2009 Security Agenda: Interview with Industry Expert Steve Katz
With a new administration, new banking landscape and regulatory changes expected, we live in interesting times, indeed. In an exclusive interview, Katz discusses:
The world's first Chief Information Security Officer, Steve Katz is a prominent figure in the network security discipline. Since 1985, he has served as the senior security executive for Citibank/Citigroup, JP Morgan, and most recently Merrill Lynch and has been a force in raising the visibility and shaping the direction of the security industry at industry and government levels.
Deeply respected within both the financial services and security industries, Katz has testified to Congress on information security issues and was appointed as the Financial Services Sector Coordinator for Critical Infrastructure Protection by the Secretary of the Treasury.
Other credentials include: Founder and Chairman of the Financial Services Information Sharing and Analysis Center; Chairman of the American Bankers Association Information Systems Security Committee; Vice Chair, Financial Services Roundtable-BITS Security and Risk Assessment Committee; member of the New York Clearinghouse Banks Data Security Officers Committee; and member of the Securities Industry Association Information Security Committee.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Steve Katz who has been introduced as - Steve, I forget; is it the Godfather of Soul or the Godfather of Information Security?
STEVE KATZ: If I only could dance I would say Godfather of Soul, but I dance really bad, so I'll take the security part.
FIELD: Steve, it is good to catch up with you again. We talked earlier this year, and a lot has happened since then. But I guess to start out, let me just ask you, what are the types of things that you are up to these days? Just to give our audience a sense of what you are doing.
KATZ: Well, I'm spending a good portion of my time as an advisor to Deloitte's security practice. Another portion of my time working with a company called the Roundtable Network, and we put on roundtables for information security executives that are sponsored by security product vendor companies, and then I sit on a couple of boards, and generally try to keep my fingers on the pulse of the information security community, primarily in the financial services sector, but also from family health sector.
FIELD: Very good, Steve. From your perspective, what have been the top three banking/security stories of 2008?
KATZ: I think, well, there is really one primary story, and that is the state of the financial services sector as it is today, and that is pretty much driving everything we are looking at.
Unfortunately, as a result of the changes in the financial community and the changes in the economy we've seen a large number of companies becoming bank holding companies, and that is maybe a good thing. They are now companies that have become bank holding companies that are now required to conform to FFIEC handbook as well as GLBA. In many cases it is little more than I guess putting icing on the cake, and in other companies it is potentially making a new cake.
But by and large, I think most of the investment banks and credit card companies have become bank holding companies and have had pretty good security programs to begin with, and it is really maybe reshaping them, reformatting them, and again putting icing on the cake. But it is also now becoming subjected to a new set of regulators and regulations such as I mentioned the FFIEC handbook and GLBA, and also the OCC examiners, the FDIC examiners and the FRB examiners are a really challenging group to work with. They are very knowledgeable, and I'm not saying other examining bodies are not, but they do make companies sit up and pay attention and they are highly motivating, they help you make your program better. But in helping to make your program better, you have to stretch, and trying to stretch in difficult economic times is a challenge.
In addition to that, these economic times are really causing companies to have to figure out how they deal with large-scale crisis situations, and that is going to be a challenge. How do you make people who were employees yesterday not an employee today? How do you deal with a potential group of, I guess, people who are kind of disgruntled and still staying on the payroll and not sure if they are going to remain on the payroll for any considerable amount of time? That's major.
Another case is dealing with acquisitions and bringing new companies into the fold and figuring out how you can make that happen in a timely fashion. So I think story one, two and three is the economic downturn and the impact it has had on the entire sector.
I think story two will probably be the fact that we've been talking about de-perimetering for an awful long period of time and we are actually living through de-perimetering. There's a marvelous ancient Chinese verse you know, "May you live in interesting times;" we are certainly living in very, very interesting times.
And the challenge of delivering trust and delivering on our trust commitment to our customers is just amazing, but it is something that you have to deal with, and our customers are expecting us, especially in these interesting times, to continue to deliver on that trust commitment. They are somewhat shaken by the shifts in the economy, and the last thing we want to deal with is a cyber-security breach.
I think the third is probably the impact that data privacy and data breach notification laws are having on us and the fact that customers will--that banks must now make sure that they deal with the terms of data breach notification regulations that have come out both in Massachusetts and in the wonderful world of Minnesota. So not only is Minnesota dealing with the Senate race, but also they are dealing with the changing data breach notification law that has, I think, orange jumpsuit potential in it.
