Wednesday, March 24, 2021

Cybersecurity 101

A quick introduction to cybersecurity



(note : I am writing this in a "top-down" approach; i.e. from business, risk management, to finally the role of cybersecurity. This duplicates the approach ISC2 took for its CISSP certification.)



Business Portion 

  • Businesses (that have the luxury to think ahead) have a team and process to plan for risks, because risks can bring business to a halt
  • The plan to address business risk is called a Business Continuity Plan (BCP). 
  • The goal of the BCP is to secure (protect) assets, such as people, equipment, buildings, and data - all needed to run a business.
  • BCP starts with ASSESSING the value of your assets : to do this, catalog all assets and calculate the RISK impacting your business, where RISK = impact * probability
  • Evaluate how you want to MANAGE the risk :
    • accept the risk - it might happen but that's OK (loss of life is NOT OK to accept)
    • mitigate the risk - reduce the risk using protection, training
    • transfer the risk - buy insurance
    • avoid the risk - move, don't do business
    • reject the risk - deny that it will happen
  • Security, as part of risk management, codifies how to protect people, property, and data:
    • policies : rules / law
    • procedures : steps
    • baseline : configuration
    • guidance : optional
  • Information Security, a subset of security : the business needs a plan to ensure that ALL data assets, both physical (a printout of the financial forecast) and electronic (code for the next software release), are protected against misuse and theft through governance, which entails:
  • Cybersecurity, a subset of information security : focuses on electronic data at rest, in use, in motion

Tech Portion - Cyber Security

  • CyberSecurity : a subset of Information Security, focused on the electronic data aspect of Information Security
  • What does CyberSecurity care about? The 3 CIA tenets (per ISC2):
    • C = Confidentiality : keep sensitive data secret so that only authorized people can read it, usually via strong encryption; sometimes also called Privacy
      • Encryption : DES, 3-DES, AES
    • I = Integrity : no un-authorized changes to data, usually using hashing
      • Hashing : MD5, SHA1, SHA2
    • A = Availability : data can be used at the right time, right place
  • Since the advent of the original CIA tenets, variants and additions have appeared, as seen in more modern interpretations of "CIA":
    • Authenticity : data can be verified to be sent from originator, usually using digital signature
    • Non-repudiation : sender of data cannot claim that they did not send it, usually using digital signature
  • Access control follows the AAA framework:
    • Authentication : only allowed people can access information
    • Authorization : allowed people doing allowed actions on information
    • Accounting : logging of all activities centered around information 
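The integrity and authenticity tenets above are easy to confuse, because both are "usually done with hashing or a signature". The following is an added example (not part of the original post) that shows the difference using only the Python standard library: a plain SHA-256 hash (a SHA-2 family function; MD5 and SHA-1 from the list above are no longer collision-resistant) detects accidental or unauthorized modification of a record, but anyone who can change the record can also recompute the hash, so a plain hash alone cannot prove who produced the data. For authenticity the example uses an HMAC under a key shared between originator and verifier as a stand-in for a digital signature; the record text and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data asset, in the spirit of the post's "printout of a financial forecast".
RECORD = b"FY2021 forecast: revenue 1.5e12 USD, growth 7.4%"


def digest(data: bytes) -> str:
    """Integrity check value: SHA-256 of the data (unkeyed)."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_digest: str) -> bool:
    """True only if the data still hashes to the digest recorded earlier.
    compare_digest avoids leaking where the two values first differ (timing)."""
    return hmac.compare_digest(digest(data), expected_digest)


def tag(data: bytes, key: bytes) -> str:
    """Authenticity tag: HMAC-SHA256 under a key only the originator and verifier hold."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_authenticity(data: bytes, key: bytes, expected_tag: str) -> bool:
    """True only if the tag was produced over exactly this data with this key."""
    return hmac.compare_digest(tag(data, key), expected_tag)


def demo() -> dict:
    """Run the checks against the original record and a tampered copy."""
    key = b"shared-secret-demo-key"  # constructed; a real key comes from a key store, never source code
    stored_digest = digest(RECORD)
    stored_tag = tag(RECORD, key)

    # An unauthorized change: one figure in the forecast is altered.
    tampered = RECORD.replace(b"7.4%", b"9.4%")

    return {
        # Integrity: the stored hash no longer matches the altered record.
        "original_integrity": verify_integrity(RECORD, stored_digest),
        "tampered_integrity": verify_integrity(tampered, stored_digest),
        # Limit of a bare hash: whoever altered the record can simply recompute it,
        # so integrity alone says nothing about who produced the data.
        "tampered_with_recomputed_hash": verify_integrity(tampered, digest(tampered)),
        # Authenticity: without the key, the altered record cannot be given a valid tag,
        # and a tag made with a different key is rejected.
        "original_authentic": verify_authenticity(RECORD, key, stored_tag),
        "tampered_authentic": verify_authenticity(tampered, key, stored_tag),
        "wrong_key_authentic": verify_authenticity(RECORD, b"some-other-key", stored_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {ok}")
```

Because an HMAC key is shared by both sides, either party could have produced the tag; that is why the post lists digital signatures (a private key held by the sender only) for non-repudiation, which this keyed-hash example does not provide.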

Tuesday, March 16, 2021

Financial Services : Blockchain enables cost reduction and service revenue growth

Abstract 

Financial services is considered a supersector by the U.S. Bureau of Labor Statistics. In the U.S. alone, financial services contributed $1.5 trillion, or 7.4%, to the U.S. GDP. But like every other product and services industry, financial services is looking at digital transformation to both decrease cost and grow revenue. Blockchain is often one of the key technologies that rises to the top of mind. What makes blockchain so useful in financial services? Quick answer : it is blockchain's ability to provide a single source of truth to multiple systems, users, and places that makes it powerful.

Background

Financial services, just like any other enterprise, wants to become more efficient and find new ways to make money. Digital transformation is often looked at as one of the enablers. An example can be seen here

Challenges in the Financial Services - Fintechs Disrupting Tradition

Financial services, due to its size, history, and regulatory constraints, is not inclined to be agile or an early adopter of digital transformation. However, disruption has already begun, arguably right under its nose. Some examples:

  • Payments : Stripe, valued at $115B, with a focus on on-line payments, eating into the potential of credit cards
  • Stocks : Robinhood's offer of zero commission and its appeal to future investors
  • Savings : Bitcoin (cryptocurrency can be used as a store of value and to transfer fiat money), elevating Coinbase
What is an incumbent to do?

Capital Markets in Financial Services

Within financial services, there is a segment that serves the capital markets. Capital markets serve as the marketplace for 1) equity and 2) debt. Like all markets, there are buyers and sellers. But instead of fruit or art, capital markets match sellers of equity (shares of stock) to buyers of equity, and sellers of debt (loans, bonds) to buyers of debt.

The systems used to line up sellers with buyers involve 1) processes that rely on 2) financial market infrastructure (FMI) systems. The FMI system is considered critical in the eyes of the U.S. government - so much so that it is even governed

Focusing on the equity market scenario : a typical trade is done in three steps invisible to the trader: 1) execution 2) clearing 3) settlement. The execution step is focused on capturing the order at the exact time and price at the time of the order. The quickness of the execution step means that the fiduciary checking of ownership of the underlying stock, and of the availability of funds, is deferred to later. That is where clearing comes in. In the third step, the actual transfer of title of the stock to the buyer, and the transfer of funds to the seller, happens. This does not happen in real time, which is known as the T+2 phenomenon.


Blockchain Value

The value of blockchain is that it unifies data that is 1) scattered across different systems, 2) used by different, potentially opposing, users, and 3) spread across the globe. Databases had a good start on this requirement with the ACID guarantees of an RDBMS - but an RDBMS was mostly designed for use by a single system, by "one" set of users, and running locally. Distributed databases started to handle more of this, but did not handle the "potentially opposing users" case. A way to handle this is a consensus mechanism.
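To make the "single source of truth" claim concrete, here is an added example (not from the original post, and not any real blockchain's code) of the one property that underlies it: a ledger of settled trades in which every record commits to the hash of the record before it, so that rewriting history is detectable by anyone holding a copy. The trades, party names and prices are constructed sample values. The example deliberately stops short of consensus: it shows why a hash chain alone is not enough when the attacker controls the tail of the ledger, which is exactly the gap a consensus mechanism between opposing parties is meant to close.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample trades (symbol, quantity, price, buyer, seller).
TRADES = [
    {"sym": "ACME", "qty": 100, "px": 10.0, "buyer": "A", "seller": "B"},
    {"sym": "ACME", "qty": 50, "px": 10.5, "buyer": "C", "seller": "A"},
    {"sym": "XYZ", "qty": 200, "px": 5.0, "buyer": "B", "seller": "C"},
]

GENESIS_PREV = "0" * 64


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str   # hash of the previous block: this is the chain link
    trade: dict      # the settled trade this block records
    hash: str        # hash over (index, prev_hash, trade)


def block_hash(index: int, prev_hash: str, trade: dict) -> str:
    # Canonical JSON (sorted keys) so every party hashes identical bytes for the same record.
    payload = json.dumps({"index": index, "prev": prev_hash, "trade": trade}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def make_block(index: int, prev_hash: str, trade: dict) -> Block:
    return Block(index, prev_hash, trade, block_hash(index, prev_hash, trade))


def build_ledger(trades: List[dict]) -> List[Block]:
    """Append each trade as a block linked to its predecessor, starting from a genesis block."""
    ledger = [make_block(0, GENESIS_PREV, {"genesis": True})]
    for t in trades:
        prev = ledger[-1]
        ledger.append(make_block(prev.index + 1, prev.hash, t))
    return ledger


def validate(ledger: List[Block]) -> Tuple[bool, int]:
    """Return (ok, index_of_first_bad_block); the index is -1 when the chain is intact."""
    for i, b in enumerate(ledger):
        if b.hash != block_hash(b.index, b.prev_hash, b.trade):
            return False, i  # block contents no longer match its own hash
        if i > 0 and b.prev_hash != ledger[i - 1].hash:
            return False, i  # link to the predecessor is broken
    return True, -1


def tamper(ledger: List[Block], index: int, new_trade: dict) -> List[Block]:
    """Rewrite one historical block, recomputing its own hash (as a careful attacker would),
    without touching its successors. Returns a new ledger; the input is left unchanged."""
    copy = list(ledger)
    b = copy[index]
    copy[index] = make_block(b.index, b.prev_hash, new_trade)
    return copy


def demo() -> dict:
    ledger = build_ledger(TRADES)
    altered = {"sym": "ACME", "qty": 5000, "px": 10.5, "buyer": "C", "seller": "A"}
    return {
        "intact": validate(ledger),
        # Rewriting a block in the middle: its successor still commits to the old hash.
        "middle_rewritten": validate(tamper(ledger, 2, altered)),
        # Rewriting the last block: no successor exists to contradict it, so the chain
        # alone cannot tell; detecting this needs other parties' copies and consensus.
        "tail_rewritten": validate(tamper(ledger, len(ledger) - 1, altered)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} ok={result[0]} first_bad={result[1]}")
```

The middle rewrite is caught at the block after the altered one, since that block still embeds the original hash. The tail rewrite passes, which is the point: a shared ledger among opposing parties is trustworthy only if no single party can unilaterally decide what the latest block is.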


Conclusion 

Blockchain can be an invaluable technology for the financial services sector because it provides a single source of truth that ties multiple different systems together. A single source of truth means that stock trades can settle at T+0 speeds, freeing up capital, enabling more services built on the data, and keeping up with the Fintech evolution.