With greater opportunity for lucrative data theft, a stronger class of cybercriminal has emerged: professional, highly organized and better trained, with access to deep supply chains of tools and techniques over hidden, online black markets.
System defenders are having a harder and harder time stopping cybercriminals. Although there are lots of protective tools, there is not enough money, time or personnel to implement all of them effectively. This is compounded by the growing complexity of IT systems, especially within financial organizations where thousands of applications are deployed.
Cyberdefenders have responded with more diverse specialization, burdening firms with greater staffing requirements to bring in the IT expertise needed. Cybersecurity has been called the most demanding operation on the planet with a severe shortage of skilled, experienced and qualified individuals. Furthermore, the knowledge gap between leadership and cybersecurity has continued to widen, resulting in poor or uneven distribution of defensive strategies.
Defense in the cyberworld is difficult. The invisible duplication of information is intrinsic to computerized systems. Adding to this complexity, we now use globe-spanning IT systems with numerous known and unknown dependencies. All of this requires defensive tools which are often only cost-effective on a large scale and with significant resource expenditure.
The squeeze between the exponential ramp-up of cyberattackers and the further constrained cyberdefenders is what I call the "InfoSec crunch." In the future, this crunch is going to squeeze financial firms and asset managers even harder, leading to more organizational outsourcing of IT systems and support.
In the past, outsourcing often meant lackluster security. Recently, however, many successful outsourcing, hosting and cloud platform companies have realized that strong, well-audited security systems are essential components of their businesses, as well as attractive to customers.
Outsourcing organizations are in an ideal position to elevate their security posture. First, since they are audited by all of their customers, they need to have a diversity and multitude of controls. This compels them to implement better risk and compliance processes, often under frequent scrutiny against a variety of differing requirements.
To fulfill these security processes, outsourcing organizations have invested in highly trained security staff. Since audit and security are tied to customer satisfaction and ongoing revenue, there is more resource justification for sophisticated tools and high-end expertise. Also, executive management is deeply invested in cybersecurity, and thus security is better integrated into business operations.
Since maintaining customer trust is an essential component of the business model of outsourcing organizations, investing in meeting future threats and compliance requirements becomes a core business practice as well.
Outsourcing organizations are tech-focused companies that can develop innovative and highly customized security technologies more easily than other financial or business-oriented organizations.
These organizations, which do not view security as overhead, are also expanding their security offerings to include full-service models encompassing analysis, planning, implementation, monitoring and auditing. What financial institution offers its technical staff 10% personal project time, security research work or access to bleeding-edge hacking tools?
By hosting large portions of entire business sectors, outsourcing organizations have an eagle-eye view on industry-wide threats and attack trends.
These organizations can afford large-scale security infrastructure such as anti-denial-of-service filters, global threat monitoring and dedicated incident response teams. Because of their wide-spanning industry service offerings, outsourcing organizations have been categorized as critical infrastructure and thus can leverage special relationships with law-enforcement intelligence and enforcement agencies.
Not all outsourcing, hosting or cloud service providers are going to have the requisite level of security and audit maturity. Three things to look for:
1. Breadth and width of the outsourcing company's audit certifications.
2. The maturity and diversity of skill set of the security team.
3. The sophistication of the security technology.
In the near future, to beat the InfoSec crunch, many more organizations are going to migrate to third parties to gain access to better data protection regimes, some of which may be unfeasible within their own organization. As the attackers get better, the only way for many traditional non-tech companies to defend themselves efficiently will be to look to outside help.
Ray Pompon is director of security for Linedata CapitalStream.