The data reliance on digital banking means that an AI-driven approach to cybersecurity and risk management is integral to its success, UnionDigital Bank CISO Dominic Grunden told CSO. For him and his team, this became more important given the speed at which UnionDigital Bank was established to bolster the Philippines’ digital economy. The bank empowers the Filipino people, communities, businesses, problem solvers and regulators to leverage digital banking, fintech, blockchain and open finance technologies. It was established in just five months, a timeframe that is unprecedented in the banking industry, Grunden says.
From the outset, Grunden recognized the need to adopt an AI-first security policy to keep pace with both the company’s unprecedented growth and the complexity of the digital banking world. Key to achieving this was a seamless relationship with the company’s Chief Data Officer (CDO), Dr. David R. Hardoon. Working together, the two used autonomous technology to implement a “truly holistic” AI-enhanced security and risk management strategy.
How AI-powered cybersecurity is meeting UnionDigital’s banking needs
The proliferation of digital financial technology is high in the Philippines, as is a growing demand for and reliance on cryptocurrencies and other payment methods, Grunden says. “This presents digital banking with an unprecedented opportunity, but at the same time heralds a new era of digital crime. I say that because it is characterized by complex interconnectivity and undefined geographic areas. It’s not like a traditional brick and mortar bench; we have no technical limits.”
The biggest challenge in digital banking is that the threat landscape is changing rapidly and criminals are constantly evolving, using more electronics and becoming more sophisticated, Grunden adds. “They’re impersonal, they’re complex, they’re interconnected, and they use data and advanced techniques that humans can’t keep up with.”
That’s what drives UnionDigital Bank’s AI-first security focus, Grunden says. “We need to be able to keep pace – to be both defensive and offensive by innovating to protect our customers and their data. AI has given us that mechanism to feel like we’re keeping up with the pace of the industry, where we can also understand the behavior and motivations of individuals and consumers, detect criminal activity more quickly, and enhance our collective capacity to prevent financial crime. fighting and repelling can increase, because that is ultimately what it comes down to in the digital banking world. I firmly believe that digital banking will be more than just finance; we become the custodians of customer data. There will be a need for faster risk decisions, such as real-time payment blocking and fraud detection, and we will need to detect breaches faster and respond to breaches more quickly”, while also meeting higher expectations around the consumer experience as digital banking becomes more ubiquitous .
The potential of AI for data transparency: the most important security and quality of risk management
Data transparency is key to achieving this, and AI’s ability to deliver comprehensive, accurate analysis of data patterns is the key security advantage for UnionDigital Bank, according to Hardoon. “AI is fundamentally about identifying patterns and/or irregularities in patterns, and therefore the ability to provide a hyper-personalized service that can spot anomalies. For me, the premise of security, governance, compliance and crime prevention is an essential part of serving the customer. That’s the goal and embedding anything and everything from a defensive standpoint that data implants require a dynamic understanding of behavior that helps to better manage risk,” he says.
Grunden agrees, adding that this transparency of data also provides different perspectives on threat patterns that can be understood and used to identify potential new risks based on trends within the digital banking perspective, reducing the cost and time to detect and react are reduced.
Hardoon cites an example of when he was asked to use AI-powered data analytics to predict non-compliance before it occurred. “Again, this was all about identifying if there was a pattern and asking if we can learn from it. Sometimes the answer is no, but in this case we were able to predict the probability of non-compliance about two or three months in advance.” He admits that the term “probability” is important here, as there is no way to guarantee 100% risk, but if you can say there is an 85% chance of non-compliance, you can move from just respond as soon as it occurs to take preventive measures in a timely manner. “In a way, this allows you to create an opportunity that you eventually want to be proven wrong, because you can take every control and measure to make sure that something much less likely to happen. That’s a real shift in risk management: using data and using AI to find something that might happen, so you can take preventative action to make sure it doesn’t.”
