An Interview with Ian Cameron, Executive Manager for Cybersecurity Strategy & Governance, IAG

"Historically, our mindset has been to think of ways to protect, detect, respond, and recover from a security incident. That has been a very serial way to think about the problem." 
 

FST Media: As custodians not only of the world's wealth but also customers' most sensitive data assets, FSIs remain prime targets for cybercriminals. What do you rate as the most pressing cyber threat facing the financial industry today?

Cameron: There is certainly evidence in the public domain that organised criminals are investing in more sophisticated social engineering methods to exploit weaknesses in business processes with the objective of financial fraud (e.g. transferring funds). For example, we have all seen the increasing frequency of incidents reported in the press of well-crafted spear phishing emails that look very authentic, which request people to transfer funds. Ominously, we have also started to see reports of deep fake techniques, such as phone calls that sound like a known and trusted person, instructing one to transfer funds to illegitimate accounts.


FST Media: Social engineering attacks, to which you alluded, are abounding in frequency and sophistication. How is IAG raising awareness and educating both customers and employees on cyber safe practices?

Cameron: Like many other organisations in the financial services sector, we recognise that we have an obligation to teach our customers as well as our employees better ways they can defend themselves – both in the workplace and at home with family and friends. We run numerous campaigns for our staff throughout the year to continually reinforce our lessons about social engineering. We also run simulated phishing campaigns to help our people become better at spotting a fake or malicious email and we participate in national cyber awareness programs to teach the general public, especially children, how to become more cyber-safe.


FST Media: You’ve acknowledged previously a disconnect between security teams and developers at IAG – a divide you are no doubt keen to bridge. How have you sought to ingrain best practice cybersecurity into the fabric of the business and ensure that all teams understand and embrace your mission?

Cameron: Organisations need to consider a range of initiatives to ensure that we get the best outcomes. Security is both a business and an IT challenge. At IAG we have invested in both general and specialist training programs to ensure people understand why security is important and the role that they need to play. We have also started on a journey to empower our DevOps teams to play a much more active role in engineering security into our IT systems and services. We are putting the ‘Sec’ in DevOps.


FST Media: Increasingly, insurers are expected to manage exponentially greater data loads, sourced from any number of front- and back-end channels. As the data floodgates open ever wider, how can organisations effectively maintain compliant and secure data management processes?

Cameron: The use of well-defined frameworks for identifying, assessing and managing cyber risks is critical. A one-size-fits-all approach is not the right approach. Repeatable patterns and automation of the implementation of security controls are essential to achieving the right balanced outcomes in an agile business environment at scale. If insurers can achieve this, following best practices, then compliance to any relevant regulatory requirements, such as APRA’s CPS 234, will be a natural by-product.


FST Media: With an evident shortage of cybersecurity professionals in the job market today, how can financial institutions stay ahead of malicious actors and maintain a viable cyber defence?

Cameron: I think it’s well accepted across our cybersecurity industry that just throwing more people at the problem is not the answer. Our people are a precious commodity that need to be deployed carefully. Lower value commodity tasks to detect and respond to known attacks need to be automated to free up our people to focus on the really important work. Using technologies such as AI to automate tasks, machine learning for anomaly detection, and data science for predictive analytics are all ways the industry is actively experimenting with and investing in ways to keep pace with the changing threat landscape.   


FST Media: Globally, financial firms are making tremendous progress in using AI, automation, and analytics to combat cyber criminals. However, it’s no secret that attacks today are more sophisticated than ever. How can FSIs stay ahead of adversaries and remain resilient in the face of persistent, often inscrutable threats?

Cameron: The concept of ‘resilience’ is an area of great interest to me right now. Historically, our mindset has been to think of ways to protect, detect, respond, and recover from a security incident. That has been a very serial way to think about the problem. 'Resilience' is taking the concept one step further and challenges us to think more about how we can design systems to adapt in real-time to counter an attack. This means looking at how we can make systems self-healing and self-defending to achieve true resilience. It’s a lot like a human body being infected by a virus, fighting the virus and adapting one’s immunity against a future infection.


FST Media: As a security leader you’ve shown a deft hand coordinating individuals of all stripes. What lessons would you impart to aspiring security leaders to make the most out of their teams and technology assets?

Cameron: The magic word is ‘lead’. My approach is to inspire and empower my team to do the best they can. It’s my job to ensure that they have the training and access to the resources to do their job well. I also try to ensure that my team maintains some perspective and a healthy work-life balance. ◙