PODCAST
Cybersecurity: Current and Emerging Industry Priorities and Threats
Over the past year, cybersecurity has only increased in importance as huge swaths of the workforce began—and continue—to access networks remotely, resulting in a significant shift to the cybersecurity landscape.
On this episode, we hear from John Brady, FINRA’s Chief Information Security Officer (CISO), and Eric Pickersgill, FINRA’s Deputy CISO, on how FINRA handled the transition and areas of focus for the year ahead.
Plus, we learn why you should think twice before trying to brush that piece of hair or dust off your phone screen.
Resources mentioned in this episode:
Listen and subscribe to our podcast on Apple Podcasts, Google Play, Spotify or wherever you listen to your podcasts. Below is a transcript of the episode. Transcripts are generated using a combination of speech recognition software and human editors and may contain errors. Please check the corresponding audio before quoting in print.
FULL TRANSCRIPT
00:00 – 00:22
Kaitlyn Kiernan: Over the past year, cybersecurity has only increased in importance as huge swaths of the workforce began and continue to access networks remotely, resulting in significant shifts to the cybersecurity landscape. On this episode, we hear from two of FINRA's cybersecurity experts on how FINRA handled the transition and what keeps them up at night as we look ahead to the coming year.
00:22 – 00:32
Intro Music
00:32 – 00:54
Kaitlyn Kiernan: Welcome to FINRA Unscripted, I'm your host, Kaitlyn Kiernan. Today, we are welcoming back to the show one of our very first guests from three years ago, FINRA's Cybersecurity and Chief Information Security Officer John Brady, and a new guest, Deputy Chief Information Security Officer Eric Pickersgill. Eric and John, welcome to the show.
00:54 – 00:56
John Brady: Thank you, Caitlin. Good to be here.
00:56 – 00:56
Eric Pickersgill: Thanks for having us.
00:57 - 01:19
Kaitlyn Kiernan: So now that we've been remote for about a full year, I wanted to talk about some of the lessons learned as we've been working remotely and look ahead to some of the emerging priorities in the cybersecurity space. But before we get into all of that, John, since it's been a while, since you've been on the show to kick things off, can you just tell us a little bit about yourself and FINRA's Cyber and Information Security team?
01:19 - 02:46
John Brady: I've been with FINRA for a little over 18 years now and have had a variety of responsibilities. But by far, the one that I've enjoyed the most and certainly found the most challenging is as CISO for the last eight and a half years. And since the last time I was on our podcast, there's a lot of things that have changed here at FINRA and a lot of things have stayed the same too. What hasn't changed is our overall commitment to cybersecurity. We take it very seriously and we put a lot of resources and energy and investment into our cybersecurity program.
But what has changed is we have more now in the way of cybersecurity programs now. As we took over the Consolidated Audit Trail project, we created a separate security team focused on that system because it is so important to the industry and handles so much data, some of which is sensitive. So, there's a dedicated CISO for CAT. That's David Yacono.
And then also in the FINRA cybersecurity program, we have added more leadership, talent, and capability in the form of Eric Pickersgill who is on this podcast. He is my deputy CISO and he is ready to take over in any way needed if something was to happen to either David or myself. It's nice to know that we have the leadership capability here to quickly fill in and keep the programs running smoothly.
02:47 - 02:50
Kaitlyn Kiernan: And Eric, how about you? Can you tell us a little bit about your background?
02:51 - 03:16
Eric Pickersgill: Sure. So, I started at FINRA in June, so it's been seven or eight months now. It's been phenomenal so far. Before that, I worked in security leadership positions at Wells Fargo, Capital One, Verizon. I also provided security consulting services to Fortune 500 companies and federal government agencies at organizations like KPMG and Booz Allen Hamilton.
03:17 - 03:27
Kaitlyn Kiernan: Great, so you have a little bit of a unique perspective as someone new to FINRA and someone who had to deal firsthand with some of the cybersecurity concerns with onboarding remotely.
