
FST. How important is data security to your bank, as well as the financial services industry as a whole? How has this area of business intensified over the past ten years?
AL. Data protection has always been of major importance for the banking industry because of the legal and regulatory context. But over the past ten years, data protection has been enforced, first by various internal policies such as data classification, encryption, and physical access policies; secondly enforcement came by implementation strategies and thirdly by security infrastructure. While information confidentiality is easily understandable, data integrity is less understandable and Sarbanes-Oxley strongly intensified the controls covering this information properly.
FST. What are the key security challenges that you currently face?
AL. With the recent integration of the non-financial risk functions, our challenge is to provide the Executive Management with one single radar-screen; one single view on all key risks, all major incidents and on all issues in respect to the implementation of the remediation actions, in reconciliation with the ING SWE risk appetite. Furthermore, our effectiveness will be demonstrated by the containment of incident costs and capital costs, an increasing maturity level in internal controls and finally by a positive contribution to client satisfaction.
FST. What do you think are some of the common mistakes that organisations make when it comes to IT security/business continuity efforts?
AL. One of the common mistakes is that organizations believe that this is the responsibility of one team, i.e. the Information Security or Risk Management team, but not theirs. It is one of the motivations of our security awareness sessions: to make people aware across the organisation that security, and therefore, business continuity is their responsibility.
FST. There have been a number of recent high profile cases of data loss. How do you see the financial sector responding to these cases?
AL. Even if incidents like this were to occur on a more or less regular basis, the recent cases would of course have had the same impact, mainly because of the amount of the fraud. And in such circumstances, the response is immediate: the attention is pushed again on the bank’s critical activities and we are requested to analyze the risks. This means identifying the potential risks and assessing them, identifying measures to control them and finally monitoring them. With such cases it is also key to refocus on the insider threat, whereas a lot of initiatives and projects still only address the external threats.
FST. Do you think that there is a sufficient understanding of security risks across the enterprise? What are the pitfalls of a ‘box ticking’ approach to information security?
AL. Security awareness is a recurrent and never-ending story; threats are more and more innovative and malicious, and users more and more vulnerable in front of the technology. Ideally, security should be completely transparent to the users, exactly as it is done in the car industry. While this is not the case, the users will feel ‘secured’ because they have bought and installed some software and ticked boxes, whereas they will actually still be at risk.
FST. Where do you foresee as being the main emerging security risks in the coming months and years? How confident are you that you can respond to these risks effectively?
AL. Malicious activity will continue to increase and will require attention and fast response. The second point of attention will concern insider threat: projects such as identity and authorization management and security monitoring are on the agenda.
Annick Loks, ISO at ING Belgium
Annick Loks started her career at ING (formerly Bank Brussels Lambert) twenty years ago as a System Engineer. Ten years ago she joined the Security Engineering team. From there she moved into Information Security, Information Risk Management and more recently to the integration of the non-financial risk functions. She is now the head of the Information Risk Management team with ING South West Europe.