09:36 AM
Kelly Sheridan

Cybersecurity Lessons from Former FBI Director

Robert Mueller describes how security initiatives within the Bureau are applicable to financial services.

In the aftermath of the tragic events of September 11th, 2001, FBI director Robert Mueller met with the President of the United States and other top officials to discuss steps being taken to find those responsible for the attacks. There, the President asked Mueller a question that caught the newly appointed director off-guard:

“What is the FBI doing to prevent the next terrorist attack?”

Mueller, a former attorney accustomed to confronting crimes – not preventing them – had no answer. In the years that followed, the President’s simple question sparked a realignment of priorities within the FBI to address potential threats before they become reality. The same process is relevant to financial services companies battling a rapid growth in cybercrime.

“The evolution of the Bureau in the wake of 9/11 has some applicability to what we see happening in the cyber space,” said Mueller in his keynote at the Cybersecurity in Financial Services event hosted by Deloitte and BITS this Tuesday at Convene in New York City. The sixth director of the FBI, he began his term a week before 9/11 and served through September 2013.

Rather than primarily focusing on reactive strategy, the FBI now aims to identify particular threats, understand the extent of its knowledge on those threats, and work to collect intelligence against them. Counter-terrorism, counter-intelligence and cyber initiatives have taken precedence, he explained.

Mueller discussed lessons learned as the Bureau increased its preventive efforts, many of which are sound advice for financial services institutions protecting their organizations against cyber attacks. Just as the FBI must stay ahead of criminals and terrorists, banks and insurers must anticipate and address security breaches.

“There has not been sufficient focus on protecting that which needs to be protected,” said Mueller of cybersecurity strategy in financial services. “Assume a breach [will occur] – what will you do to address a series of breaches?”

The financial sector is particularly vulnerable to cyber attacks, said Mueller, and breaches should be expected. He recommends that executives collaborate with the people they would need to meet with after a breach. Such proactive meetings could be used to determine strategic next steps in the event of an attack.

Another primary challenge, said Mueller, was establishing “lanes in the road,” or determining which organizations have jurisdiction over certain areas of security. For the FBI, this involved assigning groups such as the Secret Service, National Security Agency, Department of Homeland Security and Central Intelligence Agency to monitor and protect areas in the US or overseas.

For financial services, the parallel could involve assigning divisions within the organization to focus on certain security initiatives. While this strategy ensures all departments are covered, it should not impede collaboration among employees in the event of an attack. Success is unattainable without pulling people together to address a particular threat, Mueller explained.

Human resources played a critical role in security efforts at the FBI, which deepened its teams’ cyber knowledge and hired computer scientists to serve as advisors. While additional talent is important, Mueller cautioned against the growing danger of insider threats. A business can meet every tech standard but still have an employee who could bring the company down, he said.

Cybersecurity now involves all organizational departments, from human resources to the C-level. “It is something that the CEOs need to know and understand,” said Mueller. The mistake of not drilling down far enough into technology is one often made by high-level executives in the private sector, and organizational leaders should have some cyber knowledge. “In the future, the leadership of the Bureau will have to have a background in cyber,” he predicted.

Kelly Sheridan is an associate editor for Insurance & Technology. Prior to joining InformationWeek Financial Services, she was a staff writer for InformationWeek and InformationWeek Education. Kelly has also written for trade publication Promo Marketing and a number of ...

Comments
Kelly22
User Rank: Author
6/30/2014 | 5:21:31 PM
re: Cybersecurity Lessons from Former FBI Director
Absolutely. The potential for in-house threats is alarming, especially for financial services firms, which handle large quantities of sensitive data. Not only do they have to hire skilled and trustworthy employees, but they should also provide the training to keep them updated on security best practices.
Jonathan_Camhi
User Rank: Author
6/28/2014 | 4:07:05 PM
re: Cybersecurity Lessons from Former FBI Director
Yeah, we're seeing in banking that fraudsters are using the human-contact channels, like the call center, to help them try to get access to enterprise networks and customer access. Everybody in the enterprise has to be alert and aware of best practices at all times. Any kind of strange behavior in any network or account has to be noticed ASAP and investigated.
Jonathan_Camhi
User Rank: Author
6/28/2014 | 4:04:29 PM
re: Cybersecurity Lessons from Former FBI Director
We're starting to see some of that in banking though, where banks are more willing to share information and cooperate with each other for the sake of better overall security in the ecosystem.
IvySchmerken
User Rank: Author
6/28/2014 | 3:46:21 PM
re: Cybersecurity Lessons from Former FBI Director
Mueller's point about how companies can get the technology right but can still stumble if they fail to get the right human cyber security skills in-house is important. Working with HR to hire employees with cybersecurity experience who possibly worked for a government agency, like the FBI, sounds like a wise move for financial services firms.
Kelly22
User Rank: Author
6/27/2014 | 6:38:19 PM
re: Cybersecurity Lessons from Former FBI Director
That's a good point as well, Kathy. Competitor companies could definitely help strengthen each other's strategies with additional information. That may be difficult to get started but could really help in the long term.
KBurger
User Rank: Author
6/27/2014 | 5:16:54 PM
re: Cybersecurity Lessons from Former FBI Director
The anticipatory (prepare for the inevitable next attack) vs reactive approach is key, I agree. Financial services firms have new capabilities around analytics, modeling, social media, etc., that can help them do this. It also requires some cross industry cooperation with companies that may be competitors, in order to share info, insights, forecasts, etc., that has not always come naturally to the industry. Of course, BITS' role is to facilitate this kind of collaboration.