Oh how the times have changed. Once upon a time I was part of a group of peers who waited for new album releases, camped out overnight for concert tickets and once even waited on line for the annual release of Strat-O-Matic’s baseball set (perhaps the nerdiest thing I’ve ever done). And all of this was done with genuine anxious anticipation. Now I’m part of a group who has been nervously drumming their fingers on the virtual table waiting for the FFIEC to release its new guidance on Internet-based application authentication.
Seriously, it’s a big deal. And so far it’s much ado about nothing.
I don’t know what the actual hold-up has been. A draft of the new guidance was leaked online last year (ironic, don’t you think) and heavily circulated a while back but no one in any position of authority has offered word one as to whether or not that’s close to what the official document will look like. But here’s my question to stakeholders throughout the banking industry: Why are you waiting for the FFIEC to spell out what you need to do?
I suppose if you’re committed to doing the bare minimum expected by the examiners and not interested in extending your solutions to adequately protect your customers that’s a sound strategy. But why do you need anyone to tell you what to do? Shouldn’t you be continually assessing your environment, keeping current with existing and emerging threats and designing controls to rein them in? That’s not only a solid business practice, it’s also heavily implied by, wait for it, FFIEC guidance. That’s right folks, if you’re supervised by any of the FFIEC sponsoring agencies they’re already expecting you to conduct periodic assessments and modify your infrastructure to mitigate and manage identified risks. But that’s really more theory than practice. All too often management is willing to wait and see what their annual exam reveals and only address those things that the examiner cares about. And because examiners typically operate under the constraints of limited hours they look at what they can and the rest just has to wait (and sometimes wait and wait and wait). So while a key requirement may not be satisfied, if the examiner didn’t have time to look into it the gap remains unchanged. Again, why does that happen?
I recently brought up this very topic during an internal meeting within my practice and one of our subject matter experts laughed at my naiveté. As he pointed out so matter-of-factly, the only reason most of the FFIEC-centric activities ever really happen is because financial institutions don’t want to fail an exam. Rare is the management team that builds out its controls in an attempt to address the so-called “industry best practices”; instead it does what it believes necessary to keep the examiners happy. And so if the FFIEC doesn’t spell out minimum requirements to authenticate and protect online banking solutions there’s little chance the industry will move in the right direction.
But what if the guidance falls short of what’s necessary to get the job done? What if it only frames the problem but doesn’t actually tell you how to solve it? Remember, the primary purpose of guidance is to raise awareness of the issue, not necessarily to tell you how to fix it.
I offer as a for-instance the most recent publication from the PCI folks. They just released a new document providing guidance for virtualized infrastructures (which is really a fancy term for cloud computing). I’ve been somewhat outspoken on this very topic because I’m not confident that in-scope infrastructures have done enough to address traditional PCI guidance in a somewhat homogeneous environment – now these same companies are chomping at the bit to move things into the Cloud. If you couldn’t properly secure and monitor a configuration where each device could be identified and configured, how are you going to be able to do it on a platform where you never really know where your information passes through? But the leadership atop the PCI council at least decided to try to frame not only the challenge but also provide some direction on what to do about it. And their guidance boiled down to this: No one can tell you how to secure relevant parts of the Cloud configuration, so the only way to be properly compliant is to make the entire configuration compliant. I’m sure that when the audience first downloaded the document they were hoping to find directions for a clear path to being able to leverage the latest and greatest technology without having to boil the ocean. Instead they were told that you have to assess the environment and introduce PCI-related controls anywhere there’s a possibility in-scope data might pass. With that one broad stroke of a digital pen they pretty much made Cloud computing a much more costly investment for those who need to comply. Their guidance didn’t solve the problem, it just defined it more clearly and delivered the bad news that there would be no shortcuts available in effort or cost. And while it may not be popular guidance it is, ultimately, right.
As for the FFIEC guidance I’d offer this as food for thought: If you have weak or deficient controls around online authentication your examiner is not going to give you a free pass because the new guidance is delayed. They’re not going to let you off the hook if you’re missing something significant simply because no one told you it was missing. You’re supposed to figure these things out for yourself, they’ve told you that time and time again. And while I won’t know for sure until I know for sure, I’m expecting their guidance will be somewhat similar to the PCI Cloud publication where they frame the problem and summarize by telling you that you need to figure things out based on your own unique infrastructure.
Seriously, don’t wait for the industry to tell you what you need to do when you should already know what that is. As Dr. Seuss advised many years ago in the great children’s book “Oh, the Places You’ll Go!”: Your mountain is waiting, so get on your way!