A few days ago, we had a chat with Santiago Moral (CISO of Grupo BBVA) about various issues related to security and technological risk management.
We hope you find the results interesting and, as always, we’d be delighted to receive your comments.
What value does BBVA attach to security?
Security in Grupo BBVA, as a concept within the financial business (which is based entirely on trust), is not an attribute that can be measured or quantified, because there is no other option: Banks have to be secure by their very definition; BBVA is no exception.
What’s more, at BBVA we don’t conceive security as a value we want to be competitive in, because we understand that the whole financial sector has to be secure.
In light of this, it is our job to add value from an engineering perspective, so that security enables us to make progress on two fronts: On the one hand, to make the cost of running the institution competitive within the market, and to make important strides in a technologically globalised world on the other.
So, given this ‘non-competition’ in terms of security, is there collaboration?
In the financial sector, you don’t win because somebody else has a security incident. In this field there is a fairly modest direct collaboration between security managers in different institutions: we know each other, we share forums and it’s a fairly small world.
Where we do have a little friendly competition is in seeing how each of us manages to make security cheaper to operate, simpler, more efficient and less expensive for our respective companies; thereby contributing towards a more competitive position. However, this is competitiveness in engineering, not as a business function.
When we talk about Logical Security, we usually think about the purely technological aspect, forgetting the human factor. How does BBVA approach this factor, both in terms of the (internal and external) workforce and with a view to its customers?
The whole financial sector is working hard so that what can be done with information systems is done in a more natural and user-friendly way, improving the usability of security.
This is not usability in the classical sense of the term, that something is easy to use, because this should be the case by definition. What should be easy is the integration of the different platform security mechanisms; meaning that within a uniform environment there can be elements with different security levels.
For example, the site where I swap photos with my friends and where I store my payslips. I need to have both things on hand, but with different levels of security.
At present there are some very interesting trends that will become a reality before too long. One of these is “Bring Your Own PC”. This basically consists of you using your own computer, smartphone, etc. (tools on which people are increasingly storing much of their productive capacity) as corporate tools, for which your respective company/organisation pays for part of the annual cost. In this case, we are entering a different world and a different strategy; it doesn’t matter where you are, you always log on using the same means and with the same applications as your work environment. Security is clearly an essential lever if this is to work properly.
What are the most typical threats at the moment?
As a society we are undergoing a radical change in worldwide infrastructures that allow us to become technologically globalised. In this new world we are unaware of the risks we must assume and manage. Citizens, businesses and governments are all working to ensure that this new playground of global networks and their platforms can be a comfortable place to live and to share.
Regarding the issue of critical infrastructure protection, do you think we are progressing fast enough, or has this also been affected by the financial crisis?
In serious countries, we find serious institutions and corporations. For example, in the case of Spain, when they request what is essential for a critical infrastructure in the country, I already have it.
Serious companies are already making sure they have adequate levels of availability. It may be that at certain times there will be a request that is a little more demanding, but in general terms, Spanish corporations have a good starting level when it comes to complying with critical infrastructure regulations.
As to the speed of adaptation, I believe that the administrations are doing this well. As an organisation and as a sector in general, I think it’s going fast enough, insofar as this is possible. There are ideas that have to come down to earth a little.
What is your opinion regarding integral security?
In the financial sector, security departments have to work as one, because there is a continuum in the security problems that we have to manage.
One security problem might begin in the physical world and then move to the virtual world before going back to the physical, being the same problem and the same action, so you have to work in a very co-ordinated manner. Nevertheless, the corporate security department and the information security department require different levels of specialisation.
All corporate security technology is based on information security. This enables us to have single processes and technologies, so that there is no technological dispersion with regard to identity management. However, on the level of departmental management, we are different; because the things they manage and the things we manage (even sharing a common area), are radically different. We have organised ourselves in such a way as to have the benefits of integration and the benefits of non-integration both at the same time.
