
Generative AI (GenAI) is changing the cybersecurity landscape at a phenomenal pace, creating both new challenges and opportunities. As cyber attacks become increasingly sophisticated, preventing them requires information sharing. Ann Barron-DiCamillo, Managing Director and Global Head of Cyber Operations at Citi, talks about the difference between traditional attacks and AI-powered threats. Ann, also the current Chair of FS-ISAC's Board, discusses supply chain risks, the importance of information sharing and nurturing the cybersecurity talent pool.
Notes from our Discussion with Ann
(0:50) - GenAI in Cybersecurity
GenAI has helped accelerate time to market. The use of advanced technologies, especially in the financial sector, centers around acceleration. On the cybersecurity front, the opportunities are reversed: with acceleration there is a growing need to ensure we are not bypassing validation or losing control. There is also the need to differentiate between traditional malware and AI-powered threats. ChatGPT has resulted in the merger of security tool capability and business logic, allowing security teams to reverse engineer the use of AI to find vulnerabilities more quickly.
(4:51) - Threat Actors Using AI
95% of breaches begin with a phishing email, and threat actors are adopting highly sophisticated phishing techniques. The emails no longer have obvious errors, making detection harder, and they are combined with more sophisticated payload links. The threat actors pivot so quickly that your controls are unable to catch up before they move on to other things.
(6:18) - Threat Vectors in Focus
Geopolitical factors have infiltrated cybersecurity, and hacktivists have become a key attack group.
(8:10) - Recommendations for Firms with Less Sophisticated Defense
Join and engage in a community like FS-ISAC. Information sharing helps institutions with fewer investment dollars get up to speed with the latest developments. It helps to close the gap between more sophisticated organizations and ones that are still evolving.
(10:13) - Supply Chain Risks
The Cyber Risk Institute (CRI) Profile incorporates the NIST Framework for considering third-party partners. It is important to have a framework to evaluate third-party providers and elevate their security depending on their criticality to an organization's operations. It helps if you are sharing information in a community like FS-ISAC because partners, stakeholders and vendors can have open discussions.
(14:39) - Bringing Partners on Board with Cybersecurity
Organizations like Citi must lead by example. Partners need to provide visibility into the state of their network, security practices and controls, without violating privacy or creating additional vulnerabilities. Vendors need to be part of the conversation because they have a lot of information. The partnership must be furthered to enhance awareness.
(20:27) - Stress and Burnout Among Senior Executives
Organizations must collectively think about how to empower delegation and build teams that can share the load. This helps senior executives have a better work-life balance. Leveraging a hybrid model can also keep senior talent in the industry longer.
(22:44) - Advice to Talent Aspiring for Senior Positions
It is important to vocalize that you need work-life balance. This also empowers others to create space for their families while pursuing a stressful career. People can also attend events and create a network. It is a great way to create opportunities for yourself. Embrace ambition.
(25:51) - Where is The Community Heading?
While communities may have a regional component, that does not mean they will not benefit from a global perspective, especially because cyber has no borders. FS-ISAC has created such communities and is well positioned to be a great source of information.
Nov 21, 2023
27 min

