards of $100 billion annually on cybersecurity, yet data breaches are a daily occurrence. Dinesh focused on using a business model to determine the outcomes of cybersecurity rather than focusing on tasks or events. If you ask a typical cybersecurity professional what she or he does, they might tell you they monitor something or try to prevent something. If you ask a salesperson, they will say "I increased revenue by xx dollars" or "I brought in five new customers." They don't tell you they made 20 phone calls or had eight lunches to get those outcomes. Understanding that cybersecurity is a means to a business outcome helps focus resources and activities.
Ron Arden was up next and focused on the new NYDFS 23 NYCRR 500 cybersecurity regulation for financial services companies doing business in New York. Ron cited numerous statistics from the recent Ponemon survey, "Countdown to Compliance," showing that many organizations are not ready for the regulation and will need help to meet the compliance deadlines. A big part of the presentation was about understanding that the purpose of the regulation is to protect financial businesses and their customers. Ron advised the audience not to get caught up in the minutiae of the technical and governance details while losing sight of the real point, which is to protect nonpublic information from unauthorized access. There were numerous audience questions about the security readiness of third-party service providers and how financial organizations can ensure they are covered. It will take a combination of legal, process and technology solutions to address this. Ron spoke about Fasoo's six-step plan to address the data-centric security and encryption requirements in the regulation, which cover the main information protection points of the regulation for both the covered entity and its service providers.
Michael Frank, President of Secure Business Strategies, finished out the morning presentations by comparing our brave new world and its cybersecurity practitioners to an Eagle Scout and explaining how we need to think differently. He cited the Scout motto and oath and showed how, with a few changes to the wording, they are very relevant to our cybersecurity fight. Key to Michael's presentation was that cybersecurity equals business today. New business models from Quicken Loans, Amazon and many others are turning financial services on its head. Key to their success is the notion of trust, which relies on providing a secure, end-to-end business process. We as consumers of goods and services need to trust these providers to keep our information secure as we do business with them. Without that trust, these businesses will fail.
The afternoon continued with numerous technical presentations and ended with a great panel discussion with a CISO and two technical practitioners. Discussions returned to some of the morning's topics on security effectiveness and business outcomes. The often-cited Target data breach came up as an example that compliant does not mean secure. Focusing on business effectiveness allows an organization to understand and prioritize its investments in security policy, process and technology. While a cybersecurity strategy should support the business strategy, it's amazing how many companies do not do this.
This conference was a very successful event and I expect it will continue as more emphasis is placed on practical approaches to increasing security in the financial industry.