Chief Legal Officer, Alkami
Dr. Anand Singh
Chief Information Security Officer, Alkami
Cloud can provide a significant competitive advantage in today’s fast-paced world. Alkami has some unique perspectives on this topic since we have the ability to look at it from both sides; we consume Cloud services and we also provide Cloud services. We started the discussion by sharing some of those perspectives.
Cloud Storage – Many data loss incidents in the Cloud are not truly security issues as much as the result of an error. It is really important to secure storage in-Cloud and to ensure that it is not publicly accessible. An error that leads to public publishing of Cloud storage buckets with sensitive information may mean that that data is available to anyone on the web. “Ensure you have strong controls in place to prevent an occurrence of this situation e.g. disallowing public buckets as a default and ongoing review/remediation of public buckets.”
Foundational Security Practices – Foundational security practices such as patching, defense in depth, and least privilege are applicable in Cloud, just as they are applicable in more traditional setups such as captive data centers or on-premises setups. Cloud can provide many additional capabilities (such as Identity and Access Management) but these additional capabilities are built on top of this foundational setup and not in lieu of it.
Defense in Depth – Defense in depth is critical. A good defense-in-depth setup will ensure that if one control fails, another can pick up the slack. A good defense-in-depth setup will include at least a Web Access Firewall (WAF), Next Generation Firewall (NGFW), Next Generation Anti-Virus (NGAV), and Endpoint Detection and Response (EDR). As an example, WAF can be extremely effective in removing malicious traffic, spam, and targeted attacks such as credential stuffing.
Creating a culture that emphasizes a security-first mindset requires more than just occasional reminders. Our panel of Alkami and client security leaders discussed why developing a “security-first” mindset is everyone’s responsibility.
With the help of our security-conscious Alkamists, we explained how a culture of security is the strongest defense against cybersecurity threats. One example we provided for building such a culture was our Information Security Steering Committee (ISSC), which gives a cross-functional team of Alkamists a say in the security process, leading to increased engagement in our security program.
We also detailed our Hacktober Games event that we hold every October to practice and raise security awareness. The event includes contests like the Strong Password Competition and Bug Bounty, which puts Alkamists to work on finding security issues. These games also remind the company that security is everyone’s responsibility.
Strengthening Cybersecurity through Community
Consequences of cybersecurity reach far beyond the individual, impacting communities, organizations, entire industries, and even nations. Our panel of security leaders discussed building an ecosystem that brings our community together for mutual advancement of all our cybersecurity postures.
Our featured security leaders included Jon Biskner, VP of Information Technology at Nicolet National Bank, David Glod, VP of Information Security at Mountain America Credit Union, John Stream, Chief Information Security Office at SwitchThink Solutions, and Paul Love, SVP and Chief Information and Privacy Officer at CO-OP Financial Services.
In providing their answers to a range of questions from attendees, the panel imparted some important security insights:
Defining community: Our security community includes more than our clients. It also includes our clients’ users. Also, FIs’ communities are more than their users. Their employees are additional active members of the security culture. All can engage in improving their passwords and investigating fraud.
Security patching during a pandemic: Our panelists have created different types of virtual private networks (VPNs), like portals that security teams can work through to deliver upgrades to machines remotely. They also detailed how they push updates remotely in stages to keep traffic clear. Keeping employees educated on security issues remains important, but engaging them can be challenging. Our panelists suggested making it personal and explaining security tips can be used at home to protect their private and family lives against threats like ransomware.
How to measure improvement: Panelists discussed comparing survey results from the Federal Financial Institutions Examination Council (FFIEC) over time to see where improvements need to be made. Using data from these results can help tailor security training to each risky line of business.
Our attendees learned a lot in this year’s CISO Summit, but the three big takeaways focused on the fundamentals of security, security by design, and staying defensive:
- The fundamentals of security remain the same regardless of where you are: in the cloud, on-premises, or using a data center.
- Build security in by design – think of it before you move into the cloud.
- Consider the depth of your defenses. Make sure you have multiple layers of control in case something fails, so you can always rely on the next layer of security.
Thank you to our panelists and attendees for another great CISO Summit!
You can watch the CISO Summit on demand by clicking the link below.