The five minute CIO: David Cahill
David Cahill, AIB’s senior information security specialist
This week, the focus switches to security as AIB’s senior information security specialist talks about managing mobile devices, why real-world testing is important and user buy-in is essential.
As a percentage, how much of your annual IT budget goes on security?
That’s always a good question. To be honest, it’s nearly impossible to quantify as very often, security is taken out of several different budgets. For example, you could look at firewall admin, putting in new security rules – that would fall to the IT network guys rather than the information security team per se. Likewise, we have mainframe sec rules and that would come down to the mainframe team.
Indicative percentages would be between 4 and 8pc. That’s seen as a ballpark figure and, in my personal opinion, I’d say we’re within that threshold.
If you’re looking at security spend in the financial services sector, there’s been a number of high-profile incidents worldwide. I think that’s brought the focus back on security and that’s resulted in the purse strings being loosened.
You recently deployed mobile device management (MDM). Why did you do it, and how did you go about managing the project?
We recognised there was a requirement to facilitate these devices. As part of the bank’s digital strategy, we’re looking to become technology-driven to a large extent and to try and deliver as much value as we can to our customers and our users, and there’s no doubt that tablets and smartphones can drive productivity. But like all new business initiatives, they need to be reviewed and facilitated in a secure manner.
Once we identified mobile device management as a key issue, what we had to do was review the capability of these devices – then at that point you can develop a technical appendix and test the devices against this. We ran a proof of concept to validate that we can meet our security requirements. That enabled us to validate our security configuration so that it worked as expected ... It’s a cyclical process – you can go back and revise your policy based on what you’ve learned in the real world.
Obviously, mobile device management is a high-profile topic and there are a number of enterprise solutions. We reviewed three of the mainstream solutions and checked if they met our needs as a product. We don’t want to reinvent the wheel or increase our spending unnecessarily so we needed to see that the solutions were as close a fit with our existing technology. The easier it is to embed with your current systems, the better.
When we chose a vendor, we did a proof of concept: a pilot with a small subset of users. That was hugely valuable. Until you’ve released a solution in the wild – even in a controlled environment, you get a huge amount of valuable data – you can’t have a true understanding of what you’re dealing with.
When you put it in place, how did it change your security posture?
We implemented it in Q4 last year and it’s one of these issues I’m certain every organisation has seen it where you’ve got your smart device. They’re going to be out there anyway and used. Our attitude was, we’d rather facilitate users but do it in a secure manner rather than sticking our heads in the sand and say we don’t support it.
In terms of our security posture, we’re quite satisfied with our chosen solution. It wasn’t about product limitations so much as scenarios we didn’t consider, and you only become aware of potential issues when you see it in the wild.
How do you strike a balance between security and usability, when too much of the former is often a block to people being able to use it?
To give you an example, if a user is using a smartphone or a tablet for both business and personal purposes, there’s certainly a balance to be reached. Our attitude was: we’re going to segregate the corporate element and make sure all of our controls were in place over the corporate partition but have less stringent controls over the personal section, such as personal photos on their smartphones.
Basically, we created a clear segregation between business and personal use, and we put a complete block on exporting files outside the corporate element of the device. If you’ve got a corporate email or file, it sits within those rules.
We have a number of controls in place – the devices are configured to automatically check in to the MDM server on a regular basis. If they miss a check in, we initiate the corporate wipe. We also have a 24-hour support line, so if a user is away or travelling and a device is lost or stolen, they can call and get the device wiped then and there. They can choose if they want the device fully wiped or only a wipe of the corporate information.
Can you give an example of a security project that really worked, and what were the factors that made it a success?
What makes security a success is that there aren’t headline instances. An example ties in with the mobile device management: that gave us the platform to develop a new outlet, the Lab, or Learn About Banking, in Dundrum Town Centre in Dublin. It focuses on our self-service banking offerings, and future services we have, and how customers can use their smartphones or tablets.
We’re also using that as a learning environment so it’s two-way. We also want to let them tell us what their banking needs are. The Lab lets us showcase what we think is innovative and we’re also trying to learn from the customer. Coming back to the MDM, we can demo our services that are now available as mobile apps. We couldn’t have launched this project if we hadn’t a mobile device management solution in the first place.
What lessons have you learned over the years about security?
Certainly user buy-in is essential. If you don’t have that, not only are you going to suffer in terms of support, but if it’s a new system, you don’t see it used successfully. But it’s important the staff need to understand what’s expected of them. There’s no point in giving them an encyclopedia of security controls. We try and centralise our controls as much as possible, for example, centralised key management – saving people from having to remember individual passwords for specific items.
Executive sponsorship is also hugely important. You need weight behind any project that involves significant change.
Another one would be around avoiding production pilots. If you are trialling a new system, there needs to be a test. What you can’t do is put something in a production environment [because then] you can’t amend it. I’d definitely advise people to try and avoid that.
Lastly, I know the terms ‘rogue user’ or ‘insider threat’ are bandied around, but I’m of the opinion the vast majority of incidents are related to users trying to do their jobs and making a genuine mistake. It’s our job in security to make it more straightforward for them.
After the ATM hack in New York, the likes of the PCI standard were criticised. How much of security involves ticking a compliance box when that might not be the most secure option?
The compliance box as such is a specific part of a more holistic approach to security. I don’t think you can be more secure by simply implementing PCI or ISO 27001, but what they can do is put you on the correct road. They get you thinking about the right procedures and potential issues. If you’re simply going to look at PCI or ISO on its own, it won’t make you more secure. You have to look at the wider picture.
The ATM hack is a perfect example of us moving away from what a crime is in the 21st century – it’s no longer about guys with guns robbing banks: that was a team of cyber-attackers running the whole thing. We have to be aware of that and build our security posture with that in mind.
How is security seen by senior management: is it essential to have, or just a cost to be managed or is there competitive advantage to be had by implementing new policies or systems?
To be honest, I think we’re moving away from the old perception of security as being an inhibitor to doing business. Nowadays it’s genuinely seen as a positive. One of our objectives is not to be seen as the ‘no’ men, but to help the business to innovate and to do what they have to do in a secure manner. And in terms of the Dundrum project, all our inputs were taken on board and we got the support on that.
In any project for any organisation, if you can get in early doors and you’re there through the lifecycle, that’s better than having to retrofit the security at the end, which will give you a serious headache.
David Cahill will be speaking at a morning seminar on Data Protection at the Aviva Stadium in Dublin next Wednesday, 22 May.