by Karen Gregory
Mark Clancy, DTCC's Managing Director,
Technology Risk Management
With cyber-security a growing concern for corporations, governments and indi-viduals around the world, DTCC has been raising its profile on issues related to cyber-threats in financial services.
Mark Clancy, DTCC’s Managing Director, Technology Risk Management, recently testified before a Congressional subcommittee, calling for increased information-sharing between the government and the financial sector to more effectively protect the capital markets from cyber-threats. Clancy also spoke at a summit of corporate security and risk managers, advising attendees to strengthen their cyber-capabilities by concentrating more on their ability to measure their performance against goals.
Threats to the markets
During a hearing entitled “Cyber-Threats to Capital Markets and Corporate Accounts,” Clancy called for restarting the Government Information Sharing Framework (GISF), a successful but now-defunct pilot program that targeted cyber-espionage as part of an information-sharing effort.
“While financial institutions have robust information security programs in place to protect their systems from cyber-threats, they are not foolproof,” Clancy told the House Capital Markets and Government Sponsored Enterprises Subcommittee during a June 1 hearing.
“A critical resource the industry relies upon to help safeguard the system is information-sharing between federal agencies and the financial sector. DTCC strongly supports restarting the GISF program, removing its pilot status and expanding its reach within the financial sector to ensure that all resources are working in concert to protect and defend the capital markets from cyber-attack.”
‘Critical line of defense’
Since the termination of GISF in December 2011, several organizations in the financial sector have experienced threat activity from actors first identified to the industry through GISF reporting. A recent assessment by the Financial Services Information Sharing and Analysis Center (FS-ISAC) found that these threats will continue to increase. FS-ISAC, of which DTCC was a founding member, was created in 1999 to address cyber-threats to the nation’s critical infrastructures. It is the primary group for information-sharing between the federal government and the financial sector.
“Information-sharing like that which occurred under the program represents the most critical line of defense in managing and mitigating cyber-risk today,” Clancy said. “GISF drove innovative new initiatives in the industry and helped reshape the sector’s approach to assessing cyber-espionage risks while prompting pilot firms, including DTCC, to revise best practices for managing threat information. It also spurred financial institutions to make significant additional investments in threat-mitigation and detection capabilities that otherwise could not have been easily justified due the lack of understanding of the risk to the sector.”
Clancy added that GISF should be expanded to include a broader group of financial institutions, as the pilot program’s reach and impact were limited and did not scale to the sector’s depth and breadth.
“Information-sharing today occurs at human speed while cyber-threats occur at wire speed,” Clancy said. “Now more than ever, an investment in standards, protocols and methods for the industry to rapidly share and consume threat and observable data is needed.”
As the keynote speaker at the 2012 Northeast Security Leaders’ Summit held in New York, Clancy drew on more than 20 years of experience developing information systems for DTCC and Fortune 500 companies to advise the audience how to look beyond the distractions of newly minted solutions.
“The profession has become all-consumed with managing compliance, imple-menting the tools of the trade and chasing after hot technology,” Clancy said. “You can spend a lot of money on tools and incorporating them into your system. But if you don’t know how to use them and you don’t have the right people and processes in place, it’s as good as going to Home Depot and buying a carpentry kit without knowing the basics of making a joint.
“We do a lot of things in our profession that are hard to observe and hard to quantify. But any time you can do something that you can measure the success or failure of in a provable way, you can produce a much better outcome,” Clancy said.
Success today is too often defined as the absence of failure by the information security industry, he said, instead of the demonstration of effectiveness.
“In our business—information technology—the industry strives for 99.99% uptime. That’s our goal at DTCC. It’s a measurable target, and you can set your price against whatever level of performance you choose. For example, if you wanted 90% uptime, your investment would be lower, and so would your expectations,” he explained.
The problem facing the information security industry is knowing what to measure against. And to learn that, Clancy said, requires studying a process step by step, taking it apart and seeing what can be measured.
Every organization will define its corporate information security risk differently, have a different level of tolerance for vulnerabilities and commit to a different level of resources, according to Clancy. “The key is to have a plan that will allow you to get to and understand the root of a problem, reduce risk and measure your achievements. That will drive the process, and in turn define your success.” @