Scary world of cyber security comes to Australia

Mark Clancy 
Cyber attacks on businesses, particularly financial services businesses, are grabbing big headlines with increasing frequency. Are the threats really so ominous? Mark Clancy provided an objective, almost calming, perspective in Australia last week.
Clancy, the chief executive of the industry-supported initiative Soltra, was in Australia last week to speak at the regular Omgeo Advisory Council Australia meeting, which is being transformed into a bigger regional group. Omgeo is a DTCC-owned company, which is in turn owned by the global banks and other big financial institutions. Soltra was formed last year by DTCC, of which Clancy was the chief information and security officer for six years. Its joint-venture partner is the not-for-profit Financial Services Sharing Information and Analysis Centre (FS-ISAC).
Matthew Chan, who heads up Omgeo in Australia, said that the Omgeo Advisory Council would become the DTCC Advisory Council globally. In the Asia Pacific region there would be a larger regional council, including the currently separate Australian chapter, along with Hong Kong, Singapore and Tokyo.
“We will be thinking about how to format and structure our activities,” Chan said. “It’s an opportunity to produce industry forums so we can bring together the buy-side and sell-side of the industry.”
Australia has about 20 members of the current council and represents a core of knowledge that can be leveraged through the Asia Pacific region.
Clancy is one of the world’s foremost experts on security for big financial institutions. He is active in the financial services and critical infrastructure communities and participates in the FS-ISAC and Financial Services Sector Co-ordinating Council (FSSCC). In addition, he serves in a leadership capacity as a vice chair of FS-ISAC’s board of directors, as a member of FSSCC’s executive committee, and leads the international co-ordination for FSSCC. If he wasn’t so affable you’d think he might be from the CIA.
Clancy said Soltra, the name of which is inspired by the ancient Scottish beacon defence system against the English, known as Soltra Edge and surrounding castles, looks to provide the defence infrastructure and the distribution channels for sharing information about cyber security.
“As a community we can share information in order to increase the attackers’ costs and also reduce our costs to defend against them,” he said. “I don’t think we will ever get to parity though… It’s asymmetrical.”
This is the interesting dynamic of the cyber security world: an attacker against a company, often a bank, can mount the attack with as little as $1000 worth of software and bombard the target company in a classic ‘denial of service’ barrage to disable its website. It may cost $1 million to defend against this.
Soltra works on the principle that if someone is going to attack you then he will probably also attack me.
“Any target is attackable if you put enough resources into it,” Clancy said. “So the key to defence is to try to exhaust the attackers’ resources.”
As a group, then, Soltra helps members to push out their capabilities not just to similar companies but also to those with whom it works up and down its value chain.
For DTCC, Soltra Edge is an on-premise software solution. What it does, according to the organisation’s specifications, is: “It enables critical entities to import structured and unstructured threat information, standardise and organise that threat information using STIX formats and route the uniform threat intelligence via the TAXII standard to devices and analysts in order to take immediate action to prevent cyber incidents.”
