CBA looks to GenAI to assist 1200 ‘security champions’

CBA is looking to support its security engineers as well as 1200-plus “security champions” embedded across the bank with generative AI tooling that is currently in pilot.
(L-R) Harvey Deak (CBA) and Mitch Beaumont (AWS)

CIO for group security Harvey Deak told the AWS Summit Sydney that the tools, based on AWS Bedrock, could “augment and accelerate”, for example, security assessments performed for software products and features developed at the bank.

“Some of the ways the technology can help actually reason and do what’s usually between the two ears of a security professional has been pretty powerful,” Deak said.

“We’re looking forward to rolling this out en masse to the [security champions] program to augment both the human side of it, but also augmenting some of our security assessments as part of scaling the program out.”

The security champions program has been running for several years inside CBA, but only surfaced publicly at the start of this year via an obscure case study published by the BBC.

In the case study, Deak notes that CBA wanted to embed security culture and secure-by-design practices across the bank.

To do this – in a way that did not overtly rely on a centralised security team – the bank “created the security champions program, which trains team members across departments to address security risks relevant to their specific roles,” the case study notes.

“By embedding security champions within key areas, [CBA] effectively scaled its security practices while ensuring collective responsibility across the organisation.”

Deak told AWS Summit that the program supported the bank’s ambition to move quickly from a product perspective while “maintaining high security standards”.

The bank is deeply invested in the effort, with current results “three-to-four years in the making”.

“We’re up to the point now where 70 percent of our upfront security review work is being completed by a champion,” Deak said.

Champions – typically a “technologist, product owner or engineer” employed in various parts of the bank – receive training to develop a “security skillset”.

So far, the training is internally created, but the bank is considering augmenting it with an external certification to reflect the champion’s skills.

“We developed a lot of the internal collateral ourselves, and I think one of the debates we’re having now is that’s great, you’re getting the skills and the benefit, but do we need to bring in some external certification or accreditation to help support that should people choose to move outside the organisation?” Deak said.

“It’s one thing for us to maintain it internally – that’s allowed us to maintain it quite easily and update and iterate it – but being able to give people something they can take with them as a certification is something we’re re-evaluating now.”

So far – and without the use of generative AI – the bank has seen some strong outcomes from its security focus: notably, at a high level, its efforts have allowed it to double the number of technology changes it is introducing, while cutting the number of incidents by two-and-a-half times.

“There was a 4x increase in the speed of our cyber security reviews and our processes in the software and system development lifecycle. That ultimately sped up the delivery of features and changes to our systems and products, translating into two times more technology changes, but also quality increased, so there have been 2.5 times [fewer] incidents as we’ve scaled this program out,” Deak said.

“Most importantly, the number of security issues and defects that were making their way through [to production] fell off a cliff.”

Generative AI could aid the work of both security engineers and champions across the bank in future.

In a slide deck, the bank indicated that the technology could assist with automated threat modelling and architectural reviews, or in underpinning an ‘AI security engineer’ chatbot.

It could also play a role in compliance checking within the software development lifecycle, and in the suggestion of “smart next best actions” to take, presumably, to improve the security posture of a product or product team.

Ry Crozier attended AWS Summit Sydney as a guest of AWS.