FIELD: Wow. Steve, given what you've just talked about, how do you assess the state of consumer confidence in banking institutions today? And I guess I would ask you to differentiate between Wall Street and Main Street there, if there is a difference.
KATZ: So many of the banks that have rolled up into the large financial services institutions, I think companies -- people living in the small communities have always relied on the fact that their little banks are -- and I don't mean this in a disparaging way -- but the banks who are on the corner of Main Street and Main Street and these small banks are now part of really large bank holding companies.
I think people's confidence has really been shaken down to their very roots. I think the people have always used community banks and still believe community banks are solvent and strong. I think people in the mid-tier banks, seeing their banks' financial conditions really become somewhat shaky, become somewhat frightened.
I think the future of banking in general is very, very solid. I was quoted in Linda's blog today saying banks really have two things to sell, money and trust, and if you don't sell them the trust, you are not going to sell them the money. It is a quote that I stole from John Reed, the former CEO of Citigroup. But I think that is part and parcel of what our financial services sector is: If we don't continue to provide trust in the financial services sector, the people are really not going to use us.
We have to make sure that they understand that when they use the financial services sector and they use their banks, the money is going to be there, and the banks have to make sure that they continue to provide a level of trust.
And we in the information security/information risk area have to make sure that we are not one of the concerns that people will have. They have to understand that when they bank electronically, when they store their information with us, that information is going to be protected every bit as much as their money is going to be protected, and that the customers have to believe that they are both going to be well protected and that we have customers' best interests front of mind and center of our plane.
FIELD: So what is it that the individual institutions have got to do to ensure and grow that trust?
KATZ: I think first of all we have to let our customers know that it is important to us and that this trust commitment is first and foremost in our mindset. This is what we do, and this is what we provide, and this is what we want to do. And then we'll want to do it as this is what we do.
I think we have to go out there and let them know especially--and just my expertise is not at the point of not being a banker, my expertise is more of being able to protect the confidentiality, integrity and availability of customer information. And I think we have to make sure that our customers know that this is front of mind for every person who banks with us electronically, every person who banks with us in any way, shape or means.
We have to know that not only is there a cornerstone of the relationship we have with our banks, and it is not only something that is checked internally, but it is something that regulators demand and something that not only is demanded but is something that they check on regularly. It is something that at least once a year the FDIC, the Federal Reserve Board or the OCC or the State Bank Commission goes out and makes sure that we are doing the best to provide the integrity, confidentiality and availability of information.
And we really have to make sure that it is something that is shared with our customers. I think I mentioned earlier that de-perimetering is an issue. I think we've reached a level in our banking environment where there is no inside and there is no outside. And our customers have to understand we are protecting data the way we protect deposits, although in this environment somehow that has almost a hollow ring to it, but I think we have to make sure that we do more than let that have a hollow ring.
FIELD: That's a good point. Early this year when we spoke Steve, you spoke about Red Flags compliance, and at the time you pointed out that board involvement was going to be a key issue in that. So November 1 has come and gone now. From what you see, how well have institutions complied with the Red Flags Rule, and where do you see that they are still lacking?
KATZ: I think Red Flags is really one of the cornerstones of protecting consumers from identity theft. It comes back down to this trust commitment to our customers. Red Flags should be a little more than the program banks and financial institutions have had in effect. If we have reason to believe that customers' information might be compromised or could potentially be compromised, we will know about it early on, and we will take steps to ensure that that information is protected.
The financial institutions that I've spoken with have recognized, going back at least six to eight months ago, how important that protecting customer identity information is. They are taking the regulation very seriously. I am quite certain that most of the financial institutions have year-end presentations to the board on the state of information security risks and am quite certain that Red Flags will be part of their annual presentation to the board.
Many of the financial institutions' security technology risk officers and security information officers will be presenting to the board at year-end or Q1, and Red Flags will be part of that. I think they have gone through the process of flows and data flows to highlight where potential risks of customer information would lie and have put in sound programs to literally say 'here is a potential risk point, here is a potential tipping point,' and know when there has been a potential breach of data and have taken appropriate steps to deal with it. Six to eight months ago, nine months ago, a year ago, this was brand new information.
So I think the financial institutions' technology risk officers, the officers I've spoken with, have taken this quite seriously and have recognized that it is, and the boards of directors have taken it quite seriously as well. I think boards are very good at recognizing that customer data is quite important and protecting that data is important.
And as I mentioned earlier, the Massachusetts Data Protection Law and the Minnesota Data Protection Law set a new high watermark, as has Red Flags. I'm sure the folks I've spoken with have done everything they can to make sure that they will be in compliance with Red Flags, and they will certainly be subject to audits by the external examiners regarding Red Flags.
