Twitter: @tomdotdolan
Financial services firms seeking competitive advantage and market success continue to face enormous pressure to innovate as they develop cutting-edge offerings. Ultimately, they need scalable, available technology to drive future success.
The big challenge is how to dynamically extend security and compliance to a changing business architecture powered by elastic compute and technological complexity.
One of the key priorities of a financial services firm is to protect assets, data, and applications while establishing the right balance of controls. What is significantly harder is understanding the status of those controls while meeting business demands in an elastic technology environment. Adding devices, servers, virtual machines and cloud access hinders visibility, fragments control and adds business risk, making it more difficult to stay in compliance.
To effectively manage risk, security professionals need to identify the most critical processes, applications and technologies to appropriately match them with prioritized protections.
Here are the five steps to minimize security risk exposure as you embrace operational agility:
1) Understand business processes that are critical to the organization
Collaborate with your CIO to prioritize which processes are crucial to the business operations and subsequently rank or categorize them. Which processes are foundational? Which processes help maintain the firm’s competitive advantage?
2) Prioritize the security of technologies and applications that support the business processes
Identify the applications, infrastructure and devices that support the critical processes and make sure that you apply failsafe security practices to protect them. This sounds like a monumental task, especially with the explosion of devices and virtual machines in a dynamic environment. With the right visibility tools, however, you can verify the accuracy of your configuration management database (CMDB), build a foundation of continuous, real-time asset intelligence, learn the status of critical applications, and analyze the security hygiene of the devices and infrastructure that support them.
3) Use Asset Intelligence to build the right policies and implement proper segmentation
Application segmentation is a topic that leaves many organizations overwhelmed by its complexities, interdependencies and potential negative business impacts. Instead of “boiling the ocean”, a better approach is to start with “macro” segmentation rather than “micro.” Once you have control of a true inventory and asset intelligence, the first step is to separate production and development environments. The second step is to look at your most critical applications and decide how to segment them from the general IT environment, balancing the dynamic nature of the environment, risk and feasibility.
Campus segmentation should start by addressing device risk and broad user groups. Focusing on the obvious areas is often the best policy. For example, Guest and Corporate segmentation as well as IoT and facilities devices make for good places to start.
A segmentation strategy needs to encompass both campus devices accessing applications as well as the servers and cloud workloads supporting the application. This requires coordination of traditional switches, firewalls, software-defined networks (SDN) and cloud technologies which should mirror and reinforce your identity and access management (IAM) and application access policies.
4) Understand posture compliance of managed endpoints
Managed endpoints remain the top attack vector for malware-based threats. Unfortunately, we all know the troubles with the current processes for patching, updating and securing these endpoints. Even though scans happen daily, devices are mobile. Agents are often missing or out of date. It is important to invest in real-time posture assessment, at time of connect, with subsequent continuous checks. Tools that integrate within your operational stack to automatically remediate gaps in posture improve overall endpoint health while driving down security incidents and operational time spent on remediation.
5) Establish continuous controls monitoring
Today’s regulatory environment requires corporate boards and directors to correlate cyber risks with business and operational impact. To understand the business risk represented by gaps in application, infrastructure and endpoint controls, a continuous monitoring program that checks both the existence and the effectiveness of each control is required.
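Steps 2, 4 and 5 above describe three closely related checks: reconciling discovered devices against the CMDB, evaluating endpoint posture at connect time (and again on a schedule), and rolling the results up into a per-control gap report that ties back to the business criticality ranking from step 1. The script below is an added example written for this article, not Forescout product code or a Forescout API; the asset records, policy thresholds (minimum agent version, maximum patch age per criticality tier) and the allow/remediate/quarantine outcomes are all constructed assumptions to show the logic end to end.

```python
"""Connect-time posture assessment and continuous controls report over a constructed asset list."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy thresholds: constructed for this example, not values from any product.
MIN_AGENT_VERSION = "4.2.0"
MAX_PATCH_AGE_DAYS = {"critical": 14, "standard": 30}   # tier comes from the step 1 process ranking


@dataclass
class Asset:
    hostname: str
    ip: str
    criticality: str                 # "critical" or "standard"
    in_cmdb: bool                    # True if the CMDB already knows this device (step 2 reconciliation)
    agent_version: Optional[str]     # None means no endpoint agent was found on the device
    last_patched: Optional[date]     # None means no patch record exists at all


def _ver(v: str):
    """Turn a dotted version string into a comparable tuple, e.g. '4.2.0' -> (4, 2, 0)."""
    return tuple(int(p) for p in v.split("."))


def posture_findings(asset: Asset, today: date) -> List[str]:
    """Return the list of control gaps for one device; an empty list means it is compliant."""
    findings = []
    if not asset.in_cmdb:
        findings.append("unknown-asset")             # control existence: inventory coverage
    if asset.agent_version is None:
        findings.append("agent-missing")             # control existence: agent installed
    elif _ver(asset.agent_version) < _ver(MIN_AGENT_VERSION):
        findings.append("agent-outdated")            # control effectiveness: agent current
    max_age = MAX_PATCH_AGE_DAYS.get(asset.criticality, MAX_PATCH_AGE_DAYS["standard"])
    if asset.last_patched is None or (today - asset.last_patched).days > max_age:
        findings.append("patch-overdue")             # control effectiveness: patched within SLA for its tier
    return findings


def connect_decision(asset: Asset, today: date) -> str:
    """Decide what happens when the device connects: allow, remediate (keep on the network
    but trigger automated fixes) or quarantine (unknown device or no agent to remediate with)."""
    findings = posture_findings(asset, today)
    if not findings:
        return "allow"
    if "unknown-asset" in findings or "agent-missing" in findings:
        return "quarantine"
    return "remediate"


CONTROLS = ("unknown-asset", "agent-missing", "agent-outdated", "patch-overdue")


def control_report(assets: List[Asset], today: date) -> Dict[str, object]:
    """Roll the per-device results up into the view a controls-monitoring program needs:
    how many devices pass, which gaps are most common, and which critical systems are exposed."""
    decisions = {a.hostname: connect_decision(a, today) for a in assets}
    gap_counts = {c: 0 for c in CONTROLS}
    for a in assets:
        for f in posture_findings(a, today):
            gap_counts[f] += 1
    return {
        "total": len(assets),
        "compliant": sum(1 for d in decisions.values() if d == "allow"),
        "critical_noncompliant": sorted(
            a.hostname for a in assets if a.criticality == "critical" and decisions[a.hostname] != "allow"
        ),
        "gap_counts": gap_counts,
        "decisions": decisions,
    }


# Fixed evaluation date so the run is reproducible; the assets below are constructed sample data.
TODAY = date(2024, 3, 1)
SAMPLE_ASSETS = [
    Asset("fin-app-01", "10.10.1.5", "critical", True, "4.3.1", TODAY - timedelta(days=5)),
    Asset("dev-build-07", "10.20.3.40", "standard", True, "4.1.0", TODAY - timedelta(days=10)),
    Asset("laptop-4411", "10.30.8.12", "standard", True, None, TODAY - timedelta(days=3)),
    Asset("unknown-0a1b", "10.30.8.77", "standard", False, "4.3.1", TODAY - timedelta(days=1)),
    Asset("trade-db-02", "10.10.1.9", "critical", True, "4.3.1", TODAY - timedelta(days=20)),
]

if __name__ == "__main__":
    report = control_report(SAMPLE_ASSETS, TODAY)
    for host, decision in report["decisions"].items():
        print(f"{host:14} {decision:10} {posture_findings(next(a for a in SAMPLE_ASSETS if a.hostname == host), TODAY)}")
    print("gap counts:", report["gap_counts"])
    print("critical systems out of compliance:", report["critical_noncompliant"])
```

Two design points carry the article's argument. The patch SLA is keyed to the criticality tier from step 1, so the same 20-day patch gap is a finding on a trading database but not on a standard workstation, and the report surfaces critical systems separately because that is the list a board-level risk discussion needs. Quarantine is reserved for devices that cannot be remediated automatically (unknown to the CMDB, or with no agent to act through), while everything else stays connected and is handed to the remediation workflow, matching the step 4 point that automated fixes drive down both incidents and operational time.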
Minimizing a financial firm’s risk by protecting its assets, data, and applications has become more complex in the age of elastic compute and technology. But with the right process and tools it can be managed. To learn more about how to establish proper posture visibility and consolidated control, view the Forescout Financial Solution Brief.
*Markets in Financial Instruments Directive (2004/39/EC) (MiFID II), General Data Protection Regulation (GDPR), SWIFT Customer Security Programme (CSP), Federal Financial Institutions Examination Council (FFIEC), New York Department of Financial Services (NYDFS)