Cyber Trends in Financial Services
Ann Johnson: Welcome to "Afternoon Cyber Tea", where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. Today I'm joined by Sharon Barber, Chief Information Officer at Lloyds Banking Group. Sharon is responsible for group-wide IT service, cloud and traditional technology infrastructure, security and technology resilience at Lloyds. And prior to this, as Chief Resilience and Security Officer, Sharon headed up teams responsible for cyber, physical, and information security activities, along with sourcing, supply chain management, and divestments. As part of this role, Sharon led Lloyds' operational resilience strategy and implementation, and the group's response to regulatory policy requirements. Sharon also led the group's incident response to the COVID-19 crisis. Sharon is co-chair of the UK National Cyber Advisory Board. That's a lot, Sharon. Welcome to Afternoon Cyber Tea.
Sharon Barber: Thanks, Ann. Great to be here.
Ann Johnson: So you're the CIO for one of the largest financial organizations in the UK and around the world. And you've had this fantastic stretch at Lloyds, having served in many leadership roles. Can you tell the audience a little more about your career journey and what led you to your role today?
Sharon Barber: Yes, sure. I've always loved tech, even as a child, and I did computer studies at school. So I started in the tech journey, went to security, and back into tech. My technical experience started as an IT systems administrator back in 1994, and was predominantly systems administration for mid-range and Windows. I also did a little coding in COBOL 74, 75, if you can remember that far back. And then I progressed through normal career path, technical team leader roles, and into technical management roles, running 24 by 7 production support, running large infrastructure delivery teams, and managing large outsourced services and contracts. And then back when Lloyds and HSOS merged in 2009, as part of that, I ran a large technical integration program, migrating our Windows infrastructure, predominantly Active Directory Exchange and our branch counter platform, which was on a Windows platform. I also did some network security during that period. And I acquired some much-needed structural planning skills as part of that. So it sort of set me up for my next role, really. And also as part of that, I volunteered, a bit out of my comfort zone, to be one of the four group incident directors, which meant when you're doing an integration, working 14 proving weekends over one year, running the incidents on the weekend of the formal integration. And so that sort of set you up for your security career, really. And it was just after that, in 2011, I was appointed the group IT security director to run our day-to-day and but also transform our IT services. So I originally took that on to maybe do it for a year or so. 10 years later, I was still in the security field and loving it. So love security, you know, it's dynamic, it changes every day. What I would say is the move in security was technically smooth. The development for me was very much in the learning of the policy side of things and the governance side, as well as building the new set of business stakeholders that you need in security, rather than it's more back end in the IT world. And so did lots of things, as you said, I've also done IT risk and major program roles. And then in 2017, I was appointed the group chief security officer. That's the first time we had a CSO type role in the group. So we created that to give us more teeth, really, and to be able to set the mandate as we went forward. And as part of that, I took on operational resilience. So with operational resilience came COVID and running the COVID incident during the crisis, which was a pretty busy period, as you would know. So trying to get at this end, trying to get 20,000 colleagues productively and safely working from home, which is a bit of a task itself. And then only last year, January, I was asked to take on the CIO role. And so it's all going from where I started in IT to security back into IT. So I think it's a good grounding, actually.
Ann Johnson: It is. It's a diversity of experience. But once you've worked on the ground in security, it's hard to understand the actual work that's done by the security analysts and the incident responders. So it's a tremendous background for you to have empathy and appreciation for those jobs. So a few years back, you made this transition. You went from chief security officer to the chief information officer role. And that's not a super common transition in the industry. At least it hasn't been over the last decade or so. Do you expect to see more of that in the future? Do you think that more CISOs have ambitions to rise to the CIO role?
Sharon Barber: I'd like to think so. Maybe they don't realize they have the ambition to do that. I think we should definitely talk about it more. And it does depend on your background and experience. I think if the CISO is technical, which more and more is the case these days, and has either IT experience or work closely with the IT teams, then I think it's a great career path and opportunity, and people should start to consider it. And if you think in many areas, technology and security are very closely linked. Everything is digital and online. And so it is very similar. And the non-technical skills are very transferable, especially those leadership skills you need in security and managing stakeholders at executive and board levels, and then also building high-performing teams. So I definitely think it is a good transition. Though I would say it's a different hat that you wear. No surprise. You go from setting the security standards, running the operations, and setting expectations, and security being top priority, to having to trade off the risks across the ecosystem. And it doesn't mean security isn't top priority. It just means you have to think about it end-to-end on the risk side. But what I would say that has been great is that as a CIO with a security background, it gives you the experience and the mandate to drive security ownership right through the organization and ensure that security is considered at the outset rather than if it's somebody else's job to consider.
