“BBVA’s cybersecurity project attracts top talent”

He speaks about “the bad guys” with familiarity. His extensive career in the world of cybersecurity has allowed him to build a profound understanding of how criminal organizations work; he’s aware that they have access to cutting-edge technologies, and that they are constantly on the watch to launch their attacks as soon as they detect a vulnerability. Digitization and telework have dramatically expanded the perimeter that needs to be protected at BBVA. This adds a new level of complexity to the work of this telecommunications engineer, who has previously worked in the Middle East, Asia and the Nordic countries. In this interview Garrido speaks confidently about BBVA’s strategy. A strategy that, according to him, sets the Group apart from its peers for its use of advanced data analytics and the commitment of the top tiers of the organization.

Raising awareness and training people to remain vigilant and prepared to prevent fraud and recognize digital threats is another key pillar of BBVA’s strategy. The company is celebrating ‘Cybertraining Week’ this week, with an agenda full of workshops and conferences for employees and their families. “I’m looking forward to the technical challenge of ‘Catch the flag’ and my kids will surely take part in a social media workshop to understand the risks and dangers that children and teens face when using these platforms,” says Garrido.

Question: Cybersecurity has become a critical issue during the COVID-19 crisis, following the spike in cyber-attacks and online fraud. Do you think that this demanding period has helped us become more aware of the threats we face when we go online?

Answer: More than a spike in the number of attacks, what happened during the confinement period is that we became much more dependent on technology, and this led people to become much more aware of the need to protect their personal and professional devices, and to pay more attention to their habits in the digital world.

According to the statistics we have access to, the level of materialization of these attacks has remained the same. The ratios are much the same as last year, if not a bit lower. But it is also true that the level of effort, focus and resources that we’re devoting to tackle this issue is higher.

What we’ve noticed is that criminals have started using new colors to package their attacks, they’ve adopted new approaches, intimately linked to the health crisis. What’s changing, clearly, is the type of bait, but now we’re starting to see that they’re going back to their former, pre-COVID-19, ways.

Q: Have learned any insights worth mentioning?

R: One of the things we’ve been discussing with other banks companies or regulatory authorities is the importance of raising awareness among users. At the BBVA Group level, we had already amassed a very relevant training and dissemination experience. For years, we’ve been carrying out all sorts of activities aimed at employees and their families. During lockdown, maybe because people had more time or were more interested in it, we trained over 14,230 people in two months. It’s been incredible. That’s why we decided to double down on our approach and celebrate this cybersecurity training week from July 6 to 10, full of workshops and conferrences by prominent industry experts.

Q: Some people have been talking even about the need to forge a great alliance between financial institutions to weave a common front against cybercrime. Would BBVA be willing to collaborate with its competitors to boost the effectiveness of fraud prevention measures?

R: This has already been done in other parts of Europe, such as the United Kingdom, the Nordic Countries… in Spain we already cooperate a lot on a regular basis, always within the boundaries outlined by existing regulations and the GDPR. We share information about threats and our temperature readings of what’s going on out there. But not only with other financial institutions. We participate in many forums, and try to reach out to the whole ecosystem, including law enforcement agencies, to come up with a comprehensive picture of what’s happening and where attacks are coming from.

We’re happy with our level of cooperation with other companies, but there’s always room for more. I think that right now we’re on track to expand this collaboration to move ahead and build up our strength to take on the bad guys.

"In Security we’ve fully embraced advanced analytics as a tool for tackling extremely complex issues"

Q: What do we know about these criminal organizations?

R: This has changed over time. In the early days of computers and the internet, hackers were just kids messing around for the sake of fun or recognition, but they soon realized they could reap huge profits.

Now, we’re in the midst of a second stage, dominated by organized criminal enterprises, extremely sophisticated, operated much like a regular company. Their investment capacity is astonishing. They’re very focused on their goal. That’s wherein, maybe, some of the asymmetry lies, because they’re very focused on specific attack vectors on which they deploy their full power, and we have to protect the whole geometry of the bank, against all types of attacks on a 24/7 basis. Also, these players have tremendously advanced organizational models and invest heavily on R&D and top technical talent. Their motivation is monetizing their investments, and their goal is to obtain money, a clear profit.

The third great wave, which is already being felt, has more to do with state agencies and geopolitics, an area that’s harder to act upon. But it is there and we need to respond. The impact is much more global in scale and pursues goals that include destabilization or industrial espionage, not just making a financial profit in the short-term.

Q: Technologically, are cibercriminals at the level of corporations?

R: Totally. Also, ‘crime as a service’ is quite a hot trend right now. Today, you can buy all sorts of tools to attack specific targets on “darknet” markets, at a very reasonable price. It is brutal. This type of technology that hackers have access to is, at least, the same that those of us that are on the defensive end have access to, and many times it’s much more lethal.

Q: How can you explain that they seem to be always ready to immpediately exploit vulnerabilities?

R: Businesses have to deal with attacks on a daily basis. Players are constantly scanning our perimeter, the perimeter of our supply chain, our employees’ accounts, automatically, to try to find weaknesses that they can exploit. That is why we need to move ahead of them and run attack drills against our own assets and put them to the tests to try to detect those vulnerabilities before cybercriminals do.

