AT: Barclays' innovative approach led to its roll-out of Barclays Launchpad, voice biometrics, and contactless payment – what drives that approach?
TO: “I believe it is not something new. There has been an innovative spirit in the bank that has enabled us to continually do something different instead of just looking at our financial role. Looking through 325 years of our history, Barclays issued the UK's first credit card, introduced the first ATM, and had the UK's first ever female bank manager. I'd guess I'm the only GIS head in the world that has (a) director of innovation in my team who is looking for innovation to do something different about passwords, attack monitoring, incident response, etc.”
“You'd see again that Barclays is one of the few banks that really invest a lot in startups and accelerators. We have seven startups all over the world and we have huge facilities for young people dealing with new online-based inventions. What we try to trigger here is innovation that makes it easier and more prosperous to be a customer at our bank, but never forgetting security.”
AT: You have written on your LinkedIn profile that as the CISO of Barclays you are responsible to deliver four strategic goals:
Protect the Estate
Innovate to stay safe
Enable our business to get fast to market with apps and platforms offering privacy, security and convenience
Educate by integrating 'security' to become part of the DNA of our colleagues
'Innovate to stay safe' is one of your strategic goals, but, as an innovative financial organisation and not an IT solution provider, what is the limit, and where should boundaries be formed?
TO: “What you'd see in banking is that the majority of customers want convenience. If you have a very secure tool but it requires you to remember all kinds of strange settings, then probably you won't use it. It is so easy to create security and privacy that is just very difficult to work with, but the trick is to deliver security, privacy, and convenience at the same time. That can be achieved through innovation and that is a driver for Barclays. That is why we work so well with the business. If we know what they want to deliver, then we can build security by design and provide security, privacy, but also convenience.
“I have a wish list with me when I visit our accelerators and I ask them if they could do what we need, so we influence the development of innovation a bit, instead of just waiting for innovators to show up.”
AT: From your perspective how do banks provide apps and platforms with security and convenience at the same time, given that they are two ends of (the) spectrum?
TO: “If you say to me, Troels, the goal is to be secure with privacy, then my guys will do everything they can to only look at that and that would be a conflict with the business and customers.
“We go mobile, most of us, and in the future we'll do everything on mobile. A lot of innovation must be in this space. Imagine, in the future you could have a phone where you have your application on: the first thing you do is you put in your fingerprint, the second is you have built-in face recognition so it knows what Troels looks like. It also has a microphone, so when I talk it recognises me, then it has a GPS. Is Troels here or in China or Ukraine or wherever? So if it is my fingerprint, it looks like me, it sounds like me, it is in the place I should be, it is probably me. I have not done anything. I don't have to remember a password because everything is done and very convenient. If we could make this work, I think we would have found a methodology to make passwords even stronger without adding much.”
AT: (Regarding SG4) How have you managed to do that and what really worked for you that you might recommend others to also do?
TO: “I think the human firewall is always the weakest firewall and we live in a very online world where everything employees do in business and everything they do privately with social networks, reading articles, news, whatever, is online. You see there is a blurred line between whether I'm actually working, or I'm off and sometimes working from home, but we are interacting with our secure systems. So to prepare for the future for digital employees, we have a specific obligation to train our people to understand the threats, look for phishing mail, to look for scams, not to click on attachments, not to do stupid things on the Internet, to have dual-factor authentication on their Gmail. Because sometimes criminals want to conduct social engineering on me because I'm a bank employee with privileges, so they can take over my private account, maybe they can find something so that they can blackmail me, so all of that.
“I think we should talk about crime and security, not about cybersecurity or cyber-crime, because the criminals who go after us are organised criminal networks and cyber is just another tool in their toolbox. So they want our money, information. They want to get them whether through cyber, insider, or a combination of both. So, we need to look at security much more holistically than in the old days because the criminals just want to get money or information, and often the easiest way is from insiders.
“We need to make security part of the DNA of our staff because they work in a bank that holds a lot of information, and money. They don't need to be technical experts, they just need to be a bit more cautious than the average, because the criminals will go for the weakest spot and that is normally human beings, not machines.
“We run a number of tests on our staff with phishing emails, so we make campaigns where I send an email to the staff, to see how many click on it and then we follow up with a training programme dedicated to that issue. We try to make all our staff aware of what it is you should be afraid of, where should you be cautious, where you could be relatively relaxed.”
