Bugcrowd’s Group Chief Information & Security Officer Nick McKenzie, who oversees all aspects of the company’s information technology and security strategy, architecture, operations and governance, discusses the top cybersecurity challenges facing financial institutions.
Security: What is your background? What is your current role and responsibilities?
McKenzie: I recently started my new role at Bugcrowd as Group Chief Information (CIO) & Security Officer (CSO) in April and (interestingly enough) came in as a Bugcrowd customer from the banking industry! I’m loving the change.
My role wears three hats: running enterprise technology and the cybersecurity function globally, and serving as the General Manager for APAC.
Prior to this role, I held cybersecurity leadership positions for the past 20 years, most recently as Executive General Manager and Chief Security Officer at National Australia Bank (NAB), one of Australia’s four largest financial institutions. At NAB, I oversaw the enterprise security portfolio, including cyber, physical security, architecture, partnerships and ventures, and operational fraud capabilities to protect customers and employees, support business growth and enable an operationally resilient bank. I’ve also worked in various IT Risk and Cybersecurity leadership roles at Standard Chartered Bank, J.P. Morgan, and the Union Bank of Switzerland (UBS) while serving as an advisory board member for Google, Amazon Web Services and Digital Shadows.
Security: What are the top cybersecurity challenges facing financial institutions?
McKenzie: Growing and retaining internal capability and talent, protecting customer data from attacks and fraud, and fostering external public and private partnerships while establishing a more frictionless cybersecurity experience for both customers and staff are top of mind at financial institutions. This is all against a backdrop spurred by the pandemic where internal and external fraud is increasing, technology regulatory mandates are compounding, and organized crime groups and nation-states have constant bullseyes on these companies’ backs due to the data they hold. It’s a true perfect storm for financial institutions right now, quite apocalyptic juggling all these risk verticals, so I tip my hat every day to the CSOs/CISOs and security teams living through such dynamics.
Security: How does that differ from 1-2 years ago?
McKenzie: The perennial dilemma faced is that blue cables have now become largely obsolete and rapid digitization agendas with new work from home (WFH) norms have accelerated sprawl and pace. The traditional controls you would expect to invest in and focus on years ago have been thrown out the door. Cyber strategies need to adapt to this change in the threat landscape quickly.
As the digital attack surface and remote access channels spun out of control in this cloud-operated world we now live in, threat actors are increasingly targeting organizations’ weakest links, from WFH users to third-party supply chains. The digital rush to enable the business or staff also leads to basic design control failures, sometimes caused via ‘security shortcuts’ or trade-offs made with the businesses to get them moving. This has further opened the door to enterprise-wide destructive cyberattacks - the kind you read about pretty much every week these days, it seems. To mitigate these risks, organizations must adopt new educational tools, technical solutions, and business strategies.
Security: How can crowdsourced security help financial organizations solve these issues?
McKenzie: At its core, cybersecurity is principally a human problem - it requires a diversity of intelligence to uncover and troubleshoot security issues in technology, and (on the flip side of the coin) it requires fixes, trade-offs, or ‘bumps’ in the changes of behavior of the people who interact with or design the technology on a daily basis.
While all banks and financial institutions traditionally have a plethora of security tools and technologies that pick up some ‘known’ issues or exposures in systems or code, these tools simply lack human ingenuity and diverse thinking. They lack the ability to continuously learn, understand and navigate laterally across multiple business processes, infrastructure, or application logic flows like a motivated threat actor would. This is where you unearth all the high-value findings that will ultimately protect against further exposures to the organization and its customers. This is where connecting to the researcher community and crowdsourced security models come into play.
To meet the challenges mentioned above, financial institutions need a ‘human’ force multiplier for their security strategy that allows them to leverage (en masse) highly skilled security professionals, extensible technology and actionable cybersecurity intelligence to keep employees and customers secure. That is why organizations are increasingly adopting crowdsourced security programs, such as bug bounty programs or vulnerability disclosure programs (VDPs). By making crowdsourced security programs an integral component of their security posture, financial organizations can ditch the ‘one-size-fits-all’ perspective in favor of a layered security approach with continuous access to skilled security professionals tailored to fit their needs.
Security: What does it take to be an exceptional security researcher, and what qualities do they need to succeed?
McKenzie: Researchers play a tremendous role in the success of any security program. They must understand tech stacks front to back to identify vulnerabilities, but most importantly, they must be able to think differently and go outside the box - thinking multiple control steps ahead. To be an exceptional security researcher, they also must be willing to adapt and learn continuously, including learnings around the non-technical and business processes side (e.g., how does a particular company or industry vertical operate, which systems are traditionally used and interface with one another, which business processes chain together, and so on). With an ever-changing technology landscape, researchers must constantly keep educating themselves with new tools, business acumen and cybersecurity concerns specific to particular industries. This can be done by taking advantage of offers for individuals or organizations to gain access to knowledge sharing and the co-creation of security resources. Naturally, this encourages more creativity and helps organizations arrive at solutions to their problems sooner.