Security and DevSecOps in financial services

Limited mobility, business closures, and economic downturn: these were just some of the cascading effects the pandemic dealt to enterprises, regardless of size or structure. During this period, organisations were forced to speed up their digital transformation, because refusing to do so would have meant industry extinction.

Unfortunately, malicious actors saw a huge opportunity to cash in on security gaps among businesses that were increasingly going digital. API vulnerabilities became a concern, and ransomware attacks skyrocketed.

On the bright side, the digital refresh allowed enterprises to assess their vulnerabilities, and precipitated an IT transformation anchored in tighter security controls.

To flesh out issues and strategies amid this digital refresh, Jicara Media gathered senior IT experts in a panel entitled “Digital Transformation and Cybersecurity – Baking Security into the IT Stack” as part of the IT Security Frontiers 2022 online conference.

For Arivuvel Ramu, Group CTO of all-digital bank Tonik, security is an indispensable component of business strategy, especially for a financial institution.

“Banking is all about trust, and building that trust within regulatory entities. For me, a transformation is a change in user experience, automated process, process reengineering, integrated experience, and product and customer experience, which link to data travel and access control. Because when you say transformation, you’re (talking about) transformation of a physical touch point, which is an on-prem security strategy change. (Then there’s the) digital touch point, which is the cloud security strategy change,” Ramu said.

“When you’re working with a modern cloud SaaS provider, you’re bringing vendor cloud security. So overall, CISOs need to be engaged and look at your physical touch point change, digital touch point change, and the vendor ecosystem touchpoint change. If you want these changes to be smooth within the transformation journey, the CISO must be a key person, along with your product officer, your infrastructure (officer), and your finance (officer),” he added.

While most people usually refer to technology when talking about digital transformation, there are a lot of other elements included in the overall process, said Mark Frogoso, the CISO of GCash.

“As a start, you need to identify what are your drivers and pillars of that digital transformation. It’s probably not just technology on its own, but more about culture, people, operations, and your customers, and it’s pretty much aligned with your balanced scorecard as an organisation. In terms of role, security is pretty much an enabler. It enables the digital transformation to be more successful, but at the same time, once you’re done with your transformation, it enables you to reap the benefits of that digital transformation initiative,” he elaborated.

Security challenges

With the range of security solutions and the number of vendors in the market, how can enterprises navigate the complexity?

For Ramu, one of the significant challenges rests on access.

“The biggest problem in the world of SaaS – bring your own device (among your) remote workforce – is what level you are confident to outsource those touchpoints, or what level of control can you give it to managed services. If I want to do an audit, do VAPT (Vulnerability Assessment and Penetration Testing), or I want to do an app scanner, yes, go ahead, (you can outsource it). But when (it comes to) managing my IM, managing my SSO, putting my antivirus and anti-malware and centralised monitoring, still, I want the internal team to do it,” Ramu said.

“If the organisation is new to this kind of transformation, then it is better to work with a managed service provider, learn the skill over time, then find out what kind of controls (you can retain), and what kind of controls you can give. (This is where) cost efficiency comes in, because most managed services are expensive, and (just) how many million dollars (do) you (actually) have?” he added.

Frogoso, meanwhile, acknowledged the manpower issue when onboarding new technology.

“I think it’s inevitable that we’re in this particular environment that we have lots of technologies out there. I think it’s always going to be a collaboration between IT and security. That’s really paramount. It’s one of the challenges of a security professional, establishing that relationship with IT people. There are different kinds of security professionals, some of them are not really in technology, in terms of background, (so when) having conversations with tech-savvy folks, you have a disconnect, and probably frictions. So collaboration between IT and security is really very important. From a security perspective, the word is really to be comprehensive, to be holistic,” he explained.

Over at DANA Indonesia, incident detection and response are top of mind when it comes to cybersecurity, noted Andri Purnomo, its Vice President for Information Security.

“You are dealing with massive data, which is coming from different solutions, so you need to streamline and make sure that your detection team can do a quick detection (of vulnerabilities). This is so that you can respond, otherwise you will have a breach. So the purpose of detection is just to make sure that we can probably have a quick action once we see that one of our products is (failing),” he said.

DevSecOps mindset

As many organisations embrace DevSecOps in rolling out their technology refresh, more of the security flaws that were prevalent at the height of the pandemic are being eradicated in favour of sturdier long-term solutions.

But how exactly does the DevSecOps approach benefit enterprises? And how can it be integrated with existing business strategies?

For GCash, slow and steady wins the race.

“Right now, we’re embarking on a massive cybersecurity transformation strategy. It’s a multi-year strategy, and DevSecOps is definitely one (part) of that. In terms of what it’s going to look like in the future, I’m just very optimistic and hoping that security will have to be embedded by default, to a point where you no longer say DevSecOps, because this is already given,” Frogoso said.

For Tonik, implementing DevSecOps was not without its unique set of challenges.

“You need to break the last 20 years of the enterprise model whereby the CISO is isolated by process, by enterprise, and by organisation. We can talk about concepts, but you cannot execute when the CISO is outside, hence you need a big transformation within your organisational structure. So I brought my engineering capacity, operational capacity, and CISO – all three under one umbrella,” Ramu said.

“This cross-functional technology team starts from product ideation to product rollout and product operation, until the particular experience, product, or feature is going for retirement or end of life. Until then, these layers are all working together. That is the kind of process we started in 2019, and we have successfully (run with that for the) last three years with minimal conflict,” he added.

Over at DANA Indonesia, the cost of not embracing DevSecOps is unacceptable.

“The thing that DevSecOps addresses is how to quickly remedy those vulnerabilities the first time. Just imagine if we had not put that in the beginning. In case of a big security issue, (there will be a big) cost charged to the development side, (so much so) that they would have to reinvent the wheel,” Purnomo said.