Banking on Customer Awareness - Interview with Debbie Wheeler, CISO of Fifth Third Bank
Fifth Third Bancorp is a diversified financial services company headquartered in Cincinnati, Ohio. As of December 31, 2008, the Company has $120 billion in assets, operates 18 affiliates with 1,307 full-service Banking Centers and 2,341 ATMs in Ohio, Kentucky, Indiana, Michigan, Illinois, Florida, Tennessee, West Virginia, Pennsylvania, Missouri, Georgia and North Carolina. Fifth Third operates five main businesses: Commercial Banking, Branch Banking, Consumer Lending, Investment Advisors and Fifth Third Processing Solutions. Fifth Third is among the largest money managers in the Midwest and, as of December 31, 2008, has $179 billion in assets under care, of which it managed $25 billion for individuals, corporations and not-for-profit organizations. Investor information and press releases can be viewed at www.53.com. Fifth Third's common stock is traded on the NASDAQ(R) National Global Select Market under the symbol "FITB."
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic is banking trends, and I am privileged to be speaking with Debbie Wheeler, CISO with Fifth Third Bank. Debbie, thanks so much for joining me today.
DEBBIE WHEELER: Thank you for having me, Tom.
FIELD: Debbie, as you know, the industry has just been befallen by so many circumstances over the past year, certainly economic and security. Of all of these economic and security issues, which are the ones that are the greatest concern right now to your institution?
WHEELER: Well, I think there is probably a variety, but from my particular perspective obviously we are most concerned with maintaining the strength of our current security program and continuing to keep our customers and our employees aware of what we are seeing in terms of security issues.
FIELD: Now what do you think has been the biggest economic impact on information security programs? We all know that resources are tight, whether they be financial or human resources. In your experience, what has been the biggest impact?
WHEELER: Well, obviously like everyone else we are being asked to make expense reductions as well. So I think from our perspective the biggest impact is trying to find creative ways to address the security needs of the bank corp while at the same time having to undergo some expense reductions and resource reductions.
FIELD: Any trick you can share with us? What have you found that so far has been very successful for you?
WHEELER: I think the most successful aspect of realigning resources and realigning priorities is really looking at risk and making sure you have a strong risk assessment, risk management program in place. That helps you to better prioritize the areas and the applications or the aspects of your technology infrastructure that require the most attention in terms of remediation and security.
FIELD: Debbie, just for context, can you give us a sense of how large your information security group is?
WHEELER: Our information security group is currently 36 people, and the bank at large is 22,000 employees.
FIELD: Now what about customer confidence? This is something that gets talked about a lot in the industry right now because we realize industry-wide that people have had their confidence in the financial services industry shaken, but not necessarily in individual institutions. What is your experience with customer confidence in Fifth Third?
WHEELER: I think our customers have a high degree of confidence in Fifth Third. The brand has been around for 150 years, and we have demonstrated repeatedly strong performance in the areas of the footprint that we operate within. And I think that we have shown repeatedly a strong interest in educating our customers and making them aware of not only our service offerings as a financial institution, but the ways in which we are helping to protect and secure their information.
We also have done a large number of awareness events aimed at the customer directly in terms of educating them about steps and measures they can take to better protect their information assets. So I would say that our customers have a high degree of trust and confidence not only in our brand, but also in our service offerings and in knowing that we have their best interest at heart.
FIELD: Now how does this come down to your group, Debbie? How does the information security team contribute to this strengthening of the confidence?
WHEELER: I think apart from the things that we do to physically protect and secure our customers' information assets, the greatest contribution my team has had to our customer base has been from an education and awareness perspective. We have gotten out into the community. We have been active in community events. Anything that gives us an opportunity to get in front of potential customers or current customers and educate them, not so much about the things Fifth Third is doing to protect their information assets, but things that they can do, steps that they can take and measures they can implement to protect their information assets as well.
Many, many of the attacks that we are seeing today in this industry are attacks against the customer, social engineering types of attacks designed to get the customer to give us his information that is then used to either breach their financial assets or is used to confiscate their identity and commit other forms of fraud. So the more information we can pass to our customers about the types of activities we are seeing and steps they can take to protect themselves, the better off they are and the better off Fifth Third is.
FIELD: Well that sounds good. It sounds like your group isn't distant at all from the customers but rather they understand that they are in service to the customers and work well with them.
