Lessons in IT Security From the Credit Crunch

I read an article in the Financial Times Corroded to the core: How a staid Swiss bank let ambitions lead it into folly. It struck me how relevant this is to IT Security.

UBS’s current losses were triggered by the meltdown in the US subprime mortgage market. But the seeds of the bank’s downfall were sown a decade earlier. That was when UBS lost almost Sfr1bn from its exposure to Long Term Capital Management, the hedge fund that collapsed in 1998. The episode persuaded UBS executives the group could never again allow its investment banking arm to risk undermining the trust of its super-rich private banking clients.

UBS introduced tough procedures for vetting the bank’s exposure to risk. The process, controlled by executives based at UBS headquarters in Zurich, earned the bank the reputation as one of the world’s most prudent lenders. But there were flaws in its design. The process focused on credit risk – the likelihood that a borrower or counterparty will default. But UBS paid less attention to market risk – the effect of market fluctuations on assets held on the bank’s books

So UBS had the equivalent of a security breach and overreacted by putting too much security in place. As it turned out, they put the wrong procedures in place and didn’t actually solve the problem.

UBS was also grappling with other problems. The creation of DRCM had sapped its fixed income division of many of its best traders and made it difficult for the bank to attract talented replacements. Meanwhile, the bank’s risk managers were exasperating bankers and traders with what many saw as their excessively cautious approach. “The control functions were seen to overstate risk so much that they lost quite a chunk of credibility,” says one person familiar with the bank’s operations.

Bankers marvelled at the caution with which UBS approached private equity loans while ignoring much bigger problems. “We had 20 people on the beach looking at grains of sand with microscopes when the tsunami came along and wiped everybody out.”

And this is a problem with a lot of IT security today. Some parts of the Security industry are overmarketing, overhyping and make too much noise about security. The risk is that people will become tired of listening and begin to ignore the message. I call this security-fatigue, and its human nature (think about charity-fatigue and drop in donations as people are tired of being asked for donations).

As Bruce Schneier points out that IT Security is becoming either incomprehensible or improbable for many companies but just a part of the process for most people.

As part of a Network Design process, I welcome the reasonable application of security, with a considered and balanced approach both from the top and the bottom. I look forward to having Security people moderate their message and be considered and practical about Security Implementation.

As the UBS found out, details count but its the big picture that matters : we don’t want “people on the beach looking at grains of sand with microscopes when the tsunami came along and wiped everybody out”.