So how do leading global companies address mobile security for clients and staff? Where have we been over the past few years and where are we going next? How can security leaders approach this mobile security topic?
To answer these questions and much more, I am delighted to bring you an interview with Eric S. Green, a top industry thought leader who serves as the head of mobile security for HSBC Bank.
Eric Green has had an impressive career with diverse experiences ranging from Dow Jones & Company in Hong Kong to leadership at several startups to his current role as global head of Mobile & Mac Security at HSBC.
I first met Eric back in 2009, when he was the program director for SC Media. I was immediately impressed with his insights, knowledge of the security industry, immense network of global experts on different topics, and thought-leading approach to programs and new industry deliverables. Eric is well-known for his strong communication skills and innovative perspectives that constantly challenge paradigms on a range of cybersecurity topics.
Dan Lohrmann (DL): Eric, you have been a thought leader in many security industry roles. How is your innovation lens different as head of mobile security at a global bank such as HSBC?
Eric S. Green (EG): I began learning and working in the “security startup world” with Mobile Active Defense and Cyber adAPT from 2009 or so moving forward, which significantly influenced how I approached a much larger role at HSBC. First, treating the division like a startup within a giant global organization has helped us be nimble, and partner very closely with our counterparts within IT and Risk. When you are small, you quickly learn to successfully work with everyone you can to rise to the top together — this has been a major approach from day one for me at HSBC and as a result has helped us get a lot done in a relatively short amount of time, particularly within such a giant global organization. By the way, this also pertains to being part of “key industry groups” who are “laser targeted” toward mobile professionals with large banks — very important to keep in touch with peers in the community.
Innovation is essential, particularly in mobile and, as it turns out, the Apple Mac world. Whether it is keeping ahead of the latest threats or keeping up with the latest developments coming out of various hardware and software manufacturers tied to our space, in the end it takes a certain amount of agility and innovation, not just to be satisfied with the status quo but to make everything fit for purpose.
Mobile was, is and will remain primarily a consumer space, and although we benefit from excellent relationships with our vendors, in the end, much falls on us to work with our IT and Risk counterparts to think well outside the box to deliver the kind of user experience our employees expect from the all-important mobile devices they use — and do it securely.
Which, needless to say, keeps things very interesting.
DL: What changes happened in the online security world when the pandemic hit in 2020?
EG: Well, for one thing, almost at the snap of your fingers we moved to over 220,000 employees working from home. As it turns out, being so global, our organization has always been very “video-conference-call centric,” so for sure, in the IT and security world that I live in, the transition wasn't too big. We just started doing video calls from home rather than from our office desks.
From the mobile perspective, once we put our controls in place, one variable we always look at is “who is touching which device?” In general, and now with everyone working and living around the clock at home, you can bet that employees’ kids get their hands on devices, whether corporate or BYOD. Not getting into the specifics, but as I said in the first question, these are things we need to be ahead of with our controls. That’s just one example of such things.
DL: Most experts think the online “bad actors” are ahead of the Fortune 500 companies. What cyberthreats do you believe require the most attention? Why?
EG: In mobile, OS-level critical vulnerabilities are something we need to keep a keen eye on. As good as your device attestation checks are, as a colleague of mine loves to say, “it is a cat-and-mouse game” when it comes to being able to stay ahead of detecting device jailbreaking and rooting. Having controls in place for that — multiple, preferably — is key, and staying on top of OS CVEs and acting to update entire relevant estates is very important.
I agree that “bad actor” attacks are hard to defend against, let alone prevent. But again, the block and tackle of good security hygiene, as I said before, working closely with your hardware and software providers while regularly re-evaluating and testing your controls, many of which are built from more than one solution, is critical. But in the end, the most damage can be done by owning the very systems/OSs/devices that are trusted.
DL: How have financial institutions responded to meet pandemic security challenges and new client expectations with working from home and mobile banking?
EG: From the financial institution perspective, mobile/remote banking is nothing new, and a great deal of time, money and effort globally and industry-wide has gone into this. Mobile apps, whether finance, health care or otherwise, are protected by built-in security solutions. I believe in situations like we currently face, phishing protections and security awareness become that much more important, as “bad actors” can use much more fear, uncertainty, emotion and lots of time to get at unsuspecting users.
Again, I’d argue this is across industries and not just a finance thing.
DL: What worries you most about cyberdefense in 2021? What is HSBC doing about that?
EG: Another set of global trends which are “no state secrets” are the move to the cloud, increased demand for BYOD and a constant push to be able to do more with your mobile devices — increased efficiencies and more. Just those three things are keeping us all on our toes and constantly looking for new, better controls to achieve all of these things while reducing risk. This is where added solutions for detection, as an example, and using already purchased enterprise-based solutions, like those for vulnerability management and SIEM, become more tools in the arsenal.
