Considerations and strategies for securing a modern financial institution

A Q&A with Jeff Javits

In 1933, the bank robber Willie Sutton was asked why he robbed banks, despite their high security, thick-walled vaults, barred windows and armed guards. “Because that’s where the money is,” he deadpanned in response. In that regard, not much has changed since Willie Sutton’s day. There’s still a treasure trove of incalculable value behind the walls of most financial institutions today, though it’s no longer just gold bars or paper currency. It’s data, too. And lots of it.

What has changed drastically is the attack surface, and it has changed primarily to benefit the would-be Willie Suttons of our time. There are seemingly endless ways for digital thieves to pilfer our personal information, and they can do it with a lot less risk now than they did bursting into banks and dodging gunfire back in the day. Very few high-speed car chases occur after a bank’s data is stolen out from beneath them. They might not even know anything has happened for days, even weeks or months.

Modern financial institutions don’t just have to keep money and transactions safe and secure, they have to secure every shred of personal data that might be used to steal identities, commit fraud or outright take funds. The proliferation of AI will only continue to complicate the security landscape for banks, and it’s a near certainty that exponentially more advanced, sophisticated threats to their security exist on the horizon. To learn more about how banks can secure their most valuable and fastest-growing asset – data – against a reality that is evolving just as quickly alongside, I sat down with longtime friend and infosec expert, Jeff Javits.

For more than a decade, Jeff has served as Information Security Officer and also Chief Information Officer at several financial institutions, working in that industry since the late 1990s. His resume includes leadership roles at Wells Fargo, Synovus, Fremont Bank and Heritage Bank of Commerce. Today, he consults with financial institutions of all sizes to help them implement the right tools and processes to meet their increasingly demanding security needs. We chatted about his experience, foundational elements to consider when securing a bank, and how to approach today’s ever-changing security landscape.


Let’s start with an obvious question. How does securing a bank differ from securing any other enterprise, and how does that impact your foundational approach?

Securing a financial institution is just like securing any other enterprise, but with broader, deeper and more thorough redundancies in place to cover the most significant risks. Security is not a single, momentary state – it is an ongoing process.

This means that first and foremost, you have to manage your strategy to a specific framework. There are too many disparate areas to cover to fly by the seat of your pants. It is virtually a guarantee that without a framework, which serves as a de facto checklist, you will miss something critical. There are a number of existing frameworks, like ISO 27001, NIST, COBIT and others, that lay out management guidelines and best practices and delineate the many different areas requiring ongoing management to secure a financial institution. Are you managing identities properly? Are you protecting your networks, and keeping software up-to-date or patched?

It doesn’t particularly matter which one you choose for your specific environment, what is important is that you choose one and stick to it. Ultimately, these are the frameworks that auditors measure compliance against. If you don’t have anyone within your organization who is already familiar with these frameworks, then you’ve identified your first security gap.


What other foundational elements do you need to consider at the outset when you’re developing a modern security strategy for the world of finance?

As I alluded to already, the first key step is to acknowledge what you don’t know and which areas your team does and does not have expertise in. Then you can fill in the gaps by getting specialized help. Think of this process like Maslow’s “Hierarchy of Needs” – make sure the basics and your largest risks are covered and then get more sophisticated from there. Test regularly and frequently to understand your security posture day-to-day. How secure are you now? Next week? Where is a breach most likely? Where are our biggest risks?

Another critical foundational component of properly securing a financial institution is to define clear ownership of equipment, software, tools, and processes within your company, despite departmental borders. Everything from desktop computers to security software, routers, and firewalls. If your networking and security groups argue over who owns firewall policies, who implements them, and which group must patch and maintain that firewall, for example, you’re far more likely to be breached.

Multiple teams may have a stake in a tool or process. Going back to our firewall example, the networking team should own and manage it, but it’s the Information Security group that needs to know when there’s an alert. So there will always be a degree of shared ownership. Clarifying and agreeing on ownership and roles helps avoid situations where one thinks the other is doing the work, or one team becomes overprotective, and the result is an alert that no one responds to quickly.

Finally, it’s critical to build a culture of security through education right from the outset. This has to be a continuous effort, from onboarding to regular training and reminders for security policies, secure procedures, positive guidance on how to accomplish goals securely (rather than being a “no” person), and updates on current threats, tricks, and scams. Business Email Compromise and persona masquerading will only increase as time goes on, enabled by AI with the potential to supercharge the danger.


Can you walk us through how you would accomplish this at a practical level as a security leader at a financial institution?

The basics are pretty simple and will be familiar to security pros across other industries. Manage servers, desktops, laptops and mobile devices with approved, secure images and inventories. Keep them secure with updates and patches as part of an organized patching program. Basic backup and recovery across the entire stack still matters, as does making sure your recovery solution won’t restore any malware.

Implement an organized information security program with policies, controls, control testing, training and education, reminders, and outside party review in place. Build a culture of security with support and buy-in from the board, CEO and other executives. Remember that third party risk is also a huge factor. Vendors and partners must be secure for you to be secure, so manage vendors and third party risk appropriately. All of this should be part of an ongoing, organized enterprise-wide risk management effort.

On the network security side, all of the existing standards still apply – firewalls, antivirus, ongoing real-time monitoring for malware and ransomware activity or movement, utilizing outside managed detection and response (MDR) vendors for continuous monitoring, correlation of events from activity logs, and access to threat intelligence. Use encryption for data at rest and data in transit where you can.

Create software development processes that build security in from the start, rather than adding security on later. Ephemeral containers that are “spun up” and torn down must have the same secure templated configurations that any other desktop or server would have. Change control processes for hardware and software changes should make all changes visible and include information security staff in reviews and approvals. Application security is critical, and principles like removing privileges during job moves or role changes to avoid “permission creep” are as important as applying the “least privilege” rule to begin with.
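The “permission creep” point above is easy to state and easy to lose track of in practice, so here is a small access-review check as an added example (not code from the article or from any product Jeff describes). It assumes a role catalogue mapping each role to the entitlements that role legitimately needs, and compares that against what the directory actually grants a user today; the role names, entitlement strings and users are all constructed sample data.

```python
"""Detect "permission creep" after a job move: entitlements a user still
holds that none of their current roles justify, plus the reverse case
(a current role grants something the user lacks).

Added example, not from the original article. The role catalogue, the
user records and the entitlement names are constructed sample data.
"""
from dataclasses import dataclass

# Constructed role catalogue: role -> entitlements that role legitimately needs.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking:read", "core_banking:post_txn", "branch_printer"},
    "loan_officer": {"core_banking:read", "loan_origination:write", "credit_bureau:query"},
    "it_helpdesk": {"ad:reset_password", "ticketing:write"},
}


@dataclass
class User:
    user_id: str
    roles: set          # current roles only; a job move replaces the old role
    entitlements: set   # what the IAM system / directory actually grants today


def expected_entitlements(roles):
    """Union of entitlements granted by the user's current roles.
    Unknown roles are an error rather than silently granting nothing."""
    unknown = sorted(r for r in roles if r not in ROLE_ENTITLEMENTS)
    if unknown:
        raise ValueError(f"unknown roles: {unknown}")
    expected = set()
    for role in roles:
        expected |= ROLE_ENTITLEMENTS[role]
    return expected


def find_creep(user):
    """Entitlements the user holds that no current role justifies (to revoke)."""
    return user.entitlements - expected_entitlements(user.roles)


def find_missing(user):
    """Entitlements a current role grants but the user lacks (under-provisioned)."""
    return expected_entitlements(user.roles) - user.entitlements


def review_report(users):
    """Per-user summary suitable for a periodic access recertification."""
    return {
        u.user_id: {"creep": sorted(find_creep(u)), "missing": sorted(find_missing(u))}
        for u in users
    }


if __name__ == "__main__":
    # Constructed scenario: alice moved from teller to loan_officer but kept
    # core_banking:post_txn; bob is helpdesk but somehow has core banking read.
    users = [
        User("alice", {"loan_officer"},
             {"core_banking:read", "core_banking:post_txn",
              "loan_origination:write", "credit_bureau:query"}),
        User("bob", {"it_helpdesk"},
             {"ad:reset_password", "ticketing:write", "core_banking:read"}),
    ]
    for user_id, result in review_report(users).items():
        print(user_id, result)
```

Running this on the constructed users flags `core_banking:post_txn` for alice and `core_banking:read` for bob as entitlements to revoke. The same diff, run on every role change and on a recurring schedule, is what turns “least privilege” from a one-time provisioning rule into an ongoing control.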

Incident response, business resumption and disaster recovery plans are another critical element. Perform walk-throughs, practice and test, test, test to make sure the bank can continue to run or recover critical functions rapidly in the event of a breach. Regulators review these plans to make sure they have been thoroughly and adequately tested. Your ability to operate is another critical asset to protect.


We’ve talked through some of the commonalities, but what are the unique challenges of securing a bank compared to other enterprises?

Commerce and transactions need to occur, at an extraordinary scale, for a financial institution to remain viable and serve its customers. As a security leader within a financial institution, you can’t simply say no when there’s risk involved. The risk is inherent and omnipresent, so you need to be able to find a way to say, “Let us help you accomplish what you need to accomplish securely.”

This brings us to the concept of Zero Trust. At a basic level, the concept is that you essentially trust nothing and verify everything – hardware, software, end users, business partners – to allow access along the way. It’s a framework for requiring all users, software, servers, and networks to be authenticated, authorized and continuously validated. Zero trust assumes there’s no traditional network edge.

In financial institutions, we also want to limit risk with the concept of “single system compromise”. Security design should isolate and protect systems and network segments, so that if one is hacked, bad actors cannot move laterally into other areas with sensitive and valuable data. For example, after hacking into an employee laptop, intruders will then crawl the network laterally to get to servers, applications, and data storage to find where the good stuff is hiding. We need system designs and tools that segregate networks and systems in addition to tools to detect and quickly lock down intrusions. While you may already have basic network segmentation separating major network areas in place, a recent trend is to continue to “wall off” systems, applications, and subnets into more granular segments for additional protection. Isolation limits data compromise by limiting intruders’ lateral movement.
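To make the “single system compromise” argument concrete, here is an added example (not from the article) that measures the blast radius of a compromised segment under two segmentation policies. It models each allowed flow between segments as a directed edge, assumes default-deny for anything not listed, and conservatively assumes that any host in a reachable segment can be compromised in turn; the segment names and flow rules are constructed sample data, not a real bank’s topology.

```python
"""Lateral-movement blast radius under coarse vs. granular segmentation.

Added example, not from the original article. Segment names, allow rules
and the starting point are constructed sample data. The model is
deliberately pessimistic: every allowed flow is treated as a usable hop.
"""
from collections import deque

# Constructed list of the data stores we most want to keep out of reach.
SENSITIVE = {"core_banking_db", "loan_app_db", "hr_db", "file_share"}

# Constructed coarse policy: one flat "internal" zone behind the laptops,
# so anything that reaches "internal" can reach every data store.
COARSE_FLOWS = [
    ("branch_laptops", "internal"),
    ("internal", "core_banking_db"),
    ("internal", "loan_app_db"),
    ("internal", "hr_db"),
    ("internal", "file_share"),
]

# Constructed granular policy: laptops only reach the application tiers they
# use, each application tier only reaches its own database, and HR is on its
# own island. Nothing grants branch laptops a path to hr_db or file_share.
GRANULAR_FLOWS = [
    ("branch_laptops", "loan_app_web"),
    ("branch_laptops", "teller_app_web"),
    ("loan_app_web", "loan_app_db"),
    ("teller_app_web", "core_banking_db"),
    ("hr_laptops", "hr_app_web"),
    ("hr_app_web", "hr_db"),
]


def allowed_flows_to_graph(flows):
    """Turn (src_segment, dst_segment) allow rules into an adjacency map.
    Any pair not listed is denied (default-deny between segments)."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable(graph, start):
    """Segments an intruder could reach from `start` by hopping along allowed
    flows (breadth-first search); the start segment itself is excluded."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in graph.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def exposed_sensitive(graph, start, sensitive=SENSITIVE):
    """Sensitive stores within the blast radius of a compromise at `start`."""
    return reachable(graph, start) & set(sensitive)


def compare_policies(start="branch_laptops"):
    """Side-by-side count of exposed sensitive stores for the two policies."""
    return {
        "coarse": sorted(exposed_sensitive(allowed_flows_to_graph(COARSE_FLOWS), start)),
        "granular": sorted(exposed_sensitive(allowed_flows_to_graph(GRANULAR_FLOWS), start)),
    }


if __name__ == "__main__":
    for policy, exposed in compare_policies().items():
        print(f"{policy:9s} compromised laptop exposes: {exposed}")
```

With the constructed rules, a compromised branch laptop can reach all four sensitive stores under the coarse policy but only `core_banking_db` and `loan_app_db` under the granular one, and `hr_db` and `file_share` drop out entirely. The same function run against exported firewall or cloud security-group rules is a cheap way to check whether a proposed segmentation change actually shrinks the blast radius rather than just adding rules.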

Finally, banks need more than just the bare-minimum protection set of information security categories offered. Banks also need transaction protection, fraud detection, and other categories of security products to protect money and transactions. If most companies need antivirus, intrusion detection, firewalls and backups, for example, then financial institutions need at least that and then some.


What types of solutions make the most sense for selling into banks, and which would you dismiss outright?

Buyers typically want to see an existing tool replaced, rather than an additional product category or tool with new associated costs. This can be tricky for established security vendors, who provide software suites that can only be updated with new functionality built into an existing framework. That presents a major opportunity for startups, who can come in and replace a specific piece of functionality in a more targeted way.

Products that automate work or increase efficiency will always be well-received within financial institutions. Demonstrating clear and specific time savings that free staff for higher-order security work will make products and services more attractive.

Keep in mind that banks have to keep up with the latest vendor offerings to protect against the latest threats. They have to prove that their security programs, policies and tools are never static, but rather evolving and improving their overall security posture. Solutions that mirror this need will be impactful; solutions that don’t are a non-starter.


What final advice do you have for founders or leaders in this space?

Ultimately, security at any company is everyone’s responsibility. Security policy should be approved by the Board of Directors, with executive support and high expectations for every single employee to protect information. These policies must be well-summarized and effectively communicated to everyone in the company, rather than being unread documentation sitting idle in a tucked-away file.

Remember that information security is a dynamic and ever-changing landscape with your transactions and private data as the target. The bad guys only have to get it right once to break into your company’s systems, but to protect it we have to be right every time. Use a risk management approach to continually test existing controls, manage changes, search out gaps, and monitor evolving new risks. And don’t forget that your intellectual property, like the source code to your software product itself, may be the most important information asset to protect.

We must always prioritize carefully as we face numerous risks, threats, and choices, operating the systems we have while fixing, upgrading, and implementing new ones. Vendors who can combine functions and reduce the number of security tools required, automate time-consuming tasks like chasing false-positive alerts, and cover more risks without adding another category of product to buy will always be of value to financial firms and all enterprises.


Rob Shearin

Innovative C-Level Leader Who Amplifies Growth & Advances Digital Excellence in BizOps and IT

1 year

It’s a good reminder of vigilance that is required to limit oppty’s for the ‘bad actors’. Nice job, Jeff and Yousf.

Ken Sandy

Executive Product Management Coach -- Visit influentialpm.com

1 year

Intriguing subject from an expert perspective

Monica Bajaj

Mother| VP of Engineering, Okta| Board Member|Advisor|Investor|

1 year

Great story! Loved how the summary has been captured for the entire security practices and processes at every level and later summed with Zero trust. Another great addition to Vest side stories