03:27 - 04:15
Eric Pickersgill: Yeah, it was very seamless. I had started on Monday. My computer came in first thing Monday morning and I was on email that very same day. I was really impressed by how seamless it was. And I've worked at places where it took two weeks to make that happen, and that was before COVID and the pandemic. So, from that perspective, it was great in terms of operating with the team and everything, I think everyone's really mission focused and very diligent. And we have the tools and infrastructure to support the distributed workforce. So, the ability to work and meet with people on a regular basis has been parallel to what you would experience with the office. So, if you're a new person coming in, I feel like I've been a member of the FINRA family for a while. That's partly because of the people here, but also because of the technology we have to allow the remote collaboration.
04:15 - 04:25
Kaitlyn Kiernan: John, you mentioned a little bit about working with FINRA CAT and the leadership team, but how does your team work generally with other groups within FINRA?
04:26 - 06:16
John Brady: We have multiple missions in the cyber and information security team here at FINRA. One is to operate our own controls and make sure emails that arrive or files that are downloaded via the web are free of malware and safe for users to open and interact with. But another is to guide the organization as a whole. For example, the tech teams that develop the software that FINRA uses to do its business as a regulator. We guide them on how to design and develop and test the security of those items to protect data and ensure that it's only accessible to those users that should have access to it as part of their job duties, and that otherwise the data is well protected not only from unwanted access by FINRA staff, but certainly outside attackers.
Now, for CAT, the Consolidated Audit Trail, we also have multiple roles, one of which is operating the security controls that CAT depends on. So, we are essentially a security service provider to the Consolidated Audit Trail. But then Eric and I are also part of the Consolidated Audit Trail's Security Working Group, which is a group of CISOs and other security professionals from all the self-regulatory organizations that are participating in CAT. And we meet on a weekly basis and discuss issues, concerns, risks, threats and develop plans, whether those are new controls or enhancements to existing controls or establishing policies and procedures, whatever it might be. As a group, we discuss them, we figure them out. And David Yacono I mentioned earlier in his role of making sure CAT is secure.
06:17 - 06:27
Kaitlyn Kiernan: And on this podcast in the past, we've had Dave Kelly, who works with our Member Supervision cybersecurity specialist team, do you work with that group as well?
06:27 - 07:22
John Brady: Absolutely. We collaborate with David regularly and in a few different ways, one of which is if a member firm reports a cybersecurity issue, quite often David will reach out to me or my team and ask us, what would you do to respond to this cybersecurity concern or incident? And so, we'll offer our expertise as to what we would do if a similar thing were to happen to FINRA. But then we also work with David and his team on coming up with reasonable guidance for firms. And we recognize that firms come in a variety of sizes from very large, much larger than FINRA, to very small, and that it's difficult to come up with one size fits all guidance, but we try to do so working with David and other members of the Member Supervision staff as they're publishing white papers and other guidance or just interacting directly with firms on cybersecurity issues.
07:23 - 07:30
Kaitlyn Kiernan: As I mentioned, we've been remote for about a year now. How has that impacted FINRA's cybersecurity program?
07:31 - 09:35
John Brady: So, the impacts were relatively small, and the reason is, is FINRA always has had a large contingent of remote workers. For example, our examination staff spends a lot of time, or at least used to before the pandemic, spent a lot of time on the road out at firms conducting our examinations. So, we've always had to accommodate that. And then also we had the goal of when there were snowstorms in the major metro areas that FINRA has a lot of staff, that those would have minimal impact on the organization. And we had plenty of capacity for staff to be able to connect remotely and work from a laptop. Now, it doesn't mean there weren't some issues, there were some minor things, one of which was capacity and performance. It's very different having 50 or 60 percent of your organization working remote during a snowstorm versus one hundred percent of your staff working remote all the time. So, it definitely put different load on our systems and some upgrades had to be made early on.
But then also vulnerability scanning. So, we scanned all the computers in the FINRA environment on a weekly basis to identify any missing patches or configuration issues that represent a security risk for FINRA. When those systems were in the office most of the time, like end user workstations, we could scan those over the network. What we found initially in the move to remote work is quite often when we ran those scans, a large fraction of the end user workstations wouldn't be connected via VPN so we couldn't scan. And that was a blind spot that we weren't comfortable with. So, we had to take an alternative approach. We deployed an agent out on every single workstation that does a local scan and then reports the results back to a central database whenever that system connects back to our network. So, we have a continual picture of any security risks on all components in our network, including end user workstations that may only connect to the network a few hours a day.
