
As cybercrime becomes ever more sophisticated, continuously evolving strategies, technologies and partnerships are required in order to stay one step ahead of the bad guys, says Bank of America’s CISO Christopher Higgins.
“To keep pace with the creativity and persistence of our adversaries, we invest heavily in innovation, the sure and sustainable route to solving problems and creating value.”
- Christopher Higgins
A reporter once asked the famous bank robber Willie Sutton why he robbed banks. He replied, "Because that's where the money is."
Sutton didn't actually say that - a reporter made it up to spice up a story - but Sutton was one of the most successful bank robbers of the "gangster era." From the 1930s through to the '50s, he stole more than $2 million, which in those days was an enormous amount of money, the equivalent of more than $30 million in today's dollars. While he always carried a gun in his straightforward "stick-'em-up" robberies (he famously quipped, "You can't rob a bank on charm and personality"), he was actually most successful using identity theft and social engineering. He accomplished some of his most successful heists by dressing up as an armored car guard, a letter carrier, a messenger, a maintenance worker, even a policeman - whatever personality he could borrow to get through the door and into the vault.
Our industry has successfully dealt with the Willie Suttons of the world. Armed bank robberies are, thankfully, much less common than they were in Sutton's day. And we are sharp enough not to give the vault keys to a guy whose credentials are a mop and a bucket.
But we are dealing with Sutton's successors - bad guys who are far more dangerous than he ever was. They're increasingly sophisticated and organized, often internationally, and they have an even wider and far more elaborate array of tricks, disguises and deceits that they use against unsuspecting victims every day, around the globe.
We - the banks - are still where the money is. And, perhaps even more important, we are where the information is - customer and company information that is currency to modern criminals. To protect both the money and our information, we must combine two efforts: innovating relentlessly to holistically manage information security risk, and building effective partnerships to share information and best practices, uniting in common cause against a common enemy.
More than policy
Many companies, including in financial services, position their Information Security as a policy-setting function. But we believe that effective information security requires more than policy - it requires comprehensive planning and action in analyzing threats, creating innovative controls and monitoring for compliance with mandates.
For example, some companies currently focus primarily on watching the perimeter for attacks, fighting them off, then installing controls to prevent them from recurring. Indeed, this is a model that has served us and our customers very well. We are proud of the extremely effective perimeter that Bank of America's information security team of technology professionals and risk managers has built.
But at the same time, we believe this model is not the future. Things have changed. Many security experts say the very notion of building a perimeter to keep the bad guys out is no longer enough, because Internet and mobile services have taken banking beyond our perimeter.
We must, and we will, continue to vigorously defend our perimeter. But that is yesterday's task. Today's task is securing our applications - and tomorrow's will be to secure all data, regardless of where it is, how it is getting there, and who is using it. So, led by Information Security Executive Chad Renfro, we are advancing our Information Security. Though we retain the capability to react when necessary, we are well under way in moving from a reactive model of "detect, respond, control to remediate" to a more active model of "analyze, control to prevent, monitor."
We have aggressively integrated our Information Security within the larger Enterprise Information Management function, with other capabilities like data analytics and risk management, to augment and direct the work of our IT, Information Security, resiliency and other subject matter experts.
We have developed a "web of controls" to identify, prioritize and manage threats, consistent with our company's fact-based risk management approach. We have built a patent-pending combination of advanced information analytics and Six Sigma methods in process, control and risk management, and we are applying it from end-to-end throughout the information lifecycle, from data acquisition through its management and storage, through use (access and availability), to final disposal.
The resulting control portfolio has four inter-related segments: applications, infrastructure, insiders, and suppliers.
In applications, we are scoring risk and setting priorities by applying proprietary methods to combine multiple considerations, like Internet exposure and data sensitivity. Even after investing whatever is needed to manage top-tier risk, we still invest in lower-level preventive controls that are less expensive and scale well to match our risk appetite in lower-tier applications. And we place emphasis on educating our associates on the importance of writing secure code and enforcing standards.
In infrastructure, we again set risk priorities by combining and scoring risk parameters, including factors taken in combination across hardware, operating systems and databases.
In our insider space, we set priorities with a sensible, disciplined approach that takes into account the simple but important fact that not all situations embody equal risk. We have built a proprietary tool that assesses risk by pulling data from multiple systems, looking at such factors as access levels, privileges, and the activity of bank-owned devices. We correlate results against dynamic lists we can customize with algorithms we can change in minutes. Real-time alerting allows investigation within hours. The tool's reports are followed up by information security specialists.
Finally, we have built assessment methods to rate the risks of our suppliers, so they are as prepared and protected as the bank itself. We evaluate and test our suppliers to ensure they handle Non-Public Information to our exacting internal information security standards.
In all, we have a deliberate and disciplined process to anticipate and prioritize risk through data analysis and process discipline. Using algorithms built by our Ph.D.-level experts, we build controls to prevent risk effects by priority, and we monitor outcomes to assure results and to adapt our controls to the changing environment.
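The two prioritization steps described above, tiering applications by combining Internet exposure with data sensitivity and correlating insider activity against customizable rules and watchlists with alerting, can be illustrated with a small model. This is added example code, not Bank of America's proprietary tool or its patent-pending methods; the ordinal scales, weights, tier boundaries, threshold, window and sample events are all constructed for the illustration.

```python
"""Illustrative fact-based risk prioritization: application tiering plus
insider-event correlation. Added example, not the bank's own tool; every
scale, weight, threshold and sample record below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed ordinal scales: higher means more exposed / more sensitive.
EXPOSURE = {"internal": 1, "partner": 2, "internet": 3}
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "npi": 4}  # npi = non-public information


def app_risk_score(exposure: str, sensitivity: str) -> int:
    """Combine the two considerations multiplicatively, so only applications that
    are both widely exposed and hold sensitive data reach the top band."""
    return EXPOSURE[exposure] * SENSITIVITY[sensitivity]


def app_tier(score: int) -> str:
    """Map a score to an investment tier: 'top' gets whatever it needs, the
    lower tiers get cheaper preventive controls that scale well."""
    if score >= 9:
        return "top"
    if score >= 4:
        return "middle"
    return "low"


def prioritise_apps(apps: List[dict]) -> List[dict]:
    """Annotate each application with its score and tier, highest risk first."""
    ranked = []
    for app in apps:
        score = app_risk_score(app["exposure"], app["sensitivity"])
        ranked.append({**app, "score": score, "tier": app_tier(score)})
    return sorted(ranked, key=lambda a: (-a["score"], a["name"]))


@dataclass(frozen=True)
class AccessEvent:
    user: str
    privilege: str        # "user" or "admin"
    sensitivity: str      # sensitivity class of the resource touched
    managed_device: bool  # True if the access came from a bank-managed device
    ts: datetime


# Rules are plain predicates with weights, so they can be edited or reweighted
# in minutes without touching the correlation engine. Each predicate receives
# the event and the current (dynamic) watchlist.
INSIDER_RULES: Dict[str, Tuple] = {
    "npi_from_unmanaged_device": (lambda e, wl: e.sensitivity == "npi" and not e.managed_device, 3),
    "admin_on_watchlist": (lambda e, wl: e.privilege == "admin" and e.user in wl, 4),
    "admin_off_hours": (lambda e, wl: e.privilege == "admin" and not 7 <= e.ts.hour < 19, 2),
}


def score_event(event: AccessEvent, watchlist: Set[str], rules=INSIDER_RULES) -> int:
    """Sum the weights of every rule the event trips."""
    return sum(weight for pred, weight in rules.values() if pred(event, watchlist))


def insider_alerts(events: List[AccessEvent], watchlist: Set[str], threshold: int = 5,
                   window: timedelta = timedelta(hours=1), rules=INSIDER_RULES) -> List[dict]:
    """Accumulate per-user scores inside a sliding window and raise one alert per
    user the first time the windowed score reaches the threshold. Alerts are the
    hand-off point to the specialists who follow up on the tool's reports."""
    recent = defaultdict(list)  # user -> [(timestamp, score), ...] within the window
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda ev: ev.ts):
        s = score_event(e, watchlist, rules)
        if s == 0:
            continue
        bucket = [(t, sc) for t, sc in recent[e.user] if e.ts - t <= window]
        bucket.append((e.ts, s))
        recent[e.user] = bucket
        total = sum(sc for _, sc in bucket)
        if total >= threshold and e.user not in alerted:
            alerted.add(e.user)
            alerts.append({"user": e.user, "score": total, "at": e.ts})
    return alerts


# Constructed sample data.
SAMPLE_APPS = [
    {"name": "online-banking", "exposure": "internet", "sensitivity": "npi"},
    {"name": "branch-intranet", "exposure": "internal", "sensitivity": "internal"},
    {"name": "partner-portal", "exposure": "partner", "sensitivity": "confidential"},
]
T0 = datetime(2011, 3, 1, 22, 0)  # 22:00, outside the 07:00-19:00 working window
SAMPLE_EVENTS = [
    AccessEvent("alice", "admin", "npi", False, T0),                              # 3 + 2 = 5 -> alert
    AccessEvent("bob", "user", "npi", False, T0 + timedelta(minutes=5)),          # 3
    AccessEvent("bob", "user", "npi", False, T0 + timedelta(hours=3)),            # 3, first event aged out
    AccessEvent("carol", "admin", "internal", True, T0 + timedelta(minutes=10)),  # 2 + 4 (watchlist) = 6 -> alert
]
SAMPLE_WATCHLIST = {"carol"}

if __name__ == "__main__":
    for a in prioritise_apps(SAMPLE_APPS):
        print(f"{a['name']:16} score={a['score']:2} tier={a['tier']}")
    for alert in insider_alerts(SAMPLE_EVENTS, SAMPLE_WATCHLIST):
        print(alert)
```

The multiplicative combination is a design choice worth noting: an Internet-facing application holding only public data and an internal application holding NPI both land in the middle band, while only the combination of high exposure and high sensitivity reaches the top tier where spending is unconstrained. On the insider side, the sliding window is what keeps a single unmanaged-device access from paging anyone, while the same behaviour repeated inside an hour, or combined with a watchlist hit, crosses the threshold.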
To keep pace with the creativity and persistence of our adversaries, we invest heavily in innovation, the sure and sustainable route to solving problems and creating value. We've filed for patents on many tools and processes, such as the process to import multiple frontline security controls to risk-rate activity and differentiate malicious from normal.
We have also implemented a data visualization system that lets us - and, crucially, our business partners - "see" the risks in real time so we can better prioritize and remediate them. Additionally, we have also built a Control Automation Tool to collect and distribute all aspects of a control, including discrete management and corresponding metrics. We created another tool that provides personnel, organizational hierarchy and access management functions.
We're all in this together
Much of what we have accomplished internally has been the result of effective partnerships among subject matter experts, risk managers, and business partners across the enterprise. We have established an information security governance board, bringing together leaders from every line of business and support organization, to foster enterprise-wide thinking, and, more importantly, to help establish strategy, tactics, resource allocations and accountabilities at the business level.
Because we know first-hand the power of effective partnership, we are also working to build partnerships of all kinds outside the company as well, to share information and best practices, and to seek opportunities for mutual action to protect our customers and clients, our companies, our nation, and the international economy. We are committed to broadening our situational awareness and partnerships - across the financial services industry; across industries in the broader economy; and finally, and very importantly, within the public sector as well.
Across our industry, we participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), our industry forum for collaboration on critical security threats facing the financial services sector. We participate in the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC), the group of more than 30 private-sector firms and financial trade associations that works to help reinforce our sector's resilience against threats to the nation's financial infrastructure. We also contribute to many other cross-sector industry groups, such as the President's National Security Telecommunications Advisory Committee (NSTAC), because we know interdependencies among critical sectors make a secure information infrastructure essential.
And we have named Greg Garcia as our partnership executive for cybersecurity and identity management. Greg, who was assistant secretary for the Office of Cybersecurity and Communications in the Department of Homeland Security, will focus on developing our partnerships as well as expanding our work with the public sector.
We need and welcome even more partners. We need to pull together - as a business, as an industry, as partners in a global economy. And we need to continue making partners of our customers and clients, helping educate them so they can contribute to the active defense against predatory criminals.
Anyone reading this magazine is in a position to be a partner and to advance information sharing and best practices. We are all in a position to help make common cause against a common enemy. I invite you to do just that, and join us in this important work.
And should you think that such partnerships are unlikely or unworkable across business lines, across industries, across public-private or international boundaries, there is a final lesson from the great robber Willie Sutton. Sutton's last job was "legit": He was a spokesman for a credit card with picture ID - a product developed to help fight identity theft. Willie Sutton went into partnership - with a bank!
Banking Bandits
'Slick Willie' was just one in a long line of slippery, deceitful and sometimes downright ingenious American bank robbers of yore. Here, FST resurrects a few more.
[Image - http://en.wikipedia.org/wiki/File:Jesse_james_portrait.jpg] Jesse James - Active between 1866 and 1876, Jesse James is perhaps the most romanticized of America's great outlaws. Suave, handsome and with a terrifying propensity for knee-jerk violence, James was something of a 'smash-and-grab' bank robber, using force rather than deception to get his hands on relatively modest sums of cash. He met a violent end on April 3, 1882, when he was shot in the back of the head by trusted 'friend' Bob Ford.
[Image - http://en.wikipedia.org/wiki/File:John_Dillinger_mug_shot.jpg] John Dillinger - If Jesse James was romanticized, Dillinger was sensationalized thanks, in part, to the age in which he was most active: Great Depression-era 1930s Midwest. Violent and unpredictable, Dillinger's crimes ranged from the murder of police officers to impersonating alarm salesmen and film company location scouts to gain access to banks. In total it is believed that Dillinger got away with more than $300,000, approximately $4.1 million in today's dollars, before being gunned down by police in July 1934.
[Image - http://en.wikipedia.org/wiki/File:PrettyBoyFloyd01.jpg] Pretty Boy Floyd - Charles Arthur 'Pretty Boy' Floyd was an immensely prolific bank robber who got his first taste of criminal life aged 18 when he stole $3.50 worth of pennies from his local post office in Kansas. Alas, Floyd would go on to commit countless more bank robberies over the course of his illustrious 'career', including a daring prison escape in 1930. So far, so comical, but his actions took a darker course later that year as he was implicated in the murder of a gang rival. The law finally caught up with him in an Ohio cornfield in October 1934 when the newly formed FBI claimed its first big scalp.
Company overview
Bank of America is one of the world's largest financial institutions, serving individual consumers, small- and middle-market businesses and large corporations with a full range of banking, investing, asset management and other financial and risk management products and services. The company provides unmatched convenience in the United States, serving approximately 58 million consumer and small business relationships with more than 5,900 retail banking offices, more than 18,000 ATMs and award-winning online banking with nearly 30 million active users. Bank of America is among the world's leading wealth management companies and is a global leader in corporate and investment banking and trading across a broad range of asset classes, serving corporations, governments, institutions and individuals around the world. Bank of America offers industry-leading support to approximately four million small business owners through a suite of innovative, easy-to-use online products and services. The company serves clients in more than 150 countries.
Biography
Christopher P. Higgins is the Enterprise Information Management Executive for Bank of America, and serves as the company's Chief Information Security Officer. Higgins leads a team of professionals responsible for managing the company's information assets, including storage, security and analytics. He also is responsible for the enterprise data management program and managing the company's data warehouse. Higgins joined Bank of America in 1993 and has served in a variety of leadership roles across technology, operations, risk management and audit functions at the bank.