Understanding Information Security in Banking: A Conversation with Tyrone Watson-Ferguson, CISO of Security Bank of Kansas City

In his Travillian Next debut, Patrick Cooney of our Banking & Fintech team, sits down with Tyrone Watson-Ferguson, CISO at Security Bank of Kansas City, to discuss a topic that is top of mind for every banking institution these days, Information Security.

Topics discussed:

• Compliance and regulations within information security
• Vendor vetting and processes
• Key collaborators and vendors at Security Bank of Kansas City
• What a playbook for information security at a bank looks like

Whether you are an emerging BaaS bank, replacing your core, or considering vendor and partnership prospects, this discussion can help steer and guide your information security priorities and initiatives. Please tune in and enjoy our first information security-themed discussion.

Understanding Information Security in Banking: A Conversation with Tyrone Watson-Ferguson, CISO of Security Bank of Kansas City

00:15 – 02:10 | Intro

Patrick Cooney: Hi everyone. Patrick Cooney here, Executive Recruiter with Travillian.

I sit on Travillian’s Banking and FinTech team, and I’ll be making my debut today on our content site, Travillian Next. Joining the likes of Brian Love and Keith Daly to get some great information out there in our space. The talent side, the consulting side, and the search side of Banking and FinTech.

With me is Tyrone Watson-Ferguson, who I’ve gotten to know very well throughout my time at Travillian. Tyrone is the CISO for the Security Bank of Kansas City and he leads the helm of information cybersecurity efforts there. I’ve gotten to know him well and we have a lot of good insight to provide for banks that are getting into that tech space.

Everything’s becoming a little bit more digitized right now. That leads to a lot of opportunity, but also opens the door to a little more threat and concern for malicious actors out there.

Tell us about your time in the space and then we’ll deviate into the conversation.

Tyrone Watson-Ferguson: I’ve been the CISO here at Security Bank of Kansas City in the Kansas City metropolitan area. I’ve been employed with the bank for five years, serving in the CISO role.

Before that, I was at the Federal Reserve Bank of Kansas City for a little under 11 years, and I held different roles there, but the last five and a half years were strictly in security. I got to see stuff from different angles and different perspectives.

03:15 – 04:41 | Compliance & Regulation within Information Security

Patrick Cooney: How does CISO stay up to date and who do you partner with to make sure that you’re aware of any changing regulatory concerns or any compliance initiatives?

How do you, from your seat, stay up to date and who do you work with mostly to make sure you’re on par with those expectations?

Tyrone Watson-Ferguson: The cool part is that there’s a lot of resources out there and in banking, it’s a regulatory requirement that you have threat intelligence or prove that you have mechanisms in place to stay up to date.

The FFIEC, which is our primary regulator, often references FS-ISAC. We use them a lot as a membership, but you can also sign up for FDIC and other threat intelligence. We get threat intelligence from the security vendors that we work with which provides us with some of the tools we use.

04:41 – 07:19 | Key Collaborators within Security Bank & Vendors

Patrick Cooney: Who might be some of the key collaborators that you work with? Either within Security Bank or with those vendors? Is there typically a primary contact or position that you partner with most frequently?

Tyrone Watson-Ferguson: A lot of my job is really internally securing the network and most of the stakeholders I deal with are other department heads but we also aid in the customer-facing aspects of it.

We work hand in hand with our fraud department and our electronic banking department a lot. It’s a group effort. We have to understand how that threat affects our customers or our infrastructure, and then share the information accordingly, internally. Then we gain a plan from there.

07:20 – 09:57 | Vendor Vetting & Processes 

Patrick Cooney: What goes into vetting and who might you partner with? Who do we want to work with and then how do we vet them out?

Tyrone Watson-Ferguson: We have a vendor management department and there’s a process to vet a vendor.

I like to look at it as we’ve vetted the vendor to see if we want to do business with the vendor and then we vet the product separately. The vendor could be awesome. For example, they’re in great financial health and they have a business license. Those are some of the surface-level things that you vet with a vendor, depending on the criticality of that vendor to your environment.

You’re looking at their business license, maybe their business rating, and then the controls they have in place to make sure they secure their stuff that could lead to a possible breach in your environment. You’re going to look at their security assessments, SOC reports, and things of that nature, and that’s for the vendor and their controls.

The product vetting is a little bit different. You have to understand the risk that that product introduces into your environment. Do you need to open up any firewall rules, or any porous protocols? Will it affect DLP? What about disaster recovery? If this vendor goes down, how does that affect your environment?

Do they have the proper disaster recovery things in place so you can continue doing business as usual? If not, can you supplement that on your end? You look at all those things from the product standpoint. Those are the two buckets we talk about. Typically, manage the vