The intricate world of online security
On this episode
Data is the most valuable commodity in the world, and the world wants ever-increasing personalisation and top-tier customer experience when working with data - but how does the world continue to achieve this, whilst ensuring products are both optimised, but more importantly secure? In this episode, we speak to Bronwyn Boyle, Chief Information Security Officer at Mambu, to discuss cyber security measures, education, and initiatives; and the responsibilities that both customers and companies have when it comes to using and innovating modern technology.
Bronwyn Boyle, Chief Information Security Officer, Mambu
With over 20 years of experience working in technology and security in financial services and supporting a range of organisations, Bronwyn is leading the development of Mambu's security organisation and practices in preparation for our next wave of growth.
Emma Lindley MBE, Co-Founder of Women in Identity
Emma Lindley MBE is an independent advisor, speaker and writer in digital identity. She is co-founder of Women in Identity, a not-for-profit organisation focused on developing diversity and inclusion in the digital identity industry. Emma also serves on the editorial board for Good ID, the movement towards ethical and humanitarian principles in the field of digital identity.
Emma Lindley [00:00:02] Hi there and thanks for joining us for another episode of Architects of Change, a podcast brought to you by Mambu, the cloud banking platform to help you evolve your business. I'm your host, Emma Lindley, co-founder of Women in Identity. In this episode, we're going to be chatting about cybersecurity and we're going to discuss how organisations balance customer experience alongside security. We're going to be talking about education and initiatives that should be considered when using and innovating modern technology. I'm thrilled to say I'm going to be chatting to someone who can unpick this topic more than most: Bronwyn Boyle, Chief Information Security Officer at Mambu. Hi, Bronwyn.
Bronwyn Boyle [00:00:47] Hi there, Emma. It's great to join you today.
Emma Lindley [00:00:50] I'd be super interested to understand a bit about your career and what led you to become a Chief Information Security Officer at Mambu. Was this always a subject like a passion of yours and a subject area that you were, you know, you were always interested in?
Bronwyn Boyle [00:01:09] So it's a very interesting question because I'd say the answer is no. I was quite a late adopter compared to many more technical folks in my field. My background is I studied classics in university, which is possibly the exact opposite of kind of the future forward cyber world. But I did some computer science post-grad work and that got me into programming and I really, really enjoyed the coding and development side of it. So I started my career really kind of in the first wave of digital banking, coding online banking applications back in the dot-com era. And that really piqued my interest in security because obviously I was starting to see first hand how the security of applications was so intrinsic to supporting, you know, ever increasing use of digital applications. So I pivoted then to security, took some time out to study, and I've been working in various different elements of cyber, cyber risk, information risk, privacy and compliance ever since. So I've been delighted to be able to work with some really great organisations, including Big Four companies. I've worked with a couple of the UK's leading banks, a number of start-ups and regtechs, and I've also been delighted to support the Open Banking Implementation Entity over the last few years as we've been growing the approach to open banking across the UK. And now I'm here at Mambu and I'm delighted to be helping support and make a difference to a huge range of customers across the world who are using our services for digital cloud adoption.
Emma Lindley [00:02:36] Absolutely love that. That was from classics to deep cyber security in less than 60 seconds, that was awesome. So huge amounts of experience of this subject matter of cyber security. So what are some of the biggest or the macro threats you see in the cyber security space today?
Bronwyn Boyle [00:02:58] So I think it's becoming ever more important and that is, you know, very well recognised as we see the effects proliferate quite broadly. I don't know if you are aware, but last year there was a fairly major internet security incident called Log4Shell. It was the biggest internet vulnerability in the history of the Internet. And, you know, many folks around the world and security researchers were working really hard to keep online services safe. And that, for me, was a really powerful moment of truth, kind of to show the pervasiveness of the Internet now to our daily lives and how important it is to maintain that security and maintain the safety of the services that we now rely on that are Internet based. And so from my perspective, I think looking at that interconnectivity and looking at how the threat landscape has changed, the elements of open source code, the elements of software development and software security are now vital to make sure that we can withstand threats from an increasingly adversarial threat landscape, be that cyber criminals who are looking to drive financial gain or disruptors. I mean, we've seen a lot of nation state activities that have been more focused around disruption. The Ukraine and Russia conflict, which is terrible to see ongoing, has also driven increased cyber threats that we've had to respond to. And obviously things like ransomware are ever present as a moneymaking scheme for those who are more nefariously inclined. But these sorts of impacts can really cripple a business. And again, I think harking back a few years to some of the ransomware threats that we saw, we saw the NHS very badly hit with an attack back in 2017, and a really stark example of how, you know, something that maybe was not intended to hit a national health service could still proliferate and bring a service to its knees.
