JP Morgan security chief warns that cyber defences ‘will fail’

Cyber experts speaking at Sibos argued that firms should prioritise resiliency and recovery over prevention.
By Jonathan Watkins

Major financial institutions have been told to focus less on the prevention of cyber attacks and more on dealing with the inevitable breaches by a panel of security experts. 

JP Morgan’s chief information security officer, Rohan Amin, advised an audience at the Sibos conference in Toronto that “prevention will fail, it’s about resiliency and recovery”. 

“Shift investment from preventative to regular exercise for your teams,” he added. “Test them out; who will make decisions and when. Prepare for eventuality.”

His comments followed stark warnings from hacker, inventor, entrepreneur and technology futurist, Pablos Holman, who said cyber criminals will always be one step ahead.

“Attackers have more time and attention to waste on messing with your stuff than you do,” said Holman. “Change your perspective. It’s a risk management problem, assume you’ve been compromised and act accordingly.

“Economic value is in computers and the companies that run them.”

Cyber security has become an increasingly large problem for major financial institutions, prompting major investments and also a shift to the training and educating of staff.

While commending these efforts, the panelists agreed that technologies need to be engineered to withstand attacks rather than throwing ‘manuals’ at staff on how to prevent attacks.

“There’s no manual with iPhones now,” added Holman. “It’s about getting technology to work with humans, rather than getting humans to work the way computers did.” 

Admiral Michelle Howard of the US Navy concurred, explaining that people need to stick to their day-to-day work rather than trying to think like a hacker, adding that safeguards need to be built into technology and processes.

“When turning a light on, do we want people to run an electronic power plant or just flip a switch?” she explained in an analogy.

Research conducted by MetricStream last year revealed that 66.2% of surveyed financial services institutions have faced at least one cyber attack in the last 12 months.