Rizal Commercial Banking Corporation (RCBC) begun as a small development bank in the Philippines and has grown to encompass a wide range of financial services and branches in the U.S., Europe, Australia and New Zealand. Like any financial institution, it must comply with a host of regulations and is a prime target for malicious actors. Recently I had the opportunity to talk with RCBC Chief Technology Officer Jed Lumain to discuss how the bank balances the risk of a breach with the ability to innovate to improve business productivity and client service.
As a financial institution, what are the unique cybersecurity management challenges you face?
Every day we experience millions of attempts to compromise our environment and steal sensitive information. It’s a 24/7 cat and mouse game. We must constantly be on our guard to ensure that our security arsenal is as effective as possible and as effective as it was the last time we checked. It’s not a matter of if we’ll experience a breach but what the impact will be when we do. Our job is to make sure that there will be no impact to services, clients, or anything related to bank assets.
Given the constant bombardment by malicious actors and high stakes of a breach, how do you balance risk and innovation?
I have learned over the years that risk will always exist, so what matters is how you manage that risk. Instead of saying no to business requests, I tell my team to give me solutions that enable us to mitigate the risks of those requests. I do appreciate them highlighting the risks, but we need to find ways to work around the risks. We have to remember that enabling and growing business is our main objective.
BYOD is a perfect example. We realized we had to allow personal devices to be used to expedite work and better service clients even though doing so introduces more risk. We had to find ways to work around that risk and mitigate it with technology. Same with moving workloads to the cloud.
In addition to personal computers and other managed systems, you have ATMs and other IoT devices. How do you make sure they’re all secure?
We have implemented various technologies to detect threats and actively hunt for them as well as the network access control provided by your platform. We have also set compliance thresholds – specific versions of running anti-malware software, encryption, operating system versions and device configurations, for instance – for all devices connecting to the network. If we’re not 100% sure a device is compliant with our policies, Forescout won’t let it on the network. Take the BYOD example. If somehow, despite not having admin access, you were able to install a new app on your laptop, Forescout will catch it and block you. The ability to automate compliance gives us a lot more confidence in our ability to manage threats.
Despite the pandemic, you have made some impressive gains in security operations productivity. Can you elaborate?
We really have. When we added up the savings just from automating operational tasks with Forescout, we found that we were saving 30 hours weekly, from reduced time spent on endpoint compliance as well as on desktop support and remediation. We also saved 25 hours each week on inventory management, which had always been elusive before despite all the work that went into attempting to maintain an up-to-date asset inventory. Now we have an accurate inventory anytime we want it with just a few clicks.
If you were talking with another CTO or industry peer who had never heard of Forescout, what would you tell them?
That’s easy. I have shared my experience with Forescout multiple times to other IT practitioners. I told them that the Forescout platform is a fundamental requirement for any organization that is serious about protecting everything on their network. When you get to a certain size, you can no longer enforce compliance and network access manually. You need the visibility and control that Forescout provides.
To learn more, check out this case study of how RCBC Bank partnered with Forescout to dramatically boost their cybersecurity efficiency and effectiveness.