At RSA conference today, CISOs at the multinational financial organization describe security strategy.

Sara Peters, Senior Editor

April 21, 2015

2 Min Read

RSA CONFERENCE -- San Francisco -- Eight years ago multinational banking group BBVA first decided to enable customers to do 100 percent of their banking activity remotely and from any device. No easy feat for a bank that has 51 million customers, 110,000 employees, and €650 billion (approximately $696 billion) in assets. Today, Juan Francisco Losa, CISO of BBVA's Digital Bank and Santiago Moral, Global CISO for BBVA, explained the security strategy for this "global digital bank."

The main challenges, as Moral described them, are that they have customers using applications that are not developed or managed by the bank, that the bank's data no longer resided within the bank's datacenter, and that the software development lifecycle had entirely changed to become more agile.

When the infrastructure is no longer under the organization's control, said Losa, "the architectural design to address security has to be infrastructure-independent."

BBVA is trying to take advantage of new identity and access management tools. The authentication method can adapt to best suit the channel and the device, as long as it is "at least as reliable as 'traditional' mechanisms," Losa said.

What if something goes wrong? Losa also said that BBVA has a "panic button," to react quickly to an emergency -- for example, activating a requirement for a second factor of authentication on the fly, if fraudulent activity increases through a particular vector. Losa says this was a job for BBVA's internal developers, not the third party.

Regardless of who's going to do the development work, the important thing, the speakers said, was that they need to develop and deploy updates as often and as quickly as necessary, even if that's within a time frame of just one week. How can they do that without sacrificing security?

Part of the solution, says Losa, is to automate testing as much as possible, but another has to do with people, not technology. The way to work without knowing the complete functional analysis, he says, is by being part of a collaborative security dev ops team. "Start making security decisions in a decentralized way," said Losa.

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights