Cybersecurity is a moving target. Within the financial services industry, including banking and insurance, the threat of fraud is a reality all too familiar for employees in the sector. According to the IBM Institute of Business Value report, 2023 Global Outlook for Banking and Financial Markets, the cost of data breaches to the industry was 37% higher than the global average in 2022.
A strategy that has proven most effective so far
For the longest time now, we have been told that humans are the weakest link when it comes to cybersecurity. However, this awareness is not reflected in cybersecurity investments. According to Lance Spitzner, director at the SANS Institute, organisations are most likely spending 10x to 20x the time and resources on security technology as they do on securing the HumanOS – the people who work there.
“Technology is important, we must continue to protect it. However, at some point, you hit diminishing returns. We have to begin investing in securing the HumanOS also, or bad guys will continue to bypass all of our controls and simply target the human endpoint.”
Lance Spitzner
Asked which cybersecurity strategy has proven most effective in 2023, Alvaro Garrido, group chief information security officer at Standard Chartered, commented that having a people-centred cybersecurity strategy always works out well for the bank. He added that this approach is not specific to 2023; the practice applies in every condition.
“When it comes to cyber threats, the question we face is ‘how prepared, organised or ready to respond?’ because cyberattacks are not an if, but when. It is the art of seeing further, understanding more, correlating better, and then responding faster. Hence, people are our best defence when they are properly trained and have the awareness levels needed,” he continued.
He also stressed that cybersecurity is not just the cyber team's job but a shared responsibility across any organisation, one that hinges on behaviours, decisions and actions when engaging with colleagues, clients and regulators.
He acknowledged that to sustain a healthy risk culture, the team needs to live by these behaviours:
- Have a high awareness of potential risks and an ability to identify them.
- Be able to exercise good judgment and make informed decisions promptly.
- Take accountability and create a safe environment for people to call out risks, threats, vulnerabilities, and incidents.
- Take proactive and prompt action and escalation to assess and treat risks.
- Stay open to continuously learning from past successes, failures and experiences and make sustainable changes.
He further added that the sharing of threat intelligence and best practices plays a key role in helping organisations collectively defend against new and emerging threats.
“For instance, we are a member of global networks and organisations which are committed to improving cybersecurity, including the Financial Services Information Sharing and Analysis Centre (FS-ISAC). This allows us to remain at the forefront of security developments in the financial services system, engaging regularly with the sharpest minds in more than 70 countries,” concluded Garrido.
Most significant learning in 2023
For the longest time, banks and credit unions have been targets for robbery – because that’s where the money is. In this respect, things have not changed in the digital era. The good news is that banks and regulators recognise the crosshairs that are pointed at the industry.
Amid unrelenting and escalating cyber warfare, Gartner suggests that APAC banks can build on their standards of data security and regulatory compliance by embracing cloud-enabled architectures.
For his part, Garrido says that using numbers to the bank's advantage has always been critical. “Data plays an important role given that cybersecurity is highly systematic, data-driven and even repetitive,” he continued.
“Knowing where we stand and how we can improve through numbers has helped us understand where we can better simplify, standardise and digitise our processes. It ensures we continue to be safe, compliant and easy to bank with.”
Alvaro Garrido
What keeps CISOs awake
What role, particularly one in the executive suite, is without stress? That said, a Cynet study suggests that 74% of CISOs concede that stress is responsible for the high churn in the security team. While CISOs are expected to be more strategic, the same Cynet study revealed that 93% of CISOs still spend more time than they should on tactical tasks.
Garrido opines that breaches, stress and boredom are the top three things that keep cybersecurity professionals up at night. “I am a believer in working actively to avoid all three as much as we can,” he continued. “Keeping the organisation safe round the clock is not just something cybersecurity professionals have to do but there is far-reaching impact if we don’t.”
“What we do in Standard Chartered is to first hack ourselves on an ongoing basis before someone else does it. We try to be the bad guys and think about what they might want to steal, and methods used to do so.
