Cyber enabler or cyber enforcer… Why not both? – Keith Howard, CISO, CommBank


There is often a great divide between individuals who believe that cyber is either an enforcing or enabling function… At CommBank, we strive to strike the right balance, acknowledging that we play both roles – the enabler and the enforcer.

It may be Australia’s biggest and most digitally advanced bank, and a magnet for top tech talent, but the Commonwealth Bank has been no less parched by the nation’s cyber talent drought.

In the face of a rising tide of sophisticated malware, DDoS and nation-state attackers, Keith Howard, CommBank’s Chief Information and Security Officer (CISO), has recognised that a modern cyber defence demands a creative, and diversely skilled, brains trust.

We speak with the CBA veteran on the biggest cyber threats facing the industry, the challenge of balancing risk with CBA’s overriding innovation imperative, and a creative solution to replenish the bank’s cyber talent pool.

FST Media: Ransomware, nation-state threat actors, and DDoS attacks have grown exponentially over the last few years, causing significant grief for cyber defenders. What do you rate as the biggest cyber threat facing Australia’s financial industry today?

Howard: Ransomware is arguably one of the biggest cybersecurity threats we face today – and one that is not just unique to Australian financial institutions but can also have devastating impacts on any organisation, in any industry.

We are also increasingly aware of malicious insider threats and the impact of phishing and scams on both employees and customers. We have, in particular at the height of the Covid-19 pandemic, observed the rise of these cyber-attacks and the impact they can have on organisations and their supply chains.


FST Media: Considering these threats, how has CBA’s cybersecurity posture evolved over the last six months?

Howard: One of my main focuses at The Commonwealth Bank has been in ensuring our cyber posture is understood across the organisation as not just a reflection of the state of our protective controls but, more importantly, an awareness of the increasing external threat landscape. We have aimed to strike this balance whilst ensuring all levels of the organisation, cyber professionals and non-cyber professionals alike, recognise that they all play a role in keeping CommBank and its customers protected from cyber-attacks.

Within CommBank, we’ve recognised that our greatest defence is our people.

I’ve said this on a number of occasions, but I truly believe that to treat cyber like a ‘technology’ problem is misguided.


At the heart of it, these attacks are conducted by people and, theoretically, it’s your people who will be your greatest protective asset. So, spending time educating them, making sure they are aware of their cyber accountabilities, and empowering them to put cyber principles front and centre of their decision-making is the greatest way to prepare against security threats.


FST Media: The Federal Government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020, currently before Parliament, is likely to increase regulatory requirements for organisations responsible for key infrastructure assets in designated ‘critical’ sectors (including financial services), as well as the Government’s powers over these assets.

What direction do you see this piece of legislation taking and, moreover, what steps should industry take to prepare?

Howard: I have always been a firm believer that legislation, while critical, still only solves part of the problem. I am definitely pleased to see the government taking the right steps to recognise the impact of cyber risk on our critical infrastructure, and the direction I see this piece of legislation taking is going to be informed by the industry response and collaboration with government.

The other part of the problem, in my opinion, is solved through partnerships and collaboration. In the context of the environment we’re operating in, this is underpinned by the need for ‘Team Australia’ – that is, the government, industry, and higher education providers working together to ‘raise the tide’ on cyber risk management and response.


FST Media: Cross-border and cross-industry collaboration has proved crucial in strengthening industry’s collective cyber defences and mitigating attacks. What can Australia’s financial sector do to better promote transparency and mutually beneficial intelligence-sharing?

Howard: All industries benefit from mutual intelligence sharing. We’ve been pleased to see this collaboration in motion as steered by the Australian Cyber Security Centre. We know that our threat actors are increasingly collaborating also, strengthening their ability to cause real impact and, sometimes, irrecoverable damage.

The better interconnected we are, the better Australia’s cyber defences are.


As such, the only appropriate response is for the finance sector and others to continue to participate in such cross-collaborative partnerships.


FST Media: Faced with a dearth of qualified cybersecurity professionals, how can financial institutions ensure they have the right talent to maintain a viable defence and tackle malicious actors? Do you also see opportunities to nurture and grow your talent pipeline in-house?

Howard: I have many times said that the best way to tackle the cyber skills shortage is to widen the funnel. By that, I mean attracting people of diverse backgrounds to the cyber profession, as I believe it takes the right problem solvers and strategic thinkers to make a strong cyber team.

At CommBank, our cyber team is made up of individuals from a truly broad range of disciplines and professions that include ex-historians, lawyers, technical specialists… the list goes on.


We encourage anyone who is keenly interested in the field to apply for a job in cybersecurity at CommBank.


FST Media: Security is a dynamic discipline with persistent, often inscrutable, threats. In your view, what are some of the key characteristics of the best security leaders?

Howard: As I mentioned earlier, cybersecurity is often misunderstood as purely a technology problem. While this does play a big part, it is also, in part, a people problem too.

It is a people business and humans are the first line of defence for any good cyber protection. A dynamic leader is one who intimately understands this.


As a CISO, I did not come from a purely cyber background but was selected for the role as I come from a vast experience of leading large-scale transformation programs, problem-solving, and risk management.


FST Media: As the country’s most digitally progressive bank, how does CBA balance the imperative to innovate on customer experiences with the mandate to operate within appropriate risk boundaries, particularly around data privacy and protection?

Howard: There is often a great divide between individuals who believe that cyber is either an enforcing or enabling function – that is, is the function of cyber purely to set the policies and standards and monitor compliance, or is the role of a cyber team to develop and enhance protective controls?

At CommBank, we strive to strike the right balance, acknowledging that we play both roles – the enabler and the enforcer.

We [as the cyber team] want to enable innovation and emerging technology for our customers, safely. We also want to enable our business and support units to lead with the cyber front of mind.


We do, however, also need to balance that with the right enforcing mechanisms that reduce ambiguity and provide clear guidelines where required as we respond to the rapidly changing and increasing threat landscape.


Keith Howard will be a featured keynote presenter at the Future of Security, Sydney 2021 on the rescheduled date of Tuesday, 30 November. Register now to confirm your spot!