An Interview with Troels Oerting, former Group Chief Security Officer and GCISO, Barclays
"The password is outdated and no longer fit for purpose. We need to find new ways of securing our data, mail and applications... The challenge is to make security simple and convenient for customers – otherwise, they’ll refuse to use it."
Troels Oerting has established himself as one of the foremost authorities in global cybersecurity. Over the course of his distinguished career, Oerting has served as head of the Nordisk Copyright Bureau (NCB) in his native Denmark, director of operations in the Danish Security Intelligence Service (DSIS), and assistant director of Europol, the European Union’s chief law enforcement agency. In his most recent role as Barclays’ Group CISO/CSO, Oerting took on a multifarious task sheet, assuming responsibility for the company’s cyber and physical security, as well as its investigation, protection, intelligence and resilience functions.
FST Media sat down with Troels to explore the latest developments in corporate cybersecurity, strategic insights for building better resiliency, and his predictions for the next wave of cyber threats facing the banking sector.
FST Media: What is the most pressing cybersecurity concern facing today’s financial services organisations?
Oerting: I don't think it’s possible to boil this down to just a couple of issues. The sophistication of the threat in cyberspace continues to increase, and with more and more nation state-developed spy tools getting stolen and/or shared, this threat seems to be increasing day by day. Criminals don’t need to develop the malware; they just need to ‘weaponise’ existing advanced nation state-developed malware.
The complexity of security around IoT (Internet of Things) will also pose a challenge in a number of ways. First of all, we need to make sure that IoT will not provide a gateway to more important applications and platforms. Secondly, we will see a huge increase in firepower around DDoS attacks utilising IoT devices with limited or no password protection.
The lack of norms in cyberspace makes it nearly impossible for global law enforcement to cooperate in this space. There's very limited – almost zero – cooperation between police in the West on the one side, and China/Russia on the other. So it is almost risk-free to be a criminal and, for this reason, online crime will surge.
FST Media: What role can traditional banks play in driving innovations in security at the customer level?
Oerting: In my security world it’s KYC – ‘Know Your Criminal’. To that end, we need to know how to differentiate criminals from legitimate businesses and we need to detect changes in patterns. We also need to automate the use of all our data to predict, prevent, and protect our customers. And, critically, we need to admit we eventually will get breached and, consequently, our focus should be on minimising the time the criminal has on our platforms after breach.
‘Detect - React - Respond - Recover’ needs to be implemented in minutes and, for this to happen, we need powerful tools to fuse all our security information with customer information as well as information from our partners. Last but not least, we need to make sure we build in ‘security by design’ into any new feature invented by clever customer relation managers in banks. In order to do so, we need security staff to be part of our innovation and programming teams and not just wait to ‘pen test’ at the end of the process.
FST Media: How are developments in biometric technologies shaping modern banking practices?
Oerting: The password is outdated and no longer fit for purpose. We need to find new ways of securing our data, mail, and applications. It might be biometric, like fingerprints, face recognition, location, voice recognition, the way we use our keyboards, physical tokens, or a combination of all of those listed and more. The challenge is to make security simple and convenient for customers – otherwise, they’ll refuse to use it.
Future applications need to be safe, secure and convenient – to offer protection, privacy, and be easy to use. Before the days of the internet, the discussion – when you produced things – was to make them fast, cheap, and reliable. And you knew you could only choose two; the option of choosing three simply wasn't available. We need to make all three – safety, security and convenience – work in banking. That’s our future challenge.
FST Media: What benefits can traditional banks derive from their partnerships with fintechs? How well can these partnerships advance innovation in cybersecurity?
Oerting: I believe that ‘trust’ will be a competitive differentiator in banking and other areas in the future. Customers will assess if they want to bank with us based on our ability to keep their sensitive data safe, and that will play a bigger role than getting 0.5 per cent more in interest payments.
If you are a full customer at a bank, we basically know all about you: your salary, address, family, mortgage, spending behaviour, electricity bills, travel patterns, credit card use, online shopping etc. – essentially everything that needs to be secured. This is where fintechs can help by providing new models, tools, functionality, and ideas to improve security, without offering convenience, but also enabling new encryption models to prevent data from being read and/or used if exposed by criminals.