“We have a daily (or even hourly) endeavour where we use and develop the latest technology to protect and identify new risks. This is necessary to help us anticipate and implement the necessary measures to protect our systems and data.”
He concedes that aiming to be the CISO of the safest organisation in the world is not the best goal. It could mean innovation, digitisation and simplification are not happening fast enough.
“This is where we have to know how to take risks while protecting ourselves so that we will not have to be kept awake at night unnecessarily,” he elaborated.
Tips for staying relevant
It can be argued that among the different personas in the executive suite, the CISO is a 24/7 role. As security becomes a regular part of board meetings, it can be expected that the CISO will need to step up to the advisory role.
“Many others in the field would agree when I say delivering outcomes is important, but managing senior stakeholders is our other main job,” asserts Garrido. “Hard skills are essential but so are soft skills such as knowing how to communicate, and manage stakeholders, in our line of work.”
He stressed the importance of overcommunicating where possible, so stakeholders are aware and updated on what is happening. “They need to know the risks involved and what we are doing to mitigate them so they can in turn communicate to other key stakeholders,” he elaborated.
Aside from feeding the formal channels, he advises working systematically to develop informal ones, such as collaborating with other functions. “Our success relies greatly on how other functions are delivering so we need to bring people along in our journey,” he continued.
“For organisations and especially where I am at, I like to think of myself as a CFALAHRFI – CISO for a large and highly regulated financial institution. My primary responsibility is to ensure we have covered all our bases to prevent ourselves from being an easy target.”
Alvaro Garrido
“How we do that is through technology as it helps us do less with more. It is important to take a holistic view of the advancement of digital technologies to stay ahead of the curve. Being a CFALAHRFI is not about chasing the bad guys, it is about thinking ahead of them and preventing ourselves from falling into their traps,” he added.
In the financial services industry, money and data are valuable commodities but also a significant goldmine for malicious actors. Garrido suggests that one way to better anticipate and address tomorrow’s cybersecurity challenges is to prioritise risk management over mere compliance. “This is key to long-term success and resilience, especially in our ever-evolving industry,” he continued.
The tech that worries CISOs the most in 2024
Generative AI (GenAI) is a definite concern. Garrido says the types of cyber threats the industry is seeing due to GenAI have been especially alarming, and many have gone undetected.
“We can only expect more AI-enabled incidents to come but I do not want to think it is all bad news. We need to keep up with its development to know how we can use Generative AI to our advantage. That is where reskilling and upskilling comes in.”
Alvaro Garrido
Top 3 CISO challenges in 2024
The Proofpoint Human Factor Report 2023 noted that the fluctuations in the threat landscape are a constant challenge for security teams and researchers. “The most agile threat actors change social engineering strategies and malware payloads regularly, making them a moving target that can be tough to pin down,” concluded the report.
Garrido also acknowledges that geopolitical tensions and conflicts are accelerating the volume of vitriol on social media. This rate of flow, he adds, is proportional to the likelihood of a data breach and to its perceived potency when one occurs. There are tools such as computing and automation to help reduce labour-intensive tasks, but the challenge is to be fast enough to prevent a breach from happening.
“Another ‘war’ we are fighting in the industry is for talent and skills,” he continues. “It is alarming to see a record high of close to 4 million in the global cybersecurity workforce shortage last year and a large skills gap amongst professionals. With continued economic uncertainty and an increasingly challenging threat landscape, the challenge will be to mitigate staffing issues and close the skills gap, all while being ahead of cyber criminals.”
Garrido believes that technology advancements will continue to be an asset to cybersecurity teams and, unfortunately, to cyber criminals too. Hackers are increasingly relying on advanced technology such as automation and GenAI to tamper with or steal assets.
Global organisations need to invest in preventive measures which include adopting cutting-edge technology and collaborating with enforcement bodies, regulators and other financial institutions to anticipate new threats. We also need to continue to bolster our best defence, our colleagues, to safeguard our assets and remain vigilant to the onslaught of cyber threats.