CSO Security Standard, lesson one: Build something you can easily adapt

Sep 10, 2012 | 3 mins
Data and Information Security | IT Leadership

Bank of America CISO Patrick Gorman on building an adaptive security program

Bank of America CISO Patrick Gorman was first up at the CSO Security Standard this morning. His main message: Companies need to build a security program that adapts quickly to new threats.

“What we’re seeing is a convergence of threats,” he said. “Attacks are no longer just the work of nation states, hacktivists, criminals and malicious insiders. They are all working together.”

He listed the things he worries about: remediation costs, operational downtime, lost revenue, customer dissatisfaction, brand impact and shareholder value. He noted that the company’s top brass are just as worried.

“The good news is that the CEO and the board care about security and are paying attention,” he said. “The bad news is that the CEO and the board care about security and are paying attention.”

He said BOA moves about 2 trillion dollars a day through global networks. Banks are all interconnected because they have to work together on payments and similar transactions.

The general security approach BOA has adopted as a result is as follows:

–For customers and clients: Security solutions, awareness and education

–For enterprise security: Monitoring end users, ID and access management

–App security

–Information and infrastructure security

–Vendor security

The program, he said, is based on ecosystem security: Banks are connected through support services and public-private partnerships. Information sharing and a coordinated incident response have become critical. “If one part of the financial industry is impacted you have to assume other parts are affected,” Gorman said. “Instead of approaching this as competitors, we work together to protect the ecosystem.”

The security program is built around being prepared: BOA runs war games and assesses new threats daily with partners and competitors alike. “We run through multiple scenarios and business impacts. We stress-test our controls.”

Other aspects of the program revolve around the following outline:

Deter: Dissuade attacks by addressing the cost-reward equation through strong controls.

Prevent: Reduce day-to-day incidents by looking at all external activity, managing patches, and stacking reported vulnerabilities against what the bank has deployed and needs to address.

Detect: The goal has been to cut the time to detect a threat, measured from when the threat is found to when a ticket is opened to act on it. Automated monitoring of employees, applications, data, systems and networks is part of the mix.

Respond: Agile incident response, a follow-the-sun model. “We are on guard 24 hours a day. We operate off a playbook and work with overseas partners. It’s all tightly coordinated,” he said.

Recover: Invest in forensics teams to ensure quick investigations and lessons learned.

“Adversaries are more agile than we are, so we have to look at how to remove bureaucracy,” he said. “We’re also working on an employee security driver’s license. If we identify a user’s dangerous behavior they have to do certain things or lose points on their license.”