FIELD: Now, Steve, we had an important national election last month, and we've got a Democratic President coming in now. What do you think that banking institutions might expect to see from the Obama Administration?
KATZ: The only reference point I can take us back to is the Clinton Administration, and they took a very active role in terms of critical infrastructure protection. The Clinton Administration was uniquely responsible for, I think, Presidential Decision Directive 53, which really was directly responsible for setting up coordinated financial security.
So I think you can see a rather strong focus on information protection. There has also been some discussion that the Obama Administration will be setting up a Chief Technology Office, and whether that will happen or not, I think that is still up for discussion. There was a meeting early this month with some Senators and about 60 private sector folks looking at information security.
So I think we have every reason to be optimistic that the Obama Administration will be at least as strongly focused on information security as was the Clinton Administration. I am hopeful that with the number of Clinton Administration folks that are active in the Obama Administration that we will wind up seeing a return to a Security Czar out of the White House.
What I am somewhat optimistic about, and it's just one person's opinion, is that we will see a renewed emphasis in private security coming out of the financial services sector, the government side of the financial services sector. If I could sort of wave a magic wand, we would have a Cyber Security Czar in the sector coming probably jointly out of the board of governors and treasury.
I think the problem we have: We've always had an Assistant Secretary of Treasury as the interface between, I guess the government's side of financial services and the private sector, and that tends to be a political appointment. People tend to roll in and out of that. So the person who is doing it in the Bush Administration is rolling out of that position and is looking for a job.
If I could wave a magic wand, I would have a Cyber Security Czar for the financial services sector somehow working in the Federal Reserve Board, and that would be a non-political appointed position, and you would have more ways to see continuity over a greater period of time.
FIELD: Now, Steve, one advantage Obama is going to have is he is going to have a Democratic Congress as well. There seems to be some resolve that we are going to see some kind of regulatory reform, or some type of extra-regulatory push. People understand the what but they don't really know what the when is. What do you see as some of the major regulatory issues that are going to be taken up in 2009, and I guess as part of that I would ask you: Do you foresee this administration and Congress reshuffling the regulatory agencies as has been proposed by the current Treasury Secretary?
KATZ: That is really a rough one ... I certainly see as I mentioned the greatest focus on cyber security. I'm sort of going to circle back; when we mentioned the tough news stories, what I didn't mention was the White House breach, and I think if there was ever a need for something to hang as a--it sort of comes back as sort of regulatory issue.
If there was ever a wakeup call as to why you need a greater focus in information security within that breach in the White House email system and saying you really need to have either congressional oversight - well, that wouldn't work in the White House, but you need a greater amount of focus within the White House on data security and information security.
If a breach can take place in the White House email systems, then a breach can take place anywhere in the executive branch, and I think the Obama Administration has to go in there and say they cannot allow that to happen. And I think that the oversight that we are going to hopefully see out of the pending regulation or out of the administrative branch has a much stronger focus on information security for hopefully a Cyber Security Czar coming out of the White House with cyber security czars in each of the equivalent cabinet level areas, and I would also like to see some general regulation.
And again, I'm focusing on information security and information technology, and I will leave the banking regulations out of there because they are far wiser and far more informed than I am to look at that, but I think a preemptive set of privacy regulations coming out and a preemptive set of data security regulations, which will really require a little more prescriptive in terms of a data center security focused on information, so that you can be protecting data regardless of where it is, some sort of regulation that recognizes that there is a need to bring in academia, private sector and public sector, say what is the root cause of the problem and how do we deal with it, as opposed to a whole lot of patchwork regulations.
And I would make sure that we get it done sooner than later, because I think the absolute need to get something done a lot earlier is a far better way to go, and hopefully that will happen a lot sooner than later.
FIELD: Steve, based on the conversations you have with people these days in the industry, what do you see as the biggest security threats to banking institutions?
KATZ: The biggest security threat I think is still a patchwork approach to security and not looking at this as a business risk management issue. The security, as long as we look at security as something that is being added on to instead of an integral part of the product, we are going to have a problem.
I think it is very much the nature of the information security or heads of technology risk working with the heads of business and again working with the regulators and examiners to make sure that information protection is part of the solution and part of the product offering and making sure that folks understand this is part of the service that we offer to our customers.
