As the first in Europe to launch a crypto custody service and the first to partner with Google on a security analytics platform, BBVA sees staying at the forefront of new technological trends as a critical differentiator in the market. Insights spoke with BBVA CISO Alvaro Garrido to discuss how he sees cybersecurity evolving over the next several years.
In terms of crypto and DeFi infrastructure, cybersecurity teams must understand cryptography, smart contracts, and the different consensus protocols of blockchain networks. The crypto ecosystem is evolving quickly so security teams must always be learning. They must also stay in close communication with other teams such as risk, compliance, and legal so there is a two-way transfer of knowledge.
The decision about launching one’s own service or having a third-party provider depends on the available internal talent and the desired time to market. Creating a custody service is complex and takes time, so working with third parties may make the most sense if the institution wants to enter the market quickly.
The new regulations coming into force (GDPR, NIS, PSD2 etc.) are great news for the financial industry, as they introduce cybersecurity policies, standards, and guidelines for those that are not currently applying the necessary due care and diligence to cybersecurity.
As we operate across multiple geographies, we see a need for alignment between different regulators and governments. Regulations coming into force should be harmonized and aligned on the balance between security, privacy, and user experience. Cooperation between public and private institutions must be enhanced, as global scale and real-time collaboration is needed to fight cybercrime.
Effective and efficient sharing of intelligence is also critical. BBVA is member of several cybersecurity associations, such as the European Banking Federation, Institute of International Finance, European Financial Services Roundtable, and FS-ISAC.
Google is a strategic partner in our journey towards becoming a data-driven bank, with the cloud at the core of this strategy. The relationship between Google and BBVA has evolved over time into a full-fledged collaboration to evolve products and add new capabilities, both in the functional and the non-functional (risk and control) spaces.
BBVA is the first bank in Europe to deploy Chronicle, Google Cloud’s security analytics platform. Chronicle allows our security teams to store and analyze all our security data in one place and to detect and investigate threats at scale, reinforcing our forensic analysis capabilities and minimizing the probability and impact of security incidents.
Machine learning can help automate threat detection and make cybersecurity teams more efficient at processing large amounts of data. However, it is not a silver bullet. Cybersecurity teams often have a lot of useful knowledge about the nature and behavior of threats. The important thing is to be able to channel both human and machine knowledge into detections, whether through advanced analytical models or traditional rulesets and other conventional methods.
In our case, we are applying models to our data sources to be able to prioritize the most critical events and determine the potential impact, based not only on the threat characteristics but also on the criticality of the impacted asset.
The future SOC needs to contend with a few key trends: the expansion of software supply chains and resultant risks; identity-centric access models superseding network-centric security models as a result of cloud adoption; new high-persistent threats that are undetectable without advanced hunting capabilities; and a cybersecurity talent shortage.
SOCs will be fully automated when it comes to dealing with the daily, low importance events and attack attempts. They will be continuously improving automation of preventive techniques as well as developing hunting capabilities to manage the deeper, more important events that cannot be easily detected with current tools and techniques.
Despite this increased automation, cybersecurity talent will remain in short supply and high demand. However, the skills our teams need are changing. We are hiring data scientists, intelligence analysts, architects, and developers with knowledge of working in the cloud. We are also looking for people who understand how to balance the critical need of security in a digital environment with positive user experiences to help differentiate the organization.
The Technology and Cybersecurity Commission, composed by BBVA´s president and members of BBVA´s Board of Directors, has increased the focus on cybersecurity at the highest levels of the organization. The Commission’s work takes an executive approach, presenting topics to leadership in a non-technical way that highlight the business risks and impact on BBVA’s clients. As such, it has become a key lever in incorporating cybersecurity strategy into our overall business strategy.
Cybersecurity is, of course, part of the conversation when discussing all new business initiatives. One of the main pillars of BBVA´s Cybersecurity Strategy is “Security and Privacy by Design”. Therefore, a risk control model governs the lifecycle of any IT initiative, including a risk assessment, a security plan, pen-testing and the necessary compliance controls. Additionally, security is integrated within software development circuits in order to identify potential vulnerabilities and correct them before new products come to market.
Cybersecurity is central to innovation and adopting new digital technologies which are critical for market differentiation in a highly competitive financial services landscape. This requires a new skillset for cybersecurity teams as well as integration of cybersecurity considerations into all phases of product development and digital transformation efforts. Cybersecurity must therefore be a key consideration at the highest levels of the organization, including the executive team and the Board of Directors.
© 2021 FS-ISAC, Inc. All rights reserved.
Currently the Group Chief Security Officer & Group Chief Information Security Officer at BBVA since 2018. Álvaro Garrido García has had 25 years of experience, holding several roles including, Group Chief Information...Read More
Officer at Nordea, Global Head of Technology at Standard Chartered Bank, Global Head of Infrastructure Service and Operations at Standard Chartered Bank, Global Head of Technology at British American Tobacco, Global Head of Engineering at Roche Farma, and Several IT Operation & Managing roles at Sun Microsystem. He has a Master in Telecomm Engineering, Telecommunication from the Escuela Técnica Superior Ingenieros de Telecomunicación of UPM. He also holds an International Management Program, Business Administration and Management, and Advanced Certificate for Executives in Management, Innovation, and Technology from Massachusetts Institute of Technology - Sloan School of Management.