Interview with Al Tarasiuk, Chief Information Security Officer of Deutsche Bank

“The more complex the IT infrastructure,
the harder it is to secure.”

Cyber attacks on enterprise IT systems have grown drastically. Can security be guaranteed for the entire IT landscape of a company?


We read a lot about cyber-attacks around the world. Are such attacks a real danger or are they rather a hype?

It’s not hype, it’s real. The threat actors, whether they be criminal gangs, hacktivists or nation states, all are very creative and they all have different motivations for why they are going after certain targets. Some are for political reasons, some for financial gain, some are for disruption, but it’s real. And that’s why we take it very seriously.

How does Deutsche Bank defend itself against cyber-attacks? In a proactive way or reactively?

Ideally any organisation needs to be proactive. It needs to put in the right types of controls to be able to detect, prevent and respond to an attack. The challenging part is that threat actors will always try to be one step ahead. You can never be complacent in defending yourself. You are well advised to build in multiple layers of security. We call it “defence in depth”.

How do threat actors operate?

Typically threat actors start with surveillance to identify where the vulnerabilities exist. Then they use that information to determine how to attack that vulnerability. It’s a series of steps often referred to as the “cyber kill chain”.

And what can you do about it?

Detect threats as early as you can in that chain, because the earlier you detect them, the less damage they can cause.

Sounds plausible …

Yes, but the threat actors are very creative and, depending on their motive, they may allocate a lot of time and dedication to infiltrating an organisation. However, when it’s not an easy break-in opportunity, there are a lot of threat actors who will go away and try another target. When you look at the data of where they exploit vulnerabilities, it’s the easy ones that they go after, the ones that organisations just don’t pay attention to.

Is it a question of speed then? How swiftly we identify and block new ways of attacking organisations?

A lot of it has to do with early detection. So continuous monitoring is very important. One of the new concepts that we are adopting is “threat intelligence driven”. That means having an understanding of what the threat environment looks like and how the threat actors are adjusting their operations to target your industry. To do this well, you must be connected to a network of intelligence capabilities. For example, using the services of companies that monitor the internet, providing you with information allowing you to adapt your internal approach accordingly.

Against this background, is it possible at all to guarantee security for your complete IT landscape?

It’s an ever-changing threat landscape that you have to deal with. You have to stay alert and focus on maintaining strong “IT hygiene”. You need to understand how your organisation is connected to the outside world, stay on top of all your assets and then keep up with technology enhancements. The internet was never built with a security model. Just about every kind of technology has been exploited by the threat actors, who know where vulnerabilities lie. And they are constantly adjusting tactics and malware to avoid detection. This is why you need layers of protection, because you are probably not going to consistently detect the variants of malware that threat actors are putting out there, particularly the most sophisticated actors. So there never will be perfect security. A holistic approach with early detection is one of the best ways to protect ourselves and to stop them as soon as possible.

Are there any methods or solutions to simplify this complex IT security world?

One way to simplify the information security world, particularly in large global organisations, is to simplify IT. The more complex the infrastructure, the harder it is to secure. In addition to reducing costs, many companies have focused on consolidating their technology infrastructure in order to make it simpler and easier to protect. It’s also very important to have a robust security architecture and framework in place. If you don’t, the danger is that you start applying security in an ad hoc way and end up with security technologies that don’t work together. They may solve a specific problem, but they don’t help solve the larger issues that you are dealing with.

From an organisational point of view: Is cybersecurity assigned to a certain department or is it rather an integrated function? A task that every department and every employee is responsible for?

I have strong beliefs that you need a central organisation to do programme and implementation planning and to make sure that you have central policies, to ensure standardisation. But I also believe in the need to have people in the business areas to help the business implement these policies. So it’s both, a centralised and a distributed or hybrid model, but it cannot be seen as a function that’s separate and apart and in the corner. It has to be seen as an integrated function in the company.

Do you see an increasing demand for IT security specialists?

Absolutely. Because of a better understanding of the threat by all sectors and all the kinds of breaches that have occurred, everyone is chasing the same kind of talent now. The academic systems in every country have not kept pace with supplying the increasing demand. And because cyber security is relatively new, it’s also not easy to find experienced practitioners. This problem is going to be with us for some time but I do see some positive signs that education is producing more and more programmes to train people properly.

In your opinion: What is the next big issue in cyber security?

The internet of things (IoT). Everyone talks about it, but not many are paying attention to the security of all these devices. Cameras and even refrigerators will increasingly feature network-connected computers. All have IP addresses and can be exploited and used in botnets to form attacks. I think that’s the big challenge. The other one is that threat actors are more and more virtually connected across the world. It’s not like they are physically located in one place. They might not even know each other. But they get together in this virtual world and they go after a target. How do you defend against that? I don’t want to leave you thinking that there is no hope. I still believe that if you implement a very robust, holistic information security programme that looks at things end-to-end, from the people-process-technology-and-policy-perspective, you can defend your enterprise. If you don’t, you can get into trouble very quickly.
