Tom Sanzone has a resume few in the bank technology field can rival: Chief administrative officer of Merrill Lynch. Chief information officer of Credit Suisse. CIO for the Corporate and Investment Bank, the Private Client Group, and the Global Transaction Services business at Citigroup. Managing director and head of global application development at Salomon Brothers. 

He recently landed at the consulting firm Booz Allen Hamilton, where he is an executive vice president in charge of the commercial financial services practice. He recently chatted with Bank Technology News about how chief information security officers can protect their banks against the growing army of cyber criminals and how the role of data security watchdog has gained importance.

BTN: Are you seeing CISOs get more respect in banks?

Sanzone: Definitely. The title CISO is standard now. When a security issue becomes the concern of the executive committee and the board, the person responsible for that function at a minimum is required to report to those bodies on a regular basis on the status of the environment. With cyber risk and security issues, it's done. If you look at the security events that have occurred this year, there's probably not an executive team or board that's not been briefed on this topic and is concerned. In Lloyd's Risk survey, two years ago, cyber risk wasn't in the top 10 list of executive concerns, now it's number three.

Do you think cyber risk should be number three on the list, or should it be number one?

The prioritization of risks depends on the nature of your business model. In financial services, a hedge fund will have a different risk prioritization than a large bank, versus an exchange, versus a trading firm. A hedge fund that makes a significant amount of income and profit on proprietary trading models may prioritize intellectual property theft as number one. A wealth management firm might prioritize sensitive client data as the key cyber risk. 

For cyberattacks such as distributed denial of service attacks, malware, and others, do you have a sense of which financial firms are the biggest targets and why?

Different types of attacks have different motivations. You have organized crime that's looking to cyber techniques to commit fraud. Then you have denial of service where people are looking to damage the franchise from an infrastructure perspective. It depends on who the actor is and what they're trying to accomplish. Clearly malware has been a constant, evolving battle over the years on PCs and other types of devices.

So now you work with banks and you're trying to help them improve their cyber risk strategies and plug in the holes?

We do benchmarking, we bring CISOs together to share information and talk about challenges. We try to help them get better and stronger at cybersecurity and protection. We help them develop strategies, develop stronger policies, and implement solutions that will help them improve security.

How can CISOs better work with other executives in the company?

If you are a CISO and you need to present your cybersecurity risk and threat impact report to the executive committee or board, tying the cyber risk landscape to the risk models the firm uses to manage its business is a nice way of getting everybody to use the same vocabulary to articulate risk in a consistent way, versus talking about cyber risk in pure technical terms. Reputation or financial risk is usually top of mind for executives. Below that are market, credit and operational risk. Talking to business leaders about how a cyber attack will create market, credit and operational risk is a good way to create a common framework that people will use and understand.

It seems in some cases it would be hard to come up with hard data, to say, for instance, that DDoS attacks affect credit risk. How would you make that bridge?

That's part of the evolving art of being able to quantify risk. If you look at cyber risk and the controls and infrastructure to mitigate those risks, it's similar to an insurance model, how much insurance do you want to buy for what protection? When you look at risk, you have to create your definition of risk, determine the probability that an event will happen, and the material impact of that event on risk. You need to over time develop these models with as much public information and benchmark information as you can and then supplement it with your own experience.

Banks have been using risk models for years with varying degrees of success. During the mortgage crisis the assumptions they had made in their models, say for assessing collateralized debt obligations, were not correct. What's the value of such models and are there changes that need to be made?

I think you hit it on the head, the models are only as good as the assumptions they make. What generally happens is models should improve over time with experience. Experience either validates an assumption or invalidates an assumption, then you make a change and an improvement. It's not that you don't want to use models, you certainly want to use models, but they're not perfect and they need to be improved over time. And like most of life in the financial markets, there's a quantitative aspect to the financial market, but there are still human beings. Human beings, human nature, human reaction are not the easiest things to model. During the financial crisis, at some point, there was no market, there was no buyer. If you held securities, from a quantitative measurement perspective they had value, but no one was willing to buy them because of fear. That aspect of human behavior and how it affects markets is very hard to impossible to model.

In the past you've been a strong proponent of virtualization, which I would argue is morphing into cloud computing. Do you think that as this evolution continues, new security concerns will continue to crop up because the IT leadership has less control over where computing is taking place and controls in that environment?

Yes. Technology is constantly pushing to extend further and further outside your walls. Even in the mobile device space. At one point, there was no mobile device. Then companies had complete control over the mobile device. Now you have the trend of BYOD [bring your own device], where people want to be able to use their own devices but still have access to corporate resources. Technology innovation drives the pressure to extend. Cloud is another example of that. We used to run everything within our data centers, within our walls. Now you have this capability where for a lower cost point and a higher efficiency level, you could get access to third party infrastructure much more efficiently. Then there's this push to move outside the data center. All these moves create additional and new security risks and challenges that have to be mitigated.

What do you think of Quantum Dawn 2, the recent fake cyberattack SIFMA staged with many large banks? Is this the kind of thing banks ought to be doing more of?

I think they've done that for some time and yes, I think you'll see more of it. We've done a number of high-level war games for clients. You create scenarios that people are not privy to before the game, then you hit them with them as the game progresses — this has happened, what will you do? War gaming conceptually is a good thing for the industry to do. I think it improves their planning and preparedness for events.