AT: You've come to your current role from Europol. How does a background in law enforcement contribute to your current role? What skills or bodies of knowledge helped you the most?
TO: “I think I am intelligence-led and that contributes to my current role from my background in law enforcement.
“I know what is hitting me now. Once you know what can hit you, you can prepare for that. In order to do that, I need to have very good intelligence that can bring me this information so that I can make sure that Barclays is in the right position. Crime changes all the time and it gets more and more difficult, the neighbourhood is the whole globe. We can be attacked from anywhere and anytime and people try because we have the money, so I believe that it is helpful that I can put it in context.
“When I was in law enforcement, I realised that it is very difficult for law enforcement to fight cyber-crime because we don't have any international norms for fighting it. So we help each other, just as all law enforcement agencies do if we have a serial killer, rapist, whatever; we have various tools for that. But we have not really found a good tool for fighting cyber-crime. I think we need to find these norms because it is helpful for me to see how, from the inside, we can defend. I'm also trying to reach out to have closer cooperation with other banks. I don't think that fighting crime is a competitive differentiator, I think that it is something we should be doing. We can compete in anything else in the world but not fighting crooks and making the internet a safer place. I think we banks should work much more closely. We should also work more closely with law enforcement to make it unattractive to be a cyber-criminal. We need to invest more in this area.
“I strongly support threat intelligence sharing, that's why we created the cyber-defensive line together with four other banks and the police. I think within a trusted group we should share everything because if I am hacked on Monday, RBS could be hacked on Tuesday. But if I tell RBS how I was penetrated, then it can patch and change its procedure. If they try to use the same methodology, they will not get in. The next time, maybe RBS tells me how I can protect myself. In that way, we share in-depth information and not just this surface information, but really good information about how we have seen ourselves being vulnerable to attacks.”
AT: From your perspective as the CSO and CISO of Barclays bank, what are the biggest challenges you face in the year ahead?
TO: “You will see that the era of the big heists is just starting right now. First of all you will see more sophisticated attacks against financial institutions. You will also see more stealthy and deep attacks like the SWIFT attack. Also attacks targeting our physical access systems, not just our online access systems, so also security cameras and other systems. I believe that you will see criminals move up the value chain, so that is a big challenge for us. On the plus side, there will be a reduction in banking Trojans, because we have actually managed that very well, at least in the Western world. So they will move that crime to Asia and Africa and for us they will concentrate on having much more sophisticated, dedicated and longer attacks. These won't just be 'hit and run', but they seek to undertake reconnaissance, penetration, dwell in the network and then activate, and that is a different threat that we need to be prepared for in the future.”
AT: You studied business between 2006 and 2008. How has this helped you in your current role? Do you suggest an MBA or similar course in business would help future CISOs?
TO: “I have a very good relationship with my board and we have very good discussions and I get really good backup, I think because we understand each other.”
“For more than 30 years I have been in law enforcement and now I'm in a commercial business, so it was a very good bridge for me to have studied a bit to improve commercial understanding, because when I'm here I am handling budgets, triggers, drivers, so I still get what it is about.”
“I think that security is about people, processes, and technology, and then everything is underlined by its commercial business context. A bank needs to earn money to continue its business. That is goal number one. We deliver a financial service that hopefully many people want because it's good, it's inexpensive, secure and all of that. But I need to deliver that through several professional, technical, and process people and I will not do that alone. I think that given this combination, along with marketing, it's good to have this background.
“Everything has changed since we had gold and coins in a vault protected by a sheriff and thieves came and threatened us to hand over physical things: now that my money is ones and zeros, for proper protection you need to have a holistic view because it is about tech, process, and people, and I think the commercial background needs to be there too.”
AT: While time is a scarce resource at your seniority level, I'm personally very impressed by your strong presence on social networks especially Twitter and LinkedIn. What is the motive behind all these efforts? Is it part of your leadership philosophy to act as a role model and go ahead of the followers in Barclays and even in the industry?
TO: “I like social media and the way (to) communicate and I can reach out to a bigger audience. I see that as part of actually being an evangelist in security. You try to have a discussion about what is good, what is bad, what is needed, and by reaching out, I think that's part of my overall job. I very much like that and I get a lot of good feedback, and sometimes criticism, but that's fine with me and that is part of the discussion; otherwise I should unplug and do my job and I don't think that is enough.”
