AT: How do you communicate information security issues to the board, how often, and what's their attitude?
HP: Cyber and information security risks are huge in this connected world. We have different mechanisms (with) which we reach the board. If there is a major incident internally, then we have immediate incident reporting processes which would highlight to the respective management team what has happened or what is going wrong. Moreover, if there is a major incident externally, such as what has happened with the Bangladesh bank, we always take it back to our management and make them understand: if it were to happen to us, what would we do, how would we react, or can it happen to us? So I think from that perspective, the board has now started to realise and understand the seriousness of these kinds of risks and the fact that they can happen to us.
AT: Do they see it as an IT or a business issue?
HP: We definitely don't treat it as an IT issue. Security is a combination of both; it would be wrong to say it's not an IT issue, but it is also wrong to say it's a business issue. So it could arise on the business side or the IT side.
AT: From your perspective how important is awareness and who is responsible for it?
HP: Respective stakeholders and relevant people need to talk to each other. We have been running quite a few programs to educate the board members, senior managers and all our employees, to inculcate a culture in which people understand and appreciate what information security is and how they or their family members can be compromised. That's a big challenge, and not everyone understands and appreciates what it takes and what it comprises, so we keep reiterating it through various methods and techniques, to make them understand how to protect themselves and how to safeguard the information and data they hold.
We educate the human resources, legal (and) compliance teams. These are very specific functions that touch a lot of data, and a compromise can be bad for any organisation, so we have specific sessions for them.
I think from my side, the key thing I'd like to emphasise is that all of us in information security, if we make sure that not only are our staff aware of everything but we also tell them to pass on this knowledge to their family members, that would be a plus, because we will be improving the information security posture of society as a whole.
AT: From your perspective, what kind of experience and skills are required from a CISO today and in the future?
HP: I think open-mindedness, willingness to learn (and appreciation of) what you are getting into. One of the things I have done whenever I have gone into a new kind of engagement is to take it as an opportunity, and I ensure that if I'm learning something new, I will try to get a related certificate, because it forces you to learn new aspects of that. For instance, recently I was doing a lot of work on the cloud side of things and I saw a certification on the cloud, so I picked up a well-known certification (ISC2 CCSP).
AT: How can a business degree or business understanding contribute to the success of a CISO?
HP: Sometimes the business does not understand what information security wants, or the other way around, but understanding what the business teams are doing has helped us and takes us further. It's helpful when you can understand what the business is doing and how you could safeguard them. From that perspective, when we collaborate effectively with management, for example regarding unseen risks and their impacts, that's when they start appreciating it and you start building upon this relationship.
AT: Is there a skill shortage in the information security industry and what is your organisation doing to overcome skills shortages in the sector?
HP: Truly speaking, there is a gap; there (are) not sufficient people if you look at the industry as a whole. Outside of the financial industry, if you start looking at all the other SMEs, yes, there is a huge gap, because people do not realise what problems they have.
One of the challenges we have to keep in mind about information security is that we all depend a lot on technology and need to learn how to protect various technologies. So that's why getting the right skill-set becomes a challenge, but if you have the right mind-set about how you need to proceed with things, that would help in solving quite a few things. So from that perspective, I have had an intern program in my teams for the last four years, (which) gives them exposure to information security, and that's how we are trying to raise awareness and ensure that this gap is filled.
AT: Maybe because banks act as a magnet for talents?
HP: Exactly. That is also another challenge, as such: the banking industry pays the best, whereas other industries would not be able to do that, and that itself causes disparity.
AT: What is your suggestion to women and newcomers who want to follow a career in the information security industry?
HP: I think women make a great part of the team because they are very inquisitive and like to find (details). That is very good from the natural tendency perspective. They make very good resources in a team, definitely bring a lot of value in terms of thinking and knowledge, and help in balancing the culture within the team. So now and then I try to ensure that my team is balanced and has ladies on board, and we as an organisation promote diversity quite a lot and encourage ladies to participate in the information security industry.
