As one of the largest financial institutions in the world, Standard Chartered Bank is under no illusion that it can function without complete protection of its IT infrastructure. Yuval Illuz, Group CISO, COO, Trust, Data and Automation, Operations, Standard Chartered Bank, discusses what it means to operate with a secure approach, how Europe is placed to deal with cyberthreats and some of the security implications of being such a large, established enterprise.
Yuval, you are the CISO (and COO) of Standard Chartered Bank – what does this mean in terms of the cybersecurity challenges you face?
Protecting our customers’ data and privacy is a top priority at Standard Chartered and essential to maintaining their trust in us as we continue to live our brand promise to be ‘Here for good’. With the behavioural shift underway towards digital banking and channels, coupled with the dynamic cyberthreat landscape, it is imperative to have robust security controls in place. We are committed to industry best practices and compliance with applicable regulations in all the regions that we operate in. While we continue to deepen our cybersecurity capabilities to counter threats, we also place an equal emphasis on strengthening our security culture in the bank by enhancing information and cybersecurity awareness to build a culture of secure conduct among our employees: our own human firewall, if you will.
What cyber trends are looking to be the most prevalent for the year ahead?
The growing number of organisations moving their workloads and operations to the cloud presents a heightened risk of inadvertent data exposure. This oversight can have severe ramifications for data security. The number of financial institutions affected by cloud data breaches has grown dramatically in the last two years. Enterprises will have to continuously improve their cloud approach and strategy to avoid the significant regulatory fines that continue to make headlines.
One of the dominating trends in the past year, which has persisted in 2020, was targeted ransomware attacks. We believe that this threat continues to be highly visible, as coordinated attacks by various threat actors could pave the way for even more destructive attacks that could paralyse organisations.
How would you describe Europe’s current cybersecurity landscape?
European policy in cybersecurity and privacy has undergone a paradigm shift in recent years in the wake of a Digital Transformation that has enabled new business models and shaped entire industry landscapes. As businesses go digital, they are collecting more personal and financial data about their customers than ever before. There is also no doubt that Europe remains a region of focus in terms of targeted cybercrime activity. As such, there has been a pressing need to scale up policy and regulation to ensure that businesses operate in a secure fashion and that cybersecurity concerns do not unduly impede the progress of Digital Transformation.
With the introduction of the General Data Protection Regulation (GDPR), the Directive on Security of Network and Information Systems, and the proposed development of an EU Cybersecurity Certification Framework, Europe is now considered to be the epitome of cybersecurity and privacy.
Are there any specific countries within the region that you think are lagging behind when it comes to operating with a secure approach?
In the last 15 years we have seen cybercrime increasing in sophistication, targeting governments, institutions, business and personal lives – and there has been a concerted effort across Europe to ensure that nationwide standards, regulations and law enforcement approaches are in place to respond accordingly.
Still, no country today is ahead of cybercriminals. Threat actors have no boundaries, do not have to wrestle with policy and regulation, and freely trade information with one another. With technology advancing rapidly and embedding itself deeper into our lives and the ecosystem, organisations need to realise the importance of continued investment in cybersecurity. The security awareness aspect must also not be overlooked as humans can play a proactive role in being part of a human firewall, versus being seen as ‘the weakest link’ – an often repeated, but inaccurate, adage.
How is Europe placed in terms of dealing with evolving cyberthreats five years from now?
The EU Cybersecurity Act is an excellent opportunity to define a common and unifying set of cybersecurity regulations and develop an efficient certification landscape by building on existing initiatives, harmonising processes and leveraging the profound expertise of national cybersecurity professionals. The proposed development of an EU Cybersecurity Certification Framework can be a key instrument to enhance public trust in digital services. The need for security and privacy is no longer limited to governmental applications or payment systems.
Staying vigilant and constantly monitoring the threat landscape must also be part of governance. As threats and attacks need to be communicated and properly handled across all sectors, the EU should encourage the adoption of industry-wide cybersecurity incident simulation exercises, which will strengthen the overall cyber-resilience of Europe.
What are some of the security implications of being such a largely established financial institution?
As Standard Chartered continues to embrace new and emerging technologies, we will need to enhance security in our design methodologies. For instance, as institutions such as ours continue to connect more gadgetry and services to the Internet, the logical endpoint of our infrastructure will be extended accordingly. Threat actors are increasingly exploiting application programming interfaces, especially the legacy ones, which were designed without connectivity to the cloud in mind. For established financial institutions, such attacks will continue to mount.
Given our scale and size, we have a diverse team which we are very proud of. It's crucial to create a culture, across all regions and countries, where we are able to position the issue of cybersecurity in a way that it doesn't mistakenly get considered as just a 'technology issue' when it fundamentally involves the business and people. To ensure that our employees and clients stay abreast of developments in cybersecurity and take the necessary measures to defend themselves, we will continue to run sustained, targeted security awareness initiatives. Continuous learning is constantly being matured to make it more engaging and impactful via gamified techniques that incentivise secure behaviour and encourage employees to take a proactive role in maintaining our customers' trust.
How important is the protection of consumer data and what safeguarding practices do you have in place to ensure this?
The protection of consumer data is a top priority for us. We use technology to provide a borderless, reliable and efficient service, and are committed to protecting our customers’ and the bank’s data and assets from cybersecurity and resiliency threats. We regularly update our policies, standards, guidelines and tools to protect our information assets. These ensure that cybersecurity risks are identified and managed in a consistent way across the group. Our framework also incorporates comprehensive control requirements set out by key regulators in the regions we operate.
We also continually upgrade our security capabilities to respond to the evolving threat landscape by partnering with leading cybersecurity providers and expanding our security technology, recognising that everyone plays a role in cybersecurity defence.
What best practice advice would you give to someone looking to become a cyber professional in a role similar to yours?
To succeed today, one must be in a constant state of adaptation, continually unlearning some old rules (but do learn from the past) and relearning new ones. That requires continually questioning assumptions about how things work and challenging old paradigms. It is the people who have proactively worked to expand and diversify their skillsets who will be best placed. The choice is simple: act or be acted upon.
Collaboration and sharing are just as important as any technical role. Build your connections, inspire a knowledge-sharing culture and it will come full circle. Be receptive to change and adopt the new way of working; reduce risk by shortening the delivery cycles. Most importantly, do not shy away from mistakes, as the challenges we have to solve often take several attempts because they are some of the toughest in any industry.
What is the most important lesson you’ve learnt as a CISO?
Collaboration by all means. Firstly internally, to collaborate with the business to understand their needs, priorities and strategy and align our strategy to be an enabler of their vision.
Secondly, collaborate externally, including sharing data. Collaborate with the regulators, peers, governmental agencies and anyone that can help in protecting the ecosystem.
Overall, the CISO needs to hold executives’ attention and build trust among the board of directors and the leadership team.