FIELD: Now you mentioned social engineering efforts, and certainly we have seen in the economy that with institutions failing, being acquired, merging, that there is a lot of confusion and from that confusion we are seeing in the industry a lot of phishing attempts and social engineering. What impact do you see from some of these efforts in the banking industry in general and then in Fifth Third in particular?
WHEELER: Well, obviously the financial services sector is the largest industry sector in terms of phishing activity or phishing targeting the financial services sector. But phishing is really a form of social engineering aimed at the customer. There is not a lot that financial institutions can do to prevent their brand from being phished, but there is a lot customers can do to prevent themselves from becoming a victim.
And I think one of the things that surprises me is with phishing having been around for several years at this point, the number of people that are still falling victim to phishing is surprising and frustrating for me and for others in the security profession.
What Fifth Third is continuing to do to combat phishing, apart from the security measure we take internally, is again, educating our customer base. The more aware the customer is of the types of attacks that are targeting them, the more we can empower and enable them to make decisions and to implement technologies and controls to better protect their information.
That is really one of the things that I think we focus on with respect to phishing, which is just getting out and educating the customer. We do a lot of that through our website, our security center on our website, we've done a lot of that through direct mail pieces to the customer and again, we've done a lot of that through community involvement projects where we have direct face-to-face contact with customers.
FIELD: People really are too trusting aren't they?
WHEELER: People really are too trusting, and I think we as a society in general have that tendency.
FIELD: Now one thing I am hearing from people that look at fraud is that they are seeing a lot more multi-channel attempts right now. In other words, it is not just email; it's not just phone, but really a combination of any means that fraudsters can use. Are you seeing that as well?
WHEELER: Absolutely. We absolutely are. Email is just one vehicle. I think as text messaging has become more prevalent, we are seeing a lot of SmiShing. People carry cell phones with them everywhere they go, so we have seen quite a bit of vishing. The more technology we use as a society, the more attack vectors there are going to be for hackers and fraudsters to take advantage of.
FIELD: I wanted to hear how many more forms of phishing you could come up with. You introduced some to me (laughter).
Now Debbie you had mentioned your customer awareness efforts a couple of times now, and as you know, industry wide banks are challenged by their examiners even to improve customer awareness efforts. What have you found works really best from your experience?
WHEELER: Wow, there have been several things that we have done here in the bank over the last three years in particular. I'm not sure that any one works better than the others, because again, the key to a successful awareness program is understanding your customer base and what services they use.
We have learned, through trial and error, that we have a very large population of customers that prefer internet banking. So going out into the community or going to the branches and doing awareness is not doing a lot to attract that population. We have had to find other ways to communicate with that group. But then again, using email is always going to be questioned by the customer as suspicious, especially if it contains links because of the education and the training customers have had to not trust email and not click on links.
So there are lots of challenges in terms of how we communicate with customers and raise their awareness, but the things that we have found most effective have been direct mail pieces as well as getting out in front of the customer at community based events.
So for example, we participated in a regional awareness activity called Speaking of Women's Health, and that event, which has been held here in Cincinnati for the last three years, has given some of the local businesses an opportunity to establish booths and to do kind of a selling opportunity to different services, and we have participated in that event to raise awareness around electronic forms of crime and fraud and the potential impact to our customers.
So we have been able to get out in front of a very large group of current customers as well as potential customers and offer them some education. We have done other types of community involvement activities, we have had the chance to participate in some local music festivals, and again, just getting out there and presenting information that can help the customer better protect their computer assets at home, better protect their personal information.
FIELD: Debbie, it strikes me that there has got to be some mutual benefit from this. What do you see resulting from your security staff getting out there and getting closer to the customers?
WHEELER: They have really, you know--I have this philosophy that security is a field that you either have to be passionate about in order to do, or you need to find another job. Because 90% of the time you are beating your head against a wall and trying to get people to understand the importance of security. And then 10% of the time when they get it, it makes it all worthwhile. But you have really got to be passionate about it in order to get out there day after day and continue to be an advocate for it.
What I have seen with my staff is that they are not looking at security or their role in the department as a nine to five job. They are really becoming passionate about it. They are looking for opportunities now to get out and educate not just the customers, but their own families and their friends, and they are espousing security principles and best practices whereas before it was something that they did in order to take a paycheck home and support their family. I am seeing them become much more passionate and much more involved in security.
FIELD: Well that has got to be very satisfying. Debbie what do you find to be unique about the challenges faced by your information security department? I've got to say I really am surprised that it is the modest size that it is. I really thought that of an institution your size that the security department would be much bigger but it sounds like you have got a very lean team.
