Think Beyond Compliance-Driven Security

The financial services sector is often regarded as a benchmark of IT and security. This leadership position, however, also comes at a price: Financial services was one of the first industries to be impacted by cybercrime. That comes at little surprise – as the tall tale of Willy Sutton (a prolific bank robber) tells us, when asked by a reporter why he robbed banks, he simply replied, “Because that’s where the money is.” The latest research from PwC shows that cybercrime accounted for 39% of financial services economic crime, compared to 17% in other industries.

One estimate suggests financial services companies will spend $2.6 billion by 2016 on protecting networks and other cybersecurity efforts. The cost of compliance, when graphed alongside security spending, represents a similar trend. Namely, the effort and resources exhausted on compliance is also on a steep incline, and compliance costs are as unavoidable as cybercrime. However, we will need to expand the scope of our security thinking. Focusing on compliance alone as a security strategy is not enough anymore. Just because an item doesn’t fall under a regulation doesn’t mean it’s not sensitive data. If compliance is the only basis of a data protection strategy, it risks not being secure even though it might be in compliance.

A compliance-driven view of data security simply does not equal a more secure environment. When we look at data through a compliance lens only, we often only see two types of data: Regulated or not regulated. But the reality is not that simple. Sensitive data exists beyond the realm of data that falls under compliance. Corporate secrets, customer preferences, sales contacts, the timing and planning of a new product launch, financial data – all of these are sensitive and need to be protected because, in case of a breach, they can be the source of significant post-breach losses.