Cybersecurity in the financial sector – Interview with Kevin Fielder, CISO at FNZ
In one of our previous articles, we discussed cybersecurity in finance. Financial institutions such as banks, broker companies, and insurance firms have large amounts of sensitive data stored. Banking information, login credentials, identification numbers, and more. This sort of data is extremely sensitive, and is therefore a high priority to protect. But how do you keep up with the current trends, and face the security challenges in this sector? We asked Kevin Fielder, the CISO of FNZ group.
Tell us a little bit about yourself
Hey, I’m Kevin Fielder. I guess you can sum me up as a proud father, sports and health lover, and cyber geek / CISO. I’ve been working in technology and security roles since the mid-90s (that definitely ages me!), doing everything from working on a helpdesk supporting dental software and BNC networks, to supporting online retail web sites, to solutions design and architecture, to various security roles.
Outside of work, I’m pretty devoted to being the best dad to my little girl that I can be, and bringing her up to be as confident and happy as possible. My other main passion is health and fitness!
What do you like most about working in IT and security?
Challenge and learning!
I love to learn, and while many of the challenges we have in security don’t change, how you best solve them in different organizations is always different. This, coupled with the fact that adversaries are always looking for new ways to get to your systems and data, means you have to keep learning to stay ahead. This neatly segues into my other reason for liking working in security – the challenge… We always have to try to stay one step ahead of those trying to do bad things.
You have been in security-focused roles for more than ten years. In your recent years as a CISO, what are the biggest challenges in the role?
I’m still comparatively new as a CISO, this is my second CISO role. Between this and my previous role, I’ve been a CISO for just over four years. I’ve been in various other security roles for quite some time though!
I think one of the biggest challenges is balance. It’s easy to end up working a lot of hours, and it’s hard to switch off. An attack or issue can happen at any time, so you can end up thinking about this, and all the work you need to do, even when you are not working.
Ensuring you have ways to manage this and ‘turn off’ is critical to avoiding burnout or too much stress. For me, having a team you trust really helps, as you know things are in good hands when you are taking time with your family etc.
Exercise really helps as well – it keeps me healthy and provides me time when I am not able to worry about security.
Prioritization is another challenge; we all have a lot to do. I think we, and often our teams, want to improve everything at once. We need to realize we can’t do this and have to agree on what we will fix first and what will have to wait.
Breadth. Security is a pretty broad topic, so staying in touch, even at a high level with everything that is going on, can be very challenging.
What is your advice to other financial institutions as to why take cybersecurity seriously?
In many ways the risks are similar across multiple industry verticals, however, some verticals are ‘bigger’ targets than others. Financial institutions are often seen as valuable targets for a couple of reasons. The first being potential ‘cash out’ where the criminals may see an opportunity to get actual money from the crime – this could be card fraud, access to bank accounts, or something far larger depending on the specifics of the financial organization. The second reason is data. Due to the nature of things like identity checks, financial services firms will often hold a high volume of very sensitive and valuable data that could be used for stealing identities, opening accounts, phishing, etc.
As such, criminals often target financial services more than other verticals.
In terms of what to do, as always, focus on your security fundamentals – know where your assets are and how they are being used, perform good security hygiene (patching, turning off unnecessary services, nothing on the internet that shouldn’t be, etc), protect your assets at rest and in use.
Make sure you engage with all levels of your business – focus on the people and process elements as well as tech, and take the time to get buy-in to the security mission. Security really is everyone’s responsibility, so training and engagement are critical!
What are the most important steps to build the first line of security?
Understanding your organization is number one – what it does, what the key risks are (not just security, but risks across the business), who the key players are, what are people’s key concerns (so you can identify how you can help them!).
Build relationships – no matter how large the actual security team, you’ll need the organization to be engaged and to understand why doing things securely is important. People are our best line of defense.
Choose your battles – we can’t fix everything at once, so identify the biggest gaps and areas of concern. Focus on those. Agree on what you are not going to fix (yet).