So I think supply chain threats and ransomware remain very much on our radars as kind of key threats. One of the other really important elements to think about from a threat perspective, which often goes maybe less noticed, is the idea of business email compromise. And that's where cybercriminals take over an individual's email account and they use that to scam or extort money out of individuals or companies, so they can pose as legitimate suppliers. And indeed big companies, big tech companies, sophisticated companies like Facebook, before they were Meta, and also Google saw some of that type of business email compromise fraud, where criminal actors posed as vendors and got millions of dollars of invoices paid before that was discovered. On the flip side, you've got individuals who are being contacted by scammers. They may lose their life savings. And I think it's a really important element. It falls slightly outside organisations' perimeters. It's much more on end users and end customers and that's why it's often neglected. But it is a multibillion-dollar business for criminals and it's something that can be absolutely devastating for the individuals who are victimised. So I think it's an area that I certainly feel very passionate about doing more to protect.
Emma Lindley [00:06:06] And I think identity is right at the edge of the perimeter, isn't it? You know, obviously that's the area, digital identity, that I come from. So I absolutely agree with you there. If you were to predict what you think is going to be happening in the future, what would you imagine some of those areas are that you think are going to, you know, develop more? You've talked about supply chain, ransomware, you know, business email compromise.
Bronwyn Boyle [00:06:33] Well, it's really interesting that you brought up identity, Emma. And I think that idea of like an individual's identity being the new perimeter, I think is exactly where we're going as an industry and as this technology evolves. With so many organisations now choosing to host data in the cloud and use cloud based services, and also with remote working indeed, that idea of going to an office with a data centre and a perimeter that you can secure is very kind of archaic and we've really moved on from that. So the idea of having remote workers around the globe accessing servers and services that may be hosted anywhere across the globe has very much shifted that paradigm of security. So I think there's going to be increased focus on identity as the key hub of supporting access paradigms like Zero Trust, where you move to this continuous verification. It's no longer okay just to trust that somebody inside a perimeter is safe and authorised to access services. Instead, we're switching to that paradigm of continuous verification using indicators like geolocation, device metrics, biometrics to continuously authorise and authenticate identities. I think that's probably where we're going and where we need to continue to go. And it's also interesting, you know, there's a lot of debate about blockchain and obviously we're in a new crypto winter. Arguably, there's a lot of volatility in the market there, but I think blockchain does offer some interesting opportunities to solve for some of the conversations and questions around things like software integrity, supply chain kind of verification as well. Now that obviously comes with kind of high computational cost levels. And I think again, we're probably still only tapping into some of the opportunities that that technology can provide.
But we need to look at how that can happen at scale and how that can happen within a reasonable kind of operational cost envelope, I guess. And I would also say the other piece that's kind of looming on the horizon is the whole idea of quantum cryptography. So we've seen really exciting step changes in the application of quantum crypto and I think it's really being heavily invested in now. Obviously, it's kind of a bit of an arms race to see where that will go and who will choose to adopt it first. I mean, that will significantly change the landscape of the encryption that we all know and rely on right now. So it would be very interesting to see how we can use that to more accurately defend and protect assets that are safeguarded in any cryptographic form. And then finally, I would just say AI and machine learning, we continue to see great developments from the whole artificial intelligence application space. And again, that can be very helpful in helping to crunch through massive amounts of data that might be giving organisations insight into what's going on within their technology estates and kind of help that signal to noise ratio. What I would also say is the flip side is that the bad guys and the attackers are also using AI and machine learning. And you know, we touched on business email compromise earlier. I mean, that's a really interesting case where they're using AI and machine learning to kind of really synthesise and understand and emulate an individual's voice, tone of voice, tone of writing to more accurately kind of impersonate them and to craft very convincing attacks. So it's always interesting to see kind of how any step change in technology can be used both for good, but also on the cybercriminal side to kind of get a head start. And it will be very, very telling over the next few years as we see how that continues to evolve.
