The boards of Australia’s top four banks increasingly see information security as an issue worthy of their focus, according to the security chiefs at ANZ, Commonwealth Bank, National Australia Bank and Westpac.
Taking part in a spirited and congenial discussion at the annual AISA conference in Melbourne, the four executives described how their organisations today regard the IS function as essential and no longer view it through the narrow lens of compliance and cost.
Over the past 12-18 months, information security “has become very topical for boards and among institutional investors,” said Ben Heyes, general manager of cyber security, privacy and operational risk at the Commonwealth Bank.
Today’s information security function is concerned with bigger issues than securing IT assets, Heyes told the audience.
“It also feeds into the trust relationship we have with our customers,” he said. “That has framed our approach to incident response – it frames the stakeholders that need to be involved.”
Such is the focus in executive ranks that CommBank has gone to the extent of preparing playbooks for key stakeholders across the business.
“There is a thirst for knowledge,” Heyes said.
Richard Johnson, CISO at Westpac, agreed that after 15 years in his role, the broader business is more ready than ever to be part of the conversation.
“Five or six years ago, if you looked at who was in the room during a scenario planning meeting, it was very much limited to the technical level,” he said.
“Now, we have scenario planning for cyber security related incidences all the way to the top.”
That focus wasn’t necessarily driven by “check-box” compliance, the executives noted, each urging financial industry regulators APRA and ASIC to take a “principles-based” approach to regulation over a prescriptive one.
It goes without saying, said Dave Powell, chief security officer at NAB, that bankers aren’t especially big fans of regulators. He said he would prefer regulators to provide a list of things a regulated entity “should” do rather than a list of things they “can’t”.
“Our regulators are progressive, and I respect that,” he said, highlighting that like the banks, financial services regulators are warming to a “risk-based approach” to regulation.
He said while it was "good 101 security principles" to apply the measures on checklists for PCI or SOX compliance, "what if that’s not how criminals are breaking in?"
If most threats are coming via phishing emails, zero-day malware and the escalated privileges that result, he said, he can think of better ways to spend a capped budget than on compliance measures.
"We need to spend it where the real threat is rather than to meet the compliance obligation,” he said.
Westpac's Johnson said the regulators have an important role to “set a minimum level of controls [for] a competent organisation to have”.
“It’s where you are doing compliance for compliance’s sake that you get into muddy water, because you consume all the oxygen in the room doing amazing security in one area, when from a business risk point of view some of that investment might be spent better somewhere else.”
Heyes described this scenario as a “negative opportunity cost for investment.”
“The role of the regulator is critical and it is to make sure the underlying environment is right,” he said. “A principles-based regulator expects and obligates the right set of behaviours.”
Heyes said the best argument for principles-based regulation was comparing the industry’s investment and changing cycles to the speed at which criminals can change tack.
“The criminals can respond so quickly, we can’t keep a rules-based set of regulations up to date. You might do a fantastic job of [complying with] it, but it doesn’t stand the test of time.”
Cloud, big data tools need to mature
The one area on which the CISOs did not agree was cloud computing, with each having a markedly different appetite for absorbing the risks of using highly automated third party services.
“Cloud presents an undeniable opportunity, in terms of agility and cost value,” said Steven Glynn, global head of information security at ANZ Bank.
“It gets the business excited, but it also comes with gotchas – it presents a security constraint. There are concerns around data security, data sovereignty, privacy and third party risks.”
Heyes noted the Commonwealth Bank - already an aggressive adopter of cloud services - has worked through some of those 'gotchas'.
“We see cloud as an opportunity at a capital level - to reduce the capital you spend on infrastructure and spend it elsewhere – and spend it on innovation and engagement channels.”
Heyes said some of the same attributes of cloud computing that make it scalable from an infrastructure perspective can also be applied to the security domain. If you deploy a set of controls into the base instances, he said, they can be replicated across your fleet.
“There are security considerations, absolutely, but there are a set of relatively new technologies that allow you to make use of cloud,” he said, citing the bank’s use of third party encryption tools.
Banks should be advocating for the vendor community to continue to build out and mature these tools, he said.
Powell was less enthusiastic, despite NAB's investment in public cloud for its public facing websites. He recommended his peers factor in the additional governance costs required when engaging with cloud providers before assuming they offer a better value proposition.
“You have got to do security operations management on every cloud provider you work with,” he said. “It’s not always as cheap as what you think it is before you add that stuff in.
“We all want to use cloud for the advantages we’ve talked about, but the security controls in the cloud aren’t where they need to be right now. There are some tools around that will allow you to encrypt data. So while it’s in the cloud, it is encrypted. But when an application needs to use that data, we need to unencrypt it and run it in the cloud, making it vulnerable while that application uses it. The solutions are there, but very limited, and most of them are application-specific. This is the big issue most of us are grappling with before we truly move with confidence.”
Powell was equally skeptical of much of the tooling promoted to security teams under the banner of ‘big data’. The industry needs better data integration tools to bring disconnected islands of data together, he said, and also better tools to visualise the results.
Heyes agreed there was a lot of value to be eked out of pulling together telemetry data from various systems to create a data-driven, responsive approach to IT security, but “none of us have cracked it yet.”
“We have some good data analytics tooling, but there is quite a big void between the sources of intelligence that are available and the ability to convert those into meaningful actions that you might triage or perform, based on indicators of an attack or a compromise,” he said.