Build a great team – you are only as good as your people. Hire awesome, enthusiastic people. Remove obstacles and get out of their way – empower them to be awesome, your teams’ success is your success.
The pandemic has caused a lot of businesses to increase their presence in the online space, and the external threats have increased at the same time. In general, how would you address these increasing threats?
I think the answer to this really depends on where your organization was pre-pandemic.
If you were already a very flexible organization with a distributed workforce and a ‘work from anywhere’ culture, you were likely already remotely managing and patching stuff and allowing secure remote working and access. In this case, other than some uplift in phishing, you likely saw little or no change in security requirements or posture.
If you were at the other end of the scale and entirely office-based, you likely saw fast and huge changes!
Obviously, this discussion only focuses on businesses where remote working is possible…
Fundamentally, it’s about ensuring you have secure and reliable remote access and remote management of your user devices. Plus a healthy dose of ongoing security culture and awareness engagement to remind people about safe remote working and phishing or other social engineering scams.
In your opinion, what are the best steps to raise (cyber)security awareness?
Keep it short, sweet, and relevant.
I genuinely don’t believe annual compliance training has moved the security needle in any organization. In fact, if done badly, it can potentially make things worse as people moan about the training and it creates a bad impression of security.
Short, frequent ‘nudges’ using multiple types of messaging are what is required. Different people respond best to different ways of engaging.
Relevant – make it relevant to their lives and their role. No one outside of infosec needs to know what the CIA is. They do need to think about things like – when I am on a call in the garden, could the neighbors overhear confidential information, when I am working in a café, can anyone see my screen, etc.
Talk about how things impact their life – e.g. good password or 2FA practice stops people from accessing their social media and devices in their home.
Use data – track the engagement and responses to different campaigns – especially in multi-national organizations, you may find you need to run different messaging in different regions to get things to land.
Make things easy – why have five data classifications if three will work? Enable easy reporting – one click to classify and encrypt a document, one click to report phishing. Have multiple channels to contact infosec, and try to make every engagement with your team a positive one.
As a CISO, one of your main responsibilities is to develop and drive the security strategy and roadmap. Could you share with us your top tips to make this successful?
This is a huge question!
Come back to some of the things we have covered already – talk to people, understand the main concerns and risks to the organization. Make sure you address these in your strategy so people understand how you are helping manage the risks they are concerned about.
Get buy-in for your program, try to deliver some quick wins as this helps build trust that you will get things done.
Have a clear plan. Report on progress. Build trust in your delivery. Demonstrate risk reduction.
In your opinion, what are the key security topics to focus on for 2021?
Fundamentals. Fundamentals. Fundamentals.
Lots of talk about AI / ML / buzzword X.
Breaches still occur from phishing, lack of patching, poor configuration (stuff on the internet that shouldn’t be), lack of CMDB – services and servers you don’t even know about, stuff left on trains or in cafes, and the OWASP top 10 is still basically the same.
Get good at the fundamentals of security.
Then add AI magic for the next level once you have the fundamentals in place.
And remember – just because we use terms like fundamentals or basics, that doesn’t mean they are easy!
In our upcoming post we’ll discuss the impacts of the pandemic on cyber attacks.
Ready to engage your team with secure coding training?
Reading Time: 6 minutes For most companies, security is considered a side quest, which is partly related to the daily processes. In reality, security ought to be a strong foundation of any organization. To ensure the defense of the enterprise, the relevant teams need strong security knowledge and abilities.
Reading Time: 6 minutes To build an enterprise security program, one has to go back to the well-known fundamentals of organizational change: People, Process, and Technology (originates from Harold Leavitt’s “Applied Organization Change in Industry”, 1964).
Reading Time: 8 minutes If you are working on Java projects you might have heard about other languages that run on the JVM, like Clojure, Kotlin, or Scala. Programmers like to try new things out but is it worth it to pick one of them over Java?