AT: What would you suggest to newcomers to the industry including women who want to follow a career in information security?
TO: “I think it is all about dedication. It is the strength of your will power that makes you conquer everything. If you really want that, really want to do this in security, you can. It is all about dedication and devotion more than it is about engineering, or a degree. My advice is to try cyber-security; first of all, it is the future; secondly it is very rewarding, because I think (safe use of the Internet) is a fundamental human right, so to work to make the internet a safe place where you can operate without becoming a victim of crime. So the more we can attract people to help achieve that, the safer we will all be, whereas right now it's a bit like the 'Wild West' and we now need to change that, but to do so we need more people on board. So come, try, see, grow, learn, it will never be wasted. Even if you don't stay it will be a very good experience for you.
“I very much support moves to encourage more women into the security industry though sometimes this is difficult to achieve. I'm trying to do more in that area and I do try to promote articles and discussions that talk about that. It is not just about studying engineering; we need everybody to be engaged in this.”
AT: What is your organisation doing to overcome skills shortages in the sector, and if availability were not an issue, would you increase your cyber-security team? If so, by how many people (or percent)?
TO: “There is a shortage, especially in some areas, and we should have more people available. We try to reach out to universities including Mumbai and Johannesburg to create curriculums and part of a Master's degree that will ensure we have security people who are not just theoretically good but also practically good in what we need. I don't think we are doing enough but we are trying to do more in that area.”
AT: Barclays has enhanced password-based authentication by adding additional layers such as PINsentry, but the recent introduction of voice recognition to the customers is a different strategy. Does this mean that Barclays is still looking for a solution to substitute traditional password-based authentication completely? If so, when do you want to achieve it?
TO: “I think maybe it is too early to say that we will eliminate passwords completely, but we are looking into new technologies to obtain security but reduce complication. Voice recognition is a good example. In the first minute that you speak with us, you have already proven that you are the right person and you can go on instead of having millions of security questions that anybody can obtain by social engineering then copy and paste. We will pursue that road and introduce more biometrics and other approaches that will maintain security safer for us and make access easier for our customers.”
AT: Apart from voice, do you think that other types of behavioural biometrics such as keystroke dynamics have the potential to be used in online banking in the next five years? Or even other than online banking?
TO: “The aim is to undertake more innovation in this area, in everything, biometrics, voice, face, location, fingerprint, whatever. The downside is how can you cheat biometrics. Keystroke has a role to play in different settings. Maybe more inside the banks so you can see who is actually behind a certain computer at the moment. I think the password is a dead heroine in security but it is the best we have now, but we need to find a better way of identifying ourselves.”
AT: Based on the novelty and complexity of behavioural biometrics, I assume most banks might prefer to outsource and purchase the solution from a third party. From your perspective how can financial organisations be assured that integration of these services does not open a backdoor or simply makes them more vulnerable? What has really worked for you to mitigate this risk that you would recommend others to do?
TO: “We have (a) vendor assurance programme, so we assess all our vendors to certain levels depending on what they deliver. We have very in-depth monitoring and also third parties that help us assess how good vendors are. My strategy is to protect the bank regardless of whether the information is on premises or with a third party. So I have an obligation to reach out to partners and make sure the data they hold for us, they hold in the same way as if they were part of our own system. When we outsource more and more of our data to the cloud, they need to have the same security standard as us. So it is about assessing the security of these companies and then dealing only with those you trust.”
AT: Security and usability are two ends of a spectrum. We cannot sacrifice one for the other. From your perspective, how does continuous authentication in online banking, which Barclays uses, help balance these two extremes?
TO: “I think you are right, to constantly authenticate is probably the future for part of our life on the internet. There is an opportunity here and there are several companies who are looking at that specific area to continue to authenticate. We need to know that it is actually you who is asking for your money or your information, so we can be sure that we're not handing over anything which is not yours.”
AT: What message or insight would you like to leave our audience with?
TO: “In the future, we will not talk so much about the internet or cyber. It will be just like electricity, an enabler for everything we do. As a society we need to see that we will have to automate much more as we are overwhelmed with information, which is a positive and negative challenge for any society. But I think that any successful road to a bright digital future entails security in one way or another and that is why we should take it seriously. It is not just about being first to the market or having the sexiest application; we need to innovate in a safe way, and as a bank we need to be especially security-focused, but we will also take advantage of the opportunities afforded by technological advances such as the Internet of Things.”