As we enter the home stretch of baseball season, teams looking to compete for a playoff spot are starting to assess which prospects they want to call up to make their playoff roster. Dubbed the “September call ups,” fans and analysts are often eager to debate and predict which next touted pitching prospect, for example, will help their teams in the playoffs and beyond. Who has the best long-term star potential, and who’s a flash in the pan?
One attribute that always seems to catch our eye is the young flamethrower who hits triple digits on the radar gun. While simply having a supercharged arm used to be enough to succeed, these days America’s pastime demands control as much as it does power. The recent emphasis on the “Three True Outcomes” (HR, Strikeout, Walk) has been a major factor in this. What it boils down to is that the pitcher who can limit home runs and walks will succeed – and both require precise control.
In the same vein, a plethora of talented fintech startups have come onto the scene over the last ten years, most of which boast cutting-edge technology with disruptive potential. Just as control is important when evaluating the next ace pitcher, control over cybersecurity is paramount for financial institutions when assessing potential technology partners. Bank Director’s 2019 Risk Survey found that cybersecurity was the top concern for senior bank executives (for the fourth year running), with 83% reporting that those concerns have increased over the past year.
What we see in the market aligns with this. Whereas in the past cybersecurity was somewhat of an afterthought, discussed deep in the vendor selection process, today it’s front and center when financial institutions evaluate vendor relationships. Building the right cybersecurity program means the difference between making it to the major leagues or toiling indefinitely in the minors.
Cover your bases: Seek out and commit to standards
When setting out to build a world class cybersecurity program that will satisfy your clients, the best first step is working towards adopting the highest standards and certifications in your industry.
- SOC Certification: Developed by the American Institute of Certified Public Accountants (AICPA), System and Organization Controls (SOC) certifications are industry standards that provide service organizations with independent validation of the administrative, technical, and physical controls over their systems, procedures, and infrastructure.
- The US National Institute of Standards and Technology (NIST) Cybersecurity Framework: The framework consists of standards, guidelines, and industry best practices for managing cybersecurity-related risk. Adherence to the NIST framework ensures alignment with business requirements, risk tolerance, and organizational resources, while also establishing a roadmap for reducing cybersecurity risks.
Foundational attributes: Building the complete package
In the course of adopting these standards, many of the following pieces of a leading cybersecurity system will fall into place. It’s easiest to think about them in five separate categories.
1. Hosting & data centers
Data security and privacy begin and end with where data is stored, processed, and maintained. Maintaining fully separate hosted environments across multiple data centers, and regularly testing and auditing them against security best practices, should be standard practice. Employing strong encryption and data masking is also critical for securing data both in motion and at rest.
No matter the level of confidence in your data security, always plan for the worst. Another best practice is to run a Business Continuity Plan & Disaster Recovery (BCP-DR) site in parallel with the production site, in an effort to eliminate any unnecessary downtime.
2. Securing physical environments
Physical security plays a major role in maintaining your cybersecurity. A number of considerations, like hosting servers at Tier IV, SOC 2, or ISO 27001 compliant data centers, ensuring there’s redundant clean power (with UPS and backup generators), and establishing connectivity to multiple internet providers are all necessities for a holistic security strategy.
Employing physical security controls such as on-site security and active monitoring is also part of the security equation. This includes maintaining a secure perimeter with multi-level security zones and access levels, staffing 24/7 security personnel, deploying CCTV video surveillance, and using multifactor authentication and biometric access control.
3. Network security
Taking network security to the next level means going beyond standard firewalls. It requires building a layered network architecture with multiple security zones, supplemented by technologies for advanced threat analytics and monitoring such as SIM/SIEM, IDS/IPS, and DLP solutions, depending on the sensitivity of the information processed.
4. Application and software development security
Training and security controls are critical to making sure applications are secure and effective from development to deployment. For this, it’s important to maintain a security focused Software Development Life Cycle (SDLC) process that includes training and security controls for development, QA, and environment management.
This includes creating segregated environments for development, testing, and staging, which ensures that actual customer data is never used in development or testing. It also means enforcing segregation of duties so that only employees with a genuine need to know, or a genuine need for access, can reach the production environment.
In addition to standard web-application penetration testing, going above and beyond means looking for new ways to test your code. Testing against the Open Web Application Security Project (OWASP) Top 10 Web Application Security Risks, which represents a broad consensus about the most critical security risks to web applications, will give your code one of the best tests out there.
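The data-masking practice mentioned under hosting, and the rule above that real customer data must never reach development or testing environments, can be enforced in the pipeline that refreshes non-production data. The following is an added illustration, not MyVest's code: the record, the masking key, and the field names are constructed for the example, and the keyed pseudonyms are an assumed design choice so that masked identifiers still join across tables.

```python
import hashlib
import hmac
import re

# Constructed key for the example; a real one lives in a secrets manager and is
# never deployed to the non-production environment that receives the masked data.
MASKING_KEY = b"example-masking-key-not-for-real-use"

# Constructed, fictitious "production" customer record used as sample input.
SAMPLE_RECORD = {
    "account_id": "A-10021",
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "balance": 15234.50,
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
TEST_DOMAIN = "@test.invalid"  # reserved TLD, so masked addresses can never deliver


def pseudonym(value: str, length: int = 12) -> str:
    """Keyed, deterministic pseudonym: stable across tables, not reversible without the key."""
    return hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).hexdigest()[:length]


def mask_record(record: dict) -> dict:
    """Return a copy safe for dev/test: identifiers pseudonymised, PII removed, numbers kept."""
    masked = dict(record)
    masked["account_id"] = "T-" + pseudonym(record["account_id"])
    masked["name"] = "Customer " + pseudonym(record["name"], 6)
    masked["email"] = "user-" + pseudonym(record["email"], 8) + TEST_DOMAIN
    masked["ssn"] = "XXX-XX-" + record["ssn"][-4:]  # keep the format, drop the identifying part
    return masked


def contains_pii(record: dict) -> bool:
    """Gate check: does any field still look like a real SSN or a non-test e-mail address?"""
    for value in record.values():
        if not isinstance(value, str):
            continue
        if SSN_RE.search(value):
            return True
        if EMAIL_RE.search(value) and not value.endswith(TEST_DOMAIN):
            return True
    return False


def prepare_for_nonprod(records: list) -> list:
    """Mask a batch and refuse to release it if any record still carries PII."""
    masked = [mask_record(r) for r in records]
    leaked = [r["account_id"] for r in masked if contains_pii(r)]
    if leaked:
        raise ValueError(f"masking incomplete for {len(leaked)} record(s); batch withheld")
    return masked
```

The gate is the important part: the refresh job should fail closed when masking is incomplete rather than hand a partially masked batch to a lower-trust environment.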
5. People management
While technology leads the charge in automating many cybersecurity and risk management functions, the value of human capital hasn’t diminished. If anything, with technology being as advanced as it is, it’s now more important than ever to have knowledgeable professionals supporting your cybersecurity program.
A top-down approach is ideal. Establishing a C-suite information security officer sets the tone for the organization, assigns responsibility, and fosters accountability. (MyVest has both a Chief Information Officer and an Information Security Officer.)
On a staffing level, best practices include extensive background checks, rigorous onboarding programs, and regular employee training. In terms of access, multifactor authentication is a must, and conducting periodic access reviews ensures that the right employees have the appropriate access to firm and client data.
Making it to the majors
There’s an overabundance of young pitchers (technology firms) out there who can throw fast – but it’s the ones who learn how to control it, and develop a comprehensive approach to consistently getting hitters out (the right cybersecurity program) – that will make it to the majors and contribute to a championship-winning team.
See our CIO’s recommendations in InvestmentNews for evaluating the security standards of third party vendors.