The financial cybercrime landscape has changed considerably with organized crime shifting its focus to companies rather than organizations and Russian cybercriminals "coming out of the closet" as the geopolitical climate changes, Steven Chabinsky, general counsel and chief risk officer at CrowdStrike, told attendees of the 2015 IAPP Privacy Summit in Washington.
"It's difficult to harden everything," said Chabinsky, speaking as a panelist on financial cybercrime and privacy. Recent major breaches, he noted, have been spawned by third parties or vulnerabilities that were outside the purview and control of the breached companies' networks.
Chabinsky noted "fundamental changes" in how financial institutions are looking at security.
"They're moving away from 'after the fact,'" he said, toward a strategy that is more "behavioral based." He advocated a security approach that is "contemporaneous, comparative and cloud-based," one that detects intrusions by looking at the "state of a computer," what it does and how it functions. He noted that while a museum may not know whether an intruder might be a visitor hiding in the bathroom after hours or a security guard gone bad, it does "know the Hope diamond should not move from its pedestal."
Intruders spend an average of 201 days in an organization's system, Shane McGee, chief privacy officer at FireEye, told the audience. The panelists, who also included Byron Hawkins, senior manager, financial services - IT risk and assurance at Ernst & Young, and moderator Christine Frye, senior vice president, chief privacy officer, at Bank of America, urged privacy officers and CISOs to work together.
"The success stories I see are from when privacy and security have regular conversations," Hawkins said.
They also noted that there's a real need for HR to be brought into the discussion on privacy.
Privacy is "increasingly bringing different parties to the table," said Frye.