Smartphones are spreading, which means a world full of possibilities, more functionality and more power in the online mobile channel. But from a security point of view, what recommendations can you make to users?
Well, I would basically say to any user of mobile services that the important thing is who you do business with, not what you use to do it; for example, doing business with BBVA will always be a sure thing, because you are dealing with BBVA regardless of the means you use.
The medium doesn’t have to be something we are scared of; BBVA is positioning itself so that all possible devices and channels can be a gateway for customers to connect with and do business with the bank. As a company we have a vocation for cutting-edge technology, and the challenge is to make this happen without diminishing the level of security.
What we really need is to be good risk analysts from a security perspective. To achieve this, the main problem is that we need to have a very good knowledge of what is really going on in order to adjust the risks effectively. If you set about placing more controls than you should, you end up out of the market because other competitors will analyse the risk better and you fall behind; then you’ll have problems that will eventually have an impact on your image.
Speaking of risk analysis, in recent years this has almost become a structural element of more and more organisations, especially financial institutions. How does BBVA handle risk analysis from the perspective of Logical Security?
At BBVA, we have the CISO (Chief Information Security Officer) model, which is an enlarged security model, in which all responsibility in the area of technological risk management, i.e. what is security and what isn’t, falls under the umbrella of the CISO. The risk management part of all IT governance is assumed by the CISO.
At BBVA we understand that our most volatile risk is always related to security and to the continued maintenance of this security level, and that we as Information Security, depending on the area concerned, are responsible for between 40% and 60% of the total risk that has to be managed in the IT area. That’s why it doesn’t seem exaggerated for a financial institution to see itself as a leveraged figure in information security, but one which is moving towards technological risk management, as one of the mainstays of good governance.
Cloud computing is a fashionable subject at present. In a few words, what is your opinion of cloud computing and security?
We are a bank, and as such we are a highly regulated institution in everything involving our financial business. This brings with it a certain level of security; however, we also do many other things and we have many other business applications due to the simple fact of being a company. This is something that has a different level of security.
In this second case, we are open to everything that appears in this globalised world that enables us to reduce costs and improve processes. However, in terms of our regulated business and everything that goes with it, we want to have the utmost guarantees and control, not only for our customers but also for the bodies that regulate us.
BBVA is making a substantial commitment to technology and innovation. What issues would you like to highlight in terms of security?
On this point, I should talk about the agreement that we have with the Universidad Rey Juan Carlos, by which we created the Technological Risk Management Research Centre, where we are working on various lines of research.
The first of these is the search for new algorithms that will enable us to search for anomalies; i.e. to find unusual data within enormous volumes of data, so as to improve our effectiveness by trying to anticipate what might happen in the bank (attacks from the Internet, on cards, etc.).
We are also investigating the natural mechanisms for identifying people, so that information systems can offer an increasingly natural relationship with customers. That’s why we’re working in the area of biometrics, in an attempt to facilitate the recognition of individuals through their behaviour.
The third research line is on specific risk-analysis methodologies (whether to assume risks or not). One interesting area is the analysis of intentional behaviour based on game theory, and its application to the behaviour of organised criminal groups.
Finally, could you give us any tips on a professional career in the field of security?
There’s no better advice than to work hard, be passionate, and never stop training. Of all the IT disciplines, the world of Information Security is especially fascinating. Here, there is an added point of interest: You have an adversary, which makes it extremely appealing intellectually. On the downside, it’s a job that is demanding as regards dedication, not just in terms of the hours, but because incidents can happen at any time and not just when it’s convenient for you.
Last of all, I’d like to mention the topic of continuous training and development. Information security professionals are among the top experts in all kinds of new technologies that are appearing. One of the keys to success in training (and in professional activity in general) is to surround yourself with people who are smarter than you, and that way you’ll be lucky enough to be learning all the time.
Many thanks, Santiago. Now we wait for our readers to send us their opinions.