Honestly, 2021 doesn’t worry me any more or less, as we are always doing our best to stay ahead where we can.
DL: What innovative changes do you see coming in the next three to five years? How will the user experience change?
EG: First off, we saw, for instance, Mac OS getting closer and closer to iOS over the years, and now here we are with the latest Mac and OS, and you can run iOS apps on it. The term the industry throws around is "modern management." Whereas mobile device management (MDM), and the various other terms thrown at it, has been used for the last decade or so, those very management capabilities originally afforded the mobile world, and then the Mac world, are coming to a Windows world near you! This will, in the end, be another significant shift, not just with IT and management and control, but with risk and security. And yes, this very much ties in to that cloud thing.
So how will the user experience change? The idea, ironically enough, is for it not to, right? Same user experience whether you are on a PC, Mac or mobile device, with access to the same resources and just as easily. Real anytime, anywhere-type stuff, which is talked about a lot today, really doesn’t exist.
DL: Thinking about new technologies such as 5G, artificial intelligence, better smartphones and others, how will cybersecurity challenges need to evolve?
EG: Wi-Fi, Bluetooth, RFID, NFC, now 5G and AI. Innovation in technology requires equal if not greater thought and innovation in cybersecurity. I am fortunate to work with very talented people who are great at breaking things because that, in the end, is how you secure them and that’s all I will say about that.
Mobile device technology continues to evolve, but at the same time, thankfully, OS vendors are giving us more APIs (and hopefully will continue to) to work with toward various security controls. It’s no secret that complexity adds to insecurity, so we have that going for us as the attack surface area just gets bigger and bigger. Again, though, that’s why we need to keep learning, testing, adding and updating controls. I’d say using the analogy of Groundhog Day (the movie) isn’t exactly right, but it gets the point across. The difference is that in security, hopefully, we learn from past mistakes as we face new challenges that, frankly, when you boil them down, really aren’t that new.
I guess my final statement here is to all of those mainframe naysayers: First off, such environments are still everywhere and strong as ever, but that’s not where I am going with this. The olden days of dumb terminals with computing being done at the big giant server are back! The big giant server may be the cloud and the dumb terminal may be a feature-rich, super-sleek, easy-to-use mobile device or laptop, but it's the same principle. That’s where we are going — "back to the future" … or something like that.
DL: Is cybersecurity still a good career field? How do you see security careers evolving? Does HSBC have enough cybertalent?
EG: Heck, yes, it is still a great career field. Care to help me find a Mac security engineer in the U.K. or a mobile security engineer in China? It’s hard to find people unless you steal them or start them young and nurture them into the industry and company — which I am a huge advocate for.
Listen to you asking me how security careers evolve, having been at the top of the game in the public sector on the federal and state side, as well as the private sector. But seriously, like any other career, it doesn’t evolve unless you make it evolve. That could be by furthering education on the technical, operations or policy side of cybersecurity, or by branching out to other or emerging worlds of security like mobile, cloud, IoT or others. Hiring well, training well and succession planning matter. There is no question the field provides for growth opportunity and is fun, dynamic and exciting.
We have a fantastic cybersecurity team at HSBC. I sat with a good deal of folks across departments in the New Jersey office, and although my day-to-day didn’t involve other parts of cybersecurity because mobile is so unique, it was amazing having so many smart minds around to bounce things off of when need be. I like working at home just fine, but that has been very valuable to me and I hope to, at least to a degree, get back to some of it.
DL: What has been the highlight of your career? Any secrets to your success?
EG: One of the highlights of my career in security over the last 20 years was being fortunate enough to meet, network and become friends with so many amazingly talented and experienced security professionals — and yes, you are one of them. More than any in the world, our field defines what trust can do one on one and as a group. Working as the program director for SC Magazine for all those years, publishing security books and a lot more, gave me access to, and helped build me into, some of those trusted circles that I benefit from and deeply respect to this day. I gained a great deal of experience over the years as a result of this.
We all are constantly learning from each other.
Secret to my success — eat a big breakfast. No, seriously — prepare to fail (hopefully quickly). I would argue it’s really hard to learn and grow when everything is great all the time. The saying that “true character” is what you do when the cards are down, not when all is going well, is very meaningful to me. For me, this especially pertains to my security startup days, but it also translates across all roles and professions.
DL: Is there anything else you want to add?
EG: “Never fight a land war in Asia,” a quote from The Princess Bride movie, both classic and timeless.
Dan Lohrmann: Thank you, Eric, for sharing your insights and experience with us. Greatly appreciated. I wish you all the best in 2021 and beyond.