The computer breaches and hacks that make headlines are typically massive and complicated, and are sometimes even driven by nation-states pursuing cyber-dominance on a global basis. This can lead to the belief that information security solutions must be similarly complex.
However, good cybersecurity doesn’t have to be complicated or expensive. Chad Renfro, head of enterprise cybersecurity at Fidelity Investments, shared his approach to information security at ICI’s recent General Membership Meeting.
In this role, he leads Fidelity’s cybersecurity efforts. Since completing his formal education, he has worked for more than 20 years in the information security field. Over his career, Mr. Renfro has gained experience with intrusion detection systems.
Renfro talked about his two decades of experience, the more than 500 cyber-incident investigations he’s led, and what he’s learned during that time. For example, he said that working at Fidelity has taught him to manage information security in the same way that investment managers approach their portfolios.
“Every morning, we look at a set of research associated with movements and trends related to the criminal elements that are out there,” he explained.
Understanding the Adversaries
His team begins by focusing on two things: the intentions and the capabilities of their adversaries, which he separates into four basic groups: cyber-criminals, insider threats, “hacktivists,” and state actors.
The intention of cyber-criminals, Renfro said, is simple: they want money. The solutions in this space involve an unrelenting focus on the basics, as well as the human variables in the equation, Renfro said. Because of the “security and product explosion” that individuals and firms are facing (the average PC today has 74 applications on it, he said), it’s essential to follow good practices in configuring and updating systems.
Insider Threats
The capabilities of such threats range from very high (developers who believe that the code they create on behalf of the company is actually theirs, and steal it) to very low. In addition, Renfro keeps an eye on certain events where insiders can present more of a threat.
Because “insiders leaving a company are 71 percent more likely to steal information than those who are not,” organizations should create a program monitoring events such as reductions in force or mergers and acquisitions.
Hacktivists
Hacktivists, the third threat, have low capabilities, but are ideologically motivated, which can make them unusually persistent in their efforts, Renfro told the audience.
Nation-States
The fourth and final threat he examined was nation-states. Though he said they’re the least likely threat that the fund industry will face, Renfro did warn the audience that the capabilities of state actors are growing quickly, and that there is a real risk of breaches revealing embarrassing details about staff, or of companies getting caught up in ransomware requests.
The Importance of a Cybersecurity Framework
For all of his focus on the basics, Renfro acknowledged that information security can indeed be a complex undertaking, which is why he’s a firm believer in choosing a framework as a structure for cybersecurity.
Under these five areas, NIST has laid out a total of 23 capabilities: specific areas that corporations must manage to stay on top of cybersecurity threats.
“Lots of corporations are fighting the last battle,” Renfro said. “It’s like a lot of complex topics: you have to reduce your understanding and response to a few key things,” he explained.
“For example, in medicine, which is one of the most complex topics on the planet, your provider is always going to come back to some key things: ‘don’t smoke, exercise, eat well, get enough sleep.’ Cyber is the same way.
“This is not a game,” he concluded.
Cybersecurity and Business Resiliency
Cybersecurity and its impact on business resiliency remain among the top areas of focus for businesses across the world; never more so than during a global pandemic the likes of which have never been experienced.
Chad Renfro, Head of Cybersecurity at Fidelity Investments, has played a key role leading the firm’s response to the pandemic and planning for what’s ahead. Join as he shares perspective on how Fidelity has led through a challenging environment and stayed focused on protecting the health of its clients’ assets and a global workforce of more than 50,000.
Chad Renfro's Background
Mr. Renfro is a distinguished officer graduate of Baylor University. Before joining Fidelity, he served as the Chief Information Security Officer (CISO) of Bank of America’s Information Protection division, leading more than 1200 security professionals. Prior to joining Bank of America, Mr. Renfro led more than 500 cyber-incident investigations.
