Cybereason CISO Interview Series: Considering business needs when conducting information security

Information security can’t stand in the way of business goals. Ultimately, if security professionals can’t keep customers and shareholders happy, the business suffers, said Erika Mata Sánchez, director of information security and CISO at Grupo Nacional Provincial, or GNP Seguros, one of Mexico’s largest insurance companies.

Mata Sánchez’s information and IT security career spans 18 years. She’s mainly worked in the banking and financial services industry and has served as director of information security and CISO, Mexico, for Scotiabank; head of business information security risk services at HSBC; subdirector of internal audit for Citigroup’s global technology and corporate operations; and CISO at Prudential Bank.

She also passes along the knowledge gleaned from being on the front lines of information security to undergraduate and graduate students at Tecnológico de Monterrey and Iberoamericana University, both private universities in Mexico, where she’s taught for five years.

Mata Sánchez explains how CISOs benefit from learning about the business, and discusses the challenges of teaching information security to a generation of students who grew up using technology.

How have the security challenges facing the banking and financial industry changed over your career?

The biggest changes are more philosophical than technical. With the technical, it’s true that it’s not only information security, but also IT and communications. IT has progressed very fast in the last couple of years and has developed into information security. We went from firewalls and simple antivirus to building information security systems to meet business requirements. We need to protect information from misuse or unauthorized access from internal employees, third parties, even from the competition.

This has been very hard to practice. This implies there’s a culture of information security and risk at companies. But this isn’t always the case. You need the support of the board of directors and other executives to have this culture across an enterprise. When you do, it makes information security stronger.

How can a CISO balance innovation and security?

Execution is not simple because you can’t stop trying to achieve your business goals. Enterprise competitiveness, operations, market share are all important for business. If you don’t keep your shareholders happy then you’re lost.

The business goals, the business needs and the business strategy are key ingredients in information security. A general director once asked me when he needed to call me for security help with a project. I answered, “As soon as you dream up a new product, call me. This lets us assess security risk from the beginning and consider security in all product development stages.”

This approach makes the development process faster. When business knows what they want, and security is there to give them advice, and they understand why they need to consider security, they’re happy. We want the product team to know that security is a business requirement and to implement it from the beginning.

What unique security challenges does the banking industry face?

The first one is regulation changes. Other challenges aren’t unique to the banking industry, but the way they are executed is unique. Regulators around the world are becoming a bit crazy about all the controls that should be put in place for banking because we continue to see disclosure of customer information, fraud in electronic banking or customers affected by phishing. One of the biggest challenges is regulations because governments want to protect the distribution channels, including the tellers, ATMs, branches and credit cards. And they want to protect the market from nontransparent information so the market cannot be influenced by it. The banking sector has to deal with these challenges, which causes a bigger operational cost for them, so products are not necessarily cheaper and sometimes the regulatory requirements hurt the customer experience. We need to be smart and provide greater customer experiences and comply with the different regulatory requirements.

The second challenge is internal fraud. Tellers are potential social engineering victims. And they are in front of the customers and are the end users of the transaction systems and operations, so they have all the knowledge. They know how the bank operates. They know who their customers are and maybe they have a reason to conduct internal fraud.

I already mentioned phishing and ransomware as challenges. These aren’t unique to the financial sector, but we see a lot of these attacks since banks deal with money. The last one that’s been getting more relevant since 2014 is ATM and POS [point of sale] attacks. There is malware like Ploutus that lets you carry out an attack by exploiting an ATM. You only need to install the malware and then you have all the money in that ATM.

Ploutus is linked to organized crime looking for money, at least in the case of Mexico and Peru. This is organized crime getting easy funding for their activities.

What should corporate boards know about conducting information security?

They need to know that we are there to help them conduct business. Information security is a business requirement, and that’s the approach I use when I talk to the board. Security should work with the business heads to identify risk and develop adequate controls commensurate with the appetite for risk.

