A Change in the Wind: Trading Firms More Willing to Discuss Cyber Tactics

I had a pretty good idea on December 8 last year that cyber security was going to be a big deal for capital markets firms in the New Year.

That day, we held our annual Waters USA conference, which brings together CIOs and CTOs from across the industry, both buy and sell side. I was responsible for chairing the opening C-Level panel, prior to which, we-the four CIOs and I-debated, during a conference call, the topics we should focus on during the planned 45-minute panel discussion. When the topic of cyber security came up, everybody was onboard, while at the event itself, several panels focused on cyber-related topics.

This is a departure from years past. My contacts had never wanted to delve into security-at least not in a public forum-because they were worried that they might inadvertently taunt hackers to take aim at their firm (consider the environment during the Occupy Wall Street movement), or because they felt that they didn't know enough about it to talk on the subject.

This has changed as the headlines being made, and the questions coming from board members and investors, alike, are more prevalent. Vulnerabilities like Heartbleed and Shellshock are now front-page events that demand attention.

As one CIO told me, "You can't have clients calling in and asking if our defenses are tight and have them go, ‘What do you mean?' You have to prepare talking points and ensure that the call center is ready to take those calls. It's more of a PR event. That's the phenomenon that has changed in recent years-if something comes out and it hits the press, it goes into another dimension of priority."

The VP of sales doesn't give a damn that I have to do these patches. As far as they're concerned, their projects are ‘light switches' and the light had better go on when they ask for something.

All Is Not Lost
It's easy to take on something of a nihilistic view point when it comes to defending one's environment against hackers. Take, for example, a distributed denial of service (DDoS) attack. Sure, the hackers aren't targeting information-rather, they'll shut down websites and prevent people from transacting online-although, as one security expert explained to me, DDoS attacks are often used to divert attention from a back-door infiltration. Essentially, the DDoS attack is like a boxer's jab-it's used to distract you and keep you off balance so that you don't see the cross coming before it lands on your chin. How do you stop something like that?

The good thing, though, is that there are not territorial fights that exist nowadays when it comes to security. If the security group says that XYZ changes need to be made, there won't be much push back.

But, as I alluded to in my feature on patching on page 30, the IT team can feel like it's being pulled in all directions. Every week, the business side of the company wants more enhancements on their systems, and their clients don't want to hear that they have to wait on an upgrade because they're busy testing a patch.

Technology and operations always have to run their own back-ups, upgrades and apply patches. Sometimes they require extensive, time-consuming testing, depending on how virulent the potential harm could be. That can lead to IT having to tell the business or clients that those changes they had promised a week ago are going to have to be pushed back. Such mission-critical tasks go all the way to the CEO, and when you're in IT, you don't want the CEO poking around in the dungeon.

As one executive told me, there's just never enough time. And as hackers have become more sophisticated, time has become an increasingly valuable commodity.

"Time is a killer," the executive explained. "There just isn't enough time to get all the changes into the environment that clients want and that IT wants. The VP of sales doesn't give a damn that I have to do these patches. As far as they're concerned, their projects are ‘light switches' and the light had better go on when they ask for something."