A popular meme that circulates in IT security circles illustrates the vulnerability of a network by depicting a medieval knight clad in armor with an arrow protruding from his visor’s eyehole, the one place that can’t be protected without leaving the knight unable to function.
“That arrow represents your users making a mistake. The biggest security events that have occurred over the last 10 years, 98 percent had a user genesis, where a human being was being a human being and made a mistake,” says Endre Jarraux Walls, executive vice president and chief operations and technology officer at Customers Bank, a community-based, full-service bank operating in Pennsylvania, New York, Rhode Island, New Hampshire, Massachusetts, and New Jersey.
Five years ago, cybercriminals attacked companies and their networks. Today, they attack individual employees, using a range of social engineering tactics to induce users to divulge sensitive information, be it personal or business. Walls—referring to the IT professional himself, not the cybersecurity barrier—mitigates such attacks and protects banks, customers, and their assets by managing risk, overseeing governance and compliance, and developing security operations.
Banking customers have an expectation that their institutions are consistent and reliable stewards of their personal information, an expectation that Walls considers very reasonable. This requires banks to “walk the walk.”
Walls integrates governance and cybersecurity directly into business culture, focusing on individuals rather than implementation and details. At its core, managing cybersecurity requires educating people and arming them with adequate tools to protect against cyberattacks, he says.
“It can’t be about the technology; it has to be about the people. Security now has to be about personal self-awareness and the ability of people to control their own data, technology, and interaction with people from the outside world that might have nefarious intents,” Walls asserts.
Walls came to Customers in 2018 from Ricoh where he served as a managing partner for global advisory services. Before transitioning into his latest position in October 2022, he was Customers’ chief information security officer and an EVP. As CISO, Walls and his security team created a portfolio of consumable security products that allow customers to bank seamlessly without security risks.
“They reduce the amount of friction in the authentication process and make it easier for people to log in without having to remember twenty passwords using biometrics,” Walls says.
Currently, seven SVPs report to Walls, who relies on the 80/20 percent ratio as part of his leadership style: listening 80 percent of the time and teaching and sharing insight only 20 percent of the time. As a leader he feels his role is to ensure that his direct reports have the necessary tools and support to achieve their strategy, making him accountable to them. It’s incumbent upon him to share Customers’ overall business strategy with his direct reports so they understand how their plans fit in.
“The 80/20 percent rule is important because your job, especially at C-level, is not to micromanage, not to tell people how to do their job, even if you are a subject matter expert in something as a C-level executive,” Walls says. “You shouldn’t be dictating. We shouldn’t be in the weeds. You should have people in your organization that you trust enough to lead and be accountable for a strategy. Your job is to hold them accountable.”
Typically, the relationship between banks and banking regulators is viewed as adversarial. Not so at Customers. Good banks, Walls says, consider banking regulators their partners. “We don’t look at them as eyes over our shoulders [but instead as] people who help us ensure that the controls and things we are doing and putting in place are not just sufficient but exceed the standards we have in our industry,” he explains.
Walls has formed relationships with regulators, solidifying Customers’ reputation as an institution committed to protecting its customers’ and employees’ data. Customers was one of the first banks in the nation to offer its commercial institutions an instant payment rail, allowing them to transfer large sums of money.
To implement this technology, Walls worked closely with regulators to gather feedback during the process without compromising on security. “This is a solid example of how we’ve leveraged our regulatory relationship to create and innovate in an industry that does not create and innovate very often,” he says.
Walls has a cybersecurity mission, but knows that others have a counter mission. “Hackers are their own industry. They do this for a living. The wise security practitioner must keep this in mind,” Walls says. The difference is the cybercriminal only needs to be correct one time to cause a breach. The security team must never be wrong.
The key to cybersecurity in the future is implementing strong internal hygiene while preparing people to tackle the challenges that create a lack of security. Walls advises that institutions must blend good technical discipline, solid data hygiene, and strong training programs to mitigate the human influence that can cause security breaches.