Also, the bank’s data-driven approach plays as a strength. In Security we’ve fully embraced advanced analytics as a tool for tackling extremely complex issues, such as the detection of anomalous patterns in our infrastructure or our transactions.

Q: Within BBVA’s cybersecurity strategy, which elements would you define as unique?

R: We have five elements that, maybe, make our approach a bit different:

• The first: We have a comprehensive approach to security, which encompasses physical and logical security, and the anti-fraud strategy.
• The second: We have a “data centric” approach. On one hand, we place data, at the most atomic level, at the very heart of our strategy; and, at the same time, being a representation of a financial asset or a repository of personal information, we view data protection as a critical element.
• In third place, the use of advanced analytics in the broadest sense of the term. We’re using telemetry to detect signals and try to understand what’s going on that may be odd or shouldn’t be taking place. In a company this size – with about 130,000 employees, thousands of servers, thousands of networks, millions of accesses, billions of daily transactions – spotting these unusual signals is hard using traditional methodology.
• The fourth differentiating element is our incredible human team. Our project, BBVA Security’s groundbreaking approach, our culture and our work methodologies allow us to attract, retain and develop top talent in an extremely demanding market.
•  Lastly, our global model, which combines the power of core capabilities (anything which may require scale or that incorporates a 'boutique' component that is hard to activate across all countries) with the local power and talent that best understands local risks, as well as user and customer risks. The transfer of knowledge, technology and talent between the countries that comprise the BBVA group is absolutely essential to the success of the function.

Q: Is the existence of a cybersecurity commission at BBVA, which directly reports to the Group Executive Chairman and the Board of Directors, an advantage at the time of establishing global strategies or securing more resources?

R: BBVA’s governance organs started addressing cybersecurity matters many years ago. The commission’s dynamics are very positive, because it’s always trying to support us. The commission reflects the importance of cybersecurity at the bank, where it is considered one of its critical risks. We get great support and a lot of attention.

Although cybersecurity is enshrouded in an aura of mystery, with technology, hackers, information management etc … and the reality is that all these elements are part of it, at the same time, it is a very systematic discipline. It entails a lot of process management, systematized execution, risk assessment and prioritization and implementation of a governance system that meets the requirements of such a critical and regulated sector.

"We are seeing a gradual shift from physical to digital crime"

Q: Does the fact that digitization is increasing make us more vulnerable?

R: Yes and no. What is clear is that, today, our attack surface, compared to 10 years ago, has grown exponentially. Product portfolios, as well as the operations and interactions with them are virtually 100% digital, and this has, inevitably, caused criminals to pay increasing attention to the digital world beyond the more traditional or physical crime.

In recent months, this trend has multiplied, with most of our staff working remotely, and the sudden change this situation brought to the bank’s geometry in a matter of days. And this has required us to adapt our strategy and security services very quickly.

Q: Your responsibilities as CSO include both cybersecurity and the more traditional physical security. Where do you think more threats come from? The online or the real world?

R: The thing is that incentives have changed. Now, if you are a criminal, you have less incentives in robbing a brick and mortar branch. Depending on the country, the punishment for robbing a physical branch is still much more severely than for carrying out a digital heist, at the same time, in many countries the use of cash is declining; therefore, we are seeing a gradual shift from physical to digital crime. But the situation depends a lot on the situation in each country. We have this end-to-end vision of all processes that allows us to swiftly pivot.

Q: Which new threats are going to mark of cybersecurity looking forward?

R: Access to new technologies such as machine learning or quantum computing. We can envision a future where criminals use AI-powered models to detect bank weaknesses and automatically launch tailored attacks. Or quantum computing applications capable of deciphering the encryption algorithms than we currently use to protect transactions.

From the point of view of the motivation driving attacks and the relevance of their perpetrators, we will see more and more episodes of cyberterrorism, cyber wars capable of having a systemic impact and increasing global instability.

"We can envision a future where criminals use AI-powered models to detect bank weaknesses and automatically launch tailored attacks"

Q: Will biometrics be the solution to make passwords a thing of the past?

R: Personal identification solutions consist of two parts: authentication and authorization. Who are you and what do you have the right to do? And it is always said that the best way to design security strategies is considering three questions: who are you, what do you have and what do you know. "Who are you" includes biometrics; “What do you have” refers to the devices we use (we analyze behavior patterns in relation to access devices to detect possible suspicious movements based on which we can automatically detect possible breaches or attacks); And then "what do you know" would consist of the classic personal questionnaires.

The sum of all this is that we are making fast progress towards a passwordless world.

Q: What do you think the future will bring us?

R: Advanced data analytics are critical to understanding what's going on and identifying and anticipating areas for improvement. The key is understanding the data and being able to ask the right questions. Many people get into data projects without knowing what to ask or how to ask for it. And that’s wherein lies the difference. There is always going to be crime. What’s important is to protect yourself better than the others do, even better than the bad guys.