09:36 - 09:40
Kaitlyn Kiernan: What do you say are the biggest lessons learned over the past 12 months?
09:40 - 10:49
Eric Pickersgill: I've been to places where the workforce was either centrally located or decentrally located, and there are times where it was commingled. And one thing that I've noticed is you can have the same level of camaraderie and collaboration with a decentralized workforce if everyone's on the same playing field. So what I've noticed is when I've had people working from home, they feel disconnected with the office because you have everyone that's sitting at a conference room working on the whiteboard, and then the two or three people that are on the conference call don't get that same experience.
So one of the things that I've become very cognizant of as a result of everyone working remotely is how seamless it is working from home, because everyone's on the same playing field, everyone's working on the same platforms, everyone's communicating the same way. So, something we need to think about once we return to normal is how do we replicate that where some people will be working in the office versus some people working remotely? How do we establish those standards to make sure that we're giving everyone an equal experience to collaborate and continue their work from wherever they are? That, to me, is the biggest lesson I've had in this remote lifestyle.
10:50 - 11:03
Kaitlyn Kiernan: That's interesting. And I definitely experienced that working on a team where I'm based in New York, but the vast majority of my team is in D.C., so it was always the odd man out. I'm interested to see how we address that going forward.
11:04 - 11:39
Eric Pickersgill: One other lesson learned I had is that you don't realize how much is done via the water cooler or just tapping people in the hallway. So one thing that we've really been focusing on, in our organization is documenting as much as possible, doing self-service as much as possible and really kind of doing a grassroots approach amongst the application teams, the people that we provide security support to. Helping them understand what tools are at their disposal so they can be secure without having to go to the water cooler or tap on someone. So, making it easy as possible to consume our tools and services and to ensure vendor security.
11:40 - 11:46
Kaitlyn Kiernan: Do we have any thoughts in mind for tools or processes to address that in the future?
11:47 - 13:13
John Brady: There's a lot of work going on in technology, looking at collaboration tools that enhance the collaboration experience in this remote environment and to Eric's point, as FINRA at some point begins to return to the office, it's likely that a very large fraction of the workforce will choose to remain remote and you'll create this situation of the haves and the have nots. That immersive experience of being in the office and being able to have a quick chat when you run into somebody in the hallway is not available to those that are connecting via Zoom. But it's going to be important for us to create that level playing field so that the organization remains as collaborative and productive as it is right now.
So there are tools we're looking at that create shared whiteboards and shared collaboration workspaces that persist over time so you can get together, have a meeting, people can share their thoughts in the shared workspace and then come back to it days and weeks later and it's all still there. And they can continue to work on it separately and everybody gets notified when there are changes. So, it's very much a paradigm shift compared to how business was done pre-pandemic. But I think in the end it's going to create an organization that is even more resilient and more capable, despite the fact that people will be geographically dispersed during the workday when they're trying to collaborate and get stuff done.
13:14 - 13:19
Kaitlyn Kiernan: Yeah, sounds like the past year has accelerated some existing trends in the space.
13:20 - 13:21
John Brady: Definitely.
13:21 - 13:31
Kaitlyn Kiernan: And is there anything that you would have done differently if it was March 2020 and we had to start this whole process over again?
13:31 - 14:53
John Brady: When we first started working 100% remote, I created a happy hour series for us to get together weekly. And at first, I made that series three months long thinking, oh, this will all be over soon. So, one thing I definitely would have thought about differently going in is not having that short term "it'll be over soon" perspective, but instead saying to myself, you know what, this might go on for years. And so, I think we were a little slower to figure out the importance of collaboration.
Eric's point about the water cooler talk is something you really have to make an effort to make sure there's time for those conversations. You got to set it aside. You got to schedule it with your teams or even with individuals on a regular basis. So, we've had to work that into our schedules deliberately now when previously you just relied on those informal get togethers. So, I think that's a big thing, just figuring out how to enhance collaboration, manage the culture of the team, keep people engaged and productive and informed. It's very different in this pandemic world where we're working remotely than it was previously. And I certainly think we would have recognized that sooner and taken steps to address it sooner.
14:54 - 15:01
Kaitlyn Kiernan: What do you think were some of the biggest wins for your team when we transitioned to the remote environment?
