
Some Strategic Initiatives for Banks in 2008

By Thomas Schmidt

Financial Insights, an IDC Corp. research group, recently issued a report summarizing what it expects to be the Top 10 strategic initiatives for the banking industry in 2008. The list, compiled by research directors and analysts in North America, Europe and Asia, is intended to provide business leaders with informed opinions on the technologies required to create a competitive advantage.

Not surprisingly, Information Management (especially Information Lifecycle Management) and Data Security figure prominently on the list, occupying the first and third positions, respectively. This article looks at some of the key reasons why these two initiatives in particular will assume such importance this year.

Moving to Information Lifecycle Management
“Banks’ data resources are growing rapidly, and the growth of unstructured data in particular is dramatic,” the Financial Insights report states. “This growth in data -- in some banks, ‘explosion’ is an apt term -- has accelerated in the last few years. Effective management of data has thus become a priority. The old focus was on the management of the data infrastructure itself, especially in the areas of data warehousing, storage and security. Current initiatives, however, indicate that banks’ approach has matured. They are striving to implement an Information Lifecycle Management approach.”

Information Lifecycle Management (ILM) is an important technology control by which managers classify, place, protect and archive information, track metadata and optimize storage.

ILM is not a purchased product or service. Like IT Risk Management, it is an ongoing strategic initiative that combines people, processes and technologies to maximize the business value of information, with a focus on organizational risks and costs. The most effective organizations recognize that these disciplines intersect, and apply them in a complementary fashion.

ILM starts by categorizing an organization’s information assets according to their business value -- a process called data classification. This allows IT organizations to deploy people, processes and technology to provide appropriate levels of security, availability and performance to each class.

Data classification therefore gives organizations an opportunity to uncover and maximize business value through IT services. For example, if data classification identifies email archives as a source of legal and regulatory risk, IT may implement encryption, searchable disk-based archives, or other processes to reduce exposure. Using the categories of IT Risk to classify information supports fine-grained analysis of the IT Risk associated with individual classes of information, and helps optimize processes to mitigate risks by class.

Perceived effectiveness of ILM
How do organizations perceive their ILM efforts thus far? For the 2007 and 2008 volumes of the IT Risk Management Report, IT professionals were asked to rate their organizations’ effectiveness in implementing a variety of process and technology controls, including ILM. (In both reports, financial services institutions were represented more than any other industry.)

Although ILM ranked in the upper half of all controls for effectiveness, closely related and supporting controls fared less well. For example, Asset Inventory, Classification and Management -- essential for effective ILM -- received the poorest ratings in both volumes. The discrepancy implies that organizations’ ILM processes may be fragmented, or unsupported by the disciplines, skills and processes needed to make them effective.

The most effective organizations deploy a broad range of technology and process controls rather than concentrating resources on a few high-priority controls. Results for ILM and associated controls indicate many organizations have a long way to go toward this ideal.

IT Risk Management should apply ILM to define data protection requirements based on the value of information, and set clear information management policies. By applying ILM as a key control within IT Risk Management, banks can prepare themselves to make proper decisions regarding classification of information and its placement in information stores. Both ILM and IT Risk Management processes benefit from an integrated approach, creating a stronger and more effective IT organization, and improving the risk posture of the institution as a whole.

Data security: The battle continues
Data security’s place on Financial Insights’ list of strategic initiatives for the banking industry in 2008 comes as no surprise. With data breaches on the rise, consumer confidence waning, stricter data privacy regulations in the pipeline, and a focus on outsourcing, financial services institutions must ensure they are protecting customer data -- both internally and externally.

Moreover, as the Financial Insights report observes, the banking “environment is ever changing, increasingly hostile and complex, regardless of regional location.”

Take data breaches. The Identity Theft Resource Center announced in January that there were 448 breaches in 2007, exposing more than 127 million records. That total is up from 312 breaches in 2006 and 158 in 2005. Of the 2007 incidents, 6.9% were reported by banking, credit and financial services institutions.

But as a recent article in Bank Systems & Technology makes clear, the ongoing demand for access to client data makes data security an increasingly complex task for financial services firms.

“If companies want to prevent data breaches, damage to their brand, and huge fines, they must ensure data is protected both internally and externally, and make sure they constantly track new data privacy regulations.” (“Data Security: An Increasingly Daunting Task,” Wall Street & Technology online, November 26, 2007)

Internal threats in particular should not be overlooked.

“‘There is so much talk about phishing and identity theft coming from outside, but the biggest source of fraud comes from employees and insiders,’ Jacob Jegher, a senior analyst at Celent, told Bank Systems & Technology. ‘There are millions of knocks on a company’s door coming from outside but a low success rate. On the other hand, the number of knocks on the door from insiders is very low, but the success rate is very high.’”

According to Jegher, companies need to carry out more background checks on potential employees, further limit access to data, and use behavior analysis tools to monitor for employees trying to use resources they don’t need.

It is essential for banks to “operationalize” their security efforts. That is, they must have the ability to turn security into a standard business process -- one that is driven by policy, and is automated and measurable.

Conclusion
In a statement released at the time of the Financial Insights report, Jeanne Capachin, vice president of Research, Banking and Insurance, observed:

“This year, banks are focusing much more on back-office improvements with their technology spend. Partly because the pendulum has swung to favor enterprise-wide IT initiatives, but also because business heads are recognizing that to meet their individual goals the enterprise infrastructure must be refreshed. Product-focused investments will no longer solve the problems they are facing.”

As we’ve seen, Information Lifecycle Management and Data Security will be at the very top of banks’ strategic agenda in 2008. To that end, a streamlined blueprint is necessary for acquiring, deploying and managing solutions that protect data, systems and applications, as well as enable the enforcement of IT policies. These solutions make it easier to accommodate changing business requirements and help ensure that non-public customer and institution information is always secure and available.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.


Entire contents ©2008 InfoEdge. All Rights Reserved.