Risky business

3 May 2011

Even over the past five years, the way that customers and criminals engage with the internet has changed. The rise in ‘hacktivism’ and the mass productisation of increasingly sophisticated malware mean that banks are more vulnerable to attack than ever before. Michael Jones speaks to Michael Paisley, head of information risk & business resilience at Santander, about the sea change in cyber threats that banks are currently facing.

Michael Jones: How do you go about establishing best practice resilience and operational flexibility to avoid risk management failures?

Michael Paisley: Start with clear goals - understand what is important to the business's mission and value proposition. This may sound obvious but it often gets lost. Cut across silos of assessment and mitigation undertaken by disparate elements of the organisation such as cyber security, physical security, facilities management, business continuity, crisis management and risk management, and achieve convergence across one or more of the following levels:

  • goals
  • structures
  • activities
  • reporting.

To keep a clear view of this, somebody with sufficient seniority must be made accountable for the end-to-end risk management process. This doesn't need a monolithic organisational structure; matrix management lines can suffice. Develop a reference framework (as distinct from standards) to understand:


  • criticality of business functions and underpinning assets
  • 'credible threat' assessment
  • ability to coordinate response (internal AND externally)
  • ability to prevent
  • ability to absorb impact (asset-based - what is the impact on SLAs?)
  • ability to adapt (business process-based)
  • ability to recover
  • decentralise hands-on mitigation and ownership by evolving a hub and spoke model - make the business responsible for mitigation
  • develop a performance management system
  • integrate outputs into a formal governance process.

How do you create a strong dialogue between the IT solutions designers and the strategists to ensure you can get a single view of risk?

The software development lifecycle must be managed in accordance with the organisation's risk appetite. The software development lifecycle should follow key stages. At the very high level you define your needs - where you're going to have functional requirements and non-functional requirements. Functional requirements are there so that whoever is going to use the software can do whatever they need to do. At the non-functional requirement level these might be associated with security so you need to define your requirements.

Often you will have defined an internal standard with the type of controls that you will be expecting in every piece of software, whether it is developed internally or bought in. You then have a more risk-based approach to it. In simple terms you might ask 'is this a customer-facing application?' 'Is it financially sensitive data?' 'Is there a higher threat level?'
There are all sorts of questions you can ask about its risk level and then heightened levels of control that you can apply relevant to the level of risk.

How can banks improve in this area?

Many organisations already do these things; however, for many an area where improvements might be gained is the development of a more converged approach that facilitates the assessment of a broader portfolio of risks and initiating events. There is always room for improvement and from a security perspective if there is a business need to achieve something then we need to find a way to facilitate this being met in a secure way. If you simply approach things from a 'you can't do that, it's not policy' perspective, then that's not helping the business and you're not contributing to the delivery of value.

The collaborative approach is to say 'if we are going to achieve a security control and deliver what you want, the way that we might achieve that is to do xyz'. Both sides need to feel that there is a cultural engagement and that it's a positive thing. That way people won't take entrenched positions. You're simply trying to minimise your risks.

Can a third party ever provide as good a risk solution as doing it in-house?

Yes; however, the real answer is contextualised to the individual organisation and its operating environment and requirements. On what basis is the risk mitigation sought? Cost, quality or something else? The provision of managed security services or alternate work area recovery solutions are common examples of circumstances in which a third party might provide a 'better' risk solution than can effectively and efficiently be delivered in-house.

The growth of cloud services is another; however, you must ask the question 'how will we know that this is working?' and measure performance accordingly. Critical to success are the upfront contract deliberations and defined SLAs; get this wrong and you won't have a fit-for-purpose solution.

What are the biggest business continuity challenges that your business / the industry faces?

The pace of internal and external change is such that maintaining awareness and visibility of the following becomes problematic:

  • hyper-extended supply chains (third party, primary, secondary, tertiary and intra-group suppliers)
  • organisational complexity (local, regional, national and transnational jurisdictions) and decentralisation (the spoke without a clear hub)
  • regulatory drivers
  • commercial risk drivers
  • emerging opportunities (changes in technology such as virtualisation and cloud)
  • emerging threats (productisation of cyber crime capabilities such as WikiLeaks and Zeus Trojan).

How has Santander coped with organisational complexity and the above areas?

In the past few years, Santander UK has been coalesced out of what was Abbey, Alliance & Leicester, Bradford & Bingley, GE Money and parts of RBS. The amount of change in the property portfolio, which impacts business continuity, the back-office operations involved - everything changes and you end up with a hyper-extended supply chain that needs to be consolidated.

The organisational complexity is through the roof compared with what our parents had to deal with and it's accelerating all the time. Today we are surrounded by the most complex organisations in history from a commercial business perspective. Traditional hierarchical management structures don't exist any more. Most people in big organisations are dealing with matrix management with multiple reporting lines. Global businesses have enormous supply chains with all sorts of associated risks.

