http://www.computerworld.com/securitytopics/security/story/0,10801,76610,00.html By Michael Hardy IDG News Service DECEMBER 11, 2002 Protecting financial institutions from cyberattacks requires increasing levels of cooperation between the government and the private sector, panelists said yesterday at a conference in Washington called Homeland Security 2002: Establishing a Culture of Cooperation. Many of the conference's sessions emphasized such cooperation, which is being fostered by changing mind-sets in both government and the private sector. In the financial services world, the responsibility for keeping up with threats -- and the technologies that can help guard against them -- rests with the banks and investment houses, said Richard Marshall, deputy director of the Critical Infrastructure Assurance Office, one of 22 federal agencies that will soon become part of the U.S.'s new Department of Homeland Security. "The scope of change, the pace of change is just too quick for government regulators to keep up with," he said. "This has got to be a self-curing issue." The key for financial firms is business continuity, he said. The threat might be electronic, or it might be a physical attack or disaster. Either way, a firm must be sure that it can continue operating, protect its customers' privacy and anticipate problems in time to prevent them. Marshall's agency is working on the finishing touches to the National Strategy to Secure Cyberspace, a collection of best practices that business are invited -- but not required -- to follow in implementing security programs. The public comment period on the document closed last month, and Marshall said he expects President George W. Bush to approve it early next year. "We don't pretend to know all the answers, but we believe that together we can help come up with some intelligent solutions," he said. "And we realize that it's not going to be government-down. It has to be 'Let's join hands and work together.'" Financial services firms in general are ahead of other private-sector industries in securing their information, but they aren't where they need to be, Marshall said. "You need to raise the security bar," he said. The technological challenges are formidable, said Dale Hazel, senior vice president of marketing at Convera Corp., a software company that makes search products for businesses. More than some other types of businesses, financial institutions store massive amounts of data, he said. Terabyte measurements are common, and he said he has seen some databases that exceed a petabyte, or 1,000 terabytes. Such mountains of information stretch the limits of system scalability, he said. Meanwhile, companies don't have a good handle on how to balance prudence with overzealousness, said J. Michael Gibbons, a former chief investigator of computer crime for the FBI, now a senior manager at consulting firm BearingPoint Inc. "Those of us in homeland security all just want to understand how much security is enough," he said. "We want the truth, and the quest for the truth is the most difficult thing we face." Inside financial firms, executives see the wisdom of spending money on security, said Leigh Williams, senior vice president and chief privacy officer at Fidelity Investments Inc. His company spends about $1 billion per year on technology, much of it security-focused, and believes that the cost is worth the payback. "We have for a long time expected a return on our business-continuity efforts," he said. "We do believe that before the September attacks, it made a lot of sense to invest very heavily in protecting the data and systems customers rely on. I don't think that has changed at all in the last couple of years." What has changed, Williams said, is the approach to the problems. "Before September of 2001, we approached security in a very fragmented way. We tended to split data security from physical [security]," he said. Since then, the company has come to see both physical and cybersecurity as part of the same issue. Fidelity has integrated itself more closely with financial services firms, smaller banks and other institutions, Williams said. "We're operating more as an industry and less as a collection of firms," he said. "And with that, industry is now better connected to government." During the past couple of years, financial trade associations -- including the Securities Industry Association, the Investment Company Institute "and a dozen other trade associations" -- have consolidated their efforts to interact with government through a new group they formed called the Financial Services Sector Coordinating Council, Williams said. Meanwhile, government agencies and regulators have also been consolidating power. "Instead of there being hundreds of us talking at once and getting nothing done, we've become much more tightly integrated," said Williams. Fidelity plans to sustain its high level of investment in security. "It takes a pretty good bite out of our bottom line," he said. "We do it because we think it will offer us some payback." - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 03:57:58 PST