“The most advanced banks take a pro-active approach to cyber-security. They think like hackers: conduct external penetration testing against themselves, mine the dark web for their own information leakage, apply data classification products to prevent data loss (DLP). They do not rely on major product vendors alone, but experiment with leading-edge technologies from start-ups to evolve their defenses.”
Troels Oerting is Global CISO at Barclays Bank, which has been working with numerous security start-ups, partnered with Europol on sharing threat intelligence, and even ‘hacked’ its own systems to ensure they are secure. The international bank is reportedly boosting its security spend by 20 percent.
Speaking to CSO after delivering his latest cyber-security strategy to the board, Oerting detailed how important start-ups are to the bank.
Oerting, formerly of Europol’s European Cybercrime Centre, is mentoring a handful of start-ups in New York, Tel Aviv, Cape Town and Mumbai – and is leading accelerator programs in New York and London.
“We’re increasing our footprint on the accelerator program and on innovation too. We want to see if I can find companies that provide us with things that we want to be researching and developing. It could be blockchain technology, the replacement of the password, increasing endpoint security, the elimination of anti-virus, or DNS security.
“Privacy and security protection is such a big part of what a bank sells – because a bank sells trust. So, instead of waiting for security companies to deliver something when they see fit, we thought why not identify how we could improve the security by design in our own applications, platforms and endpoints…and maybe assisting customers too.”
Oerting says it is important to first identify the bank’s vulnerabilities before asking for help from security start-ups. The start-ups he now mentors includes one that tracks Bitcoins and other digital currencies on Blockchain, another which uses Blockchain to secure diamonds, and a third which provides interactive security awareness training online using virtual reality and 3D glasses.
The Barclays chief admits that all this won’t stop the bank being breached – so instead he is prioritizing the bank’s incident response through red teaming which tests internal applications, perimeter defense and staff against phishing attacks.
“If we get penetrated, we want to make sure we react very fast. It’s about shortening the time from detection to reaction. We acknowledge we probably will be penetrated, but we need to detect it, and isolate or kick them out as soon as they are in.”
“The aim is to make it too costly for a criminal gang to steal our money. Any criminal gang looks at risk, investment and profit and if that doesn’t match up, they will go elsewhere”.