Paul Smocer discusses the use of social media and cloud computing by financial services firms, including the inherent risks, and what you can do to mitigate them.
About the speaker
Paul Smocer is the Vice President of Security at BITS, a division of the Financial Services Roundtable.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.
Social media and cloud computing for financial services
Marcia Savage: Hi, I'm Marcia Savage with SearchFinancialSecurity.com.
We're here today with Paul Smocer. He's the Vice President of security
at BITS, a division of the Financial Services Roundtable. We're going to
discuss social media and several other topics that are really important
to financial firms these days. Thanks so much for joining us today, Paul.
Paul Smocer: Marcia, it's always a pleasure.
Marcia Savage: Well, to begin, Paul, social media risk management
has become a very hot topic in the enterprise. What are the main security
risks financial institutions need to be aware of with social networking?
Paul Smocer: Marcia, I think when we think about social networking
it's not only security risks, but it's also to some extent reputation risks
as well. When we think about it, we think first probably about data
protection more than anything because we're now, in essence, offering
another channel for people to share information, and we need to make
sure that they're sharing the right information. That information is still
as secure as it was before, given other channels that we use to transmit
it. So I think that's a key issue. For us in financial services in particular,
there are also compliance issues, particularly in our trading areas.
The SEC just recently came out with a new rule around social media
and use of social media and what kind of material needs to be retained
and under what circumstances. So for a financial institution, there's
probably a little bit more of a restriction there than there would be for
other industry verticals. But I think beyond that, even from a reputation
kind of perspective, there are concerns being voiced about issues on when
information might be released by employees. For example, employees in
your financial area who might have access to unpublished financial reports
and may accidentally say something in a social media setting that could be
interpreted as pre-release of information.
There are also concerns about employees who may be misinterpreted
as being official spokespersons for an organization and then there's kind
of an emerging question around liability for what happens if an
employee gets into even a well-intentioned argument in social media
about our company's product versus some other company's product,
as an example, or about some individual at another company. So there
are a lot of considerations that we're looking at, and it's certainly an area
of focus for us going forward this year.
A lot of financial institutions have come out with social media policies. In
reality, those policies often either point to other existing policies or are
rewrites of policies that were used for – and although we don't tend to
think of it as such, email was really a method of social media and social
contact – so updating some of those policies to reflect the newer technologies
is often what people are doing. There are still a number of financial institutions –
and I think we'll see this for a long time – who are attempting to block the
use of personal social media at the workplace, particularly, again, those
who have significant compliance issues that they need to worry about.
But I do think organizations are recognizing that as we move forward,
as the workforce changes, as younger employees come in, that it is a
subject that we've got to deal with, and we've got to find ways to assure
that even though we're allowing perhaps private social media, that we're
controlling it either through isolating it in some way on the networks, or
keeping it confined and watching its usage as well.
Marcia Savage: Cloud computing is another hot topic, but surveys
continue to show that security pros are wary of it due to security concerns.
Does that reflect what you're seeing in the financial services industry?
Paul Smocer: Yeah, it certainly does. I think that you can think of cloud
computing in a few different ways. You can think of it in the environments
in which it exists, so I personally tend to think of it as data in the cloud,
processing in the cloud, and kind of the infrastructure in the cloud scenario.
Certainly from a data-in-the-cloud perspective, being in the industry we're in,
we've got a lot of regulations around protecting private information and so
there's a lot of concern about issues around where is the information stored,
is it co-mingled? In some cases, for example, organizations that have
operations in Europe need to worry about E.U. privacy regulations and if
the information is leaving the country.
Conversely, when there's an issue, if there is a data breach of some kind,
people need to think about how they're going to investigate that data breach
if it's in the cloud, and will the cloud provider allow them to do some sort
of investigation, especially if their data happens to be in an environment
where it's co-mingled with others. I think probably the biggest piece right
now is data. Obviously, software as a service has concerns, too, because it
just, to some extent, amplifies the general concerns we have about software
assurance and how securely it was developed. And if there are vulnerabilities
that are discovered now, now you're using software potentially that lots of
others are using.
Maybe, the fact that lots of others are using it makes it a larger attack
vector. So there are concerns being raised. Counterbalancing that,
a lot of security folks will tell you that others in their organization are
looking at the cost of cloud computing and recognizing that it's potentially
a more economical solution. So there's this dynamic going on around
making sure that what you're doing in the cloud computing environment is,
in fact, protected. But the other way I tend to look at it as well, and I think a
lot of our members do, is that it is really the latest iteration, if you would, of
vendor management or service provider management. Just like any other
service provider or vendor that you're going to use on the outside, you
need to think about what the risks are going to be up front. You need to try
to mitigate those risks as much as possible, either by finding the right
provider or by contractually obligating the provider in some way.
And then you need to monitor those risks on an ongoing basis to make
sure that the vendor is living up to what they said they were going to live
up to. So in a way it's a new issue, we hear a lot about it as a new issue,
but in a way, it's not. On the infrastructure side, as an example, if you go
back 20-30 years, the idea of sharing a data center with someone else was
kind of popular for a while. We've kind of morphed that technologically into
a slightly different model, but ultimately it's still the same model.