By Daryl-Lynn Carlson
Through federal legislation in Canada and the United States, financial institutions are compelled to embrace the convergence of their security systems. So, not surprisingly, banks are well on their way to implementing the concept compared to other commercial organizations, many of which are still struggling to grasp the concept of security systems convergence.
But the process of bringing together physical and Information Technology (IT) security systems — even as a matter of compliance for the banking sector — has not been without hurdles.
Leading banking and security industry panelists gathered at the PGA
National Resort and Spa in Palm Beach Gardens, Fla., earlier this month
to troubleshoot some common challenges and offer tips on expediting the
convergence of security systems.
An audience of 53 security professionals from regional and national
financial institutions listened in live to the session called Banking’s
Roadmap to Physical & Logical Convergence while more viewers across North America logged
on to their computers for a webinar transmission of the session.
“Convergence is a word that means a lot, in a lot of different
industries, and has certainly become a lightning rod within the
security industry around how we bring the two traditional disciplines,
or peers, of security together – physical and electronic,” said Gareth
Webley, Chief Security Officer of National City Bank.
He and fellow panelists noted that criminals continually evolve their methods to circumvent security as quickly as new measures are
implemented. Citing fraud as a bank’s most prominent risk, Webley
pointed to the recent arrest of David Verhotz of Hudson, Iowa, who is
accused of embezzling $29 million from the Cleveland-based KeyCorp bank
– allegedly doing so right under its nose.
Webley, who is senior vice-president of global trade services, also
referenced the popular film Ocean’s Eleven, in which the characters
foil elaborate security systems to steal millions from the vaults of
three busy casinos – a fictitious scenario but not entirely impossible.
The concept of convergence is relatively new, yet fervently championed
as the new standard to protect assets as electronic technologies
develop at lightning speed.
Banks, as well as government or health care sectors, are mandated by
law to protect customer information and comply with legislation
governing securities and investments. That means they must judiciously
guard information and assets in order to conduct business.
But, just as for any major organization, a breach in security would also affect a bank’s brand.
Ryan Buckley, vice-president of information security at Citizens
Financial Corp., acknowledged shareholder and consumer confidence are
key drivers behind convergence. “If my ID was stolen and my life turned
upside down, I might think twice about maybe going back to the old
days and begging out on the use of electronic channels into my bank,”
he suggested. “If there were major events where massive amounts of
identities were stolen and good portions of the public thought about
doing banking the old way and not electronically anymore, there would
be profound cost impacts to the banks.”
Panelist Adam Stanislaus, vice-president of security at First Data
Corporation, which provides electronic transaction services, suggested
convergence – if done properly – enhances an institution’s brand,
shareholder value and dialogue within the organization.
“At the end of the day, it all starts with the IT and the physical
organization. They are two different organizations in a lot of places
today and they talk different languages, they see different things,
they have different risks and different models. To establish a
relationship is the number one priority,” he said. “Convergence allows
you to better communicate with your executives and hear the physical
and the IT talking about the same things.”
An effective convergence strategy takes into consideration which
operations within the organization to include, as well as technological
limitations, and provides for policies and procedures such as disaster
recovery to ensure the merged systems are effective.
Hurdles to convergence are related to its integration rather than
technology. John Maya, group director of information technology at ADT,
added that persons within an organization responsible for convergence
should be carefully selected for their expertise, and that once a model
is in place, it requires continual monitoring.
“The resounding thing that we’re hearing throughout this symposium is
the relationship of physical security and IT organizations talking and
conversing, not one time but many times continuously to ensure that
we’re always looking … to make sure that as we see the risks, we’re
mitigating them, that we’re classifying them and prioritizing them, and
then we go back and keep looking for more and more risks out there,”
Finally, be wary of contract support, said Buckley of Citizens Financial
Corp., who advised banks to always choose services from reputable contractors.
“In a large enterprise, banking or not, you’ve got
thousands of contractors rolling that enterprise and they’re a couple
of keystrokes away from banging on the interface of that system,” he
cautioned. “So my advice is, I definitely agree go with very reputable
companies that know what they’re doing and not only know the security
functionalities of the products they’re aiming at you but also know
application security functionality to make sure that these security
products themselves don’t end up being entry ways into your jewel box,
so to speak.”