Today’s Conversation with a CISO was hosted by Paul Roberts (Editor, Security Ledger) and Anup Ghosh (CEO, Invincea). They spoke with Daniel Conroy, CISO of Synchrony Financial. Reporting directly to the CIO of Synchrony Financial, Daniel Conroy is responsible for establishing and maintaining the vision, strategy and programs necessary to ensure that Synchrony’s information assets and technologies are protected.
Below are highlights from the webcast and key takeaways from the discussion with Daniel Conroy.
What is FS-ISAC (Financial Services Information Sharing & Analysis Center)? How does this help automate and operationalize some of the threat intelligence and information sharing that goes on?
FS-ISAC is used for sharing information across the financial industry and gives financial institutions a common methodology for defending themselves. Daniel mentioned that many institutions are not yet at the level where they can make use of tools like FS-ISAC. Therefore, it is important that a threat indicator one institution picks up on is put into a feed that other institutions can benefit from. The agility this provides is a great way to automate the process.
What can enterprises do to stop attacks?
Daniel commented that most organizations have to take a step back and really understand how agile they are. Normally, enterprise organizations run on an annual budgeting cycle and are locked into formalized projects. Daniel changed the way his company operates by evaluating threats on a quarterly basis and adjusting the nature of his program based on these more frequent evaluations.
What is the nature of budgeting for the financial industry?
Daniel said that some financial institutions have ample budgets, but it essentially comes down to how the money is spent. It is vital to have one person who can translate the technology, the controls and the threats back into business language so that the important discussions can happen. Daniel gave the example of airport security, where a great amount of money is spent, but the most important aspect is to be smart and strategic about that spending.
What are the threats in finance and what is at the top of mind for financial institutions?
It is important to consider that the role of the CISO has changed significantly over the past 10 years. There are many threats that did not exist 5-10 years ago, like hacktivism. These new threats must be evaluated on a regular basis, and intelligence must be used to make decisions relating to them. Daniel believes that cyber security is a team sport and that the only way to be successful is to collaborate with everyone in the business and across the industry.
What is the nature of PCI and what is the space beyond it?
PCI is a baseline for what the industry should have. Daniel uses the NIST Cybersecurity Framework and maps his strategy against it to see where controls should be increased. PCI is only 5% of where a security program should be; the other 95% consists of things the company should constantly be working on.
What are some of the lessons learned from attacks that are more “hunting” (hacktivism, cyber-crime, nation-state) versus “destructive”?
Daniel mentioned that the lesson learned is "this is hard". It is hard because hackers are motivated and have the means to do harm to companies across the United States. Daniel believes that we must partner together and make security a team sport through information sharing. In the case of Sony, it was not the first time that particular code had been used, and if that had been shared, the breach might have been avoided. Daniel emphasized the importance of combining forces to slow adversaries down.
Question from Katie Haug, K logix: What is the relationship you have with your board? How do you align with the business’ objectives?
Daniel meets with the board regularly and has productive conversations with them. The board understands the challenges of cyber security, and the organization as a whole is very transparent. His strategy is to always align with the business. In order to defend, you must understand what the business is doing and why it is doing it. His architecture team partners with the business on every single project to make sure both parties understand the goals.