Stephen Norman is one of the most knowledgeable banking technology professionals in the world today. During his extensive career he has worked as Chief Technology Officer at Merrill Lynch and was CIO of RBS’ investment bank for an unprecedented seven years, ending in 2012.
Stephen sat down with bobsguide to discuss the issues giving CIOs sleepless nights in 2017, his approach to tacking those challenges, and also tell us how he drew on his own career experiences when penning his first novel.
What are the major cybercrime concerns for CIOs in 2017?
During my time at RBS and before that Merrill we experienced a range of traditional cyber-attacks such as DDoS attacks on infrastructure, phishing attacks on our customers aiming to get their personal details, malware of various kinds, and viruses. However, broadly speaking, my view is that banks’ external infrastructure today is reasonably hardened against these types of attacks. It has been calloused by the fact that banks have been exposed to this kind of attack, particularly on the retail level, for the past 25 years and have evolved defences. Although it is a constant arms war, they are in reasonable shape.
In respects to traditional fraud i.e. credit card fraud and identity theft, banks are somewhat paradoxically in better shape because of regulation due to the enormous focus on KYC.
It’s not like these things have stopped, during my last year at RBS we had literally hundreds of daily attacks on our electronic banking infrastructure, but what is really worrying banks now are newer trends.
The first is the emergence of a new breed of very sophisticated cyber criminals, some of whom appear linked to foreign governments. You may have read about the attack on the Bangladesh Bank, where the criminals issued SWIFT instructions to move money from its US accounts totalling $931m. It was entirely luck that reduced those losses to $100m or so.
Banks are worrying about SWIFT; the SWIFT infrastructure is very old, nobody quite knows its flaws because SWIFT are not very upfront about the details, but there is a belief amongst banks that SWIFT is vulnerable to external attacks and that they are over-reliant on it.
The second area where banks are really concerned is client data. When it comes to client data in general the banks have done a better job than other industries, but today CIOs worry about what they are being asked to put in public infrastructures i.e. the cloud, which are data centres that they do not control and are maintained by people they don’t pay.
There is a tension today between the move to cloud which is driven by the need to cut costs and become more efficient, and the worry about data security.
Wearing your CIO hat, what would your attitude have been to moving client data to the cloud? Would you have been against it?
You can tackle the issue of moving data to the cloud in two phases.
Firstly, you can categorise your systems into two groups; those that contain sensitive data and those that do not, and then commit to moving the systems that do not. Most banks are prepared to move systems which don’t contain GDPR-sensitive data
The second things is encryption; banks don’t want to move data to the cloud unless it can be guaranteed that it is going to be encrypted in place, which may involve substantial application re-engineering.
Ultimately banks are between a rock and a hard place with the cloud, they want to do it but they are still nervous about it. I’m not aware of any bank that thinks it is going to move all of its most sensitive data into the cloud.
How much resource is committed to preventing cybercrime today, and has this changed over time?
The risks for banks today (largescale theft, loss of client data) probably represent the number one concern of not just IT heads, but board members of banks generally. But the issue for them is that they are spending so much time on regulatory projects that the discretionary budget to address that concern is very limited.
Additionally, the large banks have a legacy infrastructure that they cannot replace. So when they look at how they are going to combat cybercrime, it is with the knowledge that they cannot change the core systems. It’s a very complex environment and they cannot be sure that they haven’t left gaps.
So the short answer is banks are spending an awful lot of their nervous energy thinking about cybercrime but they aren’t spending a lot of money on it simply because they don’t have the resources to dedicate to it.
What are your thoughts on PSD2 and cybersecurity?
From the point of view of a CIO of a big bank, PSD2 is very concerning, because essentially banks are being forced to take what is at the heart of their own systems and expose it. And not just to customers and other banks with whom they have deep relationships, but via APIs, which is deeply troubling especially considering the legacy nature of the infrastructure.
Factors such as PSD2 and the change to banking whereby other people can own the relationship with what used to be your customer, is going to open the world to a whole new category of risk. So in that sense the regulators’ demand for transparency and for other people to provide services makes the life of large bank harder and makes it more likely that they will face new cyber threats.
How would you have reacted to PSD2 as the CIO of RBS?
Well, I’d say first of all it was a problem for my colleagues in Retail and Commercial! In Global Markets we were just customers of the core banking platforms. It is a very complex problem for most banks with mainframe core platforms, where ANY change feels like an enormous risk (remember RBS’s problems with its batch scheduler upgrade). New thinking is needed around authentication, performance and cyber detection. The obvious approach is to front the legacy platforms with a new intermediary layer, the equivalent of a demilitarized zone to separate data and processing. In other words to provide the PSD2 transparency through a processing firewall which can be controlled and very carefully limits the kinds of actions an external provider can carry out. This would build a layer of data and very carefully governed set of processes without giving the external supplier access to your core system.
And I don’t think that is a very good answer. If I were still CIO of RBS Global Markets I would be extremely worried about PSD2 and I think we’d be very concerned about how to implement it.
How are banks coping with the issue of rapidly evolving technology?
I distinguish between organisations that are born digital, organisations that acquire digital, and organisations that have digital thrust upon them.
Born digital companies include Google, Amazon, and Tesla. Everything they do is driven by technology. Even Tesla, who you might say is a car company, is driven by its understanding of technology and its desire to use technology.
I don’t think there are any banks that are born digital but I think some of them acquire digital and are quite good at it. The board realise that they need to understand blockchain for example, they know they need to understand payments, and so they invest in it.
And I think the banks that will be left behind are the ones that feel that they have had digital thrust upon them. They’re the people that don’t really understand the technology, they don’t get distributed ledgers or whatever it might be, and because they don’t understand it they try to outsource it. I don’t think those financial institutions will succeed, because they will never evolve.
You’ve just published your first novel, how much of your own experience did you draw upon when writing it?
Trading Down is about a bank which is under cyberattack. Our protagonist is the first person to realise the IT related disasters affecting the bank are the result of terrorism. The first disaster involves a primary data centre where the cooling has failed. Big data centres cook in less than an hour. I have experienced this – though not as a result of terrorism - and never wish to again. Later in the book, we are on the trading floor which is frozen by a data storm in the bank’s network. No-one can trade and can no longer make prices. That is another terrifying situation, and has again happened to me more than once.
The third attack focuses on corruption of data and shuffling of data, which is not something I have experienced, but in the course of writing the book I consulted with a group of industry professionals and we concluded that the ability of an insider within a bank to shuffle the bank’s databases was extremely scary and something that banks need to be careful about. There are programs today – used to anonymise test data - that can shuffle a bank’s database so that the structure remains intact and you only have to run that system for a minute or two before it becomes completely irretrievable. If you could do that to the bank’s major systems you would never escape, I think the bank itself would be out of business within a day. That’s the climax of the book.
That threat is a very real one. I think CIOs that read it will go back and look again at their plans, and particularly the dangers of insiders. A lot of attacks come from the outside of the banks but there is growing threat from the inside. If it makes people think a bit harder and prevents the next disaster that would be a happy outcome.
Stephen Norman's first novel Trading Down, a fast-paced thriller providing an exploration into the increasing threat of cyber-terrorism on the modern world, is available from Endeavour Press as an e-book or paperback.