Blog

Tag: Paul Rohmeyer

Ron Arden Talks About NYDFS and Cybersecurity at FinCyberSec 2017Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented Countdown to Compliance with NYDFS 23 NYCRR 500 during FinCyberSec 2017 at the Stevens Institute of Technology in Hoboken, NJ on May 31, 2017.  Ron was part of a day long event that focused on technical, regulatory, process and human dimensions of cyber threats faced by financial systems and markets.

Dr. Paul Rohmeyer, who organized the conference, started the day with opening remarks that set the stage for how the world of business and cybersecurity has changed in the last year.  With constant attacks, like the WannaCry ransomware attack and the ever changing business and technology landscape, financial services companies have a lot to address as they look to safely promote new business models.

Dinesh Kumar, CTO from Mitovia, started the presentations by discussing security effectiveness.  Collectively companies spend upwards of $100 billion annually on cybersecurity, yet data breaches are a daily occurrence.  Dinesh focused on using a business model to determine outcomes of cybersecurity rather than focusing on tasks or events.  If you ask a typical cybersecurity professional what she or he does, they might tell you they monitor something or try to prevent something.  If you ask a sales person, they will say I increased revenue by xx dollars or I brought in five new customers.  They don’t tell you they made 20 phone calls or had eight lunches to get the outcomes.  Understanding that cybersecurity is a means to a business outcome helps focus resources and activities.

Fasoo sponsors FinCyberSec 2017Ron Arden was up next and focused on the new NYDFS 23 NYCRR 500 cybersecurity regulations for financial services companies doing business in NY.  Ron cited numerous statistics from the recent Ponemon survey on “Countdown to Compliance” that showed many organizations are not ready for the regulations and will need help to meet the compliance deadlines.  A big focus of the presentation talked about understanding that the purpose of the regulation is to protect financial businesses and their customers.  Ron advised the audience to not get caught up in the minutiae of the technical and governance details without focusing on the real point which is to protect nonpublic information from unauthorized access.  There were numerous audience questions about third-party service provider security readiness and how financial organizations can ensure they are covered.  It will take a combination of legal, process and technology solutions to address this.  Ron spoke about Fasoo’s six step plan to address the data-centric security and encryption requirements in the regulation which address the main information protection points of the regulation for both the covered entity and it’s service providers.

Michael Frank, President of Secure Business Strategies, finished out the morning presentations by comparing our brave new world and its cybersecurity practitioners to an Eagle Scout and how we need to think differently.  He cited the scout motto and oath and how with a few changes to wording they are very relevant to our cybersecurity fight.  Key to Michael’s presentation was that cybersecurity equals business today.  New business models from Quicken Loans, Amazon and many others are turning financial services on its head.  Key to their success is the notion of trust, which is reliant on providing a secure, end-to-end business process.  We as consumers of goods and services need to trust these providers to keep our information secure as we do business.  Without it, these businesses will fail.

The afternoon continued with numerous technical presentations and ended with a great panel discussion with a CISO and two technical practitioners.  Discussions went back to some of the morning’s topics on security effectiveness and business outcomes.  The often cited Target data breach emerged as an area to discuss that compliant does not mean secure.  Focusing on business effectiveness allows an organization to understand and prioritize its investments in security policy, process and technology.  While a cybersecurity strategy should support the business strategy, it’s amazing how many companies do not do this.

This conference was a very successful event and I expect it will continue as more emphasis is placed on practical approaches to increasing security in the financial industry.

Fasoo talks about cyber security and protecting sensitive data in the finance industryRon Arden, Vice President and COO of Fasoo, Inc., participated in a panel discussion on cyber security priorities in the finance industry at FinCyberSec 2016 at Stevens Institute of Technology in Hoboken, NJ on June 1, 2016.  Ron was joined by Alan Brill, Senior Managing Director from Kroll, and Michael Frank, President of Secure Business Strategies.  The panel was moderated by Dr. Paul Rohmeyer, who organized the conference.

The first topic of discussion addressed the challenges of cyber security in the financial services industry.  Dr. Rohmeyer asked if there are unique priorities of CISOs who are operating in different industries or if they are similar?  Ron mentioned that people either want to disrupt operations or steal data when you experience a cyber security event.  Regardless of industry, the general goals are the same.  There are clearly unique processes in financial services that may not be in other industries, but the basics are the same.

Michael Frank mentioned how the lack of security basics is hurting the financial industry and many others.  We rely so much on technology and assume that everything works that we frequently neglect simple things.  Systems that use default passwords or assume that someone is who they say they are with minimal confirmation are common issues.  Another example is the risk that a typical printer poses to a company if a user can print any sensitive document.  Uncontrolled printing lets anyone print anything and take it out of the business.  We are so focused on protecting the perimeter of our companies from hackers, that we are ignoring the trusted insider who can steal valuable information on a piece of paper.

Fasoo sponsors FinCyberSec 2016There was also discussion on the risk posed by insider threats to unstructured data – typically files and documents.  Most of the data breach headlines focus on hackers stealing information from databases, yet most of the intellectual property inside a business is in documents we work with every day.  Encrypting these documents and restricting their access through persistent security policies is the best way to ensure that only authorized users can access the sensitive information inside.

Another topic for the panel was “Where are we off target?”  Are companies focusing in the wrong areas when it comes to cyber security?  Discussions again focused on securing the valuable data in your company and ensuring that you follow business processes.  Too much emphasis is placed on technology as the silver bullet without thinking about the people side of things.  One example was a major financial transaction where the person executing the transaction got an email from the CEO asking him to transfer a large amount of money to another bank.  While this may be normal, there is a process to verify this through a phone call.  The email looked legitimate, but was actually a phishing email that looked close to the real thing.  A simple phone call verified it was bogus, but most people just accept that the technology is working.

During Ron’s closing remarks he mentioned that just because a company is compliant does not mean it’s secure.  A perfect example is Target from a few years ago.  Target was PCI compliant, but they still had a major data breach.  Cybercriminals exfiltrated large amounts of unencrypted data that caused major problems for the company.  Regulations frequently have guidelines that meet minimal requirements for data security, but do not specify technologies or processes.  That is changing and newer laws are mandating encryption and permission controls as ways to ensure that sensitive information remains safe from all unauthorized users.

This conference was a very successful event and I expect it will continue as more emphasis is placed on practical approaches to increasing security in the financial industry.

Categories
Book a meeting