For an organisation like Absa, threats come from every direction, every day. Group chief security officer Sandro Bucchianeri is responsible for ensuring the bank doesn’t succumb to any of the myriad attacks.
Kathy Gibson spoke to him about his passion for security.
Security can’t be one-dimensional when the data and money of thousands of Absa customers, plus the safety of employees, are in your hands.
Sandro Bucchianeri, group chief security officer at Absa, looks after all security matters – both physical and cyber – in South Africa and the 14 other countries where the bank has a presence.
It makes sense to take a holistic view of security, he says, and organisations across the globe are starting to view security this way.
“We live in a converged society, so cyber security, physical security and resilience are all equally important,” Bucchianeri says. “So we look at threats holistically.”
He cites the example of recent strike action, which touches on resilience functions, physical security in terms of people’s safety, and cyber security.
A lot of his job involves monitoring risk factors, to which end the bank subscribes to several threat intelligence services.
For instance, keyword monitoring on social networks and the broader Internet can help to alert bank officials about Absa mentions and help to determine the bank’s risk appetite.
“We also monitor the dark web to see if there are any active threats, and if they are focusing on Absa in particular or banks in general.”
Constantly looking for threats could seem paranoid, but it’s very necessary, Bucchianeri adds.
“Like any organisation we are attacked on a daily basis, and we have to have the people, processes and technology on hand to manage the threats. There is always something going on.”
In fact, constant threats are business as usual for the bank. “There is always something going on and, as we and our customers move online, the threats simply shift online as well.”
The bank is prey to the same threats faced by many other organisations, Bucchianeri points out. “Some of the basic things are always a challenge. Things like phishing, where an email pretends to be something it is not. These mails play on fears or desires. At the moment we are seeing a lot of Covid-related phishing that exploits people’s fear of illness or financial losses. Phishing emails often look, feel and sound legitimate.”
Tax season, elections, holidays, weather events and more are all subjects that phishers can use to get users to open their mails.
The bank has also experienced a lot of distributed denial of service (DDoS) attacks, Bucchianeri says.
“And there is stealing of information from insiders,” he adds. “In fact, the insider threat is starting to increase.”
Ransomware remains a big issue for organisations. “If your systems are not up to date, when you click on that dodgy link, the payload could install ransomware.”
The problem, Bucchianeri explains, is that cybercrime is such a lucrative business. “It is run just like other businesses. In fact, crime will surpass oil and other normal businesses by the end of the year.
“And this is why I have a role.”
Compounding the issue is the fact that the vast majority of individuals who work on corporate systems are insufficiently sensitised to the threats.
This means that organisations are going to be breached. “We do know that breaches happen, but we don’t get traumatised by them.”
The important thing about a breach, Bucchianeri says, is how you deal with it. “It’s your response to a breach that differentiates you.
“It is important that our response is fast. We talk about the dwell time – the amount of time the attacker is in the network before you detect them. The global average is 55 days, and the worst I’ve heard about is six years.
“But ideally that number should be days or hours.”
A swift response is the best way to deal with a breach, and South African banks all share information about attacks to improve their combined security posture.
“If I get attacked, I share all the information I have with Sabric and through other channels as well,” Bucchianeri explains.
“In the past, each bank may have viewed security as a competitive advantage, but not anymore. Now we want to work collaboratively to protect everyone. It is in all of our best interests to work as a community.”
Being tightly regulated makes this kind of threat information sharing easier.
The cybersecurity industry has been prolific in offering technology to prevent, identify and mitigate security breaches. But no organisation can rely on just the tech, says Bucchianeri.
“Sometimes vendors who are intent on selling a product will tell you their tool will solve all problems. But this creates a dangerous expectation that it will do that.
“Any solution is made up of people, processes and technology, and you can have the best technology and processes, but if the train driver has a rough night, the train can derail. And it’s the same from a security perspective: if users are not paying attention to what information they are moving around or sharing, they could also put a company into a dangerous position.
“So user awareness is incredibly important, which is why we focus a lot on awareness.”
