AI’s strategic role in cybersecurity and safeguarding data
BOK Financial’s Erin Rogers shares on our podcast how a vetted AI strategy can cut data breach response time and costs while protecting banks where they’re most vulnerable.
Key Takeaways:
AI in cybersecurity needs proper controls. It’s a mixed bag as AI in cybersecurity matures. For every six data breaches across all industries, at least one can be called an AI-driven attack, according to an IBM report. And roughly 97% of the compromised organizations lacked proper AI-access controls. At the same time, companies using AI and automation to bolster safeguards reduce breach costs by $1.9 million on average. It’s little wonder that the banking industry, while cautious, wants to explore the possibilities.
V is for vendors and vetting. Many FIs leverage AI capabilities through third parties. Here’s where stringent vetting is a must, says BOK Financial cybersecurity head Erin Rogers. Among a bank’s primary questions: Do these vendors have a governance framework? Are there strict data access controls they will enforce? Do they have version control for their AI models? What level of testing will they conduct? And that’s just the start of her checklist.
A practical AI action plan against breaches. Wondering which applications to consider first? An AI, or even agentic AI, solution for cybersecurity in banking might initially address remediation or autonomously deploying security patches, says BOK Financial’s Erin Rogers. Eventually, the industry could consider AI for helping adjust firewall settings.
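The remediation step in this action plan starts with deciding what to patch first. Later in the transcript Rogers describes the underlying problem: one scanner for on-premises assets, another for cloud, and tens of thousands of findings that need to be normalized and ranked by where a threat actor is most likely to go. The following is an added example, not BOK Financial’s tooling or any vendor’s product; it merges two constructed scanner exports into one schema, deduplicates findings that both scanners report, and ranks them using asset exposure and known exploitation rather than raw severity alone. The scanner column names, the asset inventory, the CVE identifiers and the scoring weights are all assumptions made for illustration.

```python
"""Normalize findings from two scanner feeds and rank them for remediation.

Added example, not BOK Financial's tooling. The scanner record layouts, the
asset inventory, the CVE identifiers and the scoring weights below are
constructed for illustration only.
"""
import csv
import io
import json
from dataclasses import dataclass

# Constructed on-premises scanner export (CSV). Hypothetical column names.
ONPREM_CSV = """host,vuln_id,cvss,exploit_available
ws-0042,CVE-0000-0001,9.8,yes
ws-0042,CVE-0000-0002,5.3,no
db-prod-01,CVE-0000-0003,7.5,yes
"""

# Constructed cloud scanner export (JSON). Hypothetical field names; this
# scanner reports a severity label instead of a CVSS number.
CLOUD_JSON = json.dumps({"findings": [
    {"resource": "web-edge-01", "cve": "CVE-0000-0004", "severity": "HIGH", "known_exploited": True},
    {"resource": "db-prod-01", "cve": "CVE-0000-0003", "severity": "HIGH", "known_exploited": False},
    {"resource": "batch-07", "cve": "CVE-0000-0005", "severity": "CRITICAL", "known_exploited": False},
]})

# Constructed asset inventory: business criticality and internet exposure.
ASSETS = {
    "ws-0042": {"critical": False, "internet_facing": False},
    "db-prod-01": {"critical": True, "internet_facing": False},
    "web-edge-01": {"critical": True, "internet_facing": True},
    "batch-07": {"critical": False, "internet_facing": False},
}

# Map the cloud scanner's labels onto the CVSS scale used by the other feed.
SEVERITY_TO_CVSS = {"CRITICAL": 9.5, "HIGH": 8.0, "MEDIUM": 5.5, "LOW": 2.5}


@dataclass
class Finding:
    """One normalized finding, regardless of which scanner produced it."""
    asset: str
    cve: str
    cvss: float
    exploited: bool


def parse_onprem(text):
    """Parse the CSV export into Finding records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Finding(r["host"], r["vuln_id"], float(r["cvss"]),
                    r["exploit_available"].strip().lower() == "yes") for r in rows]


def parse_cloud(text):
    """Parse the JSON export into Finding records."""
    return [Finding(f["resource"], f["cve"], SEVERITY_TO_CVSS[f["severity"]],
                    bool(f["known_exploited"])) for f in json.loads(text)["findings"]]


def merge(findings):
    """Collapse duplicates on (asset, cve): keep the higher score and OR the
    exploitation flags, so one scanner's knowledge is not lost to the other's."""
    merged = {}
    for f in findings:
        key = (f.asset, f.cve)
        if key in merged:
            m = merged[key]
            merged[key] = Finding(m.asset, m.cve, max(m.cvss, f.cvss), m.exploited or f.exploited)
        else:
            merged[key] = f
    return list(merged.values())


def score(f, assets):
    """Risk score: CVSS plus weights for known exploitation, exposure and
    criticality (weights are assumptions, tune them to your environment)."""
    a = assets.get(f.asset, {"critical": False, "internet_facing": False})
    s = f.cvss
    if f.exploited:
        s += 3.0
    if a["internet_facing"]:
        s += 2.0
    if a["critical"]:
        s += 1.5
    return round(s, 1)


def prioritize(onprem_csv, cloud_json, assets):
    """Return (asset, cve, score) tuples, highest remediation priority first."""
    merged = merge(parse_onprem(onprem_csv) + parse_cloud(cloud_json))
    ranked = sorted(merged, key=lambda f: (-score(f, assets), f.asset, f.cve))
    return [(f.asset, f.cve, score(f, assets)) for f in ranked]


if __name__ == "__main__":
    for asset, cve, s in prioritize(ONPREM_CSV, CLOUD_JSON, ASSETS):
        print(f"{s:5.1f}  {asset:12s}  {cve}")
```

The ranking illustrates the point Rogers makes about prioritization: the CRITICAL finding on the isolated batch host ends up below a HIGH finding on the internet-facing edge server with a known exploit, and the database finding that both scanners reported is counted once, carrying the exploit flag that only one of them knew about.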
TRANSCRIPT:
Rachel Koning Beals: Erin, I always like to get the lay of the land at a bank. These days cybersecurity risk and fraud risk are both moving faster than ever, requiring their own expertise, and their split depends on institution size, of course, but your role is cyber-specific and data breaches … fraud has its own department. These are separate demands at the bank these days. Can you talk a bit about your role and how this role might take shape within our industry?
Erin Rogers: Yeah, it’s a great question to start off with. So again, thanks for having me. I really appreciate, you know, the conversation for today. So, I’m really responsible for what we would call two programs within our cybersecurity group. So, the first is identity access management, which ultimately controls who has access to what from a system and a data perspective. The second is a security risk management program that we have, which is responsible for identifying, assessing, and mitigating our cyber-related risk. And so we’ve got, I think it’s seven different programs, formal programs that we have within cybersecurity as a whole, and then just from an organizational perspective, the way that we do it at BOK Financial is we have our Cybersecurity Group and then we have actually a separate Fraud Group as well that’s outside of cybersecurity, but both of our departments roll up organizationally through the Chief Risk Officer, which I think makes sense, right? Because that’s what we’re talking about here. We’re talking about cyber risk, fraud risk, how we prevent those things. How do we prevent, you know, a breach? So we’re great partners. We work hand in hand, even though we’re two distinct departments within our organization.
Rachel Koning Beals: I, you know, think about AI daily in banking from both sides, right? Is AI bringing in new risks to our industry? Yes. Is AI bringing in new opportunity to our industry? Yes. You sort of live at the crossroads of that. How does your department then start to approach the question, the problem?
Erin Rogers: Yeah, I think it really kind of goes back and, you know, in the [IBM] report itself, it’s really talking about breaches against, I think, organizations that have implemented some type of AI solution or capability. And so if we’re talking about, well, how do we mitigate against those types of situations, we’re really looking at, you know, our supply chain. And I read a report earlier this week that said something to the effect of, out of organizations that are adopting AI, I think 46% said they were solely just purchasing a capability from a vendor solution versus developing it themselves. So I would think that just reinforces the importance of having a strong third-party risk management program.
So if you don’t have one, it would be something to the equivalent of, you know, how are you protecting your house? Maybe you put into place this gated drive or a driveway at your house, and then you have the most advanced security system with cameras and alarms or whatever. And then you’ve got commercial grade locks on your doors, but you maybe have this absent-minded housekeeper that has a bad habit of not locking the door behind her or leaving the gate open. So you know, if you don’t have a solid program in place, you know, start looking at the building blocks of one when it comes to third-party risk management. Do you have an accurate inventory of all those relationships? Are you able to categorize them on some risk-based level, based on maybe their criticality, or how much data you are providing to them? What sort of due diligence process do you have for vetting them before you even sign a contract? And that could be, you know, there’s a number of different ways you can do that. It’s through questionnaires or obtaining a SOC 2 report, or several cybersecurity rating tools that are out there that provide great solutions, and you have some sort of ongoing monitoring process.
But when we’re talking about AI specifically, I think it was back in 2022 that, you know, we had all this hype, right? We’re hearing a lot about LLMs (large language models), and you know what’s coming out, ChatGPT, those sorts of things. Well, at that time, we really took a fresh look at our third-party risk program and said, What are we doing specifically around AI? And so that’s when we started making sure, as part of that due diligence process, we’re using ongoing monitoring. We’re making sure that we’re looking at who is offering these types of capabilities and our products and our services.
And then, do those vendors have a governance framework, right? Are there strict data access controls that they have to enforce? Do they have version control for their AI models? What sort of testing do they do? Do they have secure development practices? How secure are their systems? Are they utilizing encryption, so those types of things. So you want to make sure that, you know, regardless of AI or whatever the new technology is, just make sure that you’re adapting your current processes to kind of account for, like you said, with new opportunity, because with it comes new risk, right? So you want to make sure you’re adapting as you kind of go along.
Rachel Koning Beals: Banks are stretched with resources. Can AI, once vetted, start to reinforce where human power can’t always fill in all these gaps, right? Are your cybersecurity teams starting to engage AI in some of these battles specific to data breaches too?
Erin Rogers: Absolutely. And you know, it probably first started with us with automation, right? So even before, you know, we have this AI hype that we have today, and that’s been around for years in helping us reduce our, what we call our breach response times. And so tools like your SOAR, or security orchestration, automation and response tool, or your endpoint detection and response. Those types of tools have provided a type of, you know, automation through rule-based actions, so some sort of conditional trigger based on if/then logic. So, if this happens, then this predetermined response occurs, right? Well, what we’re seeing now in the industry is the use of agentic AI that enables some type of autonomous analysis of threats and more real-time decision making and adapted responses based on learning: ‘Hey, the decision that we made, did that work out? Was it the right decision, or do we need to adapt? How are we going to respond in the future?’
And so we actually have a director on our team right now who is currently developing an agentic AI solution that will help act as a Tier 1 incident response analyst, you know, analyst in quotes, which we’re hoping will create greater automation capabilities for us and allow us to reallocate some of those resources that we have to other tasks. And so really, I think the cost reduction and the response times, we’re not looking at cutting necessarily head count, but it’s, hey, we’re able to do more with less.
Rachel Koning Beals: Does this sort of AI defense make more or less sense, and that may be too binary, but depending on the size of the institution… Makes you think it gives smaller institutions a more level playing field. But then you kind of wonder if larger institutions have more resources to even experiment with. So, you know, I can kind of see the argument going both ways, right?
Erin Rogers: I think you could say this probably for any type of cybersecurity defense, not just limiting it to AI. So how scalable are cybersecurity defense measures in general? But I would say, yes, absolutely, they’re scalable. I saw that the IBM report also mentioned, I think it was like 16% of breaches involved attackers using AI. So again, really want to make sure that we’re also leveraging it to our own capabilities. And so just because you’re a small institution, don’t assume that you can’t implement something like this to help.
So I’ll give an example. So two years ago, we implemented a solution that would analyze email behavior, and so it’s looking to detect signs of business email compromise and automatically block or quarantine suspicious emails. So we were actually performing the POC for this product when it caught a $2 million fraud attempt for us. So having something like this type of tool can be quite helpful if you’ve got a vendor or a client that’s had their email compromised. So that’s just one little way where we’ve implemented something or some type of AI capability that’s helped us.
You don’t have to necessarily boil the ocean, you know, when you’re looking to adopt AI, but it’s really kind of looking at your program as a whole and figuring out, hey, where do we need to supplement, where do we have maybe some potential weaknesses?
Rachel Koning Beals: When you’re sort of dreaming a little bit or you’re just talking and you’re wondering about the near-term future of AI when it comes to solving for cyber risks, where does that conversation go?
Erin Rogers: So near term, I see security teams investing in AI, like we said, not because they’re looking to reduce head count, but they’re just overwhelmed by the sheer number of threats and vulnerabilities that they’re having to defend against. So, you know, like we said earlier, you know, they (cyber attackers and fraudsters) have to be successful once; we have to be successful 24 hours a day. We’re making investments and looking to mature our own incident response capabilities through agentic AI. I also saw that CrowdStrike has announced this new acquisition, and through that, they’re calling, they’re kind of promoting this SOC for the agentic era.
So for the near term, I really feel like AI is going to play a big piece into considered response. But I read a report the other day that really kind of talked about some potential opportunities when it comes to vulnerability management, and I think that’s really that next big area where AI can help. So in this report, it said that there’s, like, an average, I think, of six vulnerabilities on each asset. So if you’re at an institution, and let’s say you have 5,000 workstations and 10,000 servers, you might have 40,000 vulnerabilities that you’re looking to remediate or patch or whatever. And so a lot of it’s probably remediated through the normal patching cycles…
But what about the vulnerabilities that aren’t and so how do you find the critical vulnerabilities, like the movement vulnerability in your [unclear] that you’re trying to work through? And so that’s where I think AI is really going to help in the future, and so you can have maybe one scanning tool for your on-premises access, another one for your cloud. How do you normalize that data to help prioritize your work and to really see, what do we need to concentrate on? Where do we feel like that? The where? The vulnerabilities that the threat actor is most likely going to go after? So I think an AI or an agentic AI solution can really help evaluate maybe potential impact, prioritize those vulnerabilities for you for remediation, autonomously deploy patches, upgrade security settings or just firewall settings.
Rachel Koning Beals: This makes me think that cybersecurity professionals constantly have to be upskilling, constantly have to be recruiting top-skill folks to have a cursory understanding of financial services in addition to being cybersecurity experts. [TRIM] Talk to me a little bit about how you think the financial services can continue to attract high skills participants in cybersecurity and, you know, is there a shortage? Or how are you feeling, sort of about the outlook of that space?
Erin Rogers: I do feel like when it comes to a shortage of skill and talent, you know, and at our organization, we’re actually making investments in the community and partnering with our local community colleges, the University of Tulsa, in some initiatives to help with that and to help grow the local talent here, when it comes to cybersecurity, and, you know, as far as AI and how it plays into that, I think it’s going to help supplement our skills, right? So we’re always being asked to do more with less, and at the same time, we feel this internal pressure of we have all these things to defend against, and everything’s moving so quickly, and you know, how do we keep up? And so there’s just such a great potential, I feel like, for using AI to help ensure are we coding things securely, right?
And though our job as cybersecurity professionals is maybe to look at what our developers have done, and you know, we’re looking and scanning, dynamic code scanning and looking at what they’ve put together. But if we’re using AI on the front end to really help make sure that they’re coding something securely before it either comes to our part of the process or those other checks, it just makes it a little bit more efficient on their end. And we’re just kind of building that defense in depth, right, and kind of building off of that.
So I think there’s, I think there’s a lot of opportunities where AI can help, like I said, you know, supplement some of this. I don’t feel like it’s going to entirely replace, or, you know, entire programs or automate all of this. It’s really just, How do we make things more efficient to where we’re not having to spend dedicated time and resources on, you know, the smaller, maybe the more mundane type of work for us.
Rachel Koning Beals: Because listeners are no doubt at varied places in their AI journey, what are some practical steps that institutions can take to better protect themselves against breaches?
Erin Rogers: So I’m always an advocate for strong access controls. Most breaches at the end of the day, even with AI coming out there, most of them are related to an attacker gaining access through compromised credentials. So I think the more that you can limit excessive privileged access to data, really making sure you have strong privileged access controls, you can reduce your attack surface and the impact of a breach. So I would say, you know, if you’re only going to do something, or what you know are a couple of things, four things, right: implement MFA [multi-factor authentication] wherever possible. So MFA everywhere. Create alerts off your access logs. Really look at how quickly you’re revoking access when it’s no longer needed, and then limit access as much as possible to sensitive data. So those are the things that we really kind of concentrate on.
Rachel Koning Beals: Erin Rogers of BOK Financial, thank you so much for jumping on today to talk about this really important topic. I learned a lot, and I feel a little bit safer, so I’m really grateful to have some time with you.
Erin Rogers: Thanks so much for having me. I appreciate it.