It is coming back to the line: We sell trust, and the business heads and business folks that we work with have to understand that what we are offering is a solution to a business problem and what we are offering is a solution to a customer problem. We are not solving a security problem; we are solving a customer problem. And to the extent we still try to solve security problems, we are going to wind up having resistance. To the extent we look to solve a business problem and a customer problem, we will have solutions.
But again, for far too long, and I've been doing this for a lot of years, we've tried to solve security problems and we've tried to sell security, and folks aren't really interested in security. People are interested in finding the best solutions for their customers' problems. And so the same thing in dealing with regulators. We are not trying to solve regulatory compliance problems. Regulators are really looking to ensure the safety and soundness of the products and the institutions with the examiner. If they sit and focus on solving the problems of customers, to the extent we have to focus on providing safety and soundness solutions, we are going to succeed.
What we really need is to walk around with a business hat on and a business head on; to the extent we are looking to go in and tell a business head or a board of directors what we are doing for them and why we need their help, that is not going to work. What you have to understand is we have to understand what their problems are and we have to understand what they need to do to protect their customers, and this is going to be awfully cliché because I think I've used this in almost every interview I've done for the past 30 years, but if you look at the nuggets of security, you are looking at answering some very simple questions that have absolutely nothing to do with technology and nothing to do with security.
And I've used this in discussing security with boards of directors, I've used this in discussing this with heads of businesses of the companies of which I've worked, the first question it always comes down to is: Do you care who you are transacting with; is that important? And that is not a technology problem, or a security problem, it's a business problem. If the answer to that is yes, then you can figure out how do you want to know, and once you know who they are, do you care what they are going to be allowed to do? And then once you get an answer to that, do you want that transaction to be confidential? Are you concerned about the integrity of that transaction? Do you want a signed receipt for that transaction? If something was wrong with that transaction do you want to know about it?
Focus your security program around very simple questions that add value to the business transaction and add value to the product, and not value to the security. Don't even have compliance discussions with regulators and with examiners because you can turn around and say we have solved a business problem.
We've gone through the confidentiality availability and integrity and the audits that are involved, and we've explained risk, and we've had a documented risk control system in place, and here is the risk we are willing to accept. And if the regulators turn around and say 'We don't agree with that you have at least raised the level or are dealing with a level of risk that has been raised within the business community itself.' And they can sort of argue back and forth on whether the risk is too great or not, but you've dealt with the business issue, and you've dealt with customer confidence issues, and you've dealt with trust issues, and you've dealt with examiner issues at the same time.
FIELD: That's well said, Steve. While you've got that business hat on, I want to ask you one last question. If you were at one of your old jobs today at a banking institution as a security executive, what would you see as the major business priorities for banking and security leaders in the New Year?
KATZ: Making sure you have a presence at the table, so that you have developed a level of personal trust, so that when there is an issue the folks know who you are before there is an issue and you are not just some person who shows up and says, "Oh my gosh we've got a problem." Because "oh my gosh" here comes a guy who comes to us with a solution; here's this guy who we've known through the course of a year and has developed this personal level of credibility so that when he or she comes to the table and comes to talk to me, I know he's got the interest of the business at heart and he is going to come to me with a set of recommendations that are best for the business, and not come to me with a security problem that I have to solve.
FIELD: That is well said. Do you see banking institutions being able to invest their resources in new services this next year? I hear a lot of people talking about mobile banking.
KATZ: I think banks recognize that they have to grow. I think mobile banking is going to continue to increase, and I think electronic banking is going to continue to increase. I think the rate of increase may not be as great as we hoped for a year ago, but there was an article out a few weeks ago or a few days ago that talked about mobile technology and cell phones being the future for all kinds of transaction services. I really think that is going to take place.
If you take a look at the kids going to the universities today, they are all wiki friendly, web 2.0 kind of folks. They are the customers for the next five to next 10 years. They are confident doing things on the iPhones, they are confident doing things on a shared application perspective. They are comfortable sharing data, and they are not comfortable hearing that you can't do that. That is the next generation of customers, and we have to figure out a way to deal with them because if we don't, they are going to go to the bank financial institutions that will provide them with the privacy services that they want.
We've got to find a way to make sure that we can safely and securely provide and supply them services that they need and that they want to use. And the only way is technology risk professionals have to find a way to do that in a safe and secure way. Always find a confident way to say "yes" and securely offer the products and services that our customers need or create those products and services that our customers want.
FIELD: Steve, I appreciate your time and your insight today. Thank you so much.
KATZ: My pleasure Tom, any time.
FIELD: We've been talking with Steve Katz, and for Information Security Media Group, I'm Tom Field. Thank you very much.