Ann Johnson: Yeah, and I do think that -- I agree with you, by the way. I know a lot of CISOs that are great business leaders and are really great executives. And seeing them broaden that and also bring, again, appreciation of how security, how important is the organization's CIO role, feels like it'd be a natural fit, right? So can we talk a little about the financial services sector? It's been and continues to be one of the most targeted industries from a cybercrime perspective for probably fairly obvious reasons. What are you seeing in the way of threat trends and issues that the industry is facing today?
Sharon Barber: I don't think it'll be any surprise to you. The top threats that are front and line in our industry is still ransomware, data theft, and third-party compromises. Ransomware is key. It remains one of the highest threats to the UK financial sector. And we fully expect to see the formation of new ransomware families and TTPs continue to change. I know the industry has seen ransomware morph towards a straight theft of data, which requires payment in return, rather than the deployment of ransomware or destruction within an organization. But the threat is still really high in that space. And then if we look at supply chain attacks, they're also increasing quite significantly. And we're seeing suppliers being targeted by phishing and business email compromised attacks in the main, of which we work with our suppliers quite closely. But ultimately, as we see, I think, consistently through the industry, as big organizations invest more in their security, the threat actors are looking to target weaker areas in the supply chain, where their capabilities and investment might be quite different. And then the one that I probably haven't mentioned is nation states, and we probably have to mention those. They're always a threat to all of us. And you all know that better than most, just how volatile the geopolitical environment remains, and particularly the threat to firms that are part of their country's critical national infrastructures we're seeing in Ukraine. So that's pretty key. And then also, the other part of nation state is the threat of espionage and data theft, which we all obviously worry about. So some key threats we're all managing, Ann.
Ann Johnson: Yeah, I think that they're pretty common, pretty well understood. But it's a good refresher for the audiences, people, you know, sometimes you get flooded with so much information, you lose focus on what actually is happening out in the world. So thank you for reinforcing. As the industry level, the threats have evolved along with technology, right? And I'd like to talk a bit about that as, you know, here we are the hyperscaler at Microsoft and financial services has been in some way a bit of a laggard in adoption of the cloud for some regulatory reasons and for security concerns. But what is your perspective now on that? How do you feel that organizations are thinking about moving critical workloads to the cloud?
Sharon Barber: Yeah, it's definitely taken us some time. As an industry, we're really heavily regulated and have significant responsibility to our customers, which means the bar is often higher for our industry than many others. Where cloud has matured to today, though, you know, it's absolutely providing great opportunity for growth at pace, whilst also improving our security and resilience capabilities. So you know, the ability to automate standards and guardrails and embed them at the core is a real difference. And actually, it pushes us towards actually using cloud today. And it has taken us a little while for the regulators and the industry to get comfortable with that. And not just about the technology, but about having the appropriate skills and capabilities to run and develop in the cloud as well, because you do have to run it and things do go wrong. And you've got to be able to have that capability within your team. So that's taken a while, I think, for the industry to acquire that. So I think that's a key one as well. And in the environment we're operating in today, any breach or misconfiguration can leave data exposed to the internet. And so I think that's a real challenge for us and we can't afford anything to fall through the cracks. So one mistake can be, I think, fairly costly in that. So it definitely took us time. I think the time it has taken, though, we've now built, I think, really good relationships with the cloud providers, and we have been able to implement the control frameworks that provide us with the confidence that we do have the right controls in place and we have got the right capabilities. So I'd say in today's terms, in moving critical workloads into the cloud, we're definitely supportive of this. And of course, you still need to ensure that the controls are in place to secure your data and the appropriate resilience patterns are there. But the capability has moved on so much and we're definitely supporters.
Ann Johnson: Yeah, and I think it was balance, right? You were the first person who gave me the Bank of England's document they wrote several years ago on operational resilience. And having the most sophisticated and most highly regulated customers challenge us in what the controls we put in the cloud has been really good, right? It's been a really good evolution. And now having that confidence that there is actually a lot of value in being in the cloud and we can keep you secure and compliant, it's a good place to be. We're always evolving, but it's a good place for the hyperscalers to be pushed like that from organizations as sophisticated as our financial services customers. So let's change, Sharon. You know, we can't talk tech at this moment in time without talking about the buzzword of the moment, which is artificial intelligence. Can you talk a little about AI, what you think the challenges and opportunities are within financial services, even above and beyond cybersecurity or tech, and more broadly, the challenges and opportunities ahead with other emerging techs like confidential computing and quantum?
