KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Berthold Kerl, Deutsche Bank AG
April 18, 2012 10:30
Berthold Kerl, Deutsche Bank AG
April 18, 2012 10:30
So welcome everybody to the session, making information security, a strategic priority. I think that's a very, very good title for the session and, and fits very well into today's time. And it also underlines that information security is now something which is even discussed on board level. At least in my company where I come from, this is the case. I now hear board members talking about topics like information classification, access control, and, and other things. And I don't think that happened two, three years ago.
So as I already said, I would appreciate if this is not a one directional conversation today, I would like to make it as interactive as possible. So if you have question, please, don't hesitate.
Go ahead, ask it. We will interrupt. We will try to, to make sure that that, that we get the answers that, that, that you can cover certain topics. Cetera. This very first session talks about cyber crime, and I will give a little bit of introduction. I will also give an outlook on what's going on in the later hours of today. Before I then hand over to, to my next to the next speaker.
Where, who, who, who will then go a little bit deeper into the topic of cyber crime, especially in banks. All right, so that's, then let's get started. Information security threats are constantly increasing. What should we be doing?
And again, that's just a little bit an introduction. If you heard my session earlier today, some of the slides already will be familiar with you will be familiar with them, but I will try to cover some additional topics as well. So what are the top threats in the future? And I've picked three categories, external threats, regulatory threats, and internal threats, cyber criminality increases as mass based matures.
I mean, this is, this is very obvious. We, we, we even see now nations arming up to cope with the cyber war even, and some to attack others to protect.
So that's, that's an interesting thing. And the companies are somehow in between, we see more and more activities.
I mean, when you look at, at, at developments last year in, in the European world, where revolution was organized using the web, you would see that now more and more is going on, on, on, on the internet. Something is sometimes it's good. Sometimes it's difficult and dangerous, and we have to deal with that. And cyber threat is also not only happening in the internet itself, but it's, it's somehow physical. So this is growing together.
We have IP telephony, we have the problem that people can attack our physical infrastructure, shutting down energy, shutting down, light, shutting down whatever infrastructure, which is at least has the potential to, to, to create nervousness in the organization and business disruption. Second, second, second topic is regulatory threats two, three years ago.
And, and we have Dr. Michael helped here with us who will give a speech later on from the B I received the B letter asking us to confirm that we take care of information security using some sort of international standard. It was not much more precise than that.
And, and then we obviously try to give a good answer. Now, when you look at the path and requests we received today, they're much, much more detailed. They go down in detail through each of the domains with quite specific requests, very different situation, which shows also the increased maturity of the regulators. But then obviously we also see that there's another sort of regulation coming from a data privacy perspective.
We, we do see data privacy initiative from, from the European union, the new European data privacy directive. Not, not sure whether you heard about the initiative in the us, you heard, right. It's the us, which is now also focusing on, on data privacy to much higher extent. So some Obama makes this now a topic in his, in his reelection campaign.
So, so that's interesting to observe and other regulators do the same such as the, the monetary authority of Singapore, which also comes up with a new data privacy act. And the, these new regulations will impose a significantly pressure and, and effort on the organization significantly. And the danger obviously is that by trying to cope with these kind of requirements, other things can't be taken care of again. And then of course we have still the internal threats, access control remains to be an evergreen.
This is, this is still a hot topic. And, and many companies definitely banks struggle with that topic. We have to deal with third party and even fourth party risk. It's meant like that the suppliers of our suppliers are part of the supply chain, and we have to find ways to manage them as well, not to talk about the cloud. And I think it's not the question whether or not to use the cloud. I think that will come. It's rather the question. We can only use it if it is secure. And that is a 100% core prerequisite, at least for banks, no cloud without the necessary security controls in place.
And I think basically already on, on a, on a summary of this page is going forward organizations, which do not understand that it and information security has to go hand in hand will fall behind. So that's, that's the new challenge I shared with you, this, the slide already, it sort of summarizes the, the cyber, the cyber space as we see it, it's quite a large field and we already covered also the regulatory challenge.
