Today's economic climate may mean belt tightening for many security officers, but Anthony Meholic already learned how to do more with less when he joined Republic First Bank after working at global powerhouse JPMorgan Chase. The senior vice president and information security officer at the bank, which serves the greater Philadelphia area, knows what it takes to protect corporate assets in a tough economy.
How do you think the economic downturn will affect security budgets? It's always been a real chore to justify an information security budget because you can't put a monetary figure on the return on the investment. Information security is there to make sure nothing [bad] happens, so if you're doing your job, nothing [bad] is happening. Given that you're already starting behind the eight ball, the economic upheaval in the banking industry is just going to put more of a burden on security professionals to get more funding. They'll have to learn how to live with less. Take good stock of your resources, the skill sets of your team, your networking infrastructure and see what you can do within the limited budget that you'll be getting.
Can outsourcing help? It's certainly part of the picture. Going from JPMorgan to Republic First Bank-from a very large international corporation that had a large budget for security to a smaller regional bank that doesn't have the [same] resources-gave me good insight on how to manage and do more with less. If you're a small or midsized bank, you might not have the resources to have an ethical hacking team like I had at JPMorgan, or you can't afford some of the more expensive tools. So you have to rely on vendors to perform some of these services. Typically, we have vendors performing our vulnerability assessments and penetration testing.
What else might help in lean times? There are things you can do with a small team or a small budget. It's going back to basics. One of my main focuses when I come into a security position is to get a really detailed understanding of the flow of confidential and restricted data. You have to know where your data is going and who it's going to; once you know and understand that, you can start targeting areas of risk. You need to have a mature risk assessment process in place so you can prioritize these risk areas. Once you prioritize the risks associated with the various areas, you can start focusing your limited resources-whether it's budget, assets or staffing-on those areas. You probably won't cover every single one, but at least you've hit all the high-risk areas.