News & Highlights

CIO view: Transforming cybersecurity in financial services doesn’t have to be a catch-22

Matthew O’Neill, Financial Services Industry Managing Director, Office of the CTO at VMware

Who’d want to work in financial services? Sometimes it feels like the industry is being assailed from all sides: huge disruption, the demand for new, innovative business models and services, cannibalisation of existing product lines, cost-cutting disguised as transformation, ever-more sophisticated security threats, and personal accountability if things should go wrong. It all adds up to FS providers and institutions needing to truly transform both their operations and their approach to cybersecurity, and fast.

That’s easier said than done, however – according to a study we conducted with Forbes, one in three organisations still do not have cybersecurity controls aligned to transformation.

What’s causing this? It’s a case of having to balance the demands of running the bank with the need to change it. It’s something we see time and time again – IT decision makers are often tied up running the bank, which means more transformative approaches often get overlooked for more tactical fixes, including adding cybersecurity tools incrementally and reactively. Is it any wonder that VMware’s own CEO, Pat Gelsinger, has previously talked about the conversation he had with the CIO of a major bank, who admitted to using 250 different security vendors? Solutions from 250 different companies that need to be managed, updated, patched, aligned and connected to relevant apps, which in turn need constant management and updates. That’s before we even begin to think about the costs associated with maintaining the hardware and software environment, along with direct license and service renewal fees.

This isn’t finger-pointing at CIOs and blaming them for this situation. To be honest, I reckon most banking CIOs could be forgiven for thinking they’re stuck in a catch-22: they’re operating in a regulatory environment that dictates individual accountability, such as the Financial Conduct Authority’s (FCA) Senior Managers Regime, and that personal exposure adds pressure on decision makers contemplating sweeping changes. At the same time, while no one wants to be front page news for a breach, equally no one wants to find out that they have been left behind and missed the opportunity to transform.

Just to add another layer of pressure, FS providers are operating in the knowledge that even the regulators are being pushed to do more: the UK Treasury Select Committee’s demand that regulators improve operational resilience in the sector is yet another example of the pressure the sector faces.

With so much going on, the very complexity of the situation could make finding a solution too much for some. Which makes it all the more important that CIOs focus on the basics.

A foundation for secure success

Why? Because when one in three financial services organisations surveyed by VMware admitted they’ve suffered notable attacks, having effective cyber hygiene is critical.

What does that look like? Firstly, knowing where the vulnerabilities in your estate are, which starts with knowing what is actually in the estate. Look at it simply: if a device has an IP address, it is reachable, and therefore attackable. Internet-connected CCTV might be great for physical security, but because it is bought and run outside the IT function it is easily left off the asset inventory and out of the patching cycle. How ironic would it be if someone were to hack a bank via its physical security infrastructure?

Then there’s encryption, at rest and in transit, making it harder for an attacker who does get hold of data to read it. Encryption protects the data, not the login, so pair it with multi-factor authentication: a stolen or reused password alone is then no longer enough for an attacker to move from one system into the next.

Add to this patching, keeping things up to date to close known holes in the system. If we wanted to go even further, how about actually turning systems off when they are not required to be on? A system that is powered down is not exposed.

These may all seem obvious, but you’d be surprised at how many major breaches occur because organisations, not just in FS, fail to do the basics.
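The first two basics above, knowing what is on the estate and knowing what is unpatched, come down to reconciling what is actually on the wire against what IT believes it owns. As an added example (not code from the original article or from VMware), the Python below does that reconciliation over constructed sample data: a made-up DHCP-lease-style host list stands in for discovery output, and a made-up CMDB export stands in for the inventory. Every MAC address, hostname, team name and date is invented for illustration; the function names are my own.

```python
"""Reconcile discovered hosts against the asset inventory (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    owner: str            # team accountable for patching the device
    last_patched: date    # date of the last applied firmware/OS update


# Constructed CMDB export: what IT believes is on the estate.
INVENTORY = [
    Asset("00:1a:2b:3c:4d:01", "branch-fw-01", "network", date(2019, 9, 2)),
    Asset("00:1a:2b:3c:4d:02", "teller-ws-07", "desktop", date(2019, 9, 10)),
    Asset("00:1a:2b:3c:4d:03", "atm-ctrl-03", "payments", date(2019, 3, 1)),
]

# Constructed discovery data, one line per active lease: "MAC IP hostname".
# The two CCTV cameras are the blind spot: on the network, not in the CMDB.
DISCOVERED = """\
00:1a:2b:3c:4d:01 10.20.1.1 branch-fw-01
00-1A-2B-3C-4D-02 10.20.1.57 teller-ws-07
00:1a:2b:3c:4d:03 10.20.1.80 atm-ctrl-03
a4:5e:60:11:22:33 10.20.1.201 cctv-lobby-cam
a4:5e:60:11:22:34 10.20.1.202 cctv-vault-cam
"""


def normalise_mac(mac: str) -> str:
    """Canonical lower-case colon form, so '00-1A-2B..' and '00:1a:2b..' compare equal."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_discovered(text: str) -> dict[str, tuple[str, str]]:
    """Map normalised MAC -> (ip, hostname); malformed or blank lines are skipped."""
    seen: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        mac, ip, hostname = parts
        seen[normalise_mac(mac)] = (ip, hostname)
    return seen


def find_unmanaged(discovered: dict[str, tuple[str, str]], inventory: list[Asset]) -> list[tuple[str, str]]:
    """Devices seen on the network that have no inventory record at all."""
    known = {normalise_mac(a.mac) for a in inventory}
    return sorted((ip, host) for mac, (ip, host) in discovered.items() if mac not in known)


def find_stale(inventory: list[Asset], today: date, max_age_days: int = 90) -> list[str]:
    """Inventoried devices whose last patch is older than the allowed window."""
    return sorted(a.hostname for a in inventory if (today - a.last_patched).days > max_age_days)


def hygiene_report(text: str = DISCOVERED, inventory: list[Asset] = INVENTORY,
                   today: date = date(2019, 10, 1)) -> dict[str, list]:
    """Both findings in one structure, suitable for feeding a ticketing system."""
    discovered = parse_discovered(text)
    return {
        "unmanaged": find_unmanaged(discovered, inventory),
        "stale": find_stale(inventory, today),
    }


if __name__ == "__main__":
    for finding, items in hygiene_report().items():
        print(f"{finding}: {items}")
```

In practice the discovery side would be fed from DHCP leases, switch ARP tables or a scanner export rather than a string, and the inventory from the CMDB; the point of the reconciliation is that anything appearing only on the discovery side has no owner, no patch schedule and, very likely, no one watching it.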

These principles of cyber hygiene provide a foundation on which to run any operation, whether transformed or not. What CIOs now need to do is work out how to combine the need to evolve with the need to remain secure.

Incremental vs intrinsic

To combat the growing number of FinTechs and start-ups challenging the established order, CIOs need the sort of environments which support the rapid delivery of new and changing business models, services and applications, tuned to meet continually evolving customer expectations. Put simply, banks need to move away from being seen as huge, legacy, monolithic organisations with inflexible processes and systems and become nimble, modern organisations with innovative apps which empower and delight their customers and staff.

Multi-cloud can go a long way to providing that environment, that foundation. Its agility, scalability and flexibility power the nimble innovation, the apps and the future-proofed business models banks need.

But that can’t be realised if new approaches are ‘protected’ by traditional methods of security.

With cyber threats so significant and their systems so interconnected, layering tool upon tool is only a temporary solution and, in some cases, introduces more gaps of its own: every additional product is another thing to configure, patch and integrate. Rather than reacting to new threats, CIOs need to be building cybersecurity in from the start, embedding it at both the application and the endpoint level. In other words, protecting everything that connects, carries and stores data.

This is a great opportunity for CIOs to build security in, rather than the old way of ‘bolting on’, while also recognising that intrinsic security can enable greater innovation – which is increasingly where their strategic focus should be.

Accelerating the journey

Today’s financial services CIO certainly has a lot to tackle when it comes to cybersecurity strategy and practices. But what may look like a catch-22 doesn’t need to be one. The money’s there; if it wasn’t, we wouldn’t have the layering approach. What’s needed is to change from that reactive mindset. Apply cyber hygiene principles, and underpin them with intrinsic security, built in from the ground up. That’s how CIOs can balance the need for protection with the desire to transform not just banking IT, but the sector as a whole.