April 27, 2009 - Tom Field

I'd like to think we saved the best for last.

This past Friday, as the annual RSA Conference concluded, I presented the results of our annual Banking Information Security Today survey to a surprisingly packed house of banking/security leaders, regulators, consultants and vendors.

The regulators are always ranking their institutions. This time we asked the banks and credit unions to rank their regulators.

I say "surprisingly" not because I was shocked by their interest, but rather I was a little stunned to see so many people at a 9 a.m. event following the previous evening's Codebreakers Bash - the annual hoe-down that ends the conference week for many attendees.

But we had an attentive crowd at my presentation on Fri., and I treated them to an overview of our just-completed survey's results. Now, we're still putting together our executive summary, so I don't want to pre-empt that announcement. But I can tell you this - that our results come back with interesting developments in five key areas:

• Response to the Recession - financial institutions have fewer resources and more demands, so how are they prioritizing their work?
• Heartland Aftermath - You'd better believe that institutions are "mad as hell and not going to take it anymore." See how they plan to prevent further Heartlands.
• Vendor Management - We thought vendor management was a priority last year. Now, in the wake of the recession and further trust concerns, institutions are preparing to ramp up their scrutiny of service providers.
• Regulatory Compliance - OK, so we turned the tables. The regulators are always ranking their institutions. This time we asked the banks and credit unions to rank their regulators. Wait til you see the results.
• Mobile Banking/New Services - As we discovered last fall, when we conducted our Banking Confidence survey, institutions - despite the recession - are continuing to invest in mobile banking and new services. The trend continues; check out where institutions are expanding their efforts.

There's more - much more - and we'll be ready to share it all soon. I just wanted to give you a quick heads-up, so you can be prepared to download our upcoming report and share it with your colleagues. As one banking leader told me after Friday's session, "The results themselves aren't a huge surprise - they validate what many of us already believed. But now we've got something to go to our business leaders with and say 'Here! This is what I mean ...'"

Verizon Business Study of Data Breaches
Consistently throughout the RSA show, I kept hearing security leaders from across industry - and government, too - compliment the work of one individual.

The man is Dr. Peter Tippett of Verizon Business. His work is the new study of 2008 data breaches in which he and his team dive deeply into the types of breaches organizations are suffering, where they're coming from and how these breaches might be prevented. It's good, thorough research, and you can learn more about it in an exclusive interview I conducted w/ Dr. Tippett.

Speaking of Breaches...
Interesting session I attended on Thursday: Defending Citizen Data: Proactively Preventing Government Breaches, a case study featuring Robert Maley, CISO of the Commonwealth of Pennsylvania.

Now, Maley is the state's first CISO, and when he took office a year or so ago ... well, in his words, the state's incident response plan had some issues. "There were basically two rules [after a data breach]," Maley says. "Who knows about it? And do we have to tell?"

Maley's job was to establish a formal incident response program, establish penetration testing, conduct proper risk assessments and set new policies and guidelines. "We had to develop a game plan," Maley says - and get everybody to buy into it.

The results? Well, in 2006-2007, before Maley arrived, Pennsylvania's government suffered data breaches affecting 500,000 records. In 2008, as Maley's approach evolved, 212 records were breached. So far in 2009, just two.

"We've used these results to change our culture," Maley says. "Now we're preventing security problems before they happen."

Hats off to Maley. He's definitely at the point of a trend to track.