Escalating Cyber Security Threats Mean Rise of the CISO

From: American Banker

by Penny Crosman

Tom Sanzone has a resume few in the bank technology field can rival: chief administrative officer of Merrill Lynch. Chief information officer of Credit Suisse. CIO for the Corporate and Investment Bank, the Private Client Group, and the Global Transaction Services business at Citigroup. Managing director and head of global application development at Salomon Brothers.

He recently landed at the consulting firm Booz Allen Hamilton, where he is an executive vice president in charge of the commercial financial services practice. He recently chatted with Bank Technology News about how chief information security officers can protect their banks against the growing army of cyber criminals and how the role of data security watchdog has gained importance.

BTN: Are you seeing CISOs get more respect in banks?

Sanzone: Definitely. The title CISO is standard now. When a security issue becomes the concern of the executive committee and the board, the person responsible for that function at a minimum is required to report to those bodies on a regular basis on the status of the environment. With cyber risk and security issues, it’s done. If you look at the security events that have occurred this year, there’s probably not an executive team or board that’s not been briefed on this topic and is concerned. In Lloyd’s Risk survey, two years ago, cyber risk wasn’t in the top 10 list of executive concerns, now it’s number three.

Do you think cyber risk should be number three on the list, or should it be number one?

The prioritization of risks depends on the nature of your business model. In financial services, a hedge fund will have a different risk prioritization than a large bank, versus an exchange, versus a trading firm. A hedge fund that makes a significant amount of income and profit on proprietary trading models may prioritize intellectual property theft as number one. A wealth management firm might prioritize sensitive client data as the key cyber risk.

For cyberattacks such as distributed denial of service attacks, malware, and others, do you have a sense of which financial firms are the biggest targets and why?

Different types of attacks have different motivations. You have organized crime that’s looking to cyber techniques to commit fraud. Then you have denial of service where people are looking to damage the franchise from an infrastructure perspective. It depends on who the actor is and what they’re trying to accomplish. Clearly malware has been a constant, evolving battle over the years on PCs and other types of devices.

So now you work with banks and you’re trying to help them improve their cyber risk strategies and plug in the holes?

We do benchmarking, we bring CISOs together to share information and talk about challenges. We try to help them get better and stronger at cybersecurity and protection. We help them develop strategies, develop stronger policies, and implement solutions that will help them improve security.

How can CISOs better work with other executives in the company?
