BBVA: What it Takes to Secure Tomorrow

As the first in Europe to launch a crypto custody service and the first to partner with Google on a security analytics platform, BBVA sees staying at the forefront of new technological trends as a critical differentiator in the market. Insights spoke with BBVA CISO Alvaro Garrido to discuss how he sees cybersecurity evolving over the next several years.

BBVA was the first bank in Europe to launch a crypto custody service. What kinds of security skills are needed to protect crypto and DeFi infrastructure that may be different from the traditional cyber skillset?

In terms of crypto and DeFi infrastructure, cybersecurity teams must understand cryptography, smart contracts, and the different consensus protocols of blockchain networks. The crypto ecosystem is evolving quickly so security teams must always be learning. They must also stay in close communication with other teams such as risk, compliance, and legal so there is a two-way transfer of knowledge.

How can a bank decide whether to build crypto custody services or partner with third-party providers?

The decision about launching one’s own service or having a third-party provider depends on the available internal talent and the desired time to market. Creating a custody service is complex and takes time, so working with third parties may make the most sense if the institution wants to enter the market quickly.

How do you manage for the changing regulatory environment in the EU regarding data and third-party providers?

The new regulations coming into force (GDPR, NIS, PSD2 etc.) are great news for the financial industry, as they introduce cybersecurity policies, standards, and guidelines for those that are not currently applying the necessary due care and diligence to cybersecurity.

As we operate across multiple geographies, we see a need for alignment between different regulators and governments. Regulations coming into force should be harmonized and aligned on the balance between security, privacy, and user experience. Cooperation between public and private institutions must be enhanced, as global scale and real-time collaboration is needed to fight cybercrime.

Effective and efficient sharing of intelligence is also critical. BBVA is member of several cybersecurity associations, such as the European Banking Federation, Institute of International Finance, European Financial Services Roundtable, and FS-ISAC.

Talk about your partnership with Google Cloud on Chronicle.

Google is a strategic partner in our journey towards becoming a data-driven bank, with the cloud at the core of this strategy. The relationship between Google and BBVA has evolved over time into a full-fledged collaboration to evolve products and add new capabilities, both in the functional and the non-functional (risk and control) spaces.

BBVA is the first bank in Europe to deploy Chronicle, Google Cloud’s security analytics platform. Chronicle allows our security teams to store and analyze all our security data in one place and to detect and investigate threats at scale, reinforcing our forensic analysis capabilities and minimizing the probability and impact of security incidents.

How do you use machine learning to mitigate cybersecurity threats?

Machine learning can help automate threat detection and make cybersecurity teams more efficient at processing large amounts of data. However, it is not a silver bullet. Cybersecurity teams often have a lot of useful knowledge about the nature and behavior of threats. The important thing is to be able to channel both human and machine knowledge into detections, whether through advanced analytical models or traditional rulesets and other conventional methods.

In our case, we are applying models to our data sources to be able to prioritize the most critical events and determine the potential impact, based not only on the threat characteristics but also on the criticality of the impacted asset.

What is the SOC of the future? How does it look different from a current SOC at a large FI?

The future SOC needs to contend with a few key trends: the expansion of software supply chains and resultant risks; identity-centric access models superseding network-centric security models as a result of cloud adoption; new high-persistent threats that are undetectable without advanced hunting capabilities; and a cybersecurity talent shortage.

SOCs will be fully automated when it comes to dealing with the daily, low importance events and attack attempts. They will be continuously improving automation of preventive techniques as well as developing hunting capabilities to manage the deeper, more important events that cannot be easily detected with current tools and techniques.

Despite this increased automation, cybersecurity talent will remain in short supply and high demand. However, the skills our teams need are changing. We are hiring data scientists, intelligence analysts, architects, and developers with knowledge of working in the cloud. We are also looking for people who understand how to balance the critical need of security in a digital environment with positive user experiences to help differentiate the organization.

You have a cybersecurity commission that reports directly to the board. How does this elevate cybersecurity as a focus at the top of the organization?

The Technology and Cybersecurity Commission, composed by BBVA´s president and members of BBVA´s Board of Directors, has increased the focus on cybersecurity at the highest levels of the organization. The Commission’s work takes an executive approach, presenting topics to leadership in a non-technical way that highlight the business risks and impact on BBVA’s clients. As such, it has become a key lever in incorporating cybersecurity strategy into our overall business strategy.

Cybersecurity is, of course, part of the conversation when discussing all new business initiatives. One of the main pillars of BBVA´s Cybersecurity Strategy is “Security and Privacy by Design”. Therefore, a risk control model governs the lifecycle of any IT initiative, including a risk assessment, a security plan, pen-testing and the necessary compliance controls. Additionally, security is integrated within software development circuits in order to identify potential vulnerabilities and correct them before new products come to market.