Sharon Barber: Well, you just can't have a conversation today without talking about AI, can you? Absolutely. I think with all emerging technologies, you've got the two sides to the coin, haven't you? They all present brilliant opportunities and they all present vulnerabilities. So, you know, we have to consider each one sort of as they come through. With AI, there's some brilliant opportunity there for us. I don't think the threat landscape will materially change this year, but it certainly will in the medium term. But it does give us some great capabilities. You know, there's certain things we can use in our security capabilities to improve our monitoring and detection and provide better behavioral analytics and adaptive defense mechanisms as well, just to name a few there. So I think the opportunity is great. The threat actors will undoubtedly start to exploit new AI tools for malicious purposes. You know, we're already seeing some of that as well, but, you know, and they will start to develop malware in that space, enhancing social media engineering and enhancing lower function steps on the attack path. So I think there's definitely a lot of vulnerabilities coming and it's pretty huge in everyone's agenda. So I think in that area, we've all got to get stuck into it and make sure that we understand it so that we can utilize it and also help defend ourselves against it. Similarly, the development of quantum computing, not an immediate threat, but it will be in the medium to long term. You know, as we know, cyber actors with quantum capability will be able to defeat encryption and potentially compromise data and network security. So those that have been harvesting data today, and we know they are, it could bring strategic and commercial advantages for them. So that's one that everyone's concerned about. And it's one that we've got to make sure that we stay abreast of what's happening in that space and how to move forward in it. So I think all of these, Ann, are key ones where we've got the opportunities and the vulnerabilities as we go through. And the same is for quantum computing. So you know, with that, we'll come to vulnerabilities as well. I think the challenge we have is to make sure we do understand the technology and threats so that we can build those capabilities.
Ann Johnson: Yeah, I think that's right. And I think all of those technologies, I promise, but they also all have their own level of threat and something the bad actors can exploit or potentially use, right? So, look, one of the reasons I love cyber and I've been doing it forever is it's a rapidly evolving industry. That rapid evolution, though, also requires constant innovation. Can you talk about your perspective on innovation in cyber?
Sharon Barber: Absolutely. I'm a firm believer that innovation is not just a nice to have, and it's critical for all of us to keep pace with the threat and stay ahead. And that's not just in cyber, that's in all of our businesses. What we need to do is individual firms and as industries, we need to be thirsty for new and innovative ideas. There are some great startup hotbeds here in London, but particularly in the US and Tel Aviv, we're trying to support the UK as much as we can. We're a founding partner of LOCRA, the London Office of Cybersecurity Rapid Advancement. That's not easy to slip off the tongue, but I think it's really important that we work together and we support the government cyber security strategy. So that's a key one for us in the UK. And as you interact with these great startups, you know, over the years, we've found some really useful technologies through these engagements. But it is wider than just, you know, leading edge technologies. It's important to build a culture and build innovation into business as usual and what you do every day, making sure that your labs are building innovative ideas into their backlogs and strategies and not being afraid to fail as well. You know, so it's very much a mindset. We have to think differently and ensure innovation is a core part of our business processes and not just something exciting done by a few people on the side.
Ann Johnson: I think that last statement is key, right? We should be innovating to solve real problems and we should be talking to our business stakeholders all along the way to make sure that we're solving the most important problems. So with that, let's talk about talent. Look, we continually talk in the cyber industry about how the talent shortened, right? Reports vary, but it's estimated there are millions of open cyber roles around the world. And I often say if we want to alleviate that gap, we need to start rethinking the skill sets. We need to start rethinking diversity and we need to be more open about the talent we hire. What is your perspective on this? What skills does one really need to be successful in the industry? What should leaders in cyber security be looking for?
Sharon Barber: So Ann, I agree the skills and capabilities are absolutely critical. We often always think about it in one dimension. I think the governments are doing some great things building diverse talent pipelines at the lower end, but there's definitely a lot more we can do. And from a skills perspective of leaders, we need to be looking at how to build pipelines for the most critical skills we need and identifying where these can be best found. And they're not often, you know, where people are looking. So firms often look for cyber skills when there are many transferable skills out there that are perfect for cyber roles. So if we take networkers, sysadmins and software coders, you know, they make the best cyber security technicians as they know how the architecture and the software hang together. And we can teach them security. That's the easy bit, I think, is having that background and knowledge. So that's a great combination. And then I think the skills that we're also looking for are those that are curious by nature and having great problem-solving skills. And those are really transferable skills from other industries. And I don't often think we look in those spaces. So I think the individual, if they have the right aptitude and desire to continually learn, you know, that's a key factor. So we often look for the ready-made person when I think it's much more about looking for talent and potential and maybe in other IT areas as well.
Ann Johnson: I agree with you, by the way. Having a baseline, because I had a long career before I went into cyber, right, and it was all infrastructure work, network and storage, it really helped me understand the systems that we're securing. So I think that background, you can teach people cyber skills. I also think diversity and inclusion plays a big role here. While some progress has certainly been made over the year, there's so much more we can do to improve the representation. Can you offer your perspective on this? Why do you think diversity inclusion is important?
