CISO Profile: Joe Bernik, Fifth Third BankIn a New Role, He Melds Business and Security
In an exclusive interview, Bernik discusses:
Bernik is a risk professional with 15 years of experience in information security. He has developed risk management practices, procedures and standards for several Fortune 100 companies including several global banking organizations. He was formerly Director of Operational Risk at the Royal Bank of Scotland and CISO of ABN AMRO and its subsidiary, LaSalle Bank. He has a bachelor's degree from the University of Mary Washington and completed graduate work at the City University of New York.
TOM FIELD: What are some of the top risk management and information security challenges that banking security leaders are facing today?
Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am talking today with Joe Bernik with Fifth Third Bank.
Joe, thanks so much for joining me.
JOE BERNIK: Thank you, Tom.
FIELD: Joe, just to give some context to our audience here, why don't you tell us a little bit about yourself, your role at the bank and your background please?
BERNIK: Sure. Well my most recent, up until joining Fifth Third about two months ago as their Chief Information Security Officer, I was Senior Vice President and Director of Operational Risk Management for Citizens Bank. Citizens is a retail and commercial bank in the northeast and the mid-Atlantic, and they are a wholly owned subsidiary of the World Bank of Scotland; that was my job.
For the last few years before that I was an employee of ABN AMRO, which is a Dutch organization, and I focused particularly on information security. I was the Chief Information Security Officer for their U.S. Subsidiary, LaSalle Bank out of Chicago. Prior to that I had worked for many years as a consultant within the risk area for KPMG advising financial services organizations on best practices to address information security as well as technology and business risk.
FIELD: Well, Joe, I was certainly impressed by your resume, and one thing that jumped out at me was just the depth in the profession you had. And it leads me to ask you: What are some of the major ways that information and security and risk management have evolved in your time in the profession?
BERNIK: I think the best way to answer that is to focus on the way that we are now dealing with more of the business aspects of day-to-day business operations. Just to give you an example, just before this meeting I came from a meeting with one of our senior vice presidents in the retail business to talk about some new processing opportunities they had and to discuss the risks associated with that opportunity.
So prior to the last couple of years, I would say, the information security space was more focused on infrastructure security, really focusing on how to unite and implement networks and how to protect desktops (so really the nuts and bolts of technology), and I think over the last several years, really I would say 20 years, it has obviously gotten a lot more about business and how we can secure our organizations, specifically in my case banking and financial services, and provide a level of service to the business and advise them as to how to best implement controls around their processes. So I think that is probably the evolution of the area.
FIELD: Well, Joe, you have just joined Fifth Third recently. What do you see as your top challenges as you start this position?
BERNIK: Top challenges - I would say that the top challenge is to improve and expand the relationship with the business. That is a challenge that is not particular to Fifth Third, but true of any organization. It is relationship building and building trust, not necessarily trust from our organization but from myself to show that I can be a trusted partner to the business and that I am here to sort of assist them in expanding those business processes that they employ. That is a challenge, and it takes time to establish that, and oftentimes it is not just an evolution for the individual, in this case myself, but a cultural evolution that occurs both for their organization as well as the individual, in this case the Chief Information Security Officer.
FIELD: Now, Joe, there are several topics that we talked about before we sat down here that are sort of near and dear to you, and one of them I want to ask you about right now is criminal activity. What are the attempted crimes that you are seeing most frequently at the bank now?
BERNIK: I couldn't lie to you in that we are noticing a sort of trending across all financial institutions at this time is really organized crime syndicates that are preying upon not the banks directly, but the banks' clients, looking to use the bank's client both as vehicles to move money as well as targets of theft. Essentially what it amounts to is robbery, but in this case it is electronic, basically looking for ways to compromise the clients and steal their money essentially. And these criminal rings tend to operate out of eastern Europe as well as parts of Asia.
They are well organized and well funded and they are more and more successful, as you can see from the recent articles and press releases that have come out with regards to some of the things that Citibank has been dealing with some eastern European groups as well. Obviously, our own domestic criminals that have sort of popped up recently, referring to Albert Gonzales and the group that was just arrested for the TJ Maxx hack that occurred over the last couple of years.
I think that organized structure and that more sophisticated method of attack and the evolution of attack is really what has got a lot of individuals as well as criminal law enforcement agencies mobilized, and we are being more assertive and aggressive in how to defend ourselves and our clients from these types of threats.
FIELD: Joe, intrusion prevention is another topic I want to talk with you about, and it certainly is a good segue from what you were just discussing. What have you found to be most effective in preventing these intrusions?
