Financial services organizations are among the leading adopters of cloud services, according to McAfee's recent Cloud Security Report. This shift to private and public cloud is happening amid conflicting priorities between regulations and business drivers. Most financial institutions are interested in the cost and flexibility benefits of the cloud and are actively looking for ways to address its risks and meet the regulatory restrictions that apply to cloud use, while taking full advantage of what cloud services offer the business.
One of the big cloud challenges in financial services is the tension between speed and risk. Many departments, especially those that depend on high-touch relationships, such as wealth management or private equity, want the easier and richer customer interactions that cloud services promise. From email to file sharing to digital signing, these groups are not waiting around for the often slower and more expensive services approved and deployed by IT. Private-label subsidiaries and less-regulated units are even less likely to wait for IT. So it is no surprise that IT professionals in financial services are among the most concerned that these unsanctioned "Shadow IT" services are impairing their ability to keep cloud use safe and secure.
My advice to CISOs is to change tactics and get ahead of these groups. It is more difficult to catch or stop Shadow IT than to prepare and support the services people actually want, so it is essential to gather the requirements and find ways to meet them. That means building the business case for data encryption, data classification and granular access controls over data movement into the services IT delivers, rather than bolting them on afterwards. Business-driven solutions reduce the chance that users and business units will find a way around the controls.
Reducing Shadow IT also means delivering services on a shorter timescale and at a lower internal price. Business units are not going to wait six months and pay ten times as much when they can turn on a Dropbox account in less than five minutes for less than $100 (or for free).
Finally, it means listening to these groups and educating them about the risks involved, to foster a culture of cooperation and compliance between them and IT. Without sufficient understanding, groups will often rationalize their actions, thinking that it is just a one-time action, or that their data is not that sensitive, or that it is going to a client they can trust. Unfortunately, as we have seen repeatedly, the ease with which digital information spreads quickly refutes any and all of these justifications.
Education should be addressed head on. For example: "Before you spend that $100 on a service like Dropbox, here are some things you need to consider." CISOs should research examples of how this type of activity has been compromised, and how to adequately protect the client and the organization. Work with these groups on how to perform a risk assessment that is specific to their needs, based on the business case, the applicable regulations and the jurisdictions involved.
Managing multiple geographies and jurisdictions is going to be a long-term challenge for cloud services. There are no one-size-fits-all solutions when it comes to the cloud and privacy regulations; in fact, they are increasingly one-size-fits-one. While some markets will have complementary regulations, some will contradict those of a neighboring jurisdiction, and some may make it virtually impossible to use a public cloud service at all. These regulations make it all the more important to get ahead of Shadow IT activity and deploy suitable services.
The cloud offers significant cost and flexibility benefits, and deployment appears to be inevitable, whether you are ready or not. So get ready and make the necessary investments now. Cloud providers and security vendors are increasingly aware of the need to take industry-specific regulations and other constraints into account when designing and developing products and services, and they are able and willing partners in this journey. The future of cloud banking is still cloudy, but together we can greatly reduce the risks.
By Joe Bernik, McAfee’s CTO for Financial Services