Pat Opet, the global chief information security officer at JPMorganChase, says three trends today play a role in how his team protects America's biggest bank.
The first is that the bad actors have gotten savvier. “Every time the defenders continue to innovate, you've got attackers who are doing so in parallel,” says Opet.
This year alone, cyberattacks have stung big industries ranging from healthcare to car dealerships to telecommunications giants. The average cost of a data breach in 2024 rose 10% to a record high of $4.9 million, according to IBM and independent researcher Ponemon Institute.
“The most significant change to the ecosystem is the sophistication of the ransomware actors,” says Opet, adding that there’s even been some coordination between nation-state adversaries and cybercriminals that can make it difficult to decipher between the two.
Secondly, there’s the increased reliance on cloud-based, software as a service (SaaS) applications, which have proliferated in popularity in recent years and saw an especially strong surge of adoption as companies embraced remote work during the pandemic. “All these changes in technology creates the opportunity for weakness or failure if companies aren’t diligent in how they mature these capabilities to make them available to employees,” says Opet.
And lastly, JPMorganChase has itself become a much more technology-centric organization, embracing machine learning, public and private clouds, and newer technologies like generative artificial intelligence. The firm has said every new hire will be trained on AI and new tools. An AI assistant that rolled out this summer has been made available to 140,000 employees at the financial giant.
As new tools are rolled out and employees get access to more forms of technology, Opet deploys a “federated” approach to cybersecurity. The CISO has a team of security architects and engineers who are embedded into the development teams to build the necessary safety controls of the latest generative AI tools or cloud platforms.
“The workforce, of course, also has a responsibility,” says Opet. “But even there, we build a lot of security technology into the ecosystem to ensure we can offer that level of resilience and that a mistake doesn’t lead to some sort of cyber event.”
If an employee were to erroneously click a malicious link in a phishing email, for example, the web page would open on an isolated container that’s separate from the rest of the computer. This would prevent the malware from infecting the PC.
JPMorganChase buys some cyber solutions from third-party vendors, which Opet declined to name, though he said the company generally believes that if "there's either a scale problem or there's a capability gap that we don't believe we can get from the market, then we'll build."
Across the cybersecurity industry, Opet says some work must be done to make multi-factor authentication more resilient. That is a security method that requires users to provide more than one form of authentication to access an application or online account. Known as MFA, this line of defense has been adopted widely, giving attackers more motivation to figure out loopholes to exploit. The hackers have made inroads exposing MFA in recent years.
As companies lean more on SaaS solutions, there are also instances where two software tools are sharing information without human involvement and also using MFA to authorize those connections. These machine-to-machine relationships present another area of potential exposure. “There’s some big evolution that’s got to happen in the machine-to-machine space,” says Opet, who advocates for better mechanisms to authorize info sharing between software platforms.
He sees the June cyberattack on CDK Global as another cautionary tale. Thousands of car dealerships were stung by an outage that impacted their dealership management system and this points to two trends: Corporations have lately been preferring SaaS solutions and the best vendors end up gobbling up a near monopoly of customers in certain sectors.
“We’re almost sort of systematically headed towards concentration risk in various sectors, based on those two factors,” says Opet. In response, JPMorganChase works closely with vendors to clearly understand their resilience and recovery methods. “We are looking for better ways to manage the performance of third parties as it relates to cyber,” Opet says.
John Kell
Send thoughts or suggestions to CIO Intelligence here.