BERNIK: Well, the traditional intrusion prevention had a lot to do with putting devices out on the perimeter of the network and trying to identify malicious activity, but it was mostly too--historically these technologies sat too low in the model. It was really looking at network layer activity, which really would only defend you against more basic level attacks and really isn't designed to defend against application layer business-rule based exploits that we are seeing more and more of these days. Sort of the IPS as it is referred to, and it really has evolved over the last couple of years to be more behavioral in nature and analyze the behavior of the user so it can protect against malicious abuse of the systems and the business rules that are employed within those applications.
Unfortunately, what we have seen over the last few years is more and more of the trends have been focused again on the exploit of the client, and we have to therefore look for new technologies that can help us in mitigating and where possible remediating, which is usually not possible, but mitigating as it may be the risk of these types of attacks. So we are challenging the vendors of these products, the large vendors of these technologies, to implement more intelligent analysis, really anomaly-based analysis, but not just at the protocol layer, but at the application layer, really looking for how the application should behave under normal circumstances and how it would behave in non-normal circumstances in order to allow us to target this type of behavior and investigate it further when it occurs.
FIELD: Joe, you talked about emerging technologies, and something we hear a lot now from the banking vendor community is identity access management. Which systems and strategies have you found to be particularly effective here?
BERNIK: That is an interesting question. So, identity access management is the bane of a lot of security professionals' existence. It is a very complex proposition. What we really want to do is leverage enterprise solutions for identity management where possible and in doing so create efficiency and control of access and administration of that access.
So really, where possible what we have been trying to do, and what all larger organizations have been trying to do, is leverage standards like Active Directory and XML, SAML and SOAP to try to basically build standards around how applications interact and how those applications are administered in a central fashion.
Historically, applications were designed as standalone sort of systems, and in doing so they would implement their own administration, authentication and provisioning and permissioning process, which creates not only more risk because it creates a sort of very monolithic view of control, as well as inefficiency because you have got to now administer every system independently.
So what we have been trying to do is take an architectural perspective or view on security and really embed that into the development lifecycle so that we can move to a more standard and centralized administration method. That also helps in the deprovisioning when you only have to deprovision in a single system, and that will sort of trickle down to all of the various systems that are connected.
So really centralized administration is being one of the sort of, I think, panaceas for the security industry. However, it is somewhat elusive in that a lot of systems are still somewhat antiquated and don't support these protocols that I referred to. So it is a challenge there to sort of figure out how to best incorporate all of these systems into these centralized management processes that we are trying to adopt. That is sort of how we best address the problem internally.
Now there is a whole other challenge presented when we are dealing with external clients and how they authenticate. That presents a great deal of challenge right now because of the additional security measures that we need to take when we authenticate, and historically what we have been doing is using and providing access management, specifically the access part, historically we have been using stronger authentication to try to secure our systems. However, because of the sophistication of these criminals that I spoke of earlier, these methods are becoming less and less successful, so we are having to search out new security measures to overcome the new threats that we are seeing. So things like tokens and out of ban authentication and these other historically used methods of strong authentication have become less successful to the point where we are having to explore and make significant investment in alternative solutions now.
FIELD: Joe, just one last question for you. You certainly have had a distinguished career and you have a lot of experience behind you, and you have done a great job I think of outlining the threat landscape today. For someone stepping into a role like yours and trying to tackle this complicated landscape, what advice would you give to them?
BERNIK: Well, the advice that I would give would be that you have to continuously refresh your knowledge and expand your breadth of knowledge. The technology landscape doesn't stop evolving, so the individuals trying to secure that space can't stop evolving.
You have to continually try to stay abreast of new technologies, and the best way to do that is really communicate with other individuals within your space. I try to stay involved with organizations such as OAS, ISACA, ISSA and other organizations that provide that networking opportunity. And obviously constantly educating yourself via any books that you come across that are insightful, as well as obviously trade magazines are very useful.
Obviously, BankInfoSecurity.com is one source of that information that I use to sort of get insights about how to tackle problems. But I think that constant learning process is really key to be successful in this industry. Without it, you are finding that quickly your skills become outdated, and therefore your value can become somewhat limited in turn.
FIELD: Well, Joe. that is great insight. I appreciate your time today, and I wish you well in your new role.
BERNIK: Thank you very much, Tom. Thank you for the opportunity.
FIELD: We have been talking with Joe Bernik with Fifth Third. For Information Security Media Group, I'm Tom Field. Thank you very much.