Signal vs. Noise: Banker Cloud Stories by Craig Balding

A good question to ask any professional in any line of business is: which "industry events" do you attend and why? Over a few decades of attending a wide variety of events - and skipping many more - my primary driver is "signal to noise" ratio. In other words, I look for events attended by people that are shaping our industry - specifically deep thinkers, leading experimenters, policy makers, risk takers and of course, "in the field” practitioners. Skip the "talking shops" and seek out people "walking the talk". This is the reason I look forward to attending the regional meet-ups of the CSA Financial Services Stakeholder Platform. The FSSP is a members-only group of banks and financial services organisation focused on cloud security.
In June, 23 of our broader group met in-person in beautiful Leuven, Belgium, where we were generously hosted by Roel at KBC headquarters. We spent the day sharing experiences and discussing emerging practices under the Chatham House rule.

What topics did we cover?
The day comprised of valuable presentations, book-ended with networking sessions. Each presentation served as a launchpad for in-depth question and answer sessions - a natural consequence of peers coming together. For every 10 minutes of presentation, there was an equal amount discussion: digging into the challenges, the alternatives considered, the nuances of organisational fit and the methods and measures that matter.

• A financial institution’s cloud native journey,
• Compliance monitoring and automation
• Key management & Protection: evaluation of hardware, tokens, TEEs and MPC, KUL
• Continuous compliance (on AWS resources)
• Modern Cloud Risk Assessment

Each cloud journey is different and no-single person or entity in the group can lay claim to all the answers. Certainly, some are further in their journey than others, but each is delivering solutions in banks with a different profile, history and organisational culture. The trajectory is the same though: step-by-step getting to "cloud first", striving for "control parity" whilst operating within the banks risk appetite.

What's next?

Our members appetite for cloud is never satisfied! Not only do they bring their “A game” to our events but they challenge us at CSA to facilitate and drive working groups (formal and informal) to work on things that matter. This already happened a while back with the formation of the dedicated CSA Key Management Working Group. So as our session concluded, members shared what's on their mind and as a group we coalesced on the following topics for future focus:

• Container security: check potential synergies with the Container & microservices WG - but not interested in container “use cases” but addressing underlying security aspects.
• Understanding, quantifying, assessing, simplifying and benchmarking cloud complexity as the cloud adoption scenarios are becoming more and more complex (aka “complexity risk”)
• With increased focus on innovation and increased transformation of waterfall to agile operations the FSSP members would like to more actively share cloud change stories in the financial industry.

If you have responsibility at a bank or financial firm for cloud security policy, architecture, engineering, risk management and/or controls assurance ...you really are missing out if you miss these meet-ups. Skip the low signal/noise events and join us at a regional FSSP meet-up near you. Get in touch to find out more.

CSA Financial Services Stakeholders Platform: https://cloudsecurityalliance.org/research/working-groups/financial-services-stakeholder-platform/