Information security requires understanding of cultures


Dr. Michael Kelly is Global Head Information Security Officer for T&I and Group Functions, Standard Chartered Bank, Singapore. He shares his thoughts in an interview with Khaleej Times. Excerpts:

by Suchitra Steven Samuel


Published: Wed 17 Apr 2019, 11:44 AM

Last updated: Mon 22 Apr 2019, 1:50 PM

Security technologies are continually evolving. "We are seeing more specialised technologies to combat specific threats. Determining how to use these effectively and in an integrated manner is a challenge," says Dr Michael Kelly, Global Head Information Security Officer for T&I and Group Functions, Standard Chartered Bank, Singapore, in an interview with Khaleej Times.

"Since digital banking is driving our industry to consider how to use partners and new technologies in new ways; these moves are forcing us to consider new capabilities and ways to apply security technology and governance. We certainly see the use of more machine intelligence and other analytics to identify potential threats and respond quicker," Dr. Kelly adds.

He confirms that banks are implementing emerging technologies. "The drive to digital banking means banks are adopting cloud, mobile apps, and DevOps, as well as more advanced open API, fintech and blockchain initiatives. The wide variety of new capabilities requires us to similarly look at what is needed to secure these initiatives and our banks in this new environment. We believe that in the midst of applying these new technologies we also need to improve our security risk governance," notes Dr. Kelly.

Referring to the importance of security for a banking information system considering recent technological advancement, Dr. Kelly says, "Our customers increasingly value security, as revealed in recent surveys. For instance, in a Capgemini survey in 2017, 64-75 per cent of customers say they would move companies in the event of a security breach, and 65 per cent consider privacy and security important in selecting a bank. And some customers, especially millennials, at least indicate they would pay more for security. However, this contrasts with customer behaviour where 21 per cent of online customers never change their login passwords, and 74 per cent of millennials are willing to share their personal data for benefits."

Dr. Kelly stresses, "There is a need to instil more of a security culture throughout our organisations, from the business through to architects and developers. We need to have more architects, designers and developers who understand that security needs to be part of any system and application from the very outset. And fintech initiatives need to build in security, not try to add it later."

Organisations need to ensure that they impose information security risk and governance along with the technology and processes to operate the security. "None of us have infinite resources so taking a risk-based approach to information security helps to prioritise funds being spent on the right technology to address the biggest security risks. Risk and governance also give an internal oversight to help banks continually improve information security capabilities and culture," he notes.

Organisations also need to be aware of the way regulators and governments are responding to technology and industry changes. "For instance, regulators in the Middle East are issuing standards for Open Banking, and some countries are heavily supporting fintech, such as the UAE where fintech start-ups have grown by 270 per cent in 2017 alone. This trend will result in more government digital services and exchange of data across the banking sector. Banks will need to determine how to ensure security and operational resilience as their services integrate with other banks and government digital services," advises Dr. Kelly.

According to him, Standard Chartered is both fortunate and challenged in its geographical spread. "Operating in so many countries means that we have many places to protect and regulations to follow, but it also means that we can draw on talents from many countries as well. We are recruiting both technical and non-technical talent, and we are taking steps to encourage more women to join our security teams - these initiatives help to create genuine diversity of thought, a vital component for tackling cyber threats. Having said this, it is always a challenge to find the right talent, and more so in information security."

IT leaders are leveraging this FutureSec platform to transform their organisations. "Sharing experiences provides us with insights to review our operations and see how we can improve them. Those of us with operations in the Middle East also can see what is important in this region compared to other regions, and use this knowledge in determining security risk and the resultant technologies and capabilities to deploy," says Dr. Kelly.

Although cyber-attacks can start anywhere and technology is similar worldwide, information security requires understanding cultures. "For instance, some cultures and locations seem more resistant to social engineering than others, perhaps because strangers are recognised quickly. So, this summit can help us to gain a better understanding of cybersecurity issues in the Middle East and account for those in our risk determination and global planning. Holding this event in Saudi Arabia emphasises the important position Saudi Arabia holds within the Middle East on the vital topic of information security."

- suchitra@khaleejtimes.com

