Glenda Crisp
Chief data officer, EGM enterprise data, NAB
Australia’s big banks lead the way in cybersecurity. With the data of NAB’s nine million customers to protect – and the upcoming open banking regime – Glenda Crisp is at the front line. Her job involves ensuring equilibrium between data sharing to meet bank customers’ expectations and keeping their data safe. At the heart of the issue is trust – banks must be transparent about what they will and won’t do with customer information. Here, she talks about NAB’s approach to data security.
What’s the focus of data security for NAB?
The security of customers’ information and money is always our number-one priority. There’s no longer a distinction between personal data and identity, so protecting this information is of the greatest importance.
We’ve assigned data stewards, who are the guardians of data across internal business units; they identify issues with data and resolve them. We’re also creating an ethical-practice model for data use that goes beyond simple rules about access control and specific-use cases. For example, how can AI and data analytics be used to look for fraud? Where do we draw the line between privacy and identifying potentially illegal activity? These are challenges we must face.
We hear a lot about data as a business tool. How much of your role involves protecting it?
I partner very closely with our enterprise chief security officer, David Fairman. We’re investing in tools and systems to automate some of our processes and to improve monitoring and controls for protecting customers against fraud or internal error.
Hundreds of NAB employees work on the central data team to manage legacy data warehouses and reporting platforms, run data governance and management capabilities and create insights for various teams across the bank as we build a new data lake and analytics capabilities in the cloud.
On top of this, NAB’s converged security model has brought the cybersecurity, fraud and physical security teams closer together, which allows us to pinpoint issues and better identify opportunities to uplift customer awareness.
Can you tell us what strategies the bank uses to protect data?
NAB has adopted a public, multicloud strategy to move many internal applications to the cloud through the likes of Amazon Web Services and Microsoft Azure. Big cloud providers invest hundreds of millions of dollars annually in systems and their security – far more than we could invest ourselves.
We’re responsible for security inside the cloud. That includes encryption, partitions, access controls, monitoring, testing, operating systems and more. Our security strategy continuously looks to mature cyber capabilities via well-established technologies, innovative startups, partnering with academia to research emerging threats and collaborating with government intelligence agencies – domestic and international – and law enforcement. We’re also using advanced analytics – machine learning – to identify, detect and take a more predictive approach to responding to threats.
What is the biggest risk for a bank as it works to keep data safe?
That we don’t get this right and it leads to an erosion of the trust that customers place in us to keep their money and information secure. The consequences of getting data security wrong can be terminal for an organisation. Cyber threats keep evolving and we need to keep adding to our defences.
From 1 July, people will be able to share their banking data with third parties via open banking. What does that mean for banks and their customers?
Open banking will give customers more control, enabling them to securely share personal financial information from one financial service provider with other accredited companies. It should lead to more choice and innovation across the industry, ultimately improving convenience for customers.
This is a new horizon for the industry and implementation will be complex and challenging. It’s imperative that we get it right collectively and that speed is not prioritised over safety.
How do you stay on top of cybersecurity risks?
Our team of five security experts reviews our risk management framework monthly to ensure the business stays on top of risks and remediation scenarios. We enforce a “job zero” culture of security – it’s everyone’s job. Employees are regularly trained to help them deal with potential scenarios and this includes social engineering attack simulation [exercises that test staff’s receptiveness to assaults via email].
We also use agile methodology [a popular approach to project management], which encourages constant information sharing across the entire tech team based at our Sydney HQ. And we work closely with both our local risk and global audit and security teams at our parent company, Global Fashion Group.
How important is data security to your customers?
It’s a legitimate concern for everyone who’s shopping online. If a customer’s account is compromised, we have automated processes to quickly prevent the malicious actor from making any orders by immediately revoking its access. Then our customer service, security and fraud teams work together to explain the situation to the customer and discuss next steps for changing passwords and preventative techniques.
Have you had to deal with a major data security incident?
We have experienced account-hijacking attacks in the past. Our incident response playbooks ensure we take the best course of action to resolve all incidents as quickly as possible. For us, “the best defence is a good offence”, so we employ professional hackers to find vulnerabilities using the latest techniques and fix any potential threats.
Online customers often want fast transactions. Is there a trade-off between speed/convenience and security?
There’s no trade-off for two reasons. First, we use the latest, most trusted cryptographic protocols to provide authentication and data encryption. Decreasing the level of encryption would not increase the speed of our service. Second, security controls take place in the back end and don’t interfere with the customer experience on our website or mobile app.