iTnews

NAB makes 'secure by design' the centrepiece of security strategy

By Ry Crozier
May 13 2024 6:30AM

Works to shift conversation left.

NAB has made “secure by design” the centrepiece of its security strategy, supported by people, process and technology that collectively aim to keep the bank and its customers safe.


Speaking to the iTnews Podcast, chief security officer Sandro Bucchianeri said NAB had worked hard to “shift the conversation [on security] left”.

 

“From our branch tellers to our concierge services when you're coming into a building, to our executive leaders and board members, it's about making sure security is front and centre in everything that we do,” Bucchianeri said.

“[We’re] making sure security is front-of-mind: that you're not just clicking on a link or opening up random files.

“That's why when we say ‘shift left’, secure by design gets baked into everything we do.”

The bank has progressively put in place a number of support structures to achieve its security vision and ambition.

As the CSO title suggests, Bucchianeri has central oversight over both physical and cyber security domains, supported by “hundreds of colleagues globally” based in Australia, India, Vietnam and New Zealand, and a “global operations centre” that sits in the Technology organisation.

“We needed to make sure that we had one function that was responsible for driving security culture within the organisation,” Bucchianeri said.

All three of those functional areas - physical and cyber security, and the operations centre - come together for threat intelligence and incident response under what is known as the ‘Fusion Centre’.

“The intent was to bring physical security, cyber security and our global operations together under one roof so that we can respond to incidents much faster than we would have done in the past,” Bucchianeri said.

“The main outcome that we've seen so far [from the Fusion Centre] is that collaboration across the different spaces has improved significantly.”

In the three years since the Fusion Centre was established, Bucchianeri said that additional improvements had been made to ensure “seamless incident management and collaboration” between the various contributors.

“Where [incident response] used to [involve teams with] a very siloed view of the world, it's moved to be much more collaborative so that we can understand how things impact different parts of our business,” Bucchianeri said.

“In addition, the different security and operational teams sat across multiple sites, so that collaboration has helped bring them closer together, and because we have operations globally, we have a follow-the-sun model so that we make sure that we have 24x7 coverage.”

Unpacking the security strategy

Further supporting the goal to be secure by design is a security strategy that comprises five pillars, which, in turn, are underpinned by 11 “capabilities”.

The first of the five pillars is to “protect” the bank using a “threat and data-led approach”; the second pillar is around security culture and mindset to protect the bank, its customers and their data.

Then there are pillars to simplify the bank’s environment, cutting out complexity and ensuring things are easy to operate and provide a good user experience; to standardise security capabilities; and a partnership pillar to govern how the bank works with academia, government and others around emerging security risks.

On the vendor side, Bucchianeri said that NAB partnered with security product and service providers where their offerings were “best-of-breed”, fit for purpose and deemed to be cost-effective or otherwise providing value.

Lately the bank has been looking to extend enterprise-grade protections to its business banking customers as well, with 12 months free access to CrowdStrike services and cyber assessment services in partnership with Microsoft, as well as other security-related supports.

“As we are Australia's leading business bank, we try to play a key role in helping small to medium businesses be more secure,” Bucchianeri said. “We have done a lot of work in this space.”

Cyber hygiene

Bucchianeri also emphasised the considerable positive impact that practising good cyber hygiene brought to the bank.

“The most important thing we focus on, and that I've been trying to focus on for the best part of 25 years, is security hygiene and getting back to our basics,” he said.

“Anybody that you talk to in industry will probably say the same thing: that patching is a problem or identity access management is a problem.

“What we're trying to do is make sure that the different tools that we do go after can help solve those challenges, so that we can provide a much safer and secure environment for the organisation and for the customers.”

Copyright © iTnews.com.au . All rights reserved.