1 June 2023

Guillermo González: "The financial sector is aware of the urgent need for a strong cyber resilience strategy"

Cuadernos de Seguridad

Guillermo González García, Director of Properties, Security and Services at Cecabank, explains in this interview that the role of the Security Director must be "strengthened in the context of the company's global security". He firmly believes that the future of these professionals lies in greater "integration with the rest of the actors involved in the company's security, in order to add and contribute positive aspects to coordination, highlighting the leading role that they undoubtedly play in the company's overall security". González García also addresses the pillars on which the bank's security strategy is based, as well as the importance of coordination between physical security and cybersecurity.

- What are the main characteristics of Cecabank's security and business continuity policy?
- At Cecabank we have a security policy validated by Senior Management that covers all aspects of corporate security and logical security. It sets out the objectives, principles and scope of security, and defines the responsibilities of each actor. It also determines the general guidelines that are applied in the entity in terms of security, and it makes security management a process and an objective in itself, in which people assume their role focused on physical and logical security. It covers incident management and communications with the various bodies as appropriate, as well as business continuity and, ultimately, the resilience of the entity.

- Digitalisation has changed the structures and functioning of companies and, in this case, of large banking institutions. What type of assets does the security department currently protect?
- Naturally, at Cecabank we do not limit ourselves only to the protection of the physical assets of buildings and facilities, but we are also actively involved in the protection of information systems and networks for internal use. This work is carried out with a focus on the protection of the infrastructures that contain them or through which they flow, ensuring supplies and conditions for their proper functioning with the participation of the people responsible.

- What are the main pillars on which the Cecabank Security Department is based?
- The main pillars are those we share with the Corporate Security departments of the entities in our environment: the safety of persons working in or on the premises who, for whatever reason, may be subjected to various risks while in the buildings; security for the integrity and ownership of the entity's physical assets; comprehensive control of access and goods accessing the facilities; and finally, the protection for the integrity and proper functioning of the bank's facilities and information systems.

- What do major technological advances contribute to the banking sector, in terms of prevention and security processes?
- Major technological advances are very important and we are increasingly less likely to adopt them. Among them is AI, which is seeping into the protection systems of our facilities, facilitating more efficient active surveillance or providing data with which to create intelligence. It allows us to increase the efficiency of conventional surveillance in order to be more aware of the real threats, bypassing systems that do not provide information and distract us. All of this helps us to be proactive in protecting and, therefore, anticipate incidents. On the other hand, the need for more qualified staff and ongoing training is increased to ensure that these new technologies are properly adapted.

- One of the current major challenges is the convergence of security and cybersecurity. Do you think that financial companies should have a global defence strategy?
- In the case of Cecabank, we have a global defence strategy. All financial institutions, depending on their size and resources, have coordination mechanisms between physical security and cybersecurity. Global security areas should be avoided. We now have very comprehensive committees where we have that corporate coordination for global defence. The physical and logical security heads are no longer the only ones to participate in these committees, who obviously have specialists with specific training, but also other professionals from the institution, such as specialists in organisation, compliance, architecture and information systems. They all contribute to a more comprehensive security overview of the organisation, going beyond the simple coordination of physical security and cybersecurity.

- What are the common problems faced by the security department and which are the most frequent?
- The financial sector is aware of the urgent need for a strong cybersecurity strategy. This is evidenced by the fact that financial institutions prioritise security and surveillance actions to protect the branch network and ATMs. While it cannot be said that the number of crimes in this area has increased alarmingly, there is concern about the seriousness with which ATM attacks are taking place, even endangering people's lives and the integrity of nearby homes, or the complexity with which attacks on offices or increasingly sophisticated and imaginative thefts are taking place, defying branch employees, electronic protection systems and even security companies and all Law Enforcement Agencies.

- What do you think should be the competencies that a security director should have, both now and in the future?
- The powers and responsibilities of the Security Director are clearly defined in the Private Security Act. The role of the Security Director must be strengthened in the area of the company's integral security. There are still specialists in a particular branch of security who focus only on it as the most important and ignore the role of others. Sometimes this also happens with the Security Directors themselves, with a bit of self-criticism. This is why the future of the Security Director lies in greater integration with the rest of the actors involved in the company's security, in order to add and contribute positive aspects to coordination, highlighting the leading role that they undoubtedly play in the company's overall security.
