Security Expert Interview Series: Ray Irving
In this interview, Ray Irving talked about what makes cyber security challenging within the financial services field and how financial institutions can get ahead and stay ahead of their adversaries in cyberspace. Ray is a Cyber Security Executive and Leader with significant international experience. He successfully grew a global business and delivered substantial cyber security programs. Now, enjoy reading the full interview below.
1. When did you first think of “Cyber Security” as a career?
I always saw myself as an IT infrastructure specialist who happened to have managed a lot of risk remediation projects until 2010 when I joined UBS to run the Cyber Threat Management Program. Managing that program was a lot of fun -we implemented Arcsight SIEM, FireEye, intrusion detection – and I realised that security was what I wanted to do as a career.
2. You have over 10 years of professional working experience in the financial industry. What are the 2 greatest cyber risks that presently threaten the financial sector?
Third party risk is a growing challenge due to the unique control and complexity issues associated with ensuring your suppliers and their sub-contractors take the necessary steps to mitigate your risk. We are seeing that threat actors have realised this is a weak spot so we can expect further threats in this domain.
That said, firms should ensure responses from supplier management are realistic, sustainable, and proportional to the threat. A new form of malware or ransomware exploiting a common place vulnerability is probably the other most significant ever-present danger.
3. What makes cyber security challenging within the financial services field?
The stakes are high. First, we have a complex and evolving threat landscape with highly motivated and incentivised threat actors. Second, the technological and business landscape is changing: COVID-19 has accelerated the digitisation of financial services that was already in progress and most firms are transitioning many services to the cloud. Finally, the regulatory pressure on financial institutions to show they are properly managing their cyber risk is significant.
4. Financial services companies are often high-profile targets and have to be particularly vigilant when it comes to cyber security. How financial institutions can get ahead and stay ahead of their adversaries in cyber space?
All firms need to maintain a baseline level of cyber hygiene. It is not possible to respond to new and evolving threats if you do not have an accurate asset inventory and ownership process, effective entitlement management, a robust vulnerability management program, technological controls for network and endpoint protection, incident response processes, and so on. Many firms have all these but they must be constantly maintained as the threat landscape, business processes, and technology change.
Next, I urge firms to incorporate threat intelligence into how they manage risk. FS-ISAC members confidentially share threats and incidents they are experiencing with their peers on our platform, thus helping to build an industry-wide threat landscape and to understand where they stand in relation to their counterparts. Such peer-sourced intelligence is highly actionable and enables firms to effectively apply scarce resources where they can do the most good. Examples include deploying a particular signature detected by another organisation, deciding to implement a particular control, or conducting a meaningful penetration test using a realistic threat.
Finally, I advise firms to also take a big picture view and look at operational resilience – this is a top-down approach where you link business and cyber risk and ask what is needed for a reliable continuation of minimal business services after a severe disruption.
5. How does the implementation of Machine Learning (ML) in the financial sector can help combat cyber-attacks?
ML is a promising innovation to ease existing labor-intensive manual activities so as to free up scarce, skilled professionals for higher-value activities. The potential benefits are high but it is not a solution that can replace good people nor is it a magic bullet.
ML will struggle with bad data or poorly defined processes just as much as a human would – the old maxim “garbage in, garbage out” still applies. If ML is, for example, suggesting social media posts, a 50% hit rate is quite sufficient. However, in security that would result in a huge number of false and missed positives – we need a much higher degree of accuracy. Thus security is not the easiest domain in which to implement ML.
6. What is the greatest transformation in cyber security domain you have witnessed in your career?
The development in the degree of automation and correlation possible first with SIEMs and now with machine learning is impressive. I remember when log reviews were first accomplished with shell scripts and eyes on glass – this is no longer the case and the amount of data such as security events and network flow that we can process now is impressive.
7. How do you see the cyber security world evolve in Switzerland during the rest of 2021?
On the regulatory side, the Swiss Federal Council intends to strengthen Switzerland’s cyber resilience by regulating reporting of cyber incidents. Depending on the implementation this could make cyber security more transparent – potentially increasing the reputational impact of an incident and placing pressure on firms to improve security. There is also an opportunity to not just use these reports for statistical reporting (as happens in many countries) but to share them in real-time for sector defense.
In financial services, this ties into the National Cyber Security Centre plan to establish a Swiss information sharing group that will provide sector-specific information and warnings for the Swiss financial market. The key here is to ensure Switzerland is linked to the rest of the world for information sharing (organizations like FS-ISAC can help) and also does not marginalize foreign headquartered firms who are present in Switzerland.
The development of a regulatory-endorsed Swiss Cloud label is an interesting development too and I expect the trend for firms to migrate systems to the cloud will continue in 2021.
8. What are your 2 go-to-sources of information when you are stuck?
Referencing the famous “never be the smartest person in the room” quote I’d say my first source is my staff. I am lucky enough to work with some fantastically talented people and if I don’t know something the odds are that one of them will. Failing that, my second source is to go to the cyber community.
You are never alone and almost everything has been seen and done before. Find someone in your network, the Swiss Cyber Forum, or sharing groups like FS-ISAC who can help you with your problem. In cyber, we know that the bad actors collaborate, so we need to do the same.
9. What is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in cyber security?
Go for it – cybersecurity is a fascinating area that makes a real difference in the world. As well as the latest trends in cloud computing, machine learning, and AI, it also requires an understanding of the fundamentals of how systems and networks work. I would also encourage new entrants not to miss out on opportunities to learn analysis, leadership, project, and risk management skills as they are all timeless and will serve you throughout your career.
A good information security professional has not only a very broad range of knowledge but also has a deep understanding of context at all levels. Most importantly, network – don’t hesitate to introduce yourself and meet people. The field is full of peers who are more than happy to provide guidance, advice, and introductions.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.