Buzzword Bingo #1: 'Defence in Depth'

Mar 8, 2021

By Tom Cole, Managing Director - UK & Europe at Abacus Group

The technology industry is famous for creating new sayings, acronyms and concepts to explain absolutely everything. We’ve all been there: sitting in a meeting with execs and tech geeks throwing around tech jargon. This buzzword bingo series sets out to highlight, explain and discuss useful disciplines and technology focused on the alternative asset management industry. I’ll be your helping hand in deciphering this jargon. First up on the bingo board is Defence in Depth…

What is Defence in Depth?

We live in a digital world that is constantly open to attack. And, because there are so many potential attackers, businesses need to ensure that they have the right security in place to prevent systems and networks from being compromised. This is where Defence in Depth (DiD) comes into play. A cybersecurity model first conceived by the National Security Agency (NSA), this approach promotes the use of a series of cybersecurity defensive mechanisms, which are layered to protect valuable data and information. DiD is also known as the “castle approach” because it simulates the layered defences of a medieval castle. Imagine, if you will, that before penetrating a castle you must navigate past the moat, ramparts, drawbridge, towers, battlements and so on. If one mechanism fails, another steps in immediately to counter the attack.


It is important to note that a single technical solution, or a group of them, won’t achieve DiD on its own. People, operations, and technology all contribute to delivering a successful DiD strategy. Below is a diagram highlighting how the Abacus platform delivers DiD.

DiD Mockup (Full)

There is no silver bullet within cybersecurity. With layering, if (or when) one defence fails, another is there to contain and thwart the risk. This intentional redundancy creates greater security and can protect against a wider variety of threats. For an extensive list of controls, and to scratch that acronym itch, check out The Fan™, Northrop Grumman Corporation’s technology and process defence in depth diagram.

Why is this relevant for alternative asset managers?

Alternative asset managers harbour precious intellectual property. Regardless of your strategy, or whether your approach is high-tech or low-tech, the cybersecurity risks remain the same. Protecting your firm’s data is an absolute must. Aside from being a sound business expectation, there are other stakeholders, such as investors and regulators, who would be impacted. By recognising this widely adopted and accepted approach and aligning your firm’s people, processes and technology accordingly, you are stepping closer towards ‘best practice’. Both investors and regulators firmly acknowledge the real risk of cybersecurity.

Expectations from regulators and investors over the past decade have risen in line with this heightened risk. Particularly over the past three years, Operational Due Diligence (ODD) conducted on fund managers has become more sophisticated. Appreciation and understanding of cybersecurity disciplines and approaches (such as DiD) need to be demonstrated. I have been privy to very robust and technically thorough ODD, where analysts have been passionate about the ‘trust but verify’ mantra. Rightly so: the industry is becoming more mindful and educated about cybersecurity. Alternative asset managers must ensure they remain in line with best practice and budget for ongoing cybersecurity enhancements and improvements. The cost of prevention versus cure is frankly just common sense.

So, the next time you hear DiD, you’ve ticked off the first box on your buzzword bingo card ✔️

If you're interested in delving deeper into defence in depth and cybersecurity controls, contact us and we'll be in touch!
