Four Questions Every CISO at Financial Organizations Should Ask Themselves
CISOs and other IT leaders are facing an increasingly sophisticated threat landscape as they navigate modernization and digital transformation efforts. Data breaches keep growing in frequency and size, and financial institutions are a favorite target for cybercriminals because of the potential value of the information in their IT systems.
The compliance landscape is an equal challenge. Although this is not limited to the financial sector, financial services firms certainly know that regulatory compliance is a growing factor of everyday business life. They must invest heavily to ensure and prove compliance with a myriad of regulations, including GDPR, SOX, GLBA, Basel III, and SAS 70. For firms that operate in multiple countries, regulatory requirements become even more challenging.
We recently discussed these topics with a select group of CISOs who attended a special event held at the New York Stock Exchange. During this moderated panel discussion of financial services industry leaders, four current CISO challenges and proposed solutions emerged:
How do you deal with access certification fatigue?
To prove compliance, access certifications require approvers to review and approve or revoke access for each user or identity. This can be an arduous, manual and time-consuming process, especially when individuals have to review, in some cases, 2,000 lines of identity access, which leads to ‘certification fatigue’ or ‘rubber-stamping’. One way to address certification fatigue is to automate the access review process, which shortens the time it takes and mitigates the potential errors of a manual spreadsheet approach. Organizations can also consider role-based access controls (RBAC) and risk-based certifications as further options. RBAC, and even identity analytics, which we’ll talk about later, can enable organizations to implement a more contextual review that will help simplify access reviews and reduce certification fatigue.
What measures do you take to address risk from third-party access?
While CISOs put protections in place to secure employee access to their information, they may not be addressing non-employees such as 3rd-party vendors, contractors, and partners. These 3rd parties are additional entry points into your IT environment that introduce another level of risk. One CISO shared his three-step process for addressing this issue:
- Get a view of what/who your 3rd parties are
- Determine what their level of access should be
- Set up measures for removing all access when they leave, which is a critical step that some organizations unfortunately overlook
As if dealing with 3rd-party risk weren’t hard enough, many regulators are extending their attention to 4th parties (i.e., a vendor’s supplier) and the need to certify their access. Again, it’s about putting proper processes and controls in place so 3rd (and 4th) parties only get the access they need, when they need it, and their access is removed as soon as they are done with their work.
How can you confidently govern access for all non-human identities?
Organizations are embracing robotic process automation (aka bots) at a rapid pace. However, many are neglecting to include bots in their identity governance processes. At the heart of this matter: the cause of breaches is not limited to humans. The challenge for many organizations is that they lack a proper inventory of all the bots and service accounts in their environment, and there may be orphaned accounts in that mix as well. The guidance shared was to establish a governance lifecycle for bots and service accounts, as you would for a human user, and determine what level of access they need. In short, treat them like any other identity.
How can we start leveraging artificial intelligence to govern identities?
Another key trend that is starting to take hold in financial services institutions is the use of analytics and machine learning to improve security and identity governance practices. What about AI? What does data analytics mean to us? Our panel of CISOs advised that they are looking to AI to use the identity-related information collected as part of their governance program to help them find outliers (potential users that could pose an issue if they are over-permissioned) and to identify and automate low-risk activities. In short, these CISOs are looking to AI to help their organizations make smarter access decisions, improve overall security and reduce risk.
The big takeaway? As digital transformation creates new opportunities for innovation and agility, comprehensive identity governance can help ensure the journey is secure and compliant.