By Dr Guy Bunker.
I recently attended a summit for Financial Services (http://www.fstsummiteurope.com/). It wasn’t specifically about IT security although, understandably, there was a great deal of discussion about it. I found the whole event both interesting (who knew you could save so much money with managed print services or by selecting a specific type of silicon chip?) and useful – the rise and rise of social media, BYOD and the security issues it raises. Social media monitoring is being used by regulators as a means to find potential issues with service providers – which raised, at least in my mind, the interesting thought of creating a ‘denial of service’ type attack through focused, bogus use of social media against a particular provider. We know there are challenges with using social media as a reliable means of evaluation – after all, Facebook analysis shows that 10% of its accounts are ‘not human’. While 10% doesn’t sound like a lot, when you look at how many Facebook accounts there are, this equates to 100 million – and quite a lot of reputational damage can be done with a tiny fraction of that.
Security was, of course, a big topic and we had a number of great meetings with various banks, insurance companies and building societies. We were specifically talking about our future directions with Information Governance and Adaptive Redaction. This resonated with all the people we spoke to, and another very simple use case emerged: a simple reply to a customer email can put the organization at risk of a data breach. It arises when a customer sends in information by email, some of which is protected under a specific regulation (for example a credit card number under PCI DSS). Customer support then wants to acknowledge receipt and hits ‘reply’ – at which point the credit card number, carried along in the quoted original, flows back outside the organization, creating a breach. This is something that Adaptive Redaction can solve, as it automatically removes the policy-breaching information before it leaves the organization. What was most apparent was the simplicity of a problem that hadn’t been raised before.
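The reply-leak scenario above, as an added example that is not Clearswift’s Adaptive Redaction code: a minimal outbound-mail redaction pass that finds Luhn-valid card numbers anywhere in a reply (including the quoted customer text) and masks them before the message leaves. The candidate pattern, the mask format and the sample reply are all constructed assumptions.

```python
import re
from typing import Tuple

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
# Constructed for this example; a real policy would also look at context and card ranges.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid card number in text, keeping only the last four digits.

    Returns the redacted text and how many numbers were masked, so the gateway can
    both deliver the cleaned reply and log that a policy breach was prevented.
    """
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r'[ -]', '', match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # e.g. an order or phone number: leave it untouched
        count += 1
        return '[REDACTED PAN ending ' + digits[-4:] + ']'

    return PAN_CANDIDATE.sub(_mask, text), count


# Constructed outbound reply: the agent's acknowledgement on top, the customer's
# original message quoted underneath, exactly as a mail client's 'reply' produces it.
SAMPLE_REPLY = """Dear Ms Example,

Thank you, we have received your request and will process it shortly.

> Hi, please charge my card 4539 1488 0343 6467 for order 1234567890123.
> Regards, A Customer
"""

if __name__ == '__main__':
    cleaned, masked = redact_pans(SAMPLE_REPLY)
    print(cleaned)
    print('card numbers redacted:', masked)
```

The 13-digit order number fails the Luhn check and is left in place, which is what keeps a pattern-only approach from redacting every long number in a customer’s mail.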
One of the other interesting areas was compliance and the issues with regulations that are subjective. This makes it hard to know whether an organization is or isn’t compliant – and frequently it is only when the organization is being inspected that an objective perspective emerges. We talked at length about the challenges of geography and the different jurisdictions, as well as the various other pieces of legislation, most of which appear to contradict something, somewhere. While there wasn’t a rush to have overall objective global legislation, the challenges certainly put most CIOs and their budgets under strain.
We are back at the same meeting in November, by which time we will have released our new products and there will undoubtedly have been new security and compliance challenges and issues. So it will be interesting to hear what the major topics of conversation are then… it’s only six months away, but in security that is almost a lifetime.