Have you heard of Sutton’s Law?
It’s the principle of focusing on the obvious answer to a problem. You might recognize it better from its source, the convicted bank robber Willie Sutton, who is alleged to have answered, “Because that’s where the money is,” when asked why he robbed banks. In his autobiography, Sutton says that while he probably would have said it if asked, he actually robbed banks because he enjoyed it, loved it even. Well, that’s where the money still is – in financial institutions – and it stands to reason that the attackers targeting them enjoy what they do and find it profitable. The methods used by the attackers may have moved on, with cybercrimes rising at an alarming rate, but the end result is the same: financial loss. So what is security in the financial services industry? More to the point, how do you know if you’re being effective with your approach to security?