January 17, 2019

Resting on a house of cyber cards? – WST

This week we’re talking about availability.  When you come into work each day, do you think about the lights being on, the water running, or the HVAC working?  Probably not.  Could you run your bank for a day without these utilities?  Probably not.  Let’s face it, information technology and the infrastructure that facilitates its use is now as essential to keeping our banks open as power, water, and HVAC.  Could we operate our bank for a day without information technology?  Possibly.  A week?  No.

Similar to electrical and water utilities, your information technology infrastructure is a complex and interconnected system which provides the services your bank requires to operate normally.  Do you fully understand the impact of a single component failure in your information technology infrastructure?  What will happen if the router fails?  What systems will it impact?  How long will it take to restore normal operations?  And what will this outage cost you?  If you can’t answer these questions, it is time to take a serious look at the single points of failure that exist in your bank’s information technology infrastructure.

So how do utilities like electrical power and water deliver their services in such a reliable fashion?  The answer: redundancy and the minimization of single points of failure.  A single point of failure is simply anything that can stop or disrupt a business process by its singular absence.  Single points of failure for information technology infrastructure can be electricity, cooling, servers, routers, switches, Wide Area Network (WAN) connections, Internet circuits, an application, or key staff members.  Your task as an ISO, IT Vice President, or IT Director is to identify these single points of failure, their upstream and downstream impacts, and the cost of those impacts, then determine how redundancy could be added and what that redundancy/resilience would cost to implement.  Ultimately your analysis and recommendation will inform your Board of Directors’ decision on remediating or accepting the risks identified in your analysis of your bank’s single points of failure.
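The analysis described above can be made repeatable by writing the infrastructure down as a dependency model and simulating each component's failure.  The following Python script is an added example, not code from the original tip; the bank infrastructure it models (component names, restore times, and hourly outage costs) is entirely constructed for illustration.  Each component lists the things it needs, and a need is a group of alternatives: a group with more than one member is where redundancy exists.  Failing one component at a time and checking which business processes go down identifies the single points of failure, multiplies the estimated restore time by the hourly cost of the affected processes to price the outage, and shows how the list changes once a redundant twin is added.

```python
from __future__ import annotations
import copy
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    # Each requirement is a group of alternatives: the node is up only if every
    # group has at least one alternative that is up.  A group of size > 1 is redundancy.
    needs: list[tuple[str, ...]] = field(default_factory=list)
    hours_to_restore: float = 0.0    # estimated repair/replace time (0 = logical node or process)
    hourly_outage_cost: float = 0.0  # set only on business-process nodes


# Constructed sample model of a small bank's infrastructure (hypothetical names and figures).
INFRA = {n.name: n for n in [
    Node("utility_power", hours_to_restore=4),
    Node("generator", hours_to_restore=8),
    Node("power", needs=[("utility_power", "generator")]),          # either source suffices
    Node("cooling", needs=[("power",)], hours_to_restore=6),
    Node("core_switch", needs=[("power",), ("cooling",)], hours_to_restore=8),
    Node("wan_a", hours_to_restore=24),
    Node("wan_b", hours_to_restore=24),
    Node("router", needs=[("core_switch",), ("wan_a", "wan_b")], hours_to_restore=8),
    Node("core_banking_server", needs=[("core_switch",)], hours_to_restore=12),
    Node("teller_system", needs=[("core_banking_server",), ("core_switch",)], hourly_outage_cost=5000),
    Node("online_banking", needs=[("core_banking_server",), ("router",)], hourly_outage_cost=3000),
]}


def is_up(infra: dict[str, Node], failed: set[str], name: str, memo: dict[str, bool]) -> bool:
    """True if `name` is operational given the set of failed components (memoised DAG walk)."""
    if name in memo:
        return memo[name]
    if name in failed:
        memo[name] = False
        return False
    up = all(any(is_up(infra, failed, alt, memo) for alt in group) for group in infra[name].needs)
    memo[name] = up
    return up


def impact_of_failure(infra: dict[str, Node], component: str) -> list[str]:
    """Business processes (nodes with an outage cost) taken down when `component` alone fails."""
    memo: dict[str, bool] = {}
    return [n.name for n in infra.values()
            if n.hourly_outage_cost > 0 and not is_up(infra, {component}, n.name, memo)]


def single_points_of_failure(infra: dict[str, Node]) -> dict[str, tuple[list[str], float]]:
    """Map each physical component whose loss stops a process to (downed processes, outage cost)."""
    result = {}
    for comp in infra.values():
        if comp.hours_to_restore <= 0:        # skip logical nodes and the processes themselves
            continue
        downed = impact_of_failure(infra, comp.name)
        if downed:
            cost = comp.hours_to_restore * sum(infra[p].hourly_outage_cost for p in downed)
            result[comp.name] = (downed, cost)
    return result


def add_redundant(infra: dict[str, Node], original: str, twin: str) -> dict[str, Node]:
    """Copy of the model in which `twin` is an equivalent alternative to `original` everywhere."""
    new = copy.deepcopy(infra)
    src = new[original]
    new[twin] = Node(twin, needs=list(src.needs), hours_to_restore=src.hours_to_restore)
    for node in new.values():
        node.needs = [g + (twin,) if original in g else g for g in node.needs]
    return new


if __name__ == "__main__":
    for comp, (downed, cost) in sorted(single_points_of_failure(INFRA).items(), key=lambda kv: -kv[1][1]):
        print(f"{comp:22s} takes down {downed}  est. outage cost ${cost:,.0f}")
    after = single_points_of_failure(add_redundant(INFRA, "core_switch", "core_switch_b"))
    print("remaining after adding a second core switch:", sorted(after))
```

Components with a redundant partner (utility power and generator, the two WAN circuits) never appear in the output, while cooling, the core switch, the router, and the core banking server do; the priced outage for each is the figure to set against the quote for adding redundancy when the remediate-or-accept recommendation goes to the Board.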

There can sometimes be resistance to investing ever more money in information technology infrastructure.  While there are legitimate concerns surrounding over-engineering of solutions, IT for IT’s sake, and a ballooning budget, the default “no” should be avoided.  It is agreed that you don’t put a $100 fence around a $10 house, and there will be times when clear-headed decision making arrives at the “no” decision.  However, that decision must rest on a thorough analysis of the risks, the cost of the negative impacts, and the cost of remediation.  It should be made carefully, pass the scrutiny of business justification, and be defensible during a regulatory review.
