Now that you have a handle on the nightmare scenario and understand the importance of fostering a culture of security across your investment firm, here are four steps to guide you through the creation of that culture.
1. Create a computer incident response team
Start by creating a “Computer Incident Response Team” (CIRT) that will oversee your information-security policies. Although IT professionals are responsible for overseeing and maintaining your computing infrastructure, you also need business users to play a central role in your security initiatives. After all, they’re the ones who use these resources – and the ones who can represent the biggest vulnerabilities and risks. While the team’s responsibilities can vary, many CIRTs are active in several key areas:
- Creating a Plan – The team develops the information security plan and works closely with peers across departments to implement and maintain it.
- Creating Training Programs – Training is what turns the firm’s security plans and policies into day-to-day practice.
- Responding to Incidents – Business users can add valuable insights, assess the business impact of breaches, determine who must be notified, and more.
- Communicating with Peers – CIRT members spread the word to colleagues and keep security top-of-mind. They also help coworkers self-assess security risks and encourage constant awareness.
2. Define your terms
Before you can secure your confidential information, it’s important to define exactly what you mean – and ensure everyone in your organization is literally and figuratively on the same page.
Many firms create a 10- or 20-page written information security plan that formalizes the definitions and policies governing the creation, access, and deletion of confidential information and computing services. That can cover everything from a definition of personally identifiable information (PII) to a description of user access privileges and roles to policies regarding USB thumb drives. What matters is that you’ve explicitly and unambiguously documented all aspects of your company’s at-risk assets and services. A multi-disciplinary, cross-functional team often works best in these efforts.
Technical Safeguards and Responses
With a business perspective, the CIRT can help IT define the technical restrictions that should be in place – everything from encryption for mobile devices to screen-lock policies, USB usage, antivirus scanning, spam filtering, password policies, penetration tests, audits, and much more. These are matters that should not be in the sole jurisdiction of technical experts.
In the event of a breach, your CIRT can manage and facilitate the response that’s needed after assessing the impact of the incident. That can encompass working with internal stakeholders and notifying regulators and government officials as required by law. Your business people – not the IT team – know the value of the affected data, and they’re in the best position to define the response.
3. Deliver comprehensive training
All of the documents, committees, and meetings won’t have any meaningful impact if proper security practices don’t spread quickly and uniformly across the organization. The way that starts to happen is through systematic and comprehensive training.
- Face to Face – Face-to-face, instructor-led, hands-on training is the best way to instill the security culture. The emphasis needn’t be (and shouldn’t be) on the bits-and-bytes with a lot of tech-speak. Instead, focus on what business users need to know to keep IT resources secure and protected.
- Video Refreshers – When employees have quick questions or when face-to-face sessions aren’t practical, on-demand video lessons can fill an important gap.
- Start Early – Make security training a part of your onboarding process – and ask employees to start training before their date of hire. Make sure new hires recognize their responsibilities from day one.
- Keep it Going – Awareness doesn’t stop with the training. Regular newsletters about data security are a good strategy. Periodic reminders from top managers can also reinforce your security-oriented culture. Update your teams about new and emerging threat strategies and sources.
4. Remember the internal culture reaches out externally
Even when you have locked down your internal systems, implemented best-practices policies and procedures, and trained your employees to think “security first,” there’s still more work to do, culture-wise.
- Assess third-party risks – Perhaps the weakest link in the security chain is one you have little (or no) control over: the practices of your partners. Have you analyzed the security practices of your strategic business partners? You can outsource operations, but not your security responsibilities.
- Regulatory risks – Following the right security practices will enable you to achieve clean audits from industry and government regulators. What you do inside will greatly affect your external reputation.
- Personal email – Even if your employee is following all of your processes and practices with work-related email, you could still be vulnerable if her private, personal email is breached or corrupted. That can unintentionally open a back door to your network environment. And that means security vigilance must extend from professional to personal domains.
Proper perimeter defenses and rigid security controls are, of course, non-negotiable requirements for any hedge fund or private equity firm. But the new front lines in corporate IT security aren’t technical – they’re people. By developing an internal culture of security, the organization does far more than deploy and configure bits and bytes. It commits to defining and following thoughtful, far-ranging policies to eliminate the needless internal vulnerabilities that often go unrecognized.
From a properly trained and staffed computer incident response team to carefully defined policies and procedures to complete training, financial services firms can take simple but important steps to prevent breaches, strengthen security, improve regulatory compliance, and increase customer confidence.