In the aftermath of the tragic events of September 11th, 2001, FBI director Robert Mueller met with the President of the United States and other top officials to discuss steps being taken to find those responsible for the attacks. There, the President asked Mueller a question that caught the newly appointed director off guard:
“What is the FBI doing to prevent the next terrorist attack?”
Mueller, a former attorney accustomed to confronting crimes – not preventing them – had no answer. In the years that followed, the President’s simple question sparked a realignment of priorities within the FBI to address potential threats before they become reality. The same process is relevant to financial services companies battling a rapid growth in cybercrime.
“The evolution of the Bureau in the wake of 9/11 has some applicability to what we see happening in the cyber space,” said Mueller in his keynote at the Cybersecurity in Financial Services event hosted by Deloitte and BITS this Tuesday at Convene in New York City. The sixth director of the FBI, he began his term a week before 9/11 and served through September 2013.
Rather than primarily focusing on reactive strategy, the FBI now aims to identify particular threats, understand the extent of its knowledge on those threats, and work to collect intelligence against them. Counter-terrorism, counter-intelligence and cyber initiatives have taken precedence, he explained.
Mueller discussed lessons learned as the Bureau increased its preventive efforts, many of which are sound advice for financial services institutions protecting their organizations against cyber attacks. Just as the FBI must stay ahead of criminals and terrorists, banks and insurers must anticipate and address security breaches.
“There has not been sufficient focus on protecting that which needs to be protected,” said Mueller of cybersecurity strategy in financial services. “Assume a breach [will occur] – what will you do to address a series of breaches?”
The financial sector is particularly vulnerable to cyber attacks, said Mueller, and breaches should be expected. He recommends that executives collaborate with the people they would need to meet with after a breach. Such proactive meetings could be used to determine strategic next steps in the event of an attack.
Another primary challenge, said Mueller, was establishing “lanes in the road,” or determining which organizations have jurisdiction over certain areas of security. For the FBI, this involved assigning groups such as the Secret Service, National Security Agency, Department of Homeland Security and Central Intelligence Agency to monitor and protect areas in the US or overseas.
For financial services, the parallel could involve assigning divisions within the organization to focus on certain security initiatives. While this strategy ensures all departments are covered, it should not impede collaboration among employees in the event of an attack. Success is unattainable without pulling people together to address a particular threat, Mueller explained.
Human resources played a critical role in security efforts at the FBI, which deepened its teams’ cyber knowledge and hired computer scientists to serve as advisors. While additional talent is important, Mueller cautioned against the growing danger of insider threats. A business can meet every tech standard but still have an employee who could bring the company down, he said.
Cybersecurity now involves all organizational departments, from human resources to the C-level. “It is something that the CEOs need to know and understand,” said Mueller. The mistake of not drilling down far enough into technology is one often made by high-level executives in the private sector, and organizational leaders should have some cyber knowledge. “In the future, the leadership of the Bureau will have to have a background in cyber,” he predicted.