The second element is an effective organizational structure to manage the initiative. A common roadblock to implementing new security standards is a decentralized company, which can lead to inconsistent approaches to IT security across the enterprise, along with incomplete monitoring and accountability. Piecemeal fixes will not work, however: grafting a centralized security program onto a decentralized organization often results in the corporate equivalent of organ rejection.
How might banks address this issue? They can create a hybrid centralized–decentralized model, in which critical compliance activities and governance oversight are centrally managed, while less critical functions remain with the business units. Alternatively, banks can construct enforcement mechanisms that shift the burden of compliance to the heads of the business units, rather than keeping it centralized at corporate headquarters. Regardless of the specific solution, banks can manage risk exposure and regulatory compliance in a uniform fashion only if they have the requisite organizational structures in place.
The final element of a robust risk-mitigation program, customer awareness, can be a key component of a company’s defense against fraud and identity theft. A well-educated bank customer can more easily spot phony come-ons, like phishing e-mails, and avoid being deceived. In fact, many banks are finding that educated consumers are their front line of defense in reporting phishing and other fraud attempts. One basic but effective measure is to advise customers to always type the bank’s Web address into their Internet browser rather than click on a link in an e-mail, because a fraudulent e-mail can carry a link that leads to a look-alike site designed to capture the customer’s credentials.
Furthermore, making customers aware of enhanced online security is a key differentiator in the marketplace. In a 2005 survey by Deutsche Bank Research, “security offering” was far and away the most important feature to prospective online banking customers, with 87 percent calling it their top priority. A well-publicized security program could prove a significant lure to new customers in the highly competitive banking environment.
Any highly regulated industry will face similar vicious cycles of its own and should be thinking about approaches for leaping ahead of regulatory requirements. The common thread is that simply responding to regulatory guidance will never be enough. Anticipatory thinking is the only way to avoid being caught in the middle of an endless series of provocation and regulation.
Joni Bessler is a vice president with Booz Allen Hamilton in San Francisco. She specializes in strategy and operational effectiveness for financial-services companies.
Debra Banning is a principal with Booz Allen Hamilton in McLean, Va. She specializes in information assurance with a focus on IT security compliance, information-related risk management, and security program development.
Roman Regelman is a principal with Booz Allen Hamilton in New York. He specializes in growth, strategic operations, and technology for financial-services companies.