Many people feel that it creates a lot of work for people who are doing the right kinds of things already, and who already have the right kinds of controls constructed. But it doesn't really help prevent a lot of the things that Sarbanes Oxley was created around. I firmly believe that for us, it was a matter of more documentation, as opposed to having to really change our control structure. It certainly helps spur on the ability to have our HR system delete employees on the physical side as well as on the electronic side from an authorization perspective. So I believe there are certain things that have become easier for us to comply with now that SOX is around, and it's made some things easier for me to help justify why we need to unify our security and access to databases. But overall, it didn't create a great deal of change. National City had already been highly ranked on corporate governance by independent surveys.
SIW: Day-to-day, what do you consider to be the top risks that you face?
From a risk perspective, network-based attacks always concern us. Phishing attacks always concern us. Bank robberies always concern us. Our ability to safeguard our employees from a fire suppression perspective and the other kinds of life-safety threats that are out there is very important to us. Those are the sorts of risks that we face across the different disciplines.
SIW: It seems that when we go through the risks you mention - network attacks, phishing attacks, robberies, life-safety of employees - they still silo out to either network security or physical security. Is that the case, or can you treat the risk group areas in a converged manner?
We are actually in the process of designing and building a new command center where we will treat alarms or alerts from both worlds in the same way. There will be a security operator in our security command center which will be manned 24/7. They will be looking at alerts from burglar alarms, robbery, and tuned things coming off our networks IDS's. It will also be making sure that those IP-enabled security devices (alarm panels, DVRs) are network accessible.
We now view it as an even more critical need. We believe that if we've got an alarm panel out there, it needs to be able to communicate through the network. We'll also have a redundant dial system. We're starting to see more and more devices that are IP enabled. For example, if you have a door lock that is controlled by IP traffic, and someone is able to spoof that contact or cause that device through an electronic hack to open, or at the same time interrupt a video service, then someone could perhaps pick that lock, and gain access to the facility.
We're really starting to see that as more security devices get IP enabled, attacks against organizations are going to start to converge as well. Some of the romanticized views of crimes in the movies are actually going to become more real as people get more sophisticated. We've also seen a shift from network attacks done by what we call "script kiddies" (people just doing it for the glory) to it being backed by organized crime. And eventually, I think those investments by organized crime are going to be made and they'll have skills to attack network controls and network security devices as well as the old brute force through the door.
SIW: This is a very progressive idea, this idea of the converged command center. You'll have alerts coming in on intrusion alarms, alerts on network attacks, and maybe they'll have different priorities, but they'll be coming into one view. Can you tell us more about how this will operate?
Our command center will be monitored 24/7. Our geeks that monitor our firewalls, phishing alerts and all those sorts of things typically work during the day. They need to go home at night. So a lot of these alerts would be set to go to pagers or e-mail queues, and there pagers are going off so much that they tend to get desensitized to that. So for us, it's important to have a security officer that we can train to look at these alerts and ask, "Should I get the firewall engineer out of bed?" So we're thinking very hard about that so we can have work flows and queues that they can set up to be reviewed by a subject matter expert the next day if they feel this is a medium priority. But having someone who can watch the trending happen is a tremendous benefit, and it's a better use of the resources.
It's very exciting to think through and design it. And hopefully by the end of 2007 we will have it up and running, at least in its pilot stages.