This will enable UnionDigital Bank to improve its attack and threat prevention capabilities, from merely “catching the idiots” who fall into simple traps, to implementing a more sophisticated way to stop attackers using their own autonomous technology to attack malicious run campaigns. “Attackers are becoming much more sophisticated than we might like to admit,” Hardoon says. “The systems we set up go beyond that, and we think in terms of better customer service and more relevant and enhanced defenses. Ultimately, I think this should be an industry-wide approach.”
Grunden thinks about plans to go one step further. “We’re definitely going to the extreme, and a lot of it comes down to the maturity of the security function, despite being a new bank.”
Excitement and tuning integral to AI security success
Grunden says he and his team are motivated by excitement about AI’s potential to improve their cybersecurity strategy, which is a key part of their partnership with Hardoon’s division. “We’re looking at what AI solutions David’s team currently has or what can be built to improve things because we might be buying a product that’s ‘out of the box’ but not good enough for us. We want to go one step further, so we are using AI to create enhanced capabilities and push the boundaries of the products, services and platforms we buy.”
Grunden’s team is working closely with Hardoon’s, especially in areas where AI plays a role and how it can improve things, he notes. “I’ve never had such enthusiasm and commitment to previous organizations I’ve worked for,” Grunden adds. “It’s also about keeping the excitement for an AI-first policy there so we can use the technology to make security our own, and my employees are fully embracing that.”
Both Grunden and Hardoon believe that true AI-powered cybersecurity should be holistic, a concept they are keen to safeguard at UnionDigital Bank. This means operationalizing the end-to-end application of AI related to cybersecurity and risk management.
AI is still evolving with challenges to consider
This strategy does not come without challenges – or at least important factors to consider – Grunden and Hardoon agree. “One is a greater call for talent in relation to AI and cybersecurity,” Grunden says. “Currently, AI technology is still in its early stages, so the cost of creating a talent pool that is very good at both AI and cybersecurity is high.”
There’s also the fact that AI can benefit attackers in certain ways if it’s not properly understood, implemented and used, he adds. “Then there’s the old cliché that more data creates more problems, and while that doesn’t bother me at UnionDigital Bank because of the way our CDO has structured data, in general it’s a problem that you have to entrust data to third parties. . That would be more challenging if we were based in Europe with, say, the GDPR to consider. Finally, if there is room for human error in how AI is deployed, you can still be vulnerable to error.”
From Hardoon’s perspective, the most important point to consider when applying AI to security and risk management is establishing a definition of what constitutes “good risk.” “Of course there is always risk, but AI makes the questions a lot more acute – that is, how much risk is okay? It can tell you your risk levels up front, which is very different from an operational perspective where you find afterwards that you missed something because x, y or z happened downstream. So if you decide that you don’t want to accept the level of risk presented to you, it could affect the operational progress of the companies, so careful consideration needs to be given to how best to take advantage of the output.”
Ultimately, though, AI’s cybersecurity benefits far outweigh any drawbacks or challenges for UnionDigital Bank, Grunden says.
AI will be more important to cybersecurity than many think
Looking ahead, Grunden believes the need for an AI-driven approach to cybersecurity will only increase for the digital banking industry and beyond. “It’s going to be more important than many experts think,” he says. “In my view, AI will be pulled into some sort of security standard over the next five to ten years, whether that’s an ISO standard or something else. Specifically for digital banking, I also believe that there is a very good chance that it will become illegal or some form of non-compliance if an organization does not use AI in their cybersecurity. I think AI will be a catalyst to determine whether the digital banking industry can keep up with the threat actor community, and I can see a time where we can see ‘good AI threat-detecting bots’ that work against ‘bad bots’. ‘ change on the fly depending on the threat landscape.”
Hardon agrees. “AI just needs to be an important part of the defense against cybersecurity. If not, you’ll just get beat up – maybe not now, but someday.”
Copyright © 2022 IDG Communications, Inc.