In an era of constant technological evolution, our utilization of different technologies, including mobile devices, has had massive impact on the financial services industry. As a result, the industry is facing major disruption as new technology translates into new ways of exchanging value (money). In fact, digital payment concepts are constantly developing, with technology advances changing the payment universe as we know it. Disruptive innovations, such as Apple Pay, continue to gain scaled acceptance globally. Contactless payment solutions could take us a step further towards getting rid of the security and convenience shortfalls of traditional credit and debit cards, but it’s important that a capable, secure network is put in place before digital payments can truly flourish.
The Changing Payments Landscape
The first official currency was introduced in Turkey in 600vBC and, around 1661 AD, coins evolved into bank notes. In 1946, the first credit card was introduced and since the start of this century technology advances have disrupted the world of money more than once. In 1999, European banks started offering mobile banking while in 2008, contactless payment cards were issued in the UK for the first time. Now, driven by mobile and Internet technologies, we are in the early stages of fundamentally changing how we perceive the concept of money. Financial control is no longer only in the hands of the financial industry. Today, entrepreneurial minds are connecting us to our (and others) money in new and innovative ways.
Smartphones and tablets have recently become common devices with 79.4 million U.S. consumers who shop online. According to (source) 51% of U.S. digital buyers are expected to make purchases using a mobile device. New services like Apple Pay and mobile payments (M-payments) are becoming increasingly common in financial services. The questions we must begin to consider are, who will be the key providers in the financial services market in the future and what sort of payment ecosystem will emerge? Read More »
In this environment of advanced threats along every point of the value chain, I’d like to talk about what it means for you, our customers and partners, to have supply chain security throughout the product lifecycle.
I’ve just finished a short video on this topic. I’d love to hear your feedback, insights and suggestions on securing the product supply chain.
Not long ago I was asked to attend a quarterly Board meeting of one of my healthcare clients and to present the recommendations of a Strategic Security Roadmap (SSR) exercise that my team and I had conducted for the organization. The meeting commenced sharply at 6am one weekday morning and I was allocated the last ten minutes to explain our recommendations and proposed structure for a revised Cybersecurity Management Program (CMP).
The client Director of Security and I waited patiently outside the Board Room while other board business was conducted inside. As is the case with many organizations, information security was not really taken seriously there, and the security team reported into IT way down the food chain, with no direct representation in the C Suite. The organization’s CMP had evolved over the years from anti-virus, patching and firewall management into other domains of the ISO27002 framework but was not complete or taken seriously by those at the top. Attempts at building out a holistic security program over the years had met with funding and staff resource constraints and Directors of Security had come and gone with nothing really changing. Read More »
Today, Cisco filed comments on a Proposed Rule published by the Department of Commerce’s Bureau of Industry and Security (BIS) in an effort to comply with an international agreement called the Wassenaar Arrangement. The proposal would regulate a wide array of technologies used in security research as controlled exports, in the same manner as if they were munitions. Cisco, along with many other stakeholders in the cybersecurity research field, has identified a number of significant concerns that we believe require BIS to revisit the text of the Proposed Rule.
BIS’ focus on limiting the cross-border trafficking of weaponized software is well-intentioned, but the current text would cause significant unintended consequences that must be addressed in a revised draft of the Proposed Rule. If implemented in its current form, the Proposed Rule would present significant challenges for security firms that leverage cross border teams, vulnerability research, information sharing, and penetration testing tools to secure global networks, including Cisco. The result would be to negatively impact—rather than to improve—the state of cybersecurity.
The goal of regulating the export of weaponized software is understandable. However, many of the same techniques used by attackers are important to developers testing their defenses and developing new effective responses. Cisco needs access to the very tools and techniques that attackers use if we have any hope of maintaining the security of our products and services throughout their anticipated lifecycles. The development of new export control requirements must, therefore, be done carefully and based upon the needs of legitimate security researchers. Otherwise, we will leave network operators blind to the attacks that may be circulating in the criminal underground—and ultimately blind to the very weaponized software that the proposed rule intends to constrain.
The requirements in the Proposed Rule are far broader than necessary to address BIS’ stated intent—controlling the export of weaponized software. We look forward to working with the Department of Commerce to ensure that the goals of the proposal can be met in a manner that is technology neutral, narrowly tailored to the actual risks faced by the nation, and reflective of the needs of legitimate security researchers seeking to protect the information technologies upon which we increasingly rely.
I recently had the opportunity to sit down with Roland Cloutier, Global Chief Security Officer at ADP and former CISO at EMC, to discuss how they integrate and leverage threat intelligence into their security operations centers as well as their greater security technology infrastructure. It’s pretty rare for the CISO of a F500 company to discuss what technologies they use in such an open way, but it was really a testament to the trust they have for the solutions they have chosen. To hear Roland discuss it himself, watch the video at the end of this post or read the case study.
ADP had created a much more proactive, and dare I say “predictive” security program than most. They are consuming threat intelligence from numerous sources including AMP Threat Grid to create what Roland dubbed ‘intelligence-led decision making.’ How is this different from today? Most security organizations, whether it’s analysts in the Security Operations Center (SOC) or the <<other group>> tend to be in a very reactive mode. They see an alert pop up on screen and start to scramble. It’s tough to get ahead of the game when the technology you’ve invested in is merely a reactive one. Roland and his team have spent the time to develop and execute on a strategy that has flipped this model and puts them in a very proactive situation. So how have they done this? A few key elements: Read More »