Darren Guccione, chief executive officer and co-founder, Keeper Security
Jason Mallinder, group chief information security officer (CISO), managing director, Credit Suisse
Jon Pumfleet, group CISO, Close Brothers
John Skipper, CISO, Metro Bank
What does the cybersecurity landscape look like for the financial services sector in 2021?
DG: Everyone transacts with the financial sector. Covid-19 has been a catalytic event, with migration to distributed remote work, and it has triggered an exponential increase in the number of endpoints to protect. As a result, CISOs have to put controls and safeguards outside the normal perimeter and think differently.
JM: The cybercriminals don’t stand still and the threats are evolving. It’s critical to address this operational risk, which has grown because of remote working induced by the pandemic. As an ecosystem, the financial services sector needs to work together and keep re-evaluating threats. It’s often hard to explain the challenge to various parts of the business, so I like to use the analogy of building a house from scratch and forgetting the electricity. We must embed security from the outset. Of course, it’s more expensive to knock the house around after it is built to make fixes, but this is the issue organisations with legacy challenges face.
JS: When I joined Metro Bank as CISO in 2019, I had two key areas of focus: ensuring our systems and platforms were in a defendable state, through patching and controls; and improving the visibility of the network. A new security operations centre provides visibility in one place of our endpoints, our network and on our boundary points. We’re gradually layering into this application-level feeds so we can see the business results. That gives us a much better ability to spot and react correctly to suspected cyber events.
JP: There is no doubt the cyber arms race is accelerating. Cybersecurity has moved from a very opaque topic to a conventional business challenge for boards now. There is a tripartite negotiation between consumers, firms, and regulators and the government sector to understand what’s acceptable. Given the tsunami of recent headlines, people are becoming accustomed to it, but we have to work out together what “good” cybersecurity looks like. I sense we have started a more mature conversation about breaches and that’s an encouraging sign.
What are the leading cyber threats for the financial services sector and the best tools to combat cybercrime?
DG: It’s worth bearing in mind that 80% of breaches are a result of weak passwords or stolen credentials. So it is crucial to improve cyber hygiene, secrets management and visibility over the endpoints. Also, if you’re using an identity platform, which every bank does, cybersecurity defence is not a silver bullet. It requires a comprehensive strategy. It’s like having spokes on a bike wheel: things like two-factor authentication, enterprise password management, single sign-on solutions and endpoint security all must feature. The key to better protecting the organisation is to link all these products.
JM: We have to deal with third-party and supply chain cyber risks and as a sector this is probably one of the least mature areas and where innovation is needed. The criminals are smart and they will go for your weakest point. However, working with smaller business vendors, who might not have significant cybersecurity, is essential. We must be proactive and work to protect the whole ecosystem. We should move away from the term cyber “basics”; I prefer to call them “fundamentals” because they are not easy but critical. You have to have a layered approach to the controls and work with other CISOs in the sector to keep pace with the threat landscape in which we operate.
JS: We are moving to a cloud-first policy because it provides flexibility, enables us to innovate at speed and has greater scalability, while offering good security. More than that, it is possible to tap into anonymously shared cyber threat data in the cloud, which is massively powerful. Comparing our environment with what is going on in other banks is a step-change for cybersecurity.
JP: The underlying question is: does the business have the capability to spot threats, prevent them where we can, and detect and respond to everything else? The response piece has come to the fore recently and here crisis exercises are game-changing. They can help bring to life the cyber threats for businesses. With ethical hacking tests, you see visceral responses from non-technical employees. As a CISO, I have to help people join together all the dots to form a pattern that boosts cybersecurity.
What should financial services do to innovate and digitise securely?
JM: As a sector, we need to eliminate the idea that the IT department is full of security dinosaurs who say “no” to everything. We are enablers, not blockers. The role of the CISO isn’t just to find security loopholes; it’s about how you can manage risk to an acceptable level.
JP: To reduce information asymmetry and make our customers better understand the risk, I would love to see us all work more with the cyber-rating agencies that make cyber threats visible and understandable. There is an obligation to continue working towards that and finding ways to articulate an organisation’s risk appetite as a sector. We have to govern the gap between where we want to be in terms of security and where we are. Bridging this with reliable and transparent information will help me sleep better.
JS: I think there needs to be innovation around API security. Financial services is definitely one of the sectors where that balance between security and opening up data is vital. Those of us in retail banking or wealth management deal with areas of people’s lives that are intensely private for them and we need to respect this in the way we look after their data. But equally, we can make people’s lives easier if we’re sharing information between one product line and another, and we can offer them products and services that better suit their requirements. So again, we can manage risk and fraud across the sector better if we share that kind of information.
DG: It’s imperative to make sure you understand how your vendors are transacting with your systems and the libraries that are included when you talk about technology and firmware updates, because we’ve seen a lot more in terms of supply chain attacks and accessed library files. When I speak with CISOs in the financial services sector, a common thread is around identity and access management. Now CISOs in this sector and others are dealing with a lot of threats and disparate solutions. For those looking to improve cybersecurity, one word commonly comes up and it’s “visibility”.
For more information please visit keeper.io/protect