WHEELER: Well, we have partners in other areas of the bancorp that assist us in a lot of our efforts as well, so I don't want to point out that it is not just the 36 people in this department that have responsibility for security. Every employee in the bancorp has some level of responsibility for security, and that is part of our awareness campaign here within the bank. Obviously, our challenge is always going to be having more to do with less resources, but I think that is a challenge that is faced not only here at Fifth Third in general, but across the financial services industry. I think that the opportunity that gives us is really thinking creatively about how we get our job done, how we provide the best security for the bank and the best security for our customers, and making sure that we are always addressing the highest risk areas of the bank and that we are staying viable and adding value to the bank.
FIELD: What do you find to be sort of the most important skills that you need in your department right now?
WHEELER: I think some of the most important skills that we have right now are individuals who understand web application code, who understand how to perform log analysis and event correlation. Those are probably the most sought after skills that we have right now.
FIELD: Now do they tend to come to you with good knowledge of banking or of the institution, or do you find that is something they acquire on the job?
WHEELER: I think that is something that IT in general acquires on the job.
FIELD: Debbie, I want to ask you about some topics that are in the news now that everybody is talking about in our industry. I guess number one would be the federal programs like TARP, which I think is a misnomer when people call it a bailout, but really it is more of an investment. But what are your thoughts and the bank's thoughts on programs that aid and invest? And then we've got the new program that they are talking about with the bad bank where it would actually buy up some of the bad debt?
WHEELER: You know I'm not the right person to discuss those types of programs. You definitely would need to speak with someone who is much more educated on those efforts than I am.
FIELD: Well let me ask you about something that I know you are close to, and that is banking regulation. You know there is an expectation that the new administration is going to put some focus on regulation not just for the banking industry but for other financial services businesses. From your position, what types of regulatory changes do you anticipate we might see over the next year or so?
WHEELER: Well, I anticipate there will be tighter regulatory controls around data privacy and security of technology infrastructures, and obviously I think that there will be more regulatory efforts and controls around how banks lend.
FIELD: Debbie, let me ask you about the Heartland Payment Systems breach. First of all, was Fifth Third affected by that or your customers?
WHEELER: Well I think that there are 27 institutions who have indicated that their customers have been impacted, and I think with respect to Heartland, there is a lot of speculation about the root cause of that breach, and until we get the facts it is very difficult to say that they were either ignoring aspects of security or that they were attentive to aspects of security. I don't want to speculate about Heartland.
I think that if you look out from 2005 forward, there have been a number of data breaches that we could hold up as examples, and until all of the facts are on the table I think it is really hard to speculate about what they were doing or were not doing and what other financial services institutions could or should be doing.
FIELD: Do you know at this point, Debbie, whether any of your own customers were affected?
WHEELER: I cannot comment on that.
FIELD: When you do find out about a breach like this, I mean it is not something that happens to the bank, how do you respond to such a thing with your own customers? What is the sort of incident response plan here?
WHEELER: Well I think that is two-fold. Obviously we work with our public relations and legal departments with respect to the information that needs to get out to the customers, and then we work internally to make sure that our systems have been thoroughly reviewed and analyzed for any signs of a potential breach. So it is a two-pronged approach, and one is very customer oriented and customer facing and then one is very internally oriented.
FIELD: You know Debbie, it strikes me that the banking industry does a particularly good job with security. I mean, certainly part of it is the regulatory mandates, that there is a lot that banks must do, but there is a lot that banks stepped up to do as well. When you think about security and some of the best practices that businesses like your own have, what are some of the things that non-banking institutions could stand to adopt to improve their own information security practices? Where are banks really good?
WHEELER: I think some of the basic foundations of security are putting things like antivirus and malware prevention in place, intrusion detection systems, and making sure you have capable and trained staff to do things like log analysis or event correlation. I think those are some very basic principles of security that every organization that has any sort of internet facing presence should apply.
FIELD: And it sounds like you are taking it to the next step as well in educating the customers because ultimately they are the ones that have to protect themselves.
WHEELER: Absolutely. But I think financial services have a greater need to do that just based on what we offer to the customer. I think if you are looking across other types of industries or businesses there may be varying needs to educate customers. I think every organization regardless of your industry vertical has a need to educate their employees.
FIELD: That's well said. Debbie, I appreciate your time and your insight this morning.
WHEELER: Well, thank you very much, Tom.
FIELD: We've been talking with Debbie Wheeler, CISO with Fifth Third Bank. For Information Security Media Group, I'm Tom Field. Thank you very much.