In August, I gave two talks to two very different groups: the Association of Contingency Planners – Liberty Valley Chapter, hosted by The Vanguard Group, and the closing keynote to the IT bank examiners from all of the Federal Financial Institutions Examination Council (FFIEC) agencies [Federal Reserve, FDIC, Office of the Comptroller of the Currency, NCUA, and State Liaison Committee]. Yet there was resonance from both groups on several points. This three-part blog post is intended to share a few of the key points and some of the feedback from the live audiences.
The key themes were: The Power of Integration, The Problem of Extreme Complexity, and the Importance of Frameworks. There was another important theme, “Excellence,” which I’ll deal with separately.
Deploying security controls and solutions is necessary, but not sufficient. Compliance requirements and contracts with business partners or payment card processors mandate that security controls and best practices be in place, such as separation of duties, change control, encryption of sensitive data, least-privilege access control, and separation of development, test, and production environments.
However, putting a check in the box that a required control is deployed does not mean that the control is effective. A key attribute of any control is integration: the more tightly a control is integrated, the more effective it will be. That integration can be with business processes or with technology.
In the photo above (a car's remote key fob), the lock and unlock functions are integrated with the key. It is effortless to lock the car when you park. Contrast that with manual door locks. With manual locks, each time you park you have to make a decision (a risk analysis): “Is it worth climbing all around the car to lock the doors, or am I in a safe enough place to leave them unlocked?”
Yes, the car had locking capability, but because it wasn’t integrated, much of the time the car was left unlocked.
Every time you plan a security control or deploy a security capability, think integration; think about the key fob. If you make it effortless, you raise effectiveness.
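The same contrast shows up in code. Below is an added example (not from the original post or from SystemExperts) of one least-privilege control deployed two ways. The "manual lock" version relies on every handler remembering to call the check, so the control exists on paper but is not applied everywhere. The "key fob" version integrates the same check into the dispatcher, so it runs on every request and the handler cannot opt out. The names `Request`, `route`, and `dispatch` are hypothetical.

```python
"""Added example: an unintegrated authorization check beside an integrated one.
Names and the sample requests are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass
class Request:
    user: str
    roles: Set[str]
    path: str


def check_role(req: Request, role: str) -> None:
    """The control itself: deny unless the caller holds the required role."""
    if role not in req.roles:
        raise PermissionError(f"{req.user} lacks role {role!r} for {req.path}")


# --- Manual-lock version: each handler must remember to call check_role. ---

def manual_view_balance(req: Request) -> str:
    check_role(req, "customer")
    return f"balance for {req.user}"


def manual_wire_funds(req: Request) -> str:
    # The check was forgotten here. The control is "deployed" in the codebase,
    # yet this sensitive action runs for anyone (the car left unlocked).
    return f"wire sent by {req.user}"


# --- Key-fob version: the dispatcher enforces the role table on every call. ---

_handlers: Dict[str, Callable[[Request], str]] = {}
_required_role: Dict[str, str] = {}


def route(path: str, role: str):
    """Registering a handler requires naming its role; there is no way to
    register an unprotected path, so the check cannot be skipped."""
    def wrap(fn: Callable[[Request], str]) -> Callable[[Request], str]:
        _handlers[path] = fn
        _required_role[path] = role
        return fn
    return wrap


def dispatch(req: Request) -> str:
    fn = _handlers.get(req.path)
    if fn is None:
        raise LookupError(f"no handler for {req.path}")
    check_role(req, _required_role[req.path])  # runs before every handler
    return fn(req)


@route("/balance", role="customer")
def view_balance(req: Request) -> str:
    return f"balance for {req.user}"


@route("/wire", role="teller")
def wire_funds(req: Request) -> str:
    return f"wire sent by {req.user}"


def denied(req: Request) -> bool:
    """True if the integrated dispatcher refuses the request."""
    try:
        dispatch(req)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    alice = Request("alice", {"customer"}, "/wire")  # constructed sample
    print("manual path lets a customer wire funds:", manual_wire_funds(alice))
    print("integrated path denies the same request:", denied(alice))
```

The point is not the decorator itself but where the check lives: once authorization is part of the dispatch path, effectiveness no longer depends on each developer making the right call each time, just as locking the car no longer depends on the driver's mood when the lock is on the key.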
Jonathan is President & CEO of SystemExperts Corporation, a network security consulting firm specializing in IT security and compliance. Jonathan started the company in 1994. He plays an active, hands-on role advising clients in compliance, technology strategies, managing complex programs, and building effective security organizations. Jonathan brings a business focus to this multifaceted work balancing all technical initiatives with business requirements and impact.