Right now, somewhere in the world, someone is trying to crack Barclays’s cybersecurity. But to do it, they’ll have to get past the Chief Security Office, and that won’t be easy.
Out there in the online universe, highly organised, well-funded teams of hackers are waging everyday cyberwarfare against global industries, and financial institutions are a prime target because they are key to destabilising the economy.
Ransomware is the current weapon of choice. Across the industry, around 220 victims are hit with a ransomware attack every month. By infiltrating a piece of malware into business-critical systems, threat actors seek to gain control of a system’s data and block all access to it until a ransom is paid.
Unfortunately, ransomware is just part of the story. Shadowy organisations, criminal gangs, tech-obsessed teens and even hacktivists are constantly trying to gain access to our networks.
Just ask Asha Cullen, one of the Chief Information Security Officers at Barclays Execution Services, the global service company that provides technology, operations and functional services to the entire Barclays Group.
In Asha’s world, “things are always changing, new threats are always emerging.”
The turbulent geopolitical situation has created a surge in attacks. And COVID meant homeworking for a much larger percentage of our people. That brought new vulnerabilities, like the increased use of personal devices for work purposes.
Asha’s team had to adapt fast and work through the risks carefully. Among other initiatives, they created a tool that checked the level of anti-virus protection on a device. Fortunately, that has set us up well for a hybrid working future.
Threats can be as blatant as someone sticking an external drive into an ATM to steal money. Solutions can be as subtle as advising staff not wear their lanyards out of work, so that they aren’t targeted for blackmail online.
It's no wonder then, that the Chief Security Office at Barclays offer a wide range of roles and challenges for tech people – and non-tech people too.
Asha trained as an accountant. She joined Barclays, ten years ago, as the Finance Business Partner for Security, based at Barclays’ state-of the-art tech campus at Radbroke, Cheshire. Being a good partner to the business meant finding out all about the team. Pretty soon, she was hooked.
I started to understand there is so much to security. There’s such a range of roles - from tech people writing scripts that constantly check our systems, to intelligence teams working closely with global intelligence agencies. I found it fascinating.
Barclays’ Security teams follow the National Institute for Standards and Technology Cybersecurity Framework. There are different multi-skilled teams that identify risk, protect our security, detect threats, respond to incidents and recover systems after an attack.
There are intelligence teams, working with law enforcement and scouring the Dark Web for threats. Vulnerability management teams sweeping the network at all times to look for weaknesses in our apps and software. Engineers and architects, data scientists and project managers who make sure that what we’re developing is secure from the get-go. Fraud experts who work closely with customer-facing teams. And insider threat teams who ensure that nobody is working against the bank from within.
Pretty soon, Asha was looking around for a role that would be her natural stepping-stone into cybersecurity. She started out in the Security Business Management team, as the Head of Resourcing.
“I think what sold security to me is that it’s so tangible. You can really see how what we do benefits colleagues and customers. For me, even though I was good at finance, it was just figures on a piece of paper. I couldn’t see the real end customer benefits.” explains Asha.
From there, her journey took her to lots of different roles, moving over to the change team as the Business Engagement Manager and then the CISO team where she ultimately worked her way up to CISO for Risk, Finance, Treasury and Functions.
As CISO, it’s my job to bring everything together and partner with the business. It’s a mix of relationship-building, risk, control and technical understanding. Barclays is always changing. It’s vital that we understand the aims and operations of the functions we support, so we can identify and mitigate the inherent risks as they transform.
The scale of attack landscape is huge. Barclays can’t watch every bank transaction and track every piece of code a developer writes throughout the day. So we have automated scripts which specifically look for indications of compromise or data leakage.
Threat actors often have their own signature, be it in the type of malware they use or the code they write. So we’re constantly on the lookout for rogue bits of code with those signatures. We analyse and learn from it, constantly evolving our approach.
We look at ways to ensure that the most valuable parts of our network are ringfenced and that others can be quickly isolated. That way, if malware does get into the network somewhere it can be eliminated before there’s any real impact. And we work proactively to reduce risk at any potential weak points. For instance, our third-party security team ensures that partners who need access to our networks and data are upholding the levels of security we require.
We get most of our intelligence directly through attacks on our own systems. But we also share intel with other member organisations of the Cyber Defence Alliance.
Barclays detects around 53,000 cases of ‘card not present’ fraud each month. That’s the kind of fraud where someone uses stolen card details online without physically presenting the card. And you wake up one day to find out that you bought a sofa in Arizona and took a cab ride through Budapest, all while you were asleep in Cardiff.
There are also an average of 12 different phishing campaigns running in any given month; targeted at tricking a wide range of Barclays customers into sharing sensitive data.
One trend at the moment, is an increase of ‘man in the middle’ attacks, aimed at breaking the chain of two-factor authentication security by intercepting the messages sent to customers.
Unsurprisingly, threat actors work even harder to compromise the security of people who work for a bank like Barclays. On the Dark Web, where cybercriminals go to share system vulnerabilities and sell stolen data, you’ll find around 2000 ‘insider’ posts a month. These are messages on underground forums that aim to recruit people working in banking into criminal schemes.
That’s what makes security so fascinating. The technology is always evolving. The threat landscape is ever changing. So there are new risks all the time and we constantly have to update our approach
There are two key concepts guiding the way we look to the future. SecDevOps means building security knowledge and vulnerability checks into the development pipeline. Educating developers so they are secure by design and giving them the tools to check as they build.
The Zero Trust security model is a strategic approach based around the idea that you should ‘never trust and always verify’. That means that devices should not be trusted by default, even if they are already connected to a permissioned network and have been previously verified. Every device has to prove who they are. And earn trust every time they connect.
But while these principles might seem pure tech, making things secure in the real world comes down to a whole range of roles and skills.
People think that if you haven’t studied computer science, you can’t work in cyber. But many of the skills I already had – around risk, analysis and management – were transferable.
And she explains that this is the kind of environment, where taking on a whole new career path is really possible.
“Barclays was amazing. I’ve had lots of support from colleagues to get the experience and qualifications I needed to get where I am today.”
Asha says her network within Barclays was vital to that growth.
“You need three core people to be successful anywhere. You need a confidante – someone you trust who can provide constructive feedback and support. A mentor – someone who has the skills you aspire to, who can coach you. I’ve had more than one. And ultimately you need a sponsor – a senior person willing to give you the opportunities to develop.”
People with cyber experience are rare. And there are lots of people with the right attitudes and aptitudes to be a success in this constantly evolving sector.
That’s why Barclays is currently running an internal career mobility programme called ‘Destination Security’. The programme promotes opportunities in security to different teams and departments across the business. It’s the chance to develop your skills with one of the most advanced cybersecurity teams in the banking industry.
Life-changing opportunity. It’s happening here.