Nutanix Security Architect Eric Hammersley discussed why financial services professionals must deploy internal security measures and work with software vendors that prioritize compliance controls in his keynote presentation to Argyle's CIO membership at the 2017 Technology Innovation & Security in Financial Services Forum in New York City on September 27. In his presentation, "Intrinsic Controls as Foundational Design Architecture for Vendors," Hammersley explained why financial services professionals should collaborate with software vendors that incorporate compliance controls into their solutions.
According to Hammersley, financial services professionals often commit significant resources to discover and purchase various software. Yet the software that financial services professionals buy may require many hours to implement.
The general process of software deployment challenges financial services professionals around the globe. In many instances, this process fails to help financial services professionals achieve their desired results.
"How do I bring things into the data center and get them deployed in a timely manner? I couldn't do it," Hammersley said. "It requires a very cyclical process, and it's very expensive."
Oftentimes, financial services professionals are forced to allocate substantial resources to find the right software vendor. They also may need to work with multiple vendors or hire internal staff to ensure that all software is compliant with industry mandates.
"The security ecosystem is massive, and it requires just more money out of your pocket," Hammersley noted. "You have to be able to fill in security gaps with your own people or a third party."
Yet security standards may be difficult to understand – even for regulators themselves. This can make it difficult for financial services professionals to implement software that meets all industry standards, at all times.
"The standards that you need to apply, the compliance controls that you need to meet and the verticals that you operate in don't provide a lot of [security] help," Hammersley stated. "Most compliance standard regulators in the marketplace today can't even agree on a standard themselves."
Financial services professionals are responsible for finding software that complies with industry mandates and learning how it works. Yet most financial services professionals lack the necessary time and resources to get the best possible results from software implementations.
"You have to figure out what standards to apply where, how products work, how to make products work within those standards and how to approach things going forward," Hammersley indicated. "It's a complicated problem, and it's one we've lived with for a long time."
Ultimately, the software vendors that financial services professionals select can have far-reaching effects on their respective businesses.
If financial services professionals choose a software vendor that offers industry-compliant solutions, they may be able to speed up their implementation efforts. Plus, these financial services professionals could lower their implementation costs and ensure consistent compliance with industry standards.
"What we need to do is make the responsibility of a vendor shift to how you use a vendor's products," Hammersley pointed out. "The vendors aren't being responsible partners in the vendor ecosystem."
Financial services professionals need to look beyond the software itself as they explore myriad solutions. By doing so, financial services professionals can evaluate the time and resources required to deploy software and select solutions that can be deployed instantly.
"We need to think about how people consume software. We consume software the same way today as we did 20 years ago," Hammersley stated. "Resource and budget constraints prevent us from being effective … with the [past] method of purchasing software."
Hammersley recommended that financial services professionals rethink the way that they approach software investments.
Rather than focus exclusively on the software itself, Hammersley suggested financial services professionals perform an extensive evaluation of a variety of software vendors. That way, financial services professionals can find out how software vendors help customers maintain compliance with industry standards.
"Vendors know how their software works because they wrote it and created it, [yet] customers [are] the ones who have to figure out how to add controls to it," Hammersley said. "You can't be expected, as a customer, to know more about a software that a vendor created."
By choosing software vendors that incorporate compliance controls into their solutions, financial services professionals can get the most out of their software investments. Also, financial services professionals that analyze software vendors closely will be better equipped than ever before to avoid compliance issues and streamline their data center operations.
"You need to talk to vendors about what their controls are and how they are implementing them," Hammersley indicated. "That way, when you use software in the data center, you can actually do something with it."
Eric is a Security Architect at Nutanix and has been on the Platform Security Team for the past three years. He leads all platform security efforts from within Engineering for the on-premises product line. Prior to Nutanix, Eric was the Chief Engineer for the Joint Staff J6 ITS at the Pentagon, where he managed all IT Engineering and Operations teams for the Joint Chiefs of Staff. The remainder of his 23-year career was spent working for the US Department of Defense as active duty military and a government employee managing DoD IT infrastructure, systems, networks and security.