BBVA CISOs Give Tips For Securing 'Digital Bank'

At RSA conference today, CISOs at the multinational financial organization describe security strategy.

RSA CONFERENCE -- San Francisco -- Eight years ago, multinational banking group BBVA first decided to enable customers to do 100 percent of their banking activity remotely and from any device. No easy feat for a bank that has 51 million customers, 110,000 employees, and €650 billion (approximately $696 billion) in assets. Today, Juan Francisco Losa, CISO of BBVA's Digital Bank, and Santiago Moral, Global CISO for BBVA, explained the security strategy for this "global digital bank."

The main challenges, as Moral described them, are that customers use applications that are not developed or managed by the bank, that the bank's data no longer resides within the bank's datacenter, and that the software development lifecycle has changed entirely to become more agile.

When the infrastructure is no longer under the organization's control, said Losa, "the architectural design to address security has to be infrastructure-independent."

BBVA is trying to take advantage of new identity and access management tools. The authentication method can adapt to best suit the channel and the device, as long as it is "at least as reliable as 'traditional' mechanisms," Losa said.

What if something goes wrong? Losa also said that BBVA has a "panic button" to react quickly to an emergency -- for example, activating a requirement for a second factor of authentication on the fly if fraudulent activity increases through a particular vector. Losa said this was a job for BBVA's internal developers, not the third party.
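To make the channel-adaptive authentication and the per-vector "panic button" concrete, here is an added illustration (not BBVA's code; the channel names, factor names and thresholds are constructed assumptions): each channel carries a baseline set of factors, a second factor is forced for one channel when its recent fraud rate crosses a threshold or when an operator presses the button, and releasing the override is a deliberate manual step.

```python
from collections import deque

# Constructed example: baseline factors per channel (an assumption, not BBVA's config).
BASELINE_FACTORS = {
    "web": {"password"},
    "mobile_app": {"password", "device_binding"},
    "open_api": {"oauth_token"},
}
SECOND_FACTOR = "otp"  # the factor the panic button switches on


class StepUpPolicy:
    """Infrastructure-independent auth policy: per-channel baseline plus a panic
    override that forces a second factor for one channel (vector) on the fly."""

    def __init__(self, window=50, max_fraud_rate=0.05):
        self.window = window              # recent login outcomes kept per channel
        self.max_fraud_rate = max_fraud_rate
        self.panic = set()                # channels currently forced to step up
        self.history = {}                 # channel -> deque of bool (fraud flag)

    def record_login(self, channel, fraudulent):
        """Feed one confirmed login outcome. Trips the panic flag for that channel
        automatically once a full window's fraud rate exceeds the threshold."""
        q = self.history.setdefault(channel, deque(maxlen=self.window))
        q.append(bool(fraudulent))
        if len(q) == self.window and sum(q) / self.window > self.max_fraud_rate:
            self.panic.add(channel)
        return self.fraud_rate(channel)

    def fraud_rate(self, channel):
        q = self.history.get(channel)
        return sum(q) / len(q) if q else 0.0

    def press_panic(self, channel):       # manual button, e.g. from the fraud team
        self.panic.add(channel)

    def release_panic(self, channel):     # never automatic: a human stands it down
        self.panic.discard(channel)

    def required_factors(self, channel):
        """Factors a login on this channel must present right now."""
        if channel not in BASELINE_FACTORS:
            raise ValueError(f"unknown channel: {channel}")
        factors = set(BASELINE_FACTORS[channel])
        if channel in self.panic:
            factors.add(SECOND_FACTOR)
        return factors
```

Only the affected vector steps up; other channels keep their baseline, which is what lets the override be applied quickly without locking every customer into a second factor.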

Regardless of who's going to do the development work, the important thing, the speakers said, was that they need to develop and deploy updates as often and as quickly as necessary, even if that's within a time frame of just one week. How can they do that without sacrificing security?

Part of the solution, Losa said, is to automate testing as much as possible, but another part has to do with people, not technology. The way to work without knowing the complete functional analysis, he said, is by being part of a collaborative security DevOps team. "Start making security decisions in a decentralized way," said Losa.