Episode Notes
Jayaraj Puthanveedu - MD, Global Head of Resilience, Cyber, and Digital Fraud of BNP Paribas - dives into fraud, what the landscape looks like for financial firms, its impact on customer trust, tips on customer awareness, and much more.
Notes from Our Discussion with Jayaraj
Fraud Landscape for the Customer
Fraud is of utmost importance for the financial sector. It is increasing in both complexity and magnitude. Only about 20% of fraud is reported, making it more difficult to measure.
Rising Agility of Fraudsters
Fraudsters respond very quickly to changing situations. Now they can leverage AI, which makes it even more difficult for customers to recognize suspicious sites or activities. Neither individuals nor the largest organizations are immune to fraud.
Which Customers are Most Susceptible to Fraud
Fraudsters are enterprise businesses now, which operate across countries. It is easier to target the older, less tech-savvy generation. Fraudsters have data analytics to profile customers and evolve their targeting strategies. They also adapt to different themes, like the cost-of-living crisis.
Impact of Fraud on Trust in the Financial Sector
Financial institutions focus on securing their own infrastructure: their websites, applications, assets and information. There is a need to be external looking and protect customers. It is challenging to keep customers' data and money safe while ensuring they have access to banking services when they need it. Building trust is about creating communication protocols to raise awareness and train customers.
Considerations When a Customer Becomes a Victim of Fraud
Even if a bank does everything right, a customer who is defrauded may lose trust. Banks need to think beyond the regulatory aspects, encourage customers to report fraud, and train them to know when, what and how to report it. This helps financial institutions understand the latest modus operandi of perpetrators in cross-jurisdiction fraud. Also, the fund recall process has become far more complex because the money moves quickly between countries.
Fraud Proof by Design
Financial firms need to follow a holistic approach to building machines, processes and products that detect non-standard behaviors and patterns. Fraud prevention must be a consideration in application development, product design and delivery. Intelligence gathering is also important, like identifying websites that look like your own to reduce phishing.
Getting Customer Attention to Increase Fraud Awareness
Despite the rapid evolution of fraudulent activities, banks cannot communicate too frequently, as customers will just tune out. Awareness needs to be part of the customer journey, from onboarding to the transaction process and account maintenance. Sometimes personal data is stolen on other websites, but customers do not find out until their bank account is impacted. Customer awareness of the different ways in which data may be compromised is key. Customer education is better driven by contextualizing the message.
Collaboration to Get Ahead of Fraudsters
There is a need to share actionable intelligence and information on trends and patterns. There is currently no central or global data source to understand the real loss from digital fraud because it is hugely underreported. There needs to be regional and international coordination to tackle fraud.
Privacy Issue with Sharing Fraud Data
Fraud reporting may not require sharing customer specifics but will definitely include customer profiling. There are privacy issues with this as well. Conversely, there are things that can be shared that are not yet being shared.
Oct 24, 2023
38 min

Episode Notes
With over 20 years of experience as a CISO, Phil Venables, Chief Information Security Officer at Google Cloud, talks about creating an AI framework, key use cases for AI in cyber, Google Cloud joining FS-ISAC's Critical Providers Program, how he approaches operational resilience, and gives advice on how CISOs can maintain work-life balance.
Notes from our Discussion with Phil
Google Cloud's Security AI Framework
AI has presented new risks and very specific types of threats. The objective is to create a foundational framework on a basic set of control principles that can be replicated in other processes. It is important to extend detection and response capabilities to include AI systems. This is particularly important when deploying large language models (LLMs). AI is the best defense against AI. There is a need to embed AI in tooling, so that not everyone needs to be an AI expert.
Expectations from the Framework
Google Cloud is looking to partner with organizations to develop the framework. This may not become "the" framework, as there are others like the NIST AI Risk Management Framework. The aim is to build on the framework to include other, more detailed recommendations and tooling. It should have a broader use, beyond Google and the customer's use of Google's AI.
Key Use Cases of AI in Cybersecurity
There are 3 areas - Threats, Toil and Talent.
Threats: Google is using LLMs, AI and GenAI to analyze, monitor and manage threats, like analyzing new malware discovered via Google's VirusTotal service and using the Sec-PaLM 2 LLM to decode it and provide threat advice. LLMs need to be trained using a large corpus of security and threat data.
Toil: Security operational jobs have a lot of overhead and ineffective tools. Google Cloud is focusing on using Sec-PaLM 2 to help organizations automate security operations.
Talent: AI will be the great democratizer of talent. Giving people AI assistance to develop, expand and extend their skills can increase security talent.
AI Risks for Financial Services Organizations
AI as a democratizer of talent and a tool for enhancing people's skills can also extend the capabilities of threat actors. Organizations will need to bolster their current defenses. For example, deepfakes across voice, video and images are being used to confound authentication systems, and organizations are strengthening their traditional authentication systems, such as by using hardware tokens.
Impact of AI and Strategies to Secure the Cloud Environment
AI is driving accelerated cloud adoption. Even the largest companies will need to migrate to the cloud for the processing capability to deploy the new LLMs. There will not only be a drive to the cloud to get access to AI, but also the use of AI tools to securely manage cloud configurations.
Google Cloud Joins FS-ISAC's Critical Providers Program
As a cloud provider, Google provides support for many critical infrastructures, and the financial services sector is among the most critical infrastructures in the world. With more banks moving to the cloud, it makes sense for Google to stay in touch with the community and make sure we're meeting customers where they are. By joining FS-ISAC, Google Cloud wanted to be part of an organization that is promulgating best practices and sharing information and intelligence.
Maintaining Work-Life Balance
Two big lessons. First, work-life balance is not about achieving the balance every day. You can think of it on a weekly or monthly basis. If you are aiming for a balance every day, it may add to your stress during weeks when there is a crazy amount of work. Secondly, maintaining work-life balance requires discipline. The answer is to talk to your future self. Often you say yes to meetings that do not add much value. Talk to your future self to judge your decision about attending the meeting.
Oct 13, 2023
37 min

Episode Notes
Daniel Barriuso, Global Chief Transformation Officer at Santander and Chairman of the FS-ISAC Europe Board of Directors, talks about the importance of addressing cybersecurity globally and holistically, while also taking regional differences into account. He draws on his experience as Global Chief Information Security Officer (CISO) at Santander and his current role to discuss how bigger organizations can collaborate with startups to fight cybercrime.
Notes from Our Discussion with Daniel
Chairing the FS-ISAC Europe Board of Directors
Collaboration, information sharing, and collective response to address cyber problems can create a much stronger cybersecurity ecosystem. The cyber community is keen on this approach, which makes it a pleasure to Chair the FS-ISAC board.
State of Sharing and Collaboration in Europe
Europe certainly understands the importance of collaboration, but FS-ISAC brings the platforms, protocols, and trusted community to enable that to happen in real time.
Key Focus of FS-ISAC Europe Board
Cyber challenges are consistent around the world, but there are regional differences. For example, in Europe the focus is on resilience, with DORA (Digital Operational Resilience Act) coming into effect.
Convergence of Fraud & Cybercrime
Stakeholders often cannot distinguish between cyber and fraud. A cyber attack can lead to fraud, or a fraud scam may have a cyber component. For these stakeholders, cybercrime and fraud are a single discipline.
Merging Cyber and Fraud Prevention Departments
This has been a very natural integration at Santander. Also, the diversity of skills and backgrounds makes cybersecurity more effective.
GenAI Impacting the Fraud Landscape
Criminals leverage the latest tools, and employees need to be aware of them. At Santander, every transaction is monitored using AI and other advanced tools. These also help to continuously identify new patterns to enhance response.
Santander Working with Innovative Startups
In order to remain agile, Santander keeps in touch with innovation and new developments across the ecosystem through its work with startups. Santander has partnered with Forgepoint Capital to advance cybersecurity investment and innovation, and also launched the X Global Challenge to identify startups with the highest potential.
Addressing Cybersecurity Talent Shortage with Partnerships
There is a range of things Santander does to overcome the global shortage of cybersecurity professionals. Diversity is very important to look at cyber holistically. Being aware of cybercrime should also be part of the education system.
Spreading Cyber Awareness
Santander is passionate about spreading awareness to everyone: employees, customers, and society. The foundation of cybersecurity is the people behind the computers. Santander conducts cybersecurity training called Cyber Heroes in a game format, which is available to everyone. It also launched a thriller podcast series called Titania.
Strengthen your cybersecurity capabilities with information sharing and collaboration - Join the FS-ISAC community.
Sep 26, 2023
29 min

While the Board sets up broad policies and priorities for companies, there is a whole cyber universe that Board members may not fully understand. Jerry Perullo draws on more than two decades of experience, including as CISO at Intercontinental Exchange/New York Stock Exchange (ICE/NYSE), and recently as interim CISO at Silicon Valley Bank, to explain his framework for presenting cybersecurity risks and solutions to the Board.
Notes from Our Discussion with Jerry
(3:03) - CISOs as Board Members
CISOs want a seat at the Board table and want to be part of the discussions. To do this, they need to be cross-functional, with knowledge outside cybersecurity.
(6:05) - Board Training
Doing board training (such as with the NACD) as early in your career as possible will help you understand how board directors think about risk holistically - an important tool for CISOs briefing boards.
(7:53) - Addressing Cyber Risk Management and Regulations with the Board
Risk management is not new for Boards. It has been critical for years and has meant different things. Yet cybersecurity is not on the list. On the other hand, regulators have requirements, which brings cybersecurity into Board discussions. Tactical intelligence sharing should be digestible and actionable by the Board.
(10:52) - TRIC - The Cybersecurity Framework for the Board
TRIC (Threats, Risks, Incidents, and Compliance) is a framework for presenting cybersecurity programs and progress to the Board.
(11:26) - Understanding Threats
Briefing on threats is about setting the mission. Threats can be identified by understanding the organization's risk appetite, which focuses the cybersecurity program.
(13:46) - Risks are Standalone Vulnerabilities
Risks are very specific vulnerabilities. An organization may face thousands of them, and there should be a constant discovery and identification process. CISOs should also identify which of these risks to take to the Board.
(15:45) - "Incidents" Defines When to Approach the Board
The Incidents piece is about defining the severity levels and getting agreement with the Board. A lot of governance is focused on when the Board is alerted and when they should get involved. These should be included in the incident response plan.
(17:32) - Compliance Data
Presenting data in the form of a Gantt chart can make it easier for the Board to understand the progress in cybersecurity and compliance.
(19:13) - Adding a narrative executive summary and an appendix to the presentation.
(20:18) - Advice for CISOs who aspire to be on the Board, and the possibility of cybersecurity being deprioritized by the Board.
Fight cyber threats with the intelligence and knowledge of the whole industry at your fingertips - join the FS-ISAC community.
Jul 27, 2023
27 min