Emma Lindley [00:10:09] Lots and lots of technological change, you know, and advancement. You know, absolutely, I agree with you. Tools and weapons. When we think about it from a customer perspective, particularly from an identity perspective and, you know, identities being at the perimeter, we're also talking about humans, not just technology, you know, absolutely humans and how they interact with that technology. So how, in your really vast experience, do we create secure experiences for customers but really optimising those customer experiences as well, when we've got all of these new threats and threat vectors that are emerging?
Bronwyn Boyle [00:10:52] It's a really great question. And, you know, I love your focus on individuals, right, because at the end of the day, there's always somebody at the other side of a computer somewhere. And often as technology evolves very quickly, we can tend to forget that. And I'm a big advocate of making sure that we're not leaving customers behind. We're not putting unnecessary barriers or kind of confusing obstacles in their way, particularly as the pace of digital change evolves so quickly. It's a steep learning curve, and that learning curve is getting steeper all the time. So what I would say is I think two things. One is making sure that we are looking at how to streamline security controls into processes in as frictionless a way as possible and very much aligning those controls with the risk profile of the activities that are being carried out. A great example of that is in online banking and mobile banking, the idea of kind of step-up controls, step-up security, that increases the burden and the onus of authentication or authorisation along with the risk of the activities that are being carried out. I don't necessarily need to provide my full banking PIN or banking one-time passwords if I just want to get read access to my balance. But if I want to create a new payee on my bank account, you know, it's great to be able to be given prompts to say, okay, now you need to provide extra inputs, extra authentication, use your biometrics on your mobile phone, use your one-time passwords that are randomly generated, etc. So I think that idea of kind of step-up control is a great way of trying to ease controls into user journeys in a way that makes sense to them. It doesn't seem counterintuitive, and it helps kind of raise awareness of the risk profile to the end customer as well.
I think the other area that's worth thinking about is how we make increasing use of some of the biometric technologies that are already embedded in our mobile apps. So again, people are comfortable using that type of technology on their mobile phone. There's great progress being made with industry groups now who are looking to see how they can take those biometrics and seamlessly integrate them into user experiences. Again, take this as a step-up control, but one that hopefully would minimise any noise and interruption for users. And I think that's a great paradigm, I think, to kind of make sure that users are more comfortable moving forward. The third element, I'd say, as well, is some of those in-the-moment messages that you can provide for your customers. And again, obviously coming from a banking background, I'm probably more familiar with some of those types of controls, but a great step forward has been in confirmation of payee. I'm sure you've seen this yourself, if you've been online banking over the last while, there's a facility that will match the name of the person that you're looking to pay with the account number that you've given them. And if there's a disconnect there, so if you want to pay Bob and the account number X12345 that you're paying into doesn't match Bob's name, you'll now get that notification. And this is a really, really great step forward, particularly in helping against scams, because if somebody is pretending to be somebody they're not and the account number doesn't match, you will now see that and you have an opportunity to review those as you're making transactions. So yeah, I think those sorts of in-the-moment controls and increased use of kind of seamless and frictionless step-up controls I think will really help drive better user understanding, but also drive kind of faster throughput and better customer experience.
Emma Lindley [00:14:21] And who would you say, from an information security and customer experience point of view, is doing it really well right now?
Bronwyn Boyle [00:14:31] There was a recent announcement by Meta that they're looking to now support inline payments on Instagram. And I think that's a real game changer. And it's a really interesting example of where, you know, a number of different innovations and kind of changes in security control have been stitched together to now support and allow that type of payment option within social media apps. You know, Meta will be leveraging customers' existing comfort factor and familiarity with their authorisation mechanisms on their own phones and their understanding of how they interact with the Instagram app, and then allowing that to take the next step further into making payments, which is a real game changer, I think, for the industry and also for incumbent financial services providers, because it's demonstrating, again, that those payment opportunities are really kind of proliferating in new and varied forms. The flip side, I would say as well, is, I mean, security is more than a hygiene factor now, right? It is an existential requirement for pretty much any business. Nearly all businesses are digital businesses. And I think again, it's been very interesting to see increased pressure in the US to make sure that there are board level and subject matter experts who can advise on cyber and who can help companies to kind of really ensure that that's very firmly on the leadership's horizon. Likewise, there's also kind of increased scrutiny around reporting of cyber incidents and events. And I think that just tells us as well, you know, nobody gets this 100% right. It's always a learning journey. And it's really important to kind of keep transparent and make sure that we're keeping the customer's best interests at heart.