Of course, security requires investments and resources, so we regularly communicate with the board and show them an enterprise security index with different parameters. We assess classical things like antivirus, perimeter security, hardening, application security and also awareness campaigns. Once the board understands that internal fraud or disclosure of confidential information is affecting the company, or that competitors may have some of our information, then they’re more open to hearing about information security.

They should know that we are there for them. It’s not only IT. It’s not only about budget. This is about our business. The key is understanding that we’re all part of the organization, trying to achieve the same goals. Once they understand that, they are more open to information security.

For security executives who don’t have a strong relationship with their board, how can they improve it?

The first thing to do is get friendly with compliance, legal and finance. Sometimes information security people don’t understand the business and who handles what. If you don’t understand what your business is and what the cost of business is, you are lost. Information security has its strategy, but it needs to align with business goals.

You need to understand what the business wants and what it expects. Then, in the business’ language, tell executives what they need to consider from a security standpoint to hit their profit goals and to protect their customer, financial and employee information. This requires a lot of investment from CISOs if they come from a very technical background. But the board is never going to learn technical language. It’s better for us to speak business language. That’s how you get your budget approved and support from the board.

And, of course, all the attacks in the news help the board and everyone else understand what’s going on in cybersecurity. Attacks help companies get the information security budget that they need. But the news isn’t the only thing you should rely on. Information security should already be a priority, especially in banking and finance.

When speaking the language of business to their boards, are there certain phrases CISOs should be using?

We need to know the business objectives and board expectations and talk about how security helps meet them. We need to start talking money and not scare them. Tell them the opposite; say that we are there to conduct business, achieve results and reduce risks, fines and reputational damage.

Using examples from what’s going on in security in terms of attacks and risk to the business is key.

During your career, you've worked with CFOs, especially around the information security department's budget. What should CFOs know about conducting information security?

At one of my jobs, the CFO said, “We never paid attention to information security until our financial information was in the cloud with another organization.” That’s a very bad example. If you have a good relationship and engage with CFOs from the beginning, they should know that you are there to protect business.

CFOs are interested in reducing expenses and setting the new budget within forecasts. And with the new budget, they usually want you to complete your work cheaper than last year. So, we need to talk with them in terms of optimization and efficiency. The information security strategy and budget must be aligned to that. That’s all CFOs need to hear; that and how much your strategy will cost, how profitable it will be and how much it will save the enterprise.

You've also taught information security to undergraduate and graduate students since 2010. What's the best way for universities to prepare the next generation of information security professionals?

The millennials don’t want to hear about security. They are already IT embedded. They use technology every day in every circumstance. For them, security is not necessary until there are some privacy issues or incidents. They care about security only when things go bad.

My courses are changing a lot. Initially I taught information security from network security to development of applications. Now I’m talking more about information security risk, how to assess risk, how to manage risks and how to help the business. When students leave the university, they are able to articulate how they can help the industry and a business. That’s key.

But there’s still a gap between what enterprises need and what students are taught. The programs are not structured to teach them information security holistically. They are more oriented to technical processes in engineering careers, at least in Mexico. The exception to this is master’s degree programs, because students have the opportunity to research and write a dissertation in broader fields of information security.

The next generation of information security professionals are millennials or the next generation after them. However, one of the challenges in engineering schools is getting young people curious about how things work and how technology can be developed from scratch instead of teaching them in a way that makes them blind to actual issues. To deal with this, you could have specific courses dealing with writing secure code and other niche areas.

What else should security leaders know about practicing information security?

There’s a lot of confusion out there around what IT security is, around what information security is, around what cybersecurity is. Information security is bigger than cyber and IT security. It requires you to speak business language. It means security leaders need to be close to the board and senior managers in order to get information security aligned with business objectives and the budget to implement it.

Information security professionals need to be able to explain to business leaders why it’s important to do information security. The rationale is simple: Once an individual -- not only a board member but other leaders in a company -- understands why security needs to do something, it’s easier to practice security and help the company meet its goals.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.