Bucchianeri and his team at Absa do this by making security more personal to users. “It’s about telling them to lock their machines. The focus is rather on how to protect their kids online; and how to protect themselves from loss.
“We make it personal to people, and they pay more attention to it.”
For most South Africans, their physical security is almost second nature, Bucchianeri explains. “When you go to bed, you lock the house and put the alarm on; when you go shopping you lock the car. And you do these things almost instinctively.
“Why should cyber-security and shopping online be any different? We need to get to where security is automatic.”
The key to instilling a security culture is to make it human, he adds.
Chief security officers (CSOs) and chief information security officers (CISOs) have to learn how to engage better with the board.
“But we know that the board member still eats dinner, buys electricity, buys data for his kids – you need to bring the human element into the conversation, make security more about being human. If you are open, honest and transparent, you get a lot further with support.”
At Absa, Bucchianeri starts with understanding the business’s risk appetite. “Some companies have a large risk appetite – we don’t, so we need to have the people, processes and technology available to protect our customers and ourselves.
“We look at international frameworks and best practices and implement a strategy based on them but fine-tuned for our particular needs.”
The last few months have been challenging for a lot of organisations that have had to pivot quickly to a work-from-home model.
“But my security strategy was built in a way to pivot and adapt,” Bucchianeri says. “It is still all about the triangle of people, processes and technology, and how to apply them to the organisation.”
The strategy appears to be working: the Absa Group’s cybersecurity team was named the ‘Not for Profit Team of the Year’ at the 2020 Cyber Security Awards.
Key to this achievement, Bucchianeri says, is the people within the organisation and the passion they share.
“The team has a common cause, which is to protect the organisation, and we want to do that in order to stay successful.
“We are very mindful of the bigger picture and Absa’s role as one of the bigger banks in South Africa, and the pivotal role it plays in the ecosystem of the country.
“What we do could impact real lives; and interfere with people’s ability to put food on the table, clothes on their backs, or a roof over their heads.
“Understanding why we do our jobs has helped us to do them successfully.”
Possibly the biggest threat companies are facing is the cybersecurity skills shortage, Bucchianeri believes. He cites reports that put the global shortage at 3,5-million by the end of 2020.
“But I am a glass-half-full kind of person,” he says. “There is always a positive side to any situation.
“In this case, we have a crisis, so we have to solve it.”
The only way to eat an elephant is one bite at a time, Bucchianeri quips. In the same way, we can solve the global skills shortage by tackling it at a local level.
Driven by Bucchianeri, Absa has partnered with the Maharishi Institute (MI) to set up the Absa Cybersecurity Academy to address the local skills shortage.
He explains that youth unemployment in South Africa is now 55,9%. “There are many young people who need an opportunity to do better and be better.”
The academy takes in marginalised youth and gives them skills in cybersecurity along with good employment prospects.
So far two cohorts of 20 students have completed the course, and a third cohort has kicked off. “So we will soon have about 80 students coming through, who will feed back into the wider community.”
Bucchianeri has visions of this initiative leading to South Africa becoming a hub for security skills outsourcing.
“I also want my people to stop leaving the country for greener pastures,” he explains. “Because skills are in such demand, our people can work anywhere on the planet.”
He believes South Africa can use its youth advantage – the average age in Africa is 19.5 years, compared to 40 or more in Europe – to build an outsourced industry.
“If we can tap into the youth and give them fourth industrial revolution (4IR) skills, why couldn’t we get the big software and cloud companies moving some operations to South Africa?”
The other part of Bucchianeri’s vision is to start offering IT and security skills at high school. “We are in conversation with various ministers to make this a reality.
“The idea is that when young people finish their matric they will hold a certificate that allows them to start working in a meaningful job immediately, using skills they have learnt since Grade 10.”
With 30 000 schools potentially participating, Bucchianeri has a vision of South Africa joining Estonia as one of the most digitally developed countries in the world, able to offer technical support to companies across the globe.
The beauty of cybersecurity is that students don’t need to do maths and science to participate in the training. “It’s something that everyone can do.
“In fact, I am encouraging all of my peers to sponsor a kid through the online training.”