And, and on the internal threat side, I think we have still a number of, of challenges to cope with just talking about a few examples before we then start off with the session. We still of course have the issue with data leakage. One of the problems is now new technology like mobile storage devices.
Actually, it's not a, a difference in principle informative. You could also take out paper information on paper or other media and, and use it for whatever purpose. I think the, the big difference now with, with, with, with new technology is it can now be done in a very, very massive way.
That's, that's the big change with a USB stick, with even storage with, with the SIM card on, on, on, on a camera, whatever you can take out tons of data. And that's very different. And we have to find ways to protect us from both intentional, as well as unintentional things to happen. Big problem also is, is, is the whole behavior thing.
And, and here comes into play things like flexibility and convenience of the people. So people in, in banks sometimes like to work at home, like to work at weekends, don't wanna carry a company, laptops want to work on their, on their tablet, PCs cetera. So what will, what will they do if you don't offer them proper, proper technology, they will just send their information to their private email accounts. And of course of the information goes beyond company's control. So how do we deal with that?
And, and many other things which we will have to manage. And the other question which we will cover in the course of today is what do we do with all these things? How do we evaluate the risk and how do we come up to, to a proper recommendation to management. And obviously there is a big room of options and, and we have to think about ways to, to define these scenarios, to come up with pro and cons of each of the scenarios, and finally to organize the decision making pro process in, in the company to, at the end of the day, decide at which point, how far we wanna go.
And what is the risk we want to accept later on Giving you an overview of, of the session after my little introduction, I will hand over to Dr. Saha from co a Cole who will talk about facing the online threats against retail and banking customers. And also what are the future perspectives? After that session, we will have our regulatory slot, we will start, which I think is very good that we have Dr. S helped with us from the fin who will give us an insight on what, what the regulator thinks about information security and what the banks should be doing in that regard.
And that will be followed by a PE discussion with Dr. Valin from association of German banks. Toski from KU Matthias bank, Dr. Ho Wilder for Cole, welcome to from Munich re and, and myself.
And, and we would like to, to discuss with all of you, what is a lean way to approach and deal with regulatory requirements. Then in the afternoon, we will switch a little bit to identity and access governance in the finance industry, starting with duke GreenSky from CROs bank, who will make us familiar with identity and access management governance in the new CHRA bank, after the emerge. And also then followed by Wolfgang swag from Munich re who will give us an insight in best practices in MUN re with regard to identity access management.
And last session of this slot is about risk identification and evaluation. That one will be Cod by Dr Zha and myself, with regard to delivering action of recommendation to senior management. It's very lengthy title based on structured risk identification and evaluation process. And the last session will be about identity access management.
Again, given by Dr. Martin Coolman from, as I said, I would like to make this session as interactive as possible. And therefore I would, first of all, give you the opportunity to comment, to ask any question wishes, whatever, before over to Dr. S is there anything you would like to cover here?
See, one thing, one, one finger, yes, please go ahead. So yell it out. Matthew Gardner from RSA, you mentioned data privacy, and we're actually find that the sort of security approaches, which usually have something to do with monitoring runs into the problem of, or perceived problem of data privacy, where financial institutions or companies from a security point of view would like to monitor their infrastructure more closely. Yeah. But that often means they're monitoring their users, their employers, yeah. Employees more closely. So how do you get across that? So did you get that?
Yeah, So perhaps I tried to, to summarize, I think if I, if I understood correctly, your question was on the one hand, we would like to, to protect the data by, for example, monitoring and, and surveillance technology. Yes. On the other hand, we have data privacy regulation, which makes it in some countries more difficult to do this.
Yes, That's Correct. Yeah. Yeah.
That, that is a big challenge. And it is, of course, as I already mentioned, even more complicated by different regulations. So what can be done in some countries can be done in others. And that's, that's a big challenge for the, for the organizations. Okay. So we try to cover that in the course of, of this session and, and I, I make a note. Okay. Thanks. And.