It's an endless cycle that requires a systemic and systematic way of trying to manage it. What largely comes out of M&As is trying to resolve the bulleted problems listed above, plus cultural differences.

Will this problem always exist around M&As?

You are always going to go through a change curve and there will always be a period whereby during that curve there are difficulties in engaging people and the curve will drop down. But eventually it will come back up again and they become more engaged.
Some people are inherently scared of change in those initial stages, so the objective here is to make that change curve as narrow and as shallow as possible by providing people with clear guidance on what they need to do, clear tools that they can use to do it, clear training on those tools, and training and consultancy to overcome the issues that they will face.

How can the industry make sure it keeps in step as threats and risks evolve in the future?

All organisations should develop and maintain the ability to acquire information from multiple sources and assess/analyse it to the extent that the output becomes actionable intelligence. This is a skill in itself and risk teams would be well advised to consciously develop it. The output can then be used as input to the risk assessment process.

Information can and should be gathered from multiple points, both internal and external to the organisation. One word of warning; practitioners should always apply the principles of critical analysis to information and not accept it at face value - who has produced the data, what do they have to gain, what was the sample and methodology used, and what caveats have been applied.

How much of a priority for the financial services community is cyber security?

Huge. Financial services and retail banks in particular have large attack surfaces, which are a natural consequence of providing interactive customer services across multiple channels. Threats can be internal or external and have a multiplicity of motivations. All banks are technology companies and have an inherent vulnerability to cyber attacks, which, if not appropriately mitigated, will result in significant financial loss, disruption to services, reputational damage, and customer dissatisfaction.

What are the most potent threats, and how can these security risks be mitigated?

The spread and prevalence of financially motivated 'stealth' malware targeting customers rather than banks. Resilience isn't just about continuity of services, it's an inherent characteristic. If you look at the resilience model above then one phase is 'absorb impact' (asset-based). We can't prevent customers' PCs becoming infected, but by deploying controls to the customer's PC we can absorb any effects of that infection by preventing it interfering with the online banking session.

Similar malware designed to act stealthily, perhaps with polymorphic qualities, may be used to attack organisational infrastructures; perhaps the distinguishing characteristic between these emerging threats and previous viruses and worms is the motivation behind them. After all, although these are technically based attacks they were designed by a human being with human motivations. The risk is from targeted attacks, perhaps to steal information, perhaps to disrupt services.

Mitigations should be based on the organisation's own threat and risk assessments based on the practices we have already described (a simple example being encryption). A point to consider when determining the level of threat is what capability is required to launch the attack. The Stuxnet attack on the Iranian nuclear facility required exceptional capabilities, the use of a number of zero-day exploits and a blended attack methodology - clearly the reward was deemed sufficient for the effort expended in this case. The same amount of effort might not be warranted in other scenarios.

Are retail banks at risk?

Retail banks in particular are targeted by some of the most capable and motivated cyber criminals from across the globe, but all financial institutions and many others outside of the sector face a rising threat of online 'hacktivism' - a threat that is enabled and supported by the productisation and marketing of the tools to mount the attack combined with a physical lack of proximity between the victim and the attacker, together with relative anonymity. WikiLeaks was a relatively ineffective example, but the warning signs are there. Detecting, absorbing or adapting to DDoS attacks is one mitigation.

What are the industry's major concerns about cloud security?

They are primarily around data security assurance, although there are other areas - cloud computing is with us and it seems reasonable to assume that economics will drive its take up considerably. As a regulated industry there are quite rightly stringent requirements placed on the security of a customer's data and the integrity of financial statements that are published to the market. If insufficient assurance can be obtained regarding either confidentiality or integrity then this becomes an issue.

Of course 'the cloud' is a wonderful marketing strapline implying that it encompasses the resilience and availability of the internet. This is clearly not the case in many instances and users of cloud services should gain assurance from the cloud provider.

Are these concerns justified or are they disproportionate to the actual risks?

The concerns are justified under certain circumstances, but not all. When evaluating 'cloud risks' we need to establish exactly what we are referring to: a private cloud, public cloud or hybrid cloud. The risks and issues are significantly different for each, with the majority of significant issues residing in the use of public cloud services.

In addition, we need to understand what layers of cloud service provision exist within the service being used; for example, we might procure software-as-a-service (SaaS), but not realise that the SaaS provider has obtained platform-as-a-service and infrastructure-as-a-service from other providers.

In essence, the same assurance requirements are required as for any other service provider and, although I firmly believe that in time 'cloud' technology will become the norm, for many industries we need to see greater clarity and maturity regarding security and resilience assurance.