Joel Van Dyk always wanted to be a physicist.
Growing up, he was fascinated by science and technology and inspired by Star Trek and Carl Sagan. In fact, he eventually received a graduate degree in physics from New York University. When the Cold War ended, though, funding for high-energy physics research dried up, so he turned to Wall Street. Distributed digital computing and the Internet were in their infancy, and the financial industry was looking for talent to leverage the new technologies.
It turned out to be a perfect fit, and Van Dyk has never looked back. “Physics explores the unknown and distills complicated concepts so they can be used in meaningful ways,” says Van Dyk, who is the senior vice president, CISO at Convergex. “I still do the same thing when I address a security threat: figure out cost-effective ways to mitigate the risks, and explain them to our team.”
When Van Dyk began his career at Morgan Stanley in 1990, technology revolved around mainframe terminals. With the introduction of PCs, he remembers the excitement about staff being able to personally handle their own e-mail and spreadsheets. Demand for Internet access and business web pages followed soon after, though most people didn’t fully understand why they needed a website or what they would use it for.
Since then, technology capabilities and the public’s general technical knowledge have grown exponentially, along with accompanying security threats and vulnerabilities. As a result, security professionals’ strategies have had to mature dramatically.
Van Dyk believes that comprehensive and holistic approaches are the most effective strategies because they help explain threats and appropriate responses to them throughout an entire organization. “Security has to be built in from the beginning so that it’s organically part of any process or application,” he says. “That will help make it a business enabler and a positive differentiator rather than simply a roadblock.”
One of the financial industry’s most potent security tools has been the Financial Services Information Sharing and Analysis Center (FS-ISAC), a security information exchange set up by the Obama administration to disseminate details about known threats. During Van Dyk’s tenure at Depository Trust & Clearing Corporation (DTCC), where he was director and chief information security architect, he helped architect Soltra-Edge, an application that, he says, organized the torrent of daily threat intelligence information from FS-ISAC into a database. While at DTCC, he also worked on implementing effective security for the cloud—which included developing Clarient Global, a cloud-hosted company and joint venture with several investment banks, including Goldman Sachs and JP Morgan.
His goal now is to create a more effective information security program. A key part of this is Security Intelligence Event Monitoring (SIEM), a tool that organizes and logs information from numerous sources, correlates it, and produces automated alerts about threats and vulnerabilities. Such a system not only leverages FS-ISAC data, but it can also detect a firewall breach, an anomaly in an application server, or an attempt to drop unknown software into the network and recognize the connections between them.
The need for this capability is critical since attacks at every level have become constant and more varied than ever. At the same time, systems are extraordinarily complex, making it difficult for individuals to effectively navigate and manage the aggregated information.
“The holy grail is to successfully use big data and machine intelligence to automatically create graphic alerts that are easy to understand so we can respond quickly and appropriately,” Van Dyk says.
He views migration to the cloud as one of the financial industry’s most prominent trends. Having helped DTCC become one of the first companies to leverage the cloud’s capabilities, Van Dyk indicates that the cloud provides several important benefits. The first are the agility and cost-effectiveness that come with being able to scale network bandwidth and machinery up or down on demand. It also enables firms to focus their energy on core business functions rather than managing the supporting technology infrastructure.
“When mainframes were the only option, firms started hosting their own data centers and other technology operations,” Van Dyk says. “The cloud allows them to outsource those functions in an efficient and cost-effective manner and devote their attention to finance, which is where they can maximize their expertise. The key is to get the security right.”
Persistent threats, such as sophisticated government or state-sponsored actors who can infiltrate systems and then remain undetected while continuing to gather intelligence, are what currently threaten Van Dyk’s work the most. They have become even more potent due to the extensive interconnectedness of systems and networks throughout the industry, as well as the burgeoning Internet of Things, which creates even more connections, openings, and potential vulnerabilities and targets.
Van Dyk’s goal is to integrate all of Convergex’s systems, vulnerability scanning, and remediation into a single, unified process. As the prominence of the cloud continues to grow, this will require implementing uniform policies, applications, and standards across the entire cloud and internal technology infrastructure.
In spite of the many threats, Van Dyk believes the financial industry’s responses have been positive and effective. He points to the relatively low number of damaging security events as proof of the talent, expertise, and innovative approaches of the security professionals involved.
“Quite honestly, given the volume and sophistication of cyberthreats, I’m gratified that more of them don’t get through,” Van Dyk explains. “After all, the greatest challenge we face is that security processes and practices have to be successful 100 percent of the time. For the bad guys to succeed, they only need to be right once.”