Banks and IT security: The elements of success
In this interview, Nathan Horn-Mitchem, VP, Information Security Officer at Provident Bank, talks about delivering and maintaining IT security for 80 branches of the bank, discusses how data breaches re-shaped their data protection strategies, and more.
Provident Bank has more than 80 branches. What are the challenges in delivering and maintaining IT security across all these locations?
Our challenges in delivering security solutions to our users are not strictly location-based. Instead, they center more on balancing the needs of the business with the protections of security. Our IT organization has done an excellent job in building out a centralized infrastructure that allows security to implement a replicated branch template that basically enables our 80+ locations to seem more like one location, duplicated out 80+ times.
The larger challenge is related to new product development. As we introduce new products and services for our customers, we need to implement them with security baked in. Provident’s approach is to ensure the primary support functions (security, IT, compliance, legal, etc.) all have a seat at the table for every project from kick-off to close-out.
A second major challenge is making sure everyone in our bank thinks through the lens of Information Security. We spend a lot of time and energy providing security training throughout the year and require all new employees to spend over an hour at orientation understanding their information security responsibilities. Our mantra is: Information Security is the responsibility of every employee at the bank. Our goal is to ensure new employees, who can end up working in any one of our many locations, all have a similar understanding of the strategic importance of protecting the organization’s information assets.
How have recent data breaches re-shaped your data protection strategies?
Seeing such large and well-respected companies fall victim to data breaches reinforced our desire to continually improve our data protection strategies. A major focus for us is user education. We remind all our new employees that, when a “big box” store gets hacked, customers tend to boycott the store for days, weeks, or months out of anger or fear. However, if your bank breaches your sensitive information, that will likely end the relationship permanently. As a financial institution, we only get one chance to protect our users’ data.
We recently implemented an outbound email classification project using Titus Data Classification, so anytime a user has to send an email outside of the enterprise they are required to classify it. We chose this approach because it forces our users to be part of the data classification process. Sending email can become an autopilot activity and it’s entirely too easy to release sensitive material without really thinking about it. Our user base has been receptive to the idea because it’s only a single click but they know all the encryption is being taken care of for them on the back end.
We’ve implemented a few monitoring controls to make sure the classifications are appropriate and nearly 100% are correct. This has dramatically reduced the effort of my team in stopping data loss and shows that our education efforts have been successful.
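The two controls described above, a mandatory outbound classification and a monitoring check that the chosen label matches the content, are the kind of logic a mail gateway can enforce. The following is an added editorial example, not Provident Bank's or Titus's code. It assumes, hypothetically, that the classification tool stamps an `X-Classification` header on each message, that the bank's own domain is `bank.example`, and that anything labelled Confidential or Restricted is handed to an encryption gateway; the sample messages and the sensitive-data patterns are constructed for the example.

```python
"""Outbound e-mail classification gate (added example; assumptions are hypothetical)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAIN = "bank.example"      # assumed bank domain
CLASS_HEADER = "X-Classification"     # assumed header name set by the classification tool
LABELS_NEEDING_ENCRYPTION = {"confidential", "restricted"}
LABELS_ALLOWING_PLAIN = {"public", "internal"}

# Constructed detectors for data that must never leave under a Public/Internal label.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCOUNT_RE = re.compile(r"\baccount\s*(?:number|no\.?|#)?\s*:?\s*\d{8,17}\b", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum so that arbitrary 16-digit strings do not trip the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def external_recipients(msg: Message) -> list[str]:
    """Recipients on To/Cc/Bcc that are outside the bank's own domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]


def body_text(msg: Message) -> str:
    """Plain-text content of the message, joining text parts of a multipart body."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def sensitive_findings(text: str) -> list[str]:
    """Names of the constructed detectors that fire on the text."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    if ACCOUNT_RE.search(text):
        found.append("account-number")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            found.append("card-number")
            break
    return found


def check_outbound(raw: str) -> dict:
    """Decide what the gateway does with one message.

    internal             - no external recipient, classification not enforced here
    reject-unclassified  - external recipient but the user skipped the label
    encrypt              - label requires the encryption gateway
    hold-mismatch        - label allows plain delivery but sensitive data was found
    deliver              - label allows plain delivery and nothing sensitive found
    reject-unknown-label - label is not one the policy knows
    """
    msg = message_from_string(raw)
    ext = external_recipients(msg)
    label = (msg.get(CLASS_HEADER) or "").strip().lower()
    if not ext:
        return {"verdict": "internal", "label": label, "findings": [], "external": ext}
    findings = sensitive_findings((msg.get("Subject") or "") + "\n" + body_text(msg))
    if not label:
        verdict = "reject-unclassified"
    elif label in LABELS_NEEDING_ENCRYPTION:
        verdict = "encrypt"
    elif label in LABELS_ALLOWING_PLAIN:
        verdict = "hold-mismatch" if findings else "deliver"
    else:
        verdict = "reject-unknown-label"
    return {"verdict": verdict, "label": label, "findings": findings, "external": ext}


def summarize(raws: list[str]) -> dict[str, int]:
    """Verdict counts over a batch: the metric behind 'nearly 100% are correct'."""
    counts: dict[str, int] = {}
    for raw in raws:
        v = check_outbound(raw)["verdict"]
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample messages.
MSG_UNCLASSIFIED = """From: teller@bank.example
To: customer@mail.example
Subject: Branch hours

We are open 9 to 5 on weekdays.
"""
MSG_PUBLIC_OK = MSG_UNCLASSIFIED.replace("Subject:", "X-Classification: Public\nSubject:")
MSG_MISLABELED = """From: teller@bank.example
To: customer@mail.example
X-Classification: Public
Subject: Your statement

Your SSN on file is 123-45-6789 and the card is 4111 1111 1111 1111.
"""
MSG_CONFIDENTIAL = """From: teller@bank.example
To: customer@mail.example
X-Classification: Confidential
Subject: Wire details

Your account number: 12345678901 has been credited.
"""
MSG_INTERNAL = """From: teller@bank.example
To: alice@bank.example
Subject: Lunch

Same place as usual?
"""

if __name__ == "__main__":
    for raw in (MSG_UNCLASSIFIED, MSG_PUBLIC_OK, MSG_MISLABELED, MSG_CONFIDENTIAL, MSG_INTERNAL):
        print(check_outbound(raw))
```

The "hold-mismatch" path is the monitoring control: the user's label is accepted for routing, but a plain-delivery label combined with data that looks like an SSN, account or card number is parked for review rather than silently re-labelled, which keeps the user in the classification loop while still catching the autopilot send.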
We’ve seen a rise in shareholder suits filed against directors and officers after data breaches. Are we nearing a time where all board members will be expected to have an understanding of the information security issues their organizations face?
I think that time has already arrived. The security culture at an organization can be shepherded by the Information Security function but organizational buy-in and results come from a commitment from the Board of Directors and Executive Management team.
At Provident, I report on our Information Security program to our Board on a quarterly basis at a minimum. I’ve spent a lot of time with individual members of our board, attending security conferences and answering questions whenever they arise. We rely less on scheduled briefings, preferring instead to have an ongoing conversation about our high-level goals, industry trends, metrics and a desire to continually educate ourselves.
We also invite subject-matter experts to present to our Board and Management team. Recently, we had a cyber-security lawyer speak with the Board about their legal responsibilities as they relate to cyber-crime and discuss the benefits and limitations of cyber-security insurance. We work to set the tone that hubris and complacency have no place in our Information Security program. We are proud that this attitude flows top-down through every level of the Bank.