Exclusive Q&A: National City's CSO Gareth Webley on Protecting Today's Bank

SecurityInfoWatch.com recently caught up with Gareth Webley, the CSO for National City, the eighth largest financial services company in the U.S. As Webley puts it, "We're the biggest bank you've never heard of." National City has close to 1,600 branches in eight states, and with its brokerage and mortgage divisions, the company has a virtual national presence, despite the fact that the Ohio-based bank is still somewhat regional in focus.

Webley shared an inside look at his organization's security convergence, bringing the "geeks and guns together", so to speak. From the creation of a converged security command center that would be in operation 24/7 to the general benefits of merged risk assessments, the excerpts from our Q&A with National City's Webley help shed light on security convergence for any organization.

Webley will also be speaking on Wed., Nov. 15 at the ADT Financial Security Symposium in Florida. His presentation will be available for free live on your computer via SecurityInfoWatch.com's webcast series (register now for Wednesday's online seminar).

SecurityInfoWatch.com: Can you share with us some of your history as well as the history that led to a converged security program at National City?

Webley: I joined National City in 1999 primarily to head up the information security department and grow it. The bank had gone through a series of acquisitions. It had doubled, and then tripled its size in about 10 years. In 1995, they identified a need to focus on information security, so I joined the bank and built the information security team over about four years. They named me CISO. Then about a year-and-a-half later, about two years ago now, they decided the physical security side needed the same sort of technology investment and programs approach to delivering security services. They decided to merge and give me the opportunity to lead both the electronic and physical security departments. So I am a chief security officer in the true sense in that I have both data security and physical security reporting to me.

Prior to working with National City, I worked for British Petroleum, and I had quite a bit of involvement there with the physical side because they used a lot more technology to secure their plants and their pipelines. [At BP] there were a lot of things that we leveraged our data systems to do for security.

SIW: What was the transition to converged security operations like at National City?

It was a very interesting transition. The physical security side is in many banks made up predominantly of law enforcement and ex-FBI or military people. They had a very different view of their world. It was typically a command-and-control attitude of "we've got to stop people from robbing our branches." And we were dealing with a lot of aging technology. What I really brought to the merger was this notion of organizational convergence. It was the notion that what the teams really need to do is work together. Part of the goal is that services that are commonly delivered -- such as administration, security engineering, risk assessment -- can be done out of a single group. We won't have a single risk assessment and then an electronic risk assessment, but we will have a team that delivers risk assessments.

We're combining our logical and physical access into a single card. "One card, one access" is sort of our motto. We've just begun the rollout of a multi-year program to upgrade our physical card system. And the same system that provisions our mainframe systems and our LAN systems is also going to provision our card access system under what we call role-based access control. The same people that are adding people to user accounts on computers are also going to be adding people to the card readers, and it can all be controlled by a single user ID.

SIW: How did the issue of Sarbanes-Oxley affect convergence at National City?

Many people feel that it creates a lot of work for people who are doing the right kinds of things already, and who already have the right kinds of controls constructed. But it doesn't really help prevent a lot of the things that Sarbanes-Oxley was created around. I firmly believe that for us, it was a matter of more documentation, as opposed to having to really change our control structure. It certainly helps spur on the ability to have our HR system delete employees on the physical side as well as on the electronic side from an authorization perspective. So I believe there are certain things that have become easier for us to comply with now that SOX is around, and it's made some things easier for me to help justify why we need to unify our security and access to databases. But overall, it didn't create a great deal of change. National City had already been highly ranked on corporate governance by independent surveys.

SIW: Day-to-day, what do you consider to be the top risks that you face?

From a risk perspective, network-based attacks always concern us. Phishing attacks always concern us. Bank robberies always concern us. Our ability to safeguard our employees from a fire suppression perspective and the other kinds of life-safety threats that are out there is very important to us. Those are the sorts of risks that we face across the different disciplines.

SIW: It seems that when we go through the risks you mention - network attacks, phishing attacks, robberies, life-safety of employees - they still silo out to either network security or physical security. Is that the case, or can you treat the risk group areas in a converged manner?

We are actually in the process of designing and building a new command center where we will treat alarms or alerts from both worlds in the same way. There will be a security operator in our security command center which will be manned 24/7. They will be looking at alerts from burglar alarms, robbery, and tuned things coming off our network IDSs. It will also be making sure that those IP-enabled security devices (alarm panels, DVRs) are network accessible.

We now view it as an even more critical need. We believe that if we've got an alarm panel out there, it needs to be able to communicate through the network. We'll also have a redundant dial system. We're starting to see more and more devices that are IP enabled. For example, if you have a door lock that is controlled by IP traffic, and someone is able to spoof that contact or cause that device through an electronic hack to open, or at the same time interrupt a video service, then someone could perhaps pick that lock, and gain access to the facility.

We're really starting to see that as more security devices get IP enabled, attacks against organizations are going to start to converge as well. Some of the romanticized views of crimes in the movies are actually going to become more real as people get more sophisticated. We've also seen a shift from network attacks done by what we call "script kiddies" (people just doing it for the glory) to it being backed by organized crime. And eventually, I think those investments by organized crime are going to be made and they'll have skills to attack network controls and network security devices as well as the old brute force through the door.

SIW: This is a very progressive idea, this idea of the converged command center. You'll have alerts coming in on intrusion alarms, alerts on network attacks, and maybe they'll have different priorities, but they'll be coming into one view. Can you tell us more about how this will operate?

Our command center will be monitored 24/7. Our geeks that monitor our firewalls, phishing alerts and all those sorts of things typically work during the day. They need to go home at night. So a lot of these alerts would be set to go to pagers or e-mail queues, and their pagers are going off so much that they tend to get desensitized to that. So for us, it's important to have a security officer that we can train to look at these alerts and ask, "Should I get the firewall engineer out of bed?" So we're thinking very hard about that so we can have work flows and queues that they can set up to be reviewed by a subject matter expert the next day if they feel this is a medium priority. But having someone who can watch the trending happen is a tremendous benefit, and it's a better use of the resources.

It's very exciting to think through and design it. And hopefully by the end of 2007 we will have it up and running, at least in its pilot stages.

Hear more from Gareth Webley, CSO for National City, along with a host of other financial security experts, integrators and leading convergence thinkers in SIW's Wed. Nov. 15 online webinar. Register here for free.