The skills crisis in the cybersecurity field in South Africa is so severe that the major banks have reached a “gentleman’s agreement” not to poach each other’s staff for fear of exacerbating the situation.

In an interview with TechCentral, Absa chief security officer Sandro Bucchianeri said that although the bank has been able to secure the skills it needs, it’s been with “great difficulty”.

“I have a gentleman’s agreement with the other banks that we will never poach their people and they won’t do the same. We can’t stop people from applying for roles, but we won’t actively go and poach them, because that just compounds the problem,” Bucchianeri said.

An edited transcript of TechCentral’s wide-ranging interview with Bucchianeri follows.

TechCentral: What’s your career background?

Bucchianeri: I’m a kid from the Cape Flats, but spent the best part of 14 years abroad. I worked for the likes of VeriSign, which bought Mark Shuttleworth’s Thawte Consulting business in the early 2000s. I worked for VeriSign for about 11 years, living in the US, then moving to London, then to Abu Dhabi before ultimately coming home in August 2017 to join Absa. In total, I’ve spent about 22 years in cybersecurity.

TechCentral: Absa is currently going through a separation from former parent Barclays. How does that affect your portfolio?

Bucchianeri: The separation programme is a three-year journey. It will be done in June 2020. I was originally brought in to look after technology security as chief technology security officer. When the previous incumbent left, I was given the role to take over the security function. In essence, we are setting everything up from scratch. In the past, Barclays looked after everything security related. They would send through policies and solutions and the team here would implement them. We have now flipped it, where we have had to set up a security function from scratch, which we have now done.

TechCentral: What does your day-to-day job entail?

Bucchianeri: Meetings, and lots of them. Most of it is about driving the strategy forward and maturing the function we provide to the organisation.

TechCentral: There have been significant distributed denial-of-service attacks against local banks and Internet service providers in recent months. How has Absa been affected?

Bucchianeri: We have been attacked, just like the other banks. Fortunately, the solutions we have in place have successfully mitigated those attacks. While we may have been attacked – and we are attacked on a daily basis, just like any other organisation that’s connected to the Internet – the solutions and teams we have in place have ensured there is minimal to zero impact on our customer base.

TechCentral: Has there been a dramatic acceleration of these attacks in recent months?

Bucchianeri: Yes, but it’s a global thing, not just South Africa. You also hear a lot more about breaches around the world, not because there are more breaches necessarily, but because people are talking about them more. People are sharing a whole lot more. From a security perspective, we don’t talk about competitive advantage anymore, we talk about collaboration, because if something is happening to me, I can help the blue bank or the green bank mitigate an attack and vice versa. We try to share things – not sensitive information, but indicators of compromise that we can utilise to better defend ourselves as the financial ecosystem collectively.

TechCentral: What are the most common attack vectors?

Bucchianeri: Denial of service is one; phishing is a massive one. We are seeing a huge increase globally in insider threats, too, with syndicates paying insiders to install malicious software in the internal environment.

TechCentral: How do you tackle that?

Bucchianeri: We have an “insider trust programme”, which looks at different risk indicators and uses that data to better defend the organisation – understanding what’s happening in a given area, using multiple data sources to feed into our defence controls.

TechCentral: The financial services sector is heavily regulated. How do regulators deal with cybersecurity?

Bucchianeri: The regulators ask how we protect ourselves – our customer data and our systems. We have to give them assurances and the comfort that we are protected. From 2020, you will see regulators demanding a whole lot more.

TechCentral: What are the rules around disclosure after an incident?

Bucchianeri: We subscribe to the guidance notes from the South African Reserve Bank. If there is an incident, we have to inform the regulator and we take the approach of being open, honest and transparent, whether it’s with the regulator or the customer base, because it’s much easier to manage the message that way. These things do happen – breaches and attacks do happen. It’s how you manage it that will determine your success or failure and help you manage your reputation.

TechCentral: If there was a significant successful attack on the bank, what would your steps be to deal with it? Who would you inform first?

Bucchianeri: We run the scenarios in our incident response plans. Also, when we do our crisis management planning with our board and with our exco, we run through these scenarios. Depending on the severity of the data that was lost or compromised, we have certain playbooks we would invoke. The playbook would then inform us exactly who we call in, who we don’t call in, who we inform, all those kinds of things. The relationship we have with marketing and communications (the PR team) is vitally important. We have engagement with our exco and with the CEO specifically so he understands his role in the incident.

My direct line into the exco and the board is very clear. The support I receive from both those two entities is phenomenal. We have quarterly updates with the board so they understand the cyber-risk and the physical and resilience risks. It’s better to be prepared. We can’t cover for everything, but we cover for the bulk of what our risk position is.

Understanding what your risk appetite is, is important. There isn’t a bottomless pit of cash for security, so you have to manage the risk versus the benefit.

TechCentral: How has your spending on cybersecurity changed over the years?

Bucchianeri: Because it’s a new function, it’s been on the high side. But the typical average globally is 6-12% of the IT budget, but we are always looking to reduce that number. If the cost of protecting an asset is more than the asset is worth, it makes no sense. Understanding your risk tolerance is very important when you talk budgets.

TechCentral: What advice would you give to the boards and CEOs of other companies that must have conversations with people like you in their organisations? What questions should they be asking?

Bucchianeri: Typical things include, where does security sit in your organisation? How important is security? Who gets fired when something goes wrong? Where does the accountability lie? You still see security people reporting in through the CIO. That’s a massive conflict. I don’t report in through the CIO, who is my peer. If I did report into him, and I raised issues around vulnerability management, he could veto my concerns because it serves his interest and the agenda he’s shaping. That’s why security needs to be on its own. Everything needs to feed into risk in the sense that you need to raise those issues on your risk registers. Ninety percent of the time, the CSO or CISO (chief information security officer) reports into the CIO. That is slowly changing but depends on the risk profile of the organisation. It’s not an IT problem, it’s a business problem.

TechCentral: Given the pronounced skills shortage in cybersecurity, can you find the skills you need?

Bucchianeri: With great difficulty. I have a gentleman’s agreement with the other banks that we will never poach their people and they won’t do the same. We can’t stop people from applying for roles, but we won’t actively go and poach them, because that just compounds the problem.

We have set up a Cybersecurity Academy with the Maharishi Institute in Johannesburg. We bring marginalised youth through the institute, giving them a hot skill and financial empowerment so they can earn a living. We started this programme in March 2019 with a group of 24 kids. At the end of their certification, they become qualified cybersecurity analysts. They are either hired by us, or one of the many companies that need these skills. We want to set an academy up on the Cape Flats and, ultimately, we want to train 300 people a year.