With a barrage of upcoming cyber regulations, financial firms will need to integrate some of the new requirements into their cyber and resilience programs. Erez Liebermann, Partner at law firm Debevoise & Plimpton, clarifies the key points of relevant cyber regulations that financial firm CISOs should know about.
Highlights
(1:11) Key trends of the recent cyber regulations
(4:26) Pertinent details on the main upcoming cyber regulations for financial firms
(12:27) If the four-day incident reporting rule is pushed through, do cyber teams need to make changes to their response process to comply?
(21:13) Who makes up the council of people in an organization to determine if a cyber incident is "material"?
(25:04) The million dollar question: What does cyber expertise on the Board actually mean?
(32:45) On the different regulatory approaches across the globe, and how that can put organizations in difficult spots to comply
Jul 12, 2023
45 min

The scope of the great cybersecurity talent shortage is real. Kristopher Fador, CISO at Bank of America, details where the greatest concentration of the shortage is, how to build a good cybersecurity talent pipeline for financial firms of all sizes, and how he views retention and attrition.
Highlights
(3:44) - The dangers of a lack of mid to senior level talent
(7:09) - How Bank of America builds a good cyber talent pipeline
(10:10) - Suggestions for smaller firms on building a pipeline of cyber talent
(11:16) - How Bank of America focuses on neurodiversity
(12:58) - A different perspective on retention and attrition
(16:41) - Advice to CISOs and other leaders struggling with talent shortage amid operational changes and economic challenges
Jun 13, 2023
17 min

With the help of ChatGPT and other AI tools, financial institutions can make decisions more quickly and with greater precision, but how crucial will human oversight be in the future of financial sector cybersecurity? Bashar Abouseido, MD, Chief Information Security Officer at Charles Schwab, talks about the benefits and risks of using ChatGPT and other artificial intelligence in cybersecurity.
Highlights
(3:11) - How ChatGPT and other AI help financial institutions leverage data to stay ahead of cyber criminals.
(10:28) - The risks of incorporating ChatGPT into business operations.
(15:11) - How AI enables and accelerates the evolution of cyber threats and the defense against them.
(30:22) - How AI will change cybersecurity in the future.
(31:37) - Advice to fellow CISOs on their journey to start integrating these AI technologies into their programs.
May 23, 2023
33 min

Tabletop exercises are a crucial component for enhancing threat and vulnerability management plans in fintech. Paige Johnson, Executive Director and Head of Americas Firmwide Simulation Utility at JP Morgan Bank, discusses the origin and development of these exercises.
Highlights
How exercise scenarios are chosen (7:46)
Have exercises turned into reality? (10:20)
The range of tabletop exercises in use today (12:42)
The best ways to engage senior leadership in exercises (17:57)
How to start an exercise program (20:27)
The differences between internal and external exercises (33:45)
May 9, 2023
41 min

As the global financial sector prepares for the advent of quantum computing, security professionals are at the forefront of developing protocols for post-quantum computing (PQC). George Webster, Chief Security Architect at HSBC, and Peter Bordow, Distinguished Engineer and Chief Architect of Post Quantum Cryptography and Quantum Systems, and Emerging Technology for Information and Cybersecurity at Wells Fargo, discuss the impact quantum computing will have on the financial services industry and the reasons why we should prepare now.
Highlights
2:25 - Why quantum computing is a paradigm shift for cybersecurity in financial services
11:14 - The importance of preparing for quantum computing now
15:31 - The types of data targeted by "harvest now, decrypt later" attacks
17:32 - The benefits of quantum computing for the financial services industry
25:51 - How to initiate post-quantum computing planning
Apr 18, 2023
39 min
