
The convergence of compliance and security in financial services organizations

Mark Guntrip | Oct 25, 2022


Compliance in the financial services (finserv) industry is an interesting beast. Most regulations merely tell an organization what they must protect — whether it’s a certain classification of data, remote system, or user — but they rarely indicate how organizations should meet these requirements.

For example, a law may dictate that organizations dealing with personally identifiable information (PII) use strong passwords, but the regulations often fail to define what makes a password strong. Is it a certain number of characters? A mix of letters, numbers, and symbols? Perhaps passwords are strong only if they are paired with multi-factor authentication (MFA)? The law doesn’t say. It’s usually up to the security team to make that determination. Whether they follow the National Institute of Standards and Technology (NIST) or the MITRE ATT&CK framework, security professionals can access very robust and specific guidelines for how to identify and stop malicious activity.

The result, of course, is that being compliant with all the appropriate regulations doesn’t necessarily mean that the organization is protected from malicious actors. Security posture is entirely dependent on how the security team has chosen to meet the outlined requirements. However, as compliance regulations expand and evolve, finserv organizations can find the goals of maintaining compliance and enforcing security being pushed closer together.

Growing complexity is the enemy of security

Rather than keeping compliance and security separate in the traditional way, companies are finding that they can achieve better results and economies of scale by combining both teams under leadership from the CIO. That consolidation would allow organizations to go from securing their workforce to ensuring that their products, services, and entire supply chain and partner ecosystem are protected from malicious activity.

Making things difficult is the fact that larger finserv organizations have numerous departments with an array of users who all require different security access. A teller in a bank branch may have no business connecting to the Internet, while a mortgage agent in the same building may need to check third-party sources for up-to-date rate information. Each role might also be affected by different regulations, making the task more complex. Traditionally, these disparate needs would require separate hardware and networking — an architecture that breeds complexity. However, complexity is the enemy of security.

Taking a Zero Trust approach

Remaining compliant while protecting against the bevy of evolving threats is one hell of a balancing act for finserv organizations. Many have adopted a Zero Trust approach to security, which turns the traditional detect-and-remediate approach to cybersecurity on its head. In its simplest form, instead of trusting everything except known threats, Zero Trust assumes that all content (and users) are untrustworthy. One key ingredient in reaching a true state of Zero Trust is leveraging isolation technology.

Isolation technology enables a context-aware approach by ensuring trust between connecting entities. Coupled with other security controls, such as a web proxy, data loss prevention, or anti-malware tools, isolation ensures security and compliance by verifying that everyone is who they say they are and that they are accessing only the information, applications, and systems they truly need to get the job done.

Here are three ways that isolation can help finserv organizations accelerate the security/compliance convergence:

1. Ensure complete visibility and control over managed and unmanaged assets.

Isolation provides organizations with the visibility and control they need to ensure security and maintain compliance of both managed and unmanaged assets. Running all web traffic through an isolated layer in the cloud ensures that no malicious activity is able to make that initial breach on an Internet-connected device and then spread through the network in search of a more enticing target. As web- and email-based threats become more sophisticated and leverage advanced evasion techniques, organizations need to stop relying on a flawed detect-and-respond approach to security and focus more on prevention.

2. Rely on cloud-native technologies.

Cloud-native isolation solutions allow finserv organizations to ensure this visibility and control at scale without impacting the user experience. Finserv organizations can simply spin up and expand security controls wherever they do business — whether it’s in a remote branch, a customer site, or a conference center across the ocean. This ability makes it possible to ensure that security controls travel with entities across borders and regulatory jurisdictions — effectively connecting compliance requirements with security posture.

3. Extend security to vendors, tools, and the entire supply chain.

Successfully connecting security and compliance allows finserv organizations to go beyond just maintaining a secure organization. Having the framework in place to ensure compliance and security together makes it possible to extend security strategies to the products and services they are providing, all the way through the supply chain and partner ecosystem. Isolation ensures that a vulnerable partner doesn’t compromise your network and that a ransomware gang is unable to use one of your Software-as-a-Service (SaaS) platforms to gain access and take down your network. A Zero Trust approach powered by isolation ensures trust between connecting entities — no matter who they are or whether you own or control the asset.

Finserv organizations have long tried to better connect compliance and security teams; however, given the convergence of regulatory requirements and security goals, combining previously disparate teams can help streamline these efforts. A Zero Trust approach powered by isolation can help organizations gain visibility and control over managed and unmanaged entities, carry security controls and compliance across borders, and extend security across the entire partner ecosystem.
