“We had a vault, there was money in it, and we had customers.”
That’s how Paul Milkman describes the old old days of banking, but as he reflected at the recent OCE Discovery conference in Toronto, keeping money and information secure is no longer as easy as swinging shut a giant metal door.
Milkman, who is the senior vice-president and head of technology risk management and infosecurity at TD Bank Group, said that the increased interconnectedness of banks, customers and data has forced financial services firms to radically rethink the way they approach and resource for protecting important assets. For example, when Milkman arrived at TD about five years ago, there were about 50 people globally that were tackling some aspect of cyber-security.
“To defend this thing (today), we’re somewhere above 250 people, just in security. We spend in the space approximately $150 million to $200 million a year,” he said.
What compounds the problem is the complexity of the infrastructure and software that a modern-day bank needs. Milkman estimates that TD runs some 200 business applications and works with a “huge” number of partners, including vendors and core processors. There are at least 24 million personally identifiable records to keep safe.
“The reality is, that’s a very large thing to defend, so we’re committed to defending it,” he said. “There are a lot of threats, and we track them at a tremendous level of detail. We’re tracking how folks are developing malware. In the 90 minutes I’ll be here today, I will personally get only the more serious vulnerabilities sent to my e-mail.”
Those threats could include everything from a new variant of a software virus to “some high school kid that wants to take a shot at (Canada Revenue Service),” he said.
From a network standpoint, meanwhile, “It’s really hard to tell where you begin and third parties begin. When is your cusotmer part of your network? If they’re using your app or trading stock, they’re effectively inside the network.”
At the moment, Milkman and his team are also spending a lot of time thinking about authentication and access issues — which of the bank’s more than 105,000 employees should be able to get at various systems and information, and under what circumstances? This means not only blocking the bad guys from getting at TD and its customers, but digging deeper than ever before to find patterns, trends and other insights that will guide security strategy from a process as well as a technology standpoint. Milkman’s talk was a good reminder that, rather than get overwhelmed by the security risks they face, they need to embrace the possibility that some answers are now within reach.
“Security is becoming all about big data,” Milkman said. “We have to track it so we now what to do about it.”
Watch the Webinar: Is Your Internet Access Putting Your Business at Risk? and download The Internet Security eBook, from Allstream.