AT: From your perspective as the group CISO of ING, what are the biggest challenges you face in the year ahead? And what would be your focus in the next 6 months?
HP: First of all, the key challenge for us as an industry and as bankers is definitely awareness. It is definitely a key thing and not only awareness inside the banks but also for our clients because they have become victims of brand abuse. So, we are running various programs to ensure that our clients are aware that (the) ING name could be used for carrying out invoice fraud or other types of fraud.
Secondly, I think APT and these constant malware types of attacks are also a key issue and problem for us, because they can get into your organisation, steal your data and damage (you) in terms of (money) or information.
The third challenge is the insider threat, as we have seen with the Sage program; it could be any one of our insiders, so the whole industry has been working throughout the years on safeguarding against insider threat and putting in controls to ensure such kinds of incidents do not lead to huge damage.
And lastly, patching in any organisation. The technology keeps evolving and developing, and keeping up with the patches is a big issue for the whole industry, not just for banking. It's the basic hygiene to maintain; once you start missing on your basic hygiene, you would fall (victim) to (these) kinds of things.
AT: Do you think that banks should actively monitor the Dark web in order to be able to take necessary actions against cyber-criminals in advance?
HP: It's part of defence in depth and knowing your enemy. I think they need to monitor in terms of what is happening, and if you know your enemy you can look at how you can prevent it, or if you know that this is the kind of attack which is going to come to you, you can build a counter to it.
It's intelligence gathering, and it depends on the size and resources of the bank, where they are in the cyber journey, what they are really looking for, what they are trying to prevent and achieve, what skill-set they have, and what understanding they have about their environment.
This is a kind of joint exercise we do with a lot of common agencies: people get into the dark web just to get an understanding and idea of whether there is any ING data on it, whether something has been compromised, whether we have an ING customer's name on it, or whether we have ING-related information on it.
AT: Does your organisation share threat intelligence with public bodies, commercial rivals or others? What do you gain, and what are the risks? Is it worth it? How can the public and private sectors share threat intelligence better? And what impact will Brexit have on this practice?
HP: I think Brexit is not causing any impact on intelligence sharing, and we have seen no impact so far. Information sharing happens through the contacts and organisational relationships you've established. We have very well-established mechanisms and continue to share information. Last year we as ING signed a Memorandum of Understanding (MoU) with Europol in order to further strengthen and expand cooperation in combating cyber-crime targeting the financial sector. This MoU allows Europol and ING Group to exchange strategic information, information on trends and statistical data (taken from the Europol website). We participate with CERT, the National Crime Agency and the National Cyber Security Centre (NCSC), which launched a few months (ago). We as a bank participate in various forums and share intelligence on a very regular basis.
AT: ING won the award for Western Europe's Best Digital Bank by Euromoney magazine. How important is innovation for information security in the financial industry?
HP: Innovation is very key because we need to keep up with the pace of the technology industry in delivering to our customers and clients. There is so much innovation which has happened in (the) information security world, and the number of small firms which are solving very niche areas in information security is increasing day by day. Now you need to look at user behaviour analysis, DDoS scrubbing, risk engines and (so on).
There are some projects in the pipeline to look at the whole authentication piece, for example this kind of vein tracking: instead of looking just at the fingerprint, it looks at your vein pattern and pulse. We have been reviewing and investigating those kinds of technologies.
AT: Banks have enhanced password-based authentication in online banking by adding additional layers such as tokens, but the recent introduction of biometrics speaks of a different strategy in the financial industry. Are banks looking for a solution to substitute traditional password-based authentication completely?
HP: I'd correlate it to the innovation that makes life easier for people and our customers, and in terms of authentication it needs to be a very balanced approach between what we provide and how secure, safe and easy to use (it is). We always keep looking at innovative ways of providing authentication which could enhance and improve the experience of users and clients getting authenticated, while ensuring that it is still safe.