15:02 - 15:47
John Brady: The big win was that it was seamless. We're just part of the technology solutions here at FINRA, but being able to continue to hire staff and get them equipment so that on their day they started, they could be productive was something we had to work out because we had to figure out how to do that in a very different way than we had before, but without compromising security to FINRA. So, fulfillment processes had to be adjusted and then just enabling a secure remote workforce was important obviously. It went smoothly. So that's why I feel that's a big win. Not that we had to do a lot because we were prepared for it through all the remote work that efforts had undertaken over the last several years.
15:48 - 16:51
Eric Pickersgill: As someone who came in with the middle of the pandemic, I can say that that investment paid off. Like I said earlier, I was starting work on day one. I think it also came with the collaboration tools. So FINRA has invested in a lot of collaboration tools that have really helped us replicate that physical colocation camaraderie and have that collaboration.
And I think one thing that I thought was really impressive is not just the speed at which we've onboarded those tools, but the due diligence associated with it. So, when you have these collaboration tools, there's obviously risks that are introduced with them, potential for people to put up inappropriate data, access controls, data leakage, whatever that may be. So making sure that we weren't rushing it, we were still doing the right thing, making sure that we were vetting the security of the tools, then making sure that they were implemented in a secure manner, and then educating our staff in a secure way to use the tools I think helped us continue the collaboration and continue to deliver at the immense speed that we've done at FINRA the past, but also do it the right way. I feel like that's a huge win too.
16:52 - 17:05
Kaitlyn Kiernan: That brings me to another question I had generally is about how you are thinking about vendor app security during this period. Was it similar to how you thought about it during the normal work period or did you have to make some changes?
17:06 - 18:31
Eric Pickersgill: All of these tools that we're discussing are largely cloud based tools. I don't know if the pandemic was the impetus of leveraging cloud tools. I do think that it probably accelerated the use of cloud services in the collaboration space. For those in the audience who don't know, cloud is basically the consumption of IT on a service based model where you're not physically building the device in your data center and managing yourself, but rather you're consuming a service provided by someone else. Usually with that service through what's called the shared responsibility model when it comes to security.
So, understanding what security the provider is responsible for versus what security the consumer is responsible for is very important. And then for the stuff that the provider is responsible for, you want to vet them and make sure that they're providing a level of security commensurate to your needs. And then for the items that you're responsible for, you want to make sure that you clearly understand what are the things that are within your control? What are the tools at your disposal to control them? And how do we make sure that we're proactively and continuously implementing those controls in the environment? So from that perspective, I think it was leveraging our existing capabilities and processes and knowledge or just applying at a more rapid pace for newer technologies that we may have not embraced had it not been for the pandemic, like John had mentioned, the virtual whiteboarding solution.
18:32 - 20:43
John Brady: There were some concerns that surfaced early on in the move to 100% remote, one of which was Zoom. So FINRA had been a Zoom user for over a year before the pandemic hit and we're very happy with the service. But when it did hit and the entire world started using Zoom, a few bad things happened, including something known as "Zoom bombing", where somebody could guess your meeting ID and disrupt meetings, often in vulgar and very inappropriate ways.
So, we quickly worked with Zoom themselves, talking to their security leadership, to figure out how to counter that. What controls did Zoom need to develop and deploy? To Eric's point about the shared responsibility model, I think it was a great example. They're responsible for creating a secure platform, but then they offer security features that we, as a user of that platform, can choose to enable or disable.
And early on, they were missing some key features that would fight things like Zoom bombing. But they also did have some features that we were choosing not to use because they represented a hurdle that our users would have to overcome, something that would get in the way of their collaboration in an easy and frictionless manner. But when security becomes important, you have to accept that friction. And so, we made adjustments and solved those issues very early on.
We do that with basically every tool that FINRA uses. Our goal is always to be proactive, anticipate the need, understand it, establish the security standards before you start. But then there are cases where the world changes, the complexion of things changes, and what was secure all of a sudden now isn't and you got to revisit it and figure it out again. So, we're always doing that and certainly keeps Eric, myself, and our teams busy because the bad guys are always out there innovating and creating new ways to create havoc and attempt to steal money or information out of organizations like FINRA. So, we always got to try and stay a step ahead, anticipate what they're going to do and thwart it before they do it.
