An Interview with Harvey Deak, Head of Security Strategy and Architecture, NAB
"Disruptive market forces are creating rapid change and also offer a fantastic opportunity to innovate and raise the profile of security."
As NAB's digital security chief, Harvey Deak has been the guiding hand – and steadfast protector – behind the bank’s cloud-first adoption strategy.
In the lead-up to his presentation at the FST Future of Security conference, we sat down with Harvey to explore key developments in cybersecurity practice across FSI, the viability of biometric technologies as a primary security mechanism, and why he believes Australian banks are among the most resilient in the world.
FST Media: What is the most pressing cybersecurity threat facing today’s financial services organisations?
Deak: Disruptive market forces are creating rapid change and also offer a fantastic opportunity to innovate and raise the profile of security. Market disruption has had a positive impact on financial services organisations who are now delivering features to customers faster by leveraging continuous delivery practices and automation of the system development pipeline.
Of course, this cadence of delivery could increase the risk of exposure if security is ‘rushed’. So this is the perfect time for security teams to truly partner with their business stakeholders to ensure that security is inherent in products and services from the outset of the build. This is a positive step change from the past, where security has traditionally been the final milestone in project management.
FST Media: What particular biometric technologies would you like to see play a more prominent role in banking security?
Deak: Innovation in consumer devices, such as biometric technologies like fingerprint and facial recognition, drives public acceptance and adoption. The banking industry can leverage these technologies to provide a more convenient digital banking experience and better usability. However, they still don’t replace today’s multi-factor authentication approach for anything other than low-risk functions. Given there are no common global security standards for biometrics, there is a potential that some technologies will be inferior to others, which may result in misplaced trust in the efficacy of one or more biometric solutions.
FST Media: How can cloud-backed or XaaS services facilitate better security practices within FSI? Where do you see their limitations?
Deak: Cloud services can certainly facilitate better security practices. Given the richness of data available through cloud application programming interfaces, real-time telemetry and monitoring can provide continuous assurance of the security posture of cloud environments. It can also provide internal and external stakeholders with instant views of the security of their environments, along with automated response to shut down any vulnerabilities. However, the stability of cloud environments relies on an organisation’s expertise in managing the real-time, on-demand nature of cloud.
FST Media: What role can traditional banks play in driving digital security innovations at the customer level?
Deak: Banks have a great advantage in that customers inherently trust us with their money and personal data, and we stake our reputation by honouring that trust. Accordingly, banks know their customers better than most organisations, and there are opportunities to drive digital security innovation in areas such as verifying and authenticating customers digitally and protecting customers from digital fraud, partnering with various industry verticals.
FST Media: How well have Australian banks embedded resilience measures into their security processes? How do they compare against their global counterparts?
Deak: If you look retrospectively over the last decade, you could say financial services organisations in Australia have all embedded these measures well. For example, last year, the WannaCry outbreak was a massive global cybersecurity scare and Australia’s banks proved to be resilient against that threat in comparison to banks in other parts of the world. However, as that ever-present disclaimer tells us, ‘past performance is not an indicator of future results’, so it’s important to continually review, adapt, and improve our cybersecurity processes.
FST Media: What benefits can traditional banks derive from their partnerships with fintechs?
Deak: Partnerships between banks and fintechs will create new offerings for existing customers. For cybersecurity, by working with fintechs and partners we can foster innovation in better knowing our customers, their digital interactions with us, and protecting them from fraud.
FST Media: How can financial services organisations overcome the evident shortage of cybersecurity professionals in the jobs market?
Deak: We contribute to the cybersecurity industry by proactively collaborating with universities, TAFEs, and schools to build a strong pipeline of talent that is required for future roles. We also understand that the skills of our workforce will need to evolve as cyber threats and controls evolve. We collaborate with cybersecurity organisations internationally to leverage the global pool of talent.
FST Media: Looking beyond the financial services sector for a moment, what cybersecurity innovation would you like to see imported into the industry?
Deak: Traditionally, many of the innovations in cybersecurity imported into financial services have come from defence and military organisations. Recently, I’ve seen some impressive innovation in the identification and monitoring of advanced threat actors in the context of defending the state.
FST Media: How do you foster a culture of innovation in your team?
Deak: I try to give the team an outcome we need to achieve and a problem to solve rather than a solution or technology that I think needs to be implemented. Additionally, given that I lead a department focused on security strategy and architecture, I’ve specifically carved out a function with dedicated roles within the practice which focuses on proactive strategic thinking and planning of where our security capabilities need to evolve. The intent is to lift our gaze from day-to-day tactical and operational decision-making to plan and focus on where we need to be long-term.
FST Media: What are you hoping to achieve from your participation at FST's Future of Security conference?
Deak: I’m hoping to share my own personal experiences in NAB’s cloud and infrastructure security journey over the better part of the last decade, both what worked and what I would do differently. In that time, we’ve gone from managed infrastructure service providers to dipping our toe in cloud computing to hosting material workload in public cloud and looking to the future with a cloud-first adoption strategy. Hopefully it will resonate with peers in the industry who might be at various stages of that curve and they can learn from our journey. I’m looking forward to meeting peers facing the same challenges and learning from them too.