Financial institutions working in the cloud face a complex challenge: they not only have to protect and manage their customers’ data, but they also have to ensure that their security practices meet regulatory compliance standards. What do successful security practices for financial institutions look like?
As part of our monthly CISO webinar series, Wiz’s VP of Product Strategy, Raaz Herzberg, spoke with Tony Spinelli (CIO at UrbanOne and former CISO at Capital One and Equifax), Charan Singh (Managing Director of BMO Financial Group), and David Cass (Managing Director and CISO at GSR) to learn how each of them is prioritizing cloud security and extending the reach of good security practices across their organizations.
Their top takeaways:
Moving from on-prem to cloud is a large undertaking that requires expertise and careful planning.
The issue of regulatory compliance increases accountability for fintech organizations, making their cybersecurity journey significantly more complex.
Today there is greater emphasis on personalized, customer-centric service delivery, but the urge to move quickly with innovative tools requires strong guardrails and governance.
Moving from on-prem to cloud
Herzberg kicked things off with an observation and a question: “The role of CISO has always seemed like a stressful job to me, and in the financial sector you’re taking it to the next level. Do you have experience working at organizations that are in earlier or later stages in their cloud security journey?” Regarding their experiences working in the security space and the process of moving organizations to the cloud, panelists spoke mostly about how to align tools, and how to change organizational thinking.
Spinelli explained that in 2013, he was at Capital One, building a cyber program and a cloud program when “there wasn’t really any tooling available, so teams had to build cybersecurity programs themselves.” The difference he saw between cloud and on-prem was that with on-prem, teams had to make sure that data was uniform across various cybersecurity products.
Getting those formats right and making good decisions – combined with threat intelligence – is always a daunting task. In the cloud, it’s not hard to get data. You have so much data. So the question becomes: how do you use that data well? How do you make good decisions, how do you stay strong with governance, and thoughtful about your cyber program? Vulnerability management used to be a six-week process of testing and staging, but now it’s a process of going to the cloud and deleting stuff that has vulnerabilities.
He added that from a transformation perspective, a CISO or a CIO could treat the move as a fresh start. However, most organizations carry many legacy systems, and as those systems age out, big cyber problems arise. “But the most important element is that you must have the talent, the expertise, and the know-how in order to do it.”
Singh noted the complicated nature of converting to cloud. “How do you ensure that while you have on-premise tools, you also have modern tools that work the same way in the cloud? That creates challenging learning.”
Security in fintech: compliance is key
Next, Herzberg asked about the difference between the work for CISOs in financial services organizations and the work of CISOs at other tech companies. On this question, panelists aligned on the issue of compliance regulation.
Cass said that regulations are significantly more onerous, with more potential downstream consequences. “As a former regulator, having conducted these examinations… (I can say that) nobody ever gets an ‘A.’ You have matters that require attention or immediate attention; these represent risks for the financial institution, or a systemic risk, if it’s something egregious.” Cass pointed out that as organizations embrace new cloud technologies, everyone tends to want to run fast into new tech, but that strategizing and planning a move to cloud are much more important than a “lift and shift” approach.
Singh agreed with Cass, citing different regulations coming from the angles of both cybersecurity and privacy. He added that in large institutions, M&A activity expands the attack surface that must be secured. Singh also made an interesting point about the changing role of the CISO: CISOs today have more face time and influence with CEOs.
Cybersecurity leaders have a good opportunity: how do we use cybersecurity as a business enabler? For example, with Apple Face ID, how can we use biometrics as a customer experience enabler, but also, how can it be used as a cybersecurity business advantage?
Handling risk: what works?
Herzberg then turned to the question of risk, asking: what are some of the biggest challenges financial institutions face when it comes to handling risk in the cloud? Panelists aligned on the importance of building customer trust, embracing the cultural shift into DevSecOps, and understanding your risks.
Spinelli pointed out that in fintech companies, there’s a drive to provide great service, bring new products to market, and especially to be “more personalized” in service delivery. This demand to provide services that customers want – that are very personalized to them – pushes tech teams to use the newest tools and to stay agile. But when teams are moving quickly, he says, “the ultimate problem is having the right safeguards. If you have safeguards and guardrails to leverage the cloud and maintain strong governance while you’re using the greatest tech.”
Singh spoke about the cultural shift to DevSecOps. He emphasized the importance of aligning teams. “A whole dev team on one side, ops somewhere else, cyber somewhere else… you won’t get the benefits of cloud. How do you bring dev, cyber, and ops together? Having that cultural shift with modern tech and the right processes can help us.”
Cass emphasized that understanding risk is critical.
If you’re a regulated organization, the key thing is to understand your risks. From a business perspective, it’s acceptable to outsource anything. But from a regulatory perspective, you can never outsource accountability for a decision. You can put whatever services wherever you want… but from a regulatory point of view: accountability stays with you.
Automation for improving security posture
Herzberg moved on to a popular question: what are some of the best practices you follow to improve security posture? Among all panelists, the focus was on automation.
Spinelli said, “We look at automation. We used to say if it's possible to automate policies so that there's no divergence... that’s a great opportunity. Things that require paper-pushing or human toil? If you have expertise, you can automate that.”
Cass added: “Algorithm, trading apps – everything runs in the cloud. There’s no time for manual intervention. Manual intervention costs money now. So you have to have a high degree of automation, and a high degree of visibility.”
Learning from experience
Rounding out the discussion, Herzberg asked: “As security experts, what’s one mistake you’ll never make again?”
Cass: “Underestimating the amount of training the team requires on recent technology. I thought it would be a shorter learning curve.”
Spinelli: “If you want to do cloud right, do not skip steps. Take your time, and really think about governance as you do it.”
Singh: “Your job is never done in cybersecurity. Priorities are changing, new tools and technologies are coming… all of this makes you very busy.”