by Hamish Barwick

Regulation proves security headache for CBA’s CIO

Nov 09, 2011
3 mins
Risk Management

A new approach to information security is needed by both the financial services and security industries to allow banks to better protect their customers’ assets, says Commonwealth Bank of Australia (CBA) chief information officer, Michael Harte.

Speaking at the Australian Information Security Association (AISA) 2011 conference in Sydney, Harte said the extra security controls placed on the banking industry by government regulators were a distraction from what is arguably a bigger threat to customer and company data.

“We’re told by the regulators that we have to know every single person who has access to our system, monitor who is in there and what they’re looking at,” he said.


“We’ve ended up in a situation where we spend more money protecting internal assets from our staff than we do protecting them from Russians, Brazilians and other people who want to steal the money.”

Harte said he would much rather see a realignment of information security spending towards battling international cyber criminals.


“We know we need to be compliant and respect the value of that data but locking things up too tight is not the way of the future,” he said.

Security regulations also created what Harte called a “paradox” for the bank: it had to balance customer trust against its requirement to gather information about customers’ long-term financial needs, such as mortgages.

To overcome this, Harte proposed that CBA make the information it held on customers available to them through a secure repository where they could view all of their “digital artifacts” such as age and health information.

“They could also choose to send this personal information to their doctor, health provider or insurance company,” he said. “The important aspect is that the customer has control over which third parties can view that information.”

In addition, CBA’s online services, which were part of a core banking modernisation project that began in April 2008, needed to become cheaper and more open or face competition from low-cost providers, Harte said.

While the financial services industry is able to collect huge amounts of data on its customers, Google and other Web-based companies could offer this service at a tenth of what it costs CBA, he said.

“These companies can gather up more relevant information around the person’s preferences and put them into a position where they will tell the consumer what is the best deal in insurance, asset management or banking,” he said.

“If we are not open, convenient and low cost like companies such as eBay can be, we are going to be competed out of the race,” he said.