Sharon Barber: So we have a diverse set of threats. So we have to be diverse in our thinking, our gender and our culture. So when we look at diversity, a lack of diversity in cyber puts us straight at a disadvantage as the thinking and problem solving that we do will be much narrower and means that our solutions and defensive capabilities will be less than those of the adversaries. We all know it's really important that, you know, we have to embrace people's differences, but not just gender and culture, but the way we work and how we think. I've always thought of diversity of thought is really key and is a real game changer. And we really need that representation at all levels to ensure that we're challenging the way we do things. So diversity is really important. And then if we do nothing else, research tells us that diverse teams perform better. So we all need to do better in this area.
Ann Johnson: Yeah, we like to say here, our team seems to be as diverse as the problems we're trying to solve. And that diversity of thought, experiences, educational backgrounds, et cetera, is also incredibly important. And we need to think about those things. As we think about how we skill and diverse inclusion, what advice would you give to your peer leaders who are grappling with the same challenges and issues? And what advice would you give to aspiring cyber defenders? For leaders, I firstly think it's about being deliberate. Unless we start measuring diversity, taking specific action to address the gaps, and particularly building the pipelines, it's going to be much harder to build the diverse team that you need at the pace that you'd like to go at. So I think that's key, being deliberate first. And then once you've been deliberate and you've got the team that you need and you want, and you've got that great diverse team, keeping and retaining high performing teams are critical. So once you've got them in your organization, I think that must be a key focus for leaders. Not just looking outside, but keeping the ones that you do have are critical as well. In terms of aspiring cyber defenders, I'd go back to the point I made earlier. There's a huge amount of opportunities out there, and it's about continuously developing yourself and having that restless curiosity about everything that you always want to learn and move forward. So the advice I'd give them is to continually make time to learn and always be where you want to go to next. There's lots of support and lots of opportunities in cyber, and you've got to be prepared to really get stuck in and build that career and put the time in for that development. I completely agree. And one of the things that people have to realize is it is a lot of learning, but you have a ton of peers in the industry that will help you. So, well, I know you're super busy with lots of irons in the fire. I'd love to you share for our listeners a few of the exciting things you're currently working on.
Sharon Barber: Well, on a day-to-day basis, it's pretty standard stuff. Keeping our customers safe and secure, keeping our key technology platforms and services running and resilient, you know, that pretty well keeps you busy mostly. On the security side, we're building the next phase of our security strategy. We tend to do it in three-year chunks, but keep it live as we go through. So looking at how we need to face into the threat and how do we continually look to embed security across the organization and how do we make our security services much more consumable for the businesses. So ultimately, you know, we set ourselves some goals to how do we help the business go faster but safely. So there's some key things we're doing on the security side. On the tech side, we're continuing to build our cloud platforms. We have a big transformation program in that area, moving to self-service capabilities, embedding agile practices across the workforce. So there's a huge amount of transformation going on across there. And then from a personal perspective, outside my day role, I'm really enjoying the role I have as co-chair of the National Cyber Advisory Board, working with the Cabinet Office and the UK government. So that's great trying to bring the industry and the government much closer together. I'm a true believer of collective responsibility and, you know, that is a great opportunity to support the UK and its cyber strategy and also help to build out the cyber capability of the future. So plenty to keep busy with at the moment.
Ann Johnson: I know, you're so busy. We talked about that at the beginning. I really appreciate you making the time to join us today. And, you know, despite the rise in cyber crime, I believe our cyber defenders continue to be one step ahead of the bad guys for the most part. And so I'm always an optimist, right, about the future. And based on the conversations I have with folks around the world, I think they are also, including you. So I'd love to hear what you're optimistic about and your perspective on how we can continue to come together and defend our digital world.
Sharon Barber: I think it's all about the people. And I'm with you. I'm an optimist as well. We know we're in an arms race and we know that the threat actors will continue to innovate and find new ways to attack us. And they're well resourced, you know, and they work well together. But we have some brilliant people across the globe and in our industries who are as good or better than the adversaries. And they're really motivated to do the right thing and be the best and really want to defeat the criminals and the nation state actors. So I'm with you. I'm really optimistic the future. There's always more we can do, of course, but I think if we work together more collectively, you know, I truly think we'll be successful. So for me, it's all about the people. And I totally agree.
Ann Johnson: Completely, Sharon. And thank you so much for taking time out of your busy schedule and for joining me today. It's always a pleasure to speak.
Sharon Barber: Thanks, Ann. It's been great to be with you.
Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea". I chose Sharon Barber, who's the chief information officer at Lloyds Banking Group, to join me for Afternoon Cyber Tea because she is just an incredible leader across many dimensions, technical dimensions, culture dimensions, people dimensions. And she has such a broad and vast experience and is a recognized leader in the UK. It's a great episode, and I'm sure everyone will enjoy it.