20:44 - 20:57
Kaitlyn Kiernan: Now, that's interesting. I don't know, a lot of people would think, oh, well, I can go to Zoom and make asks for them to change their platforms, but it sounds like that was an important step in ensuring that we were able to continue using the platform.
20:57 - 22:13
John Brady: We do that with all of our providers. Whenever we run into a situation where we say, you know what, it'd be really good to have this feature or capability, we're not shy. We go to those vendors and we make the requests.
We make feature requests of Amazon Web Services all the time. They're huge. And yet we still have their attention. We meet with their product managers regularly, with their security leadership regularly. I'm a member of the Amazon Web Services CISO Advisory Council. And so, as a CISO, together with a couple of dozen other CISO, we meet with Amazon twice a year and give them direct feedback on what they're doing well and what they could do better.
It's a level of interaction and insight that I've never seen before in the typical Silicon Valley world where the computer companies create products and just throw them out there and they use sales to determine whether or not they hit the mark, not customer feedback. In this cloud world, it seems like the vendors are generally more nimble and more open to customer feedback. It's been a good partnership with all of our vendors, but especially with Zoom and with Amazon, we've seen a really good dialogue back and forth.
22:14 - 22:29
Kaitlyn Kiernan: Yeah, it's great to hear that that collaboration exists. Just to switch gears a little bit, I wanted to look ahead. We focused a lot on what happened over the prior year. But what are some of the areas that the FINRA cybersecurity team is focusing on in the year ahead?
22:30 - 26:17
John Brady: We practice continuous improvement. We don't rest on our laurels. Just because we had a good year stopping the attackers in 2020 doesn't mean we're going to have a good year in 2021. As I said earlier, they never sit still, they are always innovating, they're always coming up with new ways.
And there's been something in the headlines recently that I'm sure a lot of the listeners have heard about. It's called SolarWinds. It's a network management tool which is central to a big data breach that happened in December of 2020 that involved a number of government agencies, as well as some high-profile US based companies like FireEye. And FireEye, for those that don't know, is basically the preeminent security services firm in the United States. So you would think if they can get hacked, well, then it's clear everybody can get hacked because they're head and shoulders above the average company in terms of their own security capabilities that they provide to all their clients. So, it was a disturbing event, but not unprecedented.
There had been a similar event back in 2017 called NotPetya, where Russian operatives were believed to be targeting Ukrainian companies through a tax software product and that their goal at the time was really just to damage the Ukrainian economy. But the way they went about doing that was very similar to SolarWinds. They broke into the company that published the software and they used that company's software update process that sends new data, new files, new updates out to all their customers, they use that to deliver malware into those customer environments.
SolarWinds, very similar. The bad guys broke in and figured out how to inject malicious software updates into the SolarWinds Orion product set. And then those updates were sent out to customers, over 18,000 organizations. And those updates contained a back door, which would allow the hackers to infiltrate those networks and then use it as a toehold to do further hacking of those environments and steal information.
Now FINRA did not use and does not use the SolarWinds Orion product set, thankfully. But even so, we're looking very closely at that and adjusting our processes and our practices just to make sure that we have all the right things in place, whether it is evaluation of products and tools that we're adopting, the security standards we're talking about earlier, because everything you adopt and use in your environment, whether it's a cloud service or a software product you license and deploy on your own servers, you need to configure it in a secure manner.
But then also we take the view that at any point in time there could be malware running in our environment. So, this is what security professionals refer to as assume compromised. Assume you have malicious software running in your environment. With that mindset, you build controls that limit the bad things that can happen, so you do entitlements to data in the least privilege matter, you segment your network into multiple security zones so that if one section gets compromised, it's nearly impossible for that compromise to move to other parts of the network. You restrict outbound connections so that malware that's able to find sensitive data can't easily get it out of your network without tripping alarms and things like that. So, it's an approach that we take here at FINRA and we've always taken here at FINRA, but it's more important than ever now.
