Prime pickings: Application security

Applications provide the juicy data that organizations must protect, says Marcus Prendergast, CSO of ITG. Dan Kaplan reports.

In today's digitally connected world, where most companies' competitive advantage largely is based on how well they interact and serve customers over the internet, Investment Technology Group (ITG) is an anomaly. 

The New York-based brokerage and financial markets technology firm has an attractive-enough internet presence, but the site isn't as highly programmable or littered with forms, fields and interfaces as one is used to finding in cyber space. To the contrary, the highly regulated ITG purposely maintains a limited web footprint, choosing to conduct the brunt of its business behind the corporate firewall.

“We're very much disconnected from the internet,” says Marcus Prendergast, the company's global head of security since 2010. “We don't expose anything unless it's necessary to expose it. It's not as though we have to use the internet to communicate.”

As a result, the 1,100-employee company is able to mostly avoid a major risk that other organizations simply cannot: cyber intrusions designed to pierce through web applications – those front-line attacks, like SQL injection and cross-site scripting, that can lead to a jackpot of customer data. It's become arguably the most preferred vector of attack by hackers, and is believed responsible for many of the headline-grabbing breaches of the past two years, including major personal information heists at Sony and LinkedIn.

But, applications still play a vital role in ITG's business model. It's just that Prendergast is less concerned about the public-facing ones and much more interested in the security of the roughly 55 backend legacy programs, which handle stock orders and provide confidential data to ITG's 700 customers. He says about three percent of all equity trading volume in the United States is conducted via these applications and systems.