Security stops us from keeping up with boutique firms: NAB

Security is always a concern among banks, but at the Trend Micro Evolve 2013 Security Conference, National Australia Bank (NAB) head of IT Security Services Andrew Dell highlighted why banks seem to innovate slower than boutique firms that set up shop with state-of-the-art security.

Dell said that while it is fine that the local financial services industry is seeing an increase in competition due to large, global financial players, there is also a challenge from smaller, niche companies that offer either financial services or services related to the financial market.

"They're basically large financial services companies, but they have a whole bunch of benefits — they're small, they're agile, and usually they've got greenfield IT equipment, so they're able to really think outside the square when it comes to radical new banking platforms or solutions or the services they can offer," he said, referring to companies such as PayPal, which was born almost as a consequence of eBay.

In contrast, Dell said that incumbent market leaders like NAB have many existing systems and services that also need to be maintained, in addition to any new innovative features that these younger players might bring, increasing the number of security challenges they need to meet.

"We need to come up with some tools and products to react to [our rivals]. There's a sudden and urgent need for us to develop some new, competitive solution, [but] the challenge for us is the security function — how do we keep that safe?"

And simply outsourcing the development of any new financial services is a potentially rocky road, he said, warning that there are plenty of soft targets in an organisation's supply chain that hackers could target.

"We think we've got a pretty good handle on our immediate third parties ... but the challenge is, what about our provider's providers, and our provider's provider's providers, because that's more likely where the threat is going to generate from."

Dell said that within the bank, its operational security governance team has grown fourfold in size in the past year, mainly due to transformations that the bank is going through.

"We need to find that balance between governing and assuring ourselves of the posture and threats posed by our third parties, not from a malicious perspective, but just by the very nature of the relationships that we have with them, and the types of interconnectivity between our systems and theirs."