A Job for Man or Machine?

A Chief Technology Officer for a Midwest banking holding company made a very interesting observation earlier this week. In commenting about the needed increase in fraud fighting resources, he warned about the perils of overemphasizing technology while ignoring training staff in using manual fraud-detection processes.

Most of what he says is spot on about ensuring proper prioritization and risk analysis, and about blind reliance on technology to identify and neutralize threats and breaches. In fact, as an officer in a technology company, I happen to agree with him on almost everything he said.

He also noted that to prevent fraud, financial institutions need to go beyond adopting the latest technologies and ensure they have trained staff to identify fraud, such as by reviewing reports or spotting unusual activity.

This is exactly the type of engagement I have been preaching for several years. Now the key is how to cost-effectively apply those resources, train those departments in the latest detection protocols and remediation, and implement new layers of detection and correlation. Even for the largest corporation, this has the earmarks of an expensive (but obviously important) initiative. And I am certain the answer can be found (yes, you guessed it) in the cloud.

It wasn’t too long ago that financial institutions were extraordinarily skittish about capital expenditures. Yes, the belts have loosened just a bit, but if an organization can find an equivalent alternative that saves 50% of the costs, it would be in its best interest to investigate a bit deeper.

But here is the case for the cloud in this situation. This article did not say anything about hiring additional help (with the incurred costs of hiring, training, ramping, salary and benefits); it posited that staff need to implement a protocol that includes more manual review and action. I ask, with what time? There are still only 24 hours in a day and only so many balls a talented IT professional can keep in the air (especially considering the resources needed for banking compliance, including the new FFIEC guidelines!), and most notably there is no such thing as 110%. IT professionals, especially in banking, are already being asked to wear many hats. And the pressures to adapt to new complex guidelines, threats and initiatives will only grow over time. So with what bandwidth will this additional vigilance arise? Or more likely, what new vulnerability gaps will occur because focus is diverted or further fragmented?

Make no mistake; I am still saying that the best way to combat fraud is more manual oversight of the security environment. But you can only ask so much of a staff without adding more human resources to the problem. HOWEVER, the cloud allows you to use ready-trained expert analysts to monitor, review, escalate and remediate various channels in real time while your on-premise staff attends to more significant priorities. The best part is that this security initiative can usually be deployed at half the cost of doing the same thing in-house. You not only gain the benefit of the latest technologies, updates and advances of enterprise-class security solutions (SIEM, Log Management, Identity and Access Management, SSO, etc.), but you also get the intellectual resources working on your specific needs. AND there is no huge sea change (or additional architecture investment), because with security-as-a-service you can pick and choose which solution works for your situation, thereby leveraging your existing infrastructure.

“Technology has to evolve as the threats evolve, and technology will always have to follow the evolution of those risks, because we don’t know what to expect next,” the CTO said.

The idea that security-as-a-service is only a “set-it-and-forget-it” automated gap-filler is selling the concept completely short. Like all technologies, it provides a great deal of powerful automation options, but cloud security is considerably more than its technology; it is the integration of additional manpower and cutting-edge knowledge provided by a virtual team of professionals.

When considering cloud-managed security (public, private or hybrid), it is important to look past the cost savings, the zero-day deployment and the other general benefits of a SaaS-like solution, and to look at the gained expertise, the increased resources, the best-of-breed technologies and, most important, the ability to evolve with the constantly changing landscape of your security needs.

Kevin Nikkhoo