FST Media: Moving forward, what emerging technology would you like to see play a more prominent role in financial services?
Oerting: Banks will go mobile. PCs are on their way out, and IoT, mobile, 5G, and hyper-connection are the new reality and future. Identity, proof, and security play a big role in banking, and that will drive more innovation in security and convenience in the use of mobile devices, particularly combined with new IoT technologies.
Cloud technology will also need to improve and so will the software that can secure transactions based on the new PSD2 directive. Antivirus, firewalls and proxies are old-fashioned ways of security and have proven to be worthless anyway. So we’ll need to replace these technologies and I'd suggest significant innovation and funding are being dedicated to these areas right now.
FST Media: What future do you foresee for blockchain across the banking and insurance industries?
Oerting: Blockchain has been around for 10 years and has been struggling to gain traction; nevertheless, many strong use cases have been found. Blockchain offers transparency, first of all, and changes to transactions cannot be made. While I’m very positive towards blockchain, I do not see it as the ‘silver bullet’ for security (which doesn't exist anyway). It will be increasingly used as a ledger for various transactions and, when that happens, we will also see organised criminal groups and nation-states investing in malicious tools and procedures. I have seen very compelling use cases for blockchain in, for example, the diamond trade, as well as in insuring specific high-value goods. Of course, the innovation will continue, but I’m not so sure blockchain will change online security overnight.
FST Media: How important is in-house strategising in mitigating cybersecurity risks in the banking sector?
Oerting: I am a big believer in ‘holistic security’. At Barclays, we removed words like ‘information’, ‘cyber’, ‘physical’ in front of ‘security’ – for us, there is no distinction. We are not fighting ghosts. Behind any keyboard is a human being in the form of a criminal. They will try to steal our information, our money, intellectual property, or identity – either online, offline, or in combination. They will try from the outside, from the inside, or through the blackmailing of employees or use of insiders.
That’s why a modern security organisation must deal with all kinds of security and all incidents, and be able to combine and use all data from incidents, activities, access management, log files, sandboxes, open sources, intelligence, investigation, forensics – using ML and artificial intelligence and executing through a 24/7 Joint Operation Centre. That’s the only strategy that works and that needs to be implemented throughout.
FST Media: What country or region do you consider to be the centre of innovation in cybersecurity for financial services?
Oerting: I’ve had a long working relationship with developers, start-ups, and VCs in Israel and find that country ahead of most other areas when it comes to cybersecurity. They are very skilled, agile, forward-looking, and receptive to dealing with the threats we anticipate rather than developing solutions and searching for a problem. Other regions that I also find promising include the UK, South Africa, and Mumbai, India.
FST Media: How do you predict the ‘threatscape’ will evolve in 2018?
Oerting: By my estimation, we’ll see more crime, more breaches, and more leaks, unfortunately. Already in January, we’ve seen loads of new cases and this trend will continue. But I also think that we’ll get better at working together to prevent, disrupt, and fight crime. And I feel that, amongst public and business leaders, you’ll see an increased understanding of the need to promote cybersecurity, using better technology, better education of staff, and updated processes. But criminals will maintain the upper hand; they still have a very limited risk of being caught. In cybercrime, you have a high profit, limited investment, and almost no risk. That is a dangerous cocktail and will drive more crime.
FST Media: And, on a more personal note, what is the best career advice you’ve received?
Oerting: I’ve had many well-meaning bits of advice across my 40 years in law enforcement and security. However, they’re all a little clichéd: ‘follow your passions’, ‘be humble’, ‘work hard’, ‘it’s about people’, etc.
I’ve tried to keep things simple, maintaining passion for my job, and have never looked back with any regret. For me, it’s all about teamwork: I’ve always sought to identify good staff and empower them, as well as create strong teams.
I’ll end with one of my favourite quotes from Harry S. Truman: “It is amazing what you can accomplish if you do not care who gets the credit.”