26:17 - 26:57
Eric Pickersgill: Now to that point, with the proliferation of cloud services, there's a self-service component to it and people can consume whatever they want. So, there's this concept of shadow I.T. that keeps you up at night a little bit. The idea that someone can use their credit card to buy a service that hasn't been vetted and it's not being used in a secure way. Like John said, we've very strong security program and we're continuously improving. So, we're able to mitigate that through a number of mechanisms, but just staying on top of that and making sure that we're blocking the wrong cloud services and then we're continuously monitoring for any use of unapproved services would be key.
26:58 - 27:06
Kaitlyn Kiernan: Is there anything that is not really a concern yet, but you have your eye on as something that might be a concern in the future?
27:06 - 28:30
John Brady: More and more, our devices that we all use have touch screen interfaces. And so, in the past, when you received a malicious email, it was written in a way to entice you to click on a link or to open a file attachment that contained malware, that's very effective. Humans are easy to trick. With training we get better at it. But even so, the right phishing email at the right time often catches some very sophisticated users into clicking.
These attackers, they've gotten very creative. None of us like hairs or dust on our screens. And so, what they do in their phishing emails is they'll embed an image that looks like a piece of hair or a little bit of dust. And behind that image will be a link that you can't see and that when that email displays on your device, you might be enticed to try and swipe that piece of hair or dust off the screen that doesn't exist. And in the process, you will be clicking on a link. And it's definitely a novel attack and it's not widespread yet, but it's going to come. So, we're watching that and thinking about ways to detect images that represent these imperfections on the screen in a way that we can block those. So, we're working internally and with vendors on ways to do that.
28:30 - 28:42
Kaitlyn Kiernan: That is interesting. More reason never to even open the emails to begin with. Are there any of these concerns that you think would be particularly relevant to member firms, especially small member firms?
28:43 - 31:14
John Brady: Security concerns are relevant to every organization and security is not easy. Even though the attackers innovate and create new ways, they never stop using the old methods that have proven effective in compromising organizations. So, it's important to patch. It's important to have secure configurations. It's important to have third parties perform pen testing on your software and on your networks to make sure there's no easy way in. None of that stops. You've got to keep up on that.
It's also important to train your users and make sure they have a fighting chance at least. Here at FINRA we have a number of things that we do to help fight phishing, one of which is putting a banner at the top of every email that's received from an external source just to help the users know that this might be something they want to scrutinize a little more closely than an internal email. But then also we do simulated phishing training and send out messages that are patterned after current attack methods just to keep it in the front of the minds of our users.
Smaller firms might use and probably do use what are known as managed security service providers, MSSPs. And that's a good practice. It's hard for a small firm to have the technical depth and the cybersecurity knowledge to protect itself. So, they have to lean on vendors who will help them with that. I would just encourage you, if you're a small firm that does that, is ask the tough questions of your vendors. For example, with ransomware, it's important to try and keep it out. But if your users click on it and it executes in your environment, you want to have an easy path to recovery. So, you should challenge that MSSP and say, what will it take to recover me, how long and how much will it cost me? And see how they answer that. If they don't give you a good answer, well, then you should be looking for a better MSSP because it is possible to construct systems in a way that it's easy to roll back to a state prior to when the ransomware hit your environment.
Along those same lines, backing up data is important no matter where it is. Certainly, you want to store it on a system that can be easily rolled back and recovered. But also, there is data that is stored on local drives and laptop machines. So, looking at a backup solution that continually captures those files and moves them to a secure platform is well worth the investment.
31:15 - 31:36
Kaitlyn Kiernan: Well, that's it for this episode, John and Eric, thank you so much for joining us. Listeners, if you don't already make sure you subscribe to FINRA Unscripted on Apple Podcast, Overcast or wherever you listen to podcasts. If you have ideas for future episodes you can email us at [email protected]. Until next time.
31:36 – 31:43
Outro Music
31:43 - 32:09
Disclaimer: Please note FINRA podcasts are the sole property of FINRA and the information provided is for informational and educational purposes only. The content of the podcast does not constitute any rule amendment or interpretation to such rules. Compliance with any recommended conduct presented does not mean that a firm or person has complied with the full extent of their obligations under FINRA rules, the rules of any other SRO or securities laws. This podcast is provided as is. FINRA and its affiliates are not responsible for any human or mechanical errors or omissions. Parties may not reproduce these podcasts in any form without the express written consent of FINRA.
32:09 – 32:15
Music Fades Out