CISOs say the best IT security programs build risk management into everything.

In many cases, follow-up from these high-profile incidents finds that companies don't have the necessary people, security policies or programs in place. But, experts agree, that's part of what's changing. CISOs report that CEOs finally understand the potential risks their companies face and are starting to pay more than lip service to their IT security personnel. The smart ones are developing mature risk assessment programs.

Trittschuh says the financial sector focuses on risk much more than other industries. He says the regulations in banking and finance are so stringent that companies must continually assess their risk posture and take appropriate actions to protect the company, its employees, clients and customers.

In adapting to this changing and more dangerous threat landscape, Trittschuh says it's important to have an intelligence-driven information program. Synchrony Financial uses many of the same intelligence sources as does Seattle Children's Hospital. He says companies must prioritize the threats and focus on those that are most important to their organization. 

“It's also important to be forward-looking,” he adds. “The cyber threats we face today will continue to evolve, and our business will evolve to meet the needs of the customer. In our role as security advisors, we help the business understand the potential future cyber risks.” 

Trittschuh says his team also assesses risk as the technology trends in the industry change. Mobile banking, for example, represents a fundamental evolution in the banking industry – and in society as a whole. But with that mobility come many new security risks. Consumers who now depend on mobile banking must be educated on how to more safely make bank transfers and pay bills on their mobile devices.

What if the device gets into the wrong hands? It's one thing if it's a corporate device protected by a mobile device management system. But millions of people use mobile banking with limited protections. He says that to be successful, Synchrony Financial must identify the risks associated with mobile computing and put programs in place to protect the company's clients and customers.

“We have recently made announcements about our work with Apple Pay, Samsung Pay, LoopPay and other mobile banking initiatives,” he says. “Our security team gets engaged in each of these conversations to make sure we are balancing risk appropriately.”  

For example, Samsung Pay uses PINs and passwords, making it immediately more secure than a traditional wallet. And all Synchrony private label card accounts in Samsung Pay are device-specific and use domain-restricted tokens, meaning the tokens will only work in a specific merchant's store.
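To make the device and merchant binding concrete, here is an added illustrative model (not Synchrony's, Samsung Pay's or any payment network's actual implementation; the vault, field names and the simple HMAC cryptogram are all assumptions) showing why a token lifted from one device or replayed at another merchant is refused:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Illustrative model of a device-specific, domain-restricted payment token. Added
# example: not Synchrony's, Samsung Pay's or any network's scheme; names assumed.
@dataclass(frozen=True)
class TokenRecord:
    pan_last4: str        # the real account number never leaves the vault
    device_id: str        # token was provisioned to exactly one device
    merchant_domain: str  # token is only honoured at this merchant
    device_key: bytes     # per-provisioning key shared only with that device

def cryptogram(key, token, device_id, merchant, cents):
    """Per-transaction MAC the device computes over the binding fields."""
    msg = f"{token}|{device_id}|{merchant}|{cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class TokenVault:
    """Constructed token service: provisions tokens and enforces their binding."""
    def __init__(self):
        self._records = {}

    def provision(self, pan_last4, device_id, merchant_domain):
        token = secrets.token_hex(8)       # surrogate value, unrelated to the PAN
        key = secrets.token_bytes(32)
        self._records[token] = TokenRecord(pan_last4, device_id, merchant_domain, key)
        return token, key                  # the merchant never sees the key

    def authorize(self, token, device_id, merchant, cents, crypto):
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.device_id != device_id:
            return False, "token not provisioned to this device"
        if rec.merchant_domain != merchant:
            return False, "token restricted to another merchant"
        expected = cryptogram(rec.device_key, token, device_id, merchant, cents)
        if not hmac.compare_digest(expected, crypto):
            return False, "cryptogram mismatch"
        return True, f"approved for card ending {rec.pan_last4}"

def run_scenarios():
    """Constructed cases: legitimate use, same token at another merchant, another device."""
    vault = TokenVault()
    tok, key = vault.provision("4421", "phone-A", "store.example")
    attempts = {"legit": ("phone-A", "store.example"),
                "other_merchant": ("phone-A", "othershop.example"),
                "other_device": ("phone-B", "store.example")}
    return {name: vault.authorize(tok, dev, m, 1999, cryptogram(key, tok, dev, m, 1999))[1]
            for name, (dev, m) in attempts.items()}
```

Because the vault checks the device and merchant binding before anything else, a token alone is worthless outside the context it was issued for, which is the property the domain-restricted tokens above rely on.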