In this Help Net Security interview, Sunil Mallik, CISO of Discover Financial Services, discusses cybersecurity threats for financial institutions. He also shares insights on balancing compliance with agility, lessons from regulatory audits, and Discover’s approach to risk management and workforce development.
What are the most pressing security threats facing credit card and digital banking platforms, and how should organizations adapt defenses to counter them?
The most pressing security threats facing credit card companies and digital banking platforms include sophisticated social engineering attacks, payment fraud and account takeover (ATO) fraud. To counter these threats, financial services organizations should implement advanced threat detection systems, conduct regular security assessments, and educate customers about potential scams. At Discover, we use security protocols such as de-identifying customer data, which involves removing or altering identifiable information to protect privacy and comply with industry regulations. De-identifying customer data helps reduce the risk of data breaches and misuse while still unlocking the data for business purposes.
It’s also important to reduce the organization’s attack surface by minimizing potential entry points for attackers and implementing an architecture that assumes no user or device trust by default. This approach strengthens authentication and reduces the risk of data breaches. Finally, continuous education and awareness programs for employees and consumers are vital in protecting customer data, maintaining trust, and strengthening the human defense layer. In my view, these combined efforts can help companies to stay ahead of emerging threats and ensure the security of digital banking platforms.
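The first answer mentions de-identifying customer data by removing or altering identifiable fields before the data is used for business purposes. The following Python script is an added illustration of that idea and is not Discover's code or process: it drops direct identifiers, masks the card number to its last four digits, replaces the customer ID with a keyed HMAC pseudonym so records can still be joined without exposing the original value, coarsens the ZIP code, and then checks that no raw card number survived. The records, field names, and the hard-coded key are all constructed for the example (a real deployment would fetch the key from a KMS or HSM).

```python
import hmac
import hashlib
import re

# Constructed sample records for demonstration; not real customer data.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Jane Example", "email": "jane@example.com",
     "pan": "4111111111111111", "zip": "60015", "txn_amount": 42.50},
    {"customer_id": "C-1002", "name": "John Example", "email": "john@example.com",
     "pan": "5500000000000004", "zip": "10001", "txn_amount": 17.99},
]

# Hypothetical pseudonymization key. In a real deployment this would come from
# a KMS/HSM and be rotated; it is hard-coded here only so the example runs offline.
PSEUDONYM_KEY = b"example-key-not-for-production"

# Fields that identify a person directly and serve no analytic purpose: drop them outright.
DIRECT_IDENTIFIERS = frozenset({"name", "email"})

# A 13-19 digit run that is not part of a longer token; used to catch raw card numbers.
PAN_PATTERN = re.compile(r"(?<!\w)\d{13,19}(?!\w)")


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the form used on customer-facing receipts."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymize(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed HMAC: the same input maps to the same
    pseudonym (so datasets can still be joined), but the original value cannot be
    recovered or brute-forced without the key."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "cust_" + tag[:16]


def generalize_zip(zip_code: str) -> str:
    """Coarsen a 5-digit ZIP to its 3-digit prefix to reduce re-identification risk."""
    return zip_code[:3] + "XX"


def deidentify(record: dict, key: bytes) -> dict:
    """Apply a per-field de-identification rule; fields with no rule pass through."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # removed entirely
        if field == "pan":
            out[field] = mask_pan(value)
        elif field == "customer_id":
            out[field] = pseudonymize(value, key)
        elif field == "zip":
            out[field] = generalize_zip(value)
        else:
            out[field] = value
    return out


def contains_raw_pan(record: dict) -> bool:
    """Defensive check: does any string field still look like a full card number?"""
    return any(isinstance(v, str) and PAN_PATTERN.search(v) for v in record.values())


def deidentify_all(records, key: bytes) -> list:
    """De-identify every record and refuse to emit output that still carries a raw PAN."""
    out = []
    for record in records:
        cleaned = deidentify(record, key)
        if contains_raw_pan(cleaned):
            raise ValueError("raw PAN survived de-identification")
        out.append(cleaned)
    return out


if __name__ == "__main__":
    for cleaned in deidentify_all(SAMPLE_RECORDS, PSEUDONYM_KEY):
        print(cleaned)
```

The post-processing check in `deidentify_all` is the part worth copying: a de-identification pipeline should verify its own output rather than trust that every field rule was applied, since a new upstream field (a free-text note, say) can reintroduce a card number the rules never saw.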
What are the biggest gaps in traditional risk management approaches for financial institutions, and how should organizations address them?
Traditional risk management approaches often struggle to keep pace with the rapidly evolving regulatory landscape, emerging cybersecurity threats and market volatility. One significant gap is the reliance on static risk assessments that may not account for a changing threat environment.
Additionally, traditional approaches may lack integration with modern technologies and fail to provide a holistic view of risk across the organization. To address these gaps, financial institutions must invest in robust compliance frameworks that are adaptable to changing regulations, threat environments and business processes. Furthermore, leveraging technology to streamline compliance processes and improve efficiency is essential.
Proactive cybersecurity measures, such as continuous monitoring and threat intelligence sharing, are essential to stay ahead of potential threats. At Discover, we’ve enhanced our data classification and handling standards to ensure sensitive information is appropriately identified and protected. We’ve also launched a security-focused practice that integrates security into all aspects of our operations, from development to deployment, ensuring a comprehensive approach to risk management.
How can CISOs stay ahead of evolving financial regulations without compromising agility in security operations?
Staying ahead of evolving financial regulations requires a strategic approach that balances compliance with operational agility. CISOs can achieve this by embedding compliance into their cybersecurity strategies from the outset. This involves designing security frameworks that are flexible and can adapt to new regulations without requiring significant overhauls. Leveraging AI and machine learning for regulatory monitoring can help identify and respond to changes in real-time.
Regular training and collaboration with regulatory bodies are essential as well. By staying informed about upcoming regulatory changes and participating in industry forums, CISOs can anticipate and prepare for new requirements. At Discover, we prioritize continuous learning and upskilling for our team, enabling us to adapt quickly to regulatory changes while maintaining robust security operations. For example, I’m involved with the National Cybersecurity Alliance, American Transaction Processors Coalition and Financial Services Information Sharing and Analysis Center (FS-ISAC), which helps me stay connected with industry standards and best practices, ensuring we remain agile and compliant.
What lessons have you learned from recent regulatory audits or compliance assessments that might be valuable for other financial CISOs?
Recent regulatory audits and compliance assessments have reinforced the importance of collaboration and proactive engagement with regulators. Clear communication with regulatory bodies and internal stakeholders is essential, as well as conducting comprehensive risk assessments that go beyond technical analysis to include business and operational risks.
At Discover, we’ve focused on integrating security Non-Functional Requirements (NFRs) into our development processes to ensure security is considered at every stage and we are compliant by design. Enhancing our analytics environment has also been a priority, allowing us to better monitor and respond to potential threats. Continuous improvement based on audit findings is key to maintaining a strong security posture. By addressing identified gaps and implementing recommended changes, we can enhance our overall security and compliance efforts.
How do you balance cybersecurity investments between proactive measures and reactive capabilities?
Balancing cybersecurity investments between proactive measures and reactive capabilities is essential for a comprehensive security strategy. Proactive measures, such as threat hunting, regular vulnerability assessments, and security awareness training, help prevent attacks before they occur. These measures require ongoing investment in tools, technology and talent to stay ahead of emerging threats.
Reactive capabilities such as resiliency, incident response plans and disaster recovery strategies are equally important to minimize damage in case incidents occur. Investing in robust incident response teams and ensuring they have the necessary resources and training is critical. Talent is front and center to your strategy as well. At Discover, we emphasize developing and retaining top talent, which is key to both proactive and reactive cybersecurity efforts. Our strategy includes providing opportunities for continuous learning and upskilling, ensuring our team is always prepared for any challenge. We offer an internally built professional certification for employee development. By maintaining a balance between proactive and reactive investments, we can effectively protect our customers’ data and maintain their trust.