Emma Lindley [00:16:10] We've touched a little bit on some of the new methods that we're putting in front of customers. And if I think about it in the UK, we've got open banking, we've got Open Banking, PSD2, SCA, you know, they all require new security methods like biometrics and one-time passcodes. You've talked about some of the things and ways in which we can help people understand and, you know, put prompts in front of them, having step-up control, in-the-moment messaging. What are some of the other ways that we can get customers to understand some of these new security methods and enable them to stay secure?
Bronwyn Boyle [00:16:49] I think your point is super valid. I mean, I think there is a steep learning curve, as we've touched on. And that view of the digital divide, I think, is something that we need to think of at a kind of society level. And I think some of the digital natives may not struggle with these new types of control, but people who may be less familiar with online technology, who may be less comfortable using online apps or mobile apps, there's a real risk that those folks get left behind, or that we need to kind of cater for them from a security perspective in a different way that is more inclusive and is more aligned with kind of how they perceive and how they interact with online services. So I think that's something I feel needs a lot of focus and attention, particularly just as the risks of digital inequality are kind of manifesting more clearly. And I think the other piece as well is, my time at Open Banking was a really insightful opportunity to see where the industry was changing and where there were those maybe friction points or kind of understanding gaps, shall we say, in the broader customer base. And we really had some great initiatives to see how we could better support them, including just providing consistent customer messaging. So, I think with the panoply of different payment opportunities now comes a vast variety of different types of security messaging. And if you look back many years ago with the first advent of online banking, there was a real push at an industry level to consolidate around messaging around fraud, because it very quickly became clear that without that type of dedicated education and consistent messaging, fraud losses would really, really hurt the online banking proposition and customer trust would erode. I think that really drove great collaboration and great consistency of messaging. So people knew, don't give away your password, don't give away your PIN details.
You know, make sure that you keep those safe and secure. Again, with new payment channels coming in and new opportunities to interact online, there are new mechanisms and new requirements for customers to keep other types of data safe or to keep aware of the types of scam. And I think what we're missing right now maybe is that very harmonised and very consistent user messaging at an industry level.
Emma Lindley [00:19:03] I agree with all of that, I think. And, you know, one of the other things is when we think about, you know, you and I, we think about a lot of the people that are working within the digital space, within the security space, within the digital identity space. We're also not necessarily representative of the population. And I think having that empathy for the user, really, as you say, putting them at the heart of everything that we do, all users, will really enable us to think about the challenges that they face and the ways in which we can help educate them around some of these topics, rather than just assuming perhaps the user is, you know, like us.
Bronwyn Boyle [00:19:47] Yeah, that's a great point, Emma. And I think you've touched on again just something that's at the heart of what we need to think about from a technological perspective, which is how we make sure we've got the most diverse, representative elements in, if we're using training datasets, how do we make sure that we are constantly and consistently looking for ways to make sure we've got the diversity of the populations of customers that we're serving, end to end, as we're developing products and services.
Emma Lindley [00:20:14] What would you say are some of the best ways, best practice ways to roll new features out with all of that in mind?
Bronwyn Boyle [00:20:22] I think the idea of having a representative customer at the heart of how you're developing your products is a great rubric to follow. With the rise of more kind of continuous development and kind of rolling out of new and agile services, the idea of having customers very much involved in your user experience and your design and your interface, and collaborating and integrating into that, I think is paramount. I also feel that the industry knows, as we have more kind of rapid development practices, agile development and kind of increasing mechanisms to do things like A/B testing, where you can kind of pilot two different mechanisms of getting a service to market and see which one resonates better, that gives you a great opportunity to get a broader set of user feedback. And I think also kind of having the customer at the heart of how you're also implementing those security controls and testing through that and getting that feedback directly from the voice of the customer is really helpful. It's been very good to see the industry now kind of coalescing around things like, you know, the voice of the customer, end to end customer experience, customer advisory boards where you have kind of that representation from a broad population of your customer base. That's a great way of just making sure that you have that constant and continuous feedback loop that allows you to really keep that customer centricity and make sure that whatever you're putting in from a security perspective isn't inhibiting the effectiveness and the efficiency and the attractiveness of your customer proposition, but is also kind of maintaining that inherent security and supporting them on their journey with your products and services.
Emma Lindley [00:21:53] I mean, we're all customers as well. Practically, how should customers be adapting to new changes in their online life? You know, should they, you know, in terms of like sticking to methods that are working for them already? Or is there any way that people can help themselves with some of these new security methods or educate themselves?
Bronwyn Boyle [00:22:13] Can they stick to the old methods? I think the answer is no. You know, things have moved on so quickly. And it's funny, you know, sometimes, like when I talk to my mom, you know, she'll say, oh, you've got to have a password for this. And it's like, you know, it's not enough to have one password anymore. Times have changed so much. And I think that idea of focusing on customers who may need that re-education and may need to be brought on the journey to say, why do we need these extra layers of security? Why do we need to change our behaviour? You know, the why is very important to get across. And I think, you know, there are some simple things that people can do, absolutely, to maintain security. And I would always say, you know, switch on multi-factor authentication wherever you can. It makes things so much more difficult for attackers and it's something so simple and straightforward. A lot of people still kind of see it a little bit as an inconvenience, but believe you me, it's far more convenient than the alternative if something was to happen. And likewise, I think the idea of making sure that, you know, customers and all of us are using unique passwords, using password managers, if passwords are still needed, you know, that is essential. Right? So the amount of people who reuse passwords is pretty shocking. And you'll probably have seen that, you know, there's millions of accounts online, but actually when they do analysis, time and time again they find very simple passwords that are reused. And of course, that's a dream for an attacker: for very little effort, they can cause a lot of damage. So, again, that idea of using strong, unique passwords for everything is really imperative. And that is a shift, right? Because I think people are used to kind of the old world of having one PIN and I stick with it and that's enough. You know, that messaging, I think, has really changed.
And I think the other final piece I would say, that is a simple kind of practice to put into our kind of everyday behaviour, but again, it has a lot of impact, is just really to kind of be mindful about not trusting messaging coming in over different channels. We've seen increasingly sophisticated SMS types of phishing attack, email types of phishing, again using artificial intelligence. You know, I think the idea of, any time you're getting a request to send money or to kind of take action, the idea of kind of just pausing and saying, okay, I'm going to validate this through a different mechanism. If I got a text, I'm not going to text them back. I'm going to look at their phone number online and I'm going to call that number that's kind of registered to the company's account. Or if you get an email and you say, actually, you know what? Again, I'm not replying by email, I'm going to phone them, or I'll use their online chat facility. Just breaking that pattern is a very, very powerful way of making sure that customers can stay safe.
Emma Lindley [00:24:47] Some absolutely brilliant practical advice there from Bronwyn. Thank you so much for joining me.
Bronwyn Boyle [00:24:53] Thanks a million for the discussion, Emma. I enjoyed it! Thanks again.
Emma Lindley [00:24:56] Absolutely loved hearing Bronwyn's journey from classics to cybersecurity. Listening to her talk about some of the really big threat vectors that we've got, you know, supply chain, ransomware, business email compromise, and the fact that, you know, something that's kind of at the heart of everything I do, identity, is the perimeter of security nowadays; things that organisations need to be thinking about in terms of putting users at the heart of the design, thinking about making sure that we're developing security for diverse groups and really, you know, putting in the voice of the customer, doing A/B testing, that was really critical, I think, from what Bronwyn was saying; and what we can do individually to help ourselves and secure our own services: multi-factor authentication and then using a password manager, making sure that you've got strong, unique passwords. And that brings us to the end of this Architects of Change episode brought to you by Mambu. Thank you to my brilliant guest, Bronwyn Boyle, Chief Information Security Officer at Mambu. If you'd like to delve more into her work, please head to mambu.com/insights. For more Mambu podcasts head to wherever you get your podcasts and don't forget to subscribe to our channels, so you don't miss an episode. I've been your host, Emma Lindley. See you next time.
We believe in the power of change, and so we'll bring you stories and hands-on advice from the most inspiring entrepreneurs, the greatest innovators and the serious up and comers, every two weeks on Wednesdays.