An Interview with David Fairman, Chief Security Officer, NAB
"The ability to identify patterns using clustering analysis and neural networks, and applying machine learning models to data, is incredibly important to us. If applied correctly, it will enable us to combat this ever-evolving threat."
FST Media: NAB is the first bank in Australia to bring together cybersecurity, fraud, investigations and physical security. How does this holistic approach to security management set NAB apart when it comes to protecting customer data and gaining digital trust?
Fairman: This model is common across some UK, European and US-based banks today, and has been for some time. These banks have realised the insights that are gained by bringing not only these teams together but also their supporting datasets that are otherwise disparate and siloed. Looking across this superset of data, and identifying patterns and networks, enables security functions to be much more intelligence-led and data-driven, moving from a reactive to a predictive and proactive capability. This is one of the priorities I will be focusing on in the coming year.
Furthermore, the situational awareness that is gained by having these teams work more closely together is another great benefit. Each of these functions plays a key role in protecting our customers and ensuring a more integrated, holistic security function and supporting operating model that will ensure our customers are protected to the best of our ability. As a result of this, our team will be well-connected, have access to the same data and insights, and we will be able to connect more rapidly and effectively.
FST Media: Financial services are increasingly connecting the dots between data and security intelligence. How can FSIs combat the proliferation of fake data created by generative adversarial networks (GANs) that try to pass as the real thing?
Fairman: I see this as more of an issue for customers than the bank itself, so the question for me is ‘how do we, NAB, help to protect our customers from this?’ As mentioned above, by gaining deeper insights into the data that we have, utilising customer-specific behaviours and patterns, as well as both external threat data and internal systems data, we can and will be able to identify threats to our customers more effectively, and this will enable us to respond more rapidly in order to protect our customers.
FST Media: Artificial Intelligence (AI), Machine Learning (ML) and data analytics are said to be the way forward for cybersecurity resilience. However, these technologies are also being exploited by cybercriminals. How can FSIs stay ahead of the ‘bad guys’ and maintain resilience in the face of persistent threats?
Fairman: Our adversaries will continue to exploit advances in technology, just as NAB needs to do. As our adversaries are using these technologies against us, we must learn how to best use these advancements to our advantage. I believe that we (NAB) have an advantage, as we have the data specific to our systems and customers; it’s the analysis of this data that is powerful. The ability to identify patterns using clustering analysis and neural networks, and applying machine learning models to data, is incredibly important to us. If applied correctly, it will enable us to combat this ever-evolving threat.
FST Media: With the steady increase in phishing activities, such as fake sites, apps, and fraudulent authentication text messages, how is NAB creating awareness and educating customers on best practices for cybersecurity?
Fairman: NAB has a mature security awareness program, with protecting customers at its very heart. Our converged security model has brought the cybersecurity, fraud, and physical security teams closer together, which allows us to pinpoint issues and better identify opportunities to uplift customer awareness.
Our focus is on providing up-to-date, accurate, and practical security and fraud advice for different customer segments: individual consumer customers, small-to-medium businesses (who are especially vulnerable in this space), not-for-profits, and corporate and institutional clients. For our individual customers and small-to-medium businesses, we have a great Cyber Safety Hub, full of pragmatic and relevant articles, videos, and training modules to equip these groups with the information and tools they need to be aware of to protect themselves. We regularly publish security alerts on the website when we see new threats and identify trends to provide timely advice to our customers.
FST Media: Operating in today’s hyper-connected age with highly complex digital supply chains, how can financial services organisations build new security capabilities to address security blind spots and vulnerabilities?
Fairman: Visibility is the key. Understanding the supply chain (not just third parties, but fourth and fifth parties), having the telemetry needed for your own organisation, and knowing where your data is going and how it is being managed and handled is imperative.
You can’t protect what you don’t know about or can’t see, so having the visibility over this complex network and environment is clearly the most basic requirement; from this, an organisation can craft a robust program. In addition, coming back to the big data analytics topic above, using techniques such as AI, ML, and clustering analysis will allow us to better identify the unknowns. Security today is very rule-driven – ‘if you see this, do that’ – so it’s very important to identify those unknowns that you might not typically be aware of so that you can determine the right response and mitigation plan.
FST Media: As a security leader, what do you feel is lacking in the current cybersecurity talent pool and workforce, and how can organisations fill those skills gaps?
Fairman: We know there is a skills gap today, and that will only get greater in the coming years. I think, globally and domestically, we have all the right building blocks to help combat this with primary and high school education programs like the Cyber Kids and Schools Cyber Security Challenges, Cyber Security Diplomas offered at TAFE, and various universities with very good cybersecurity programs. So, we have this throughout the education system, but the challenge is that this takes a long time to cultivate and our demand grows faster than this takes; however, it is important and shouldn’t be overlooked.
A new program we’ve embarked on is in neurodiversity, bringing people on the autism spectrum into Enterprise Security. This allows us to harness skills in specialised areas, like quickly and effectively analysing information and identifying patterns, while providing these individuals with meaningful work.
Another area that needs to be further exploited is big data, AI and automation. This challenge needs to go beyond simply getting more people into the workforce – it needs to be about using these advanced techniques to reduce the need for people resources. We need to look further at automation and, eventually, have systems that learn and adapt and can respond within seconds, not minutes or hours. For me, it’s a blend of these two factors that will alleviate the current challenge seen today.
David Fairman will be a featured keynote speaker at the Future of Security, Sydney (2 April) and Melbourne (4 April).