The Accidental CISO
October 1, 2019
On 1st October, we had the honour of having Cheri McGuire, Group CISO of Standard Chartered, as an ICE71 guest speaker at Cloudflare’s shiny new Asia HQ. Cheri shared insights across topics like how she got into cybersecurity and what traits a CISO should have.
The Accidental CISO
“It’s a very long story, but you could call me an accidental CISO,” Cheri said. Coming from a political science background, she worked for the US Congress for over 6 years before she went back to school for an MBA, and then worked for a telecommunications infrastructure company. “I had to learn about that business in a short period of time,” she said.
Her mix of telco and government experience turned out to be a draw for Booz Allen, which got her into consulting. About a year after she started, 9/11 occurred. She then got into US Homeland Security’s national cybersecurity division in its nascent days, where “You couldn’t even get a chair if you weren’t early,” she said. Stints at big names like Microsoft and Symantec followed later. Today, she is CISO of Standard Chartered.
3 most important traits of a CISO
“CISOs need to communicate and translate. They need to have courage. And they also need to have a good blend of technical and business skills.” – Cheri McGuire
Terms like ‘256-bit encryption’ and ‘TCP/IP protocols’ may seem basic for cybersecurity professionals, but not for finance professionals or non-tech people. Cheri said, “I had to put myself in the shoes of my audience and be able to speak their language, in real business terms, when it comes to describing the impact of security.”
CISOs need the courage to call out challenges and issues to an audience. For this reason, CISOs are often not the most popular: some listeners would rather not know about such challenges, or not have them at all. When bringing up an issue, CISOs need to understand the motivations of the audience and speak to them in simpler terms, making it real and relatable. For example, a CISO can say, “Look, if we don’t patch that system, these are the things that could happen to the business.”
Cheri also believes CISOs should have a good blend of both technical and business skills. “You don’t have to be the smartest,” she said, but having a good understanding of business risks, coupled with a solid foundation of technical knowledge, will help CISOs get ahead of their game.
Commoditisation of the threat landscape
It has become cheap and easy for anyone to launch cybersecurity attacks. The “bad guys” only need to “get it right” once, yet the victim organisation has to protect against everything that follows. This is one of the biggest threats that banks and financial firms face today.
“A small breach can have a significant impact.” – Cheri McGuire
Cheri cited the example of the Tesco Bank cyber attack in 2016, where the breach itself cost over $2 million, small by financial institution standards, but the reputational repercussion was huge, and the regulatory fine was about 10 times the actual cost of the breach.
Managing risks in the cyber world
Cheri believes it takes a multi-layered approach to cybersecurity risk management—people, process and technology.
90% of attacks usually happen through phishing. “Employees are the first line of defence,” Cheri said. This is why it is important that banks train their employees to be consistently cyber risk-aware.
Despite cyber awareness training for employees, human error remains possible, and people might still click on a phishing link. So processes and technical controls, like those put in place to prevent phishing attacks, are still necessary.
There’s room for startups, but it’s challenging
Regulatory requirements prevent the quick adoption of technology from startups, much as CISOs want to work with them.
The complexity and size of an organisation like Standard Chartered also make it challenging to onboard new vendors. “With footprints in 60 countries, close to 100,000 employees and complex environments, it’s challenging for us to onboard new vendors,” Cheri said.
There are other considerations before onboarding can happen, too, such as whether a startup’s product is well thought out, whether the startup has enough backing, what scale the startup is at, and whether it has been around for a while: factors linked to its longevity.
Early this year, SC Ventures, the innovation, ventures and fintech investments unit of Standard Chartered Bank, created SC Ventures Fintech Bridge, a platform that connects and matches partners (startups, investors and accelerators) from the fintech ecosystem to the Bank. Through this platform, ecosystem partners can propose solutions to challenges posted by the Bank’s business units or request investments.
Silent Eight is one of the startups in the SC Ventures Fintech Bridge. Its AI technology simplifies anti-money laundering checks and processes done in banks, such as name screening, payment screening and transaction monitoring.
Built-in security is a business proposition
As banks continue moving towards digitalisation of services, trust and security become important.
Cheri urged companies to keep security in mind when building their products. “Please build security into your products, so you’re ready when you come knocking at our door,” she said, adding, “if your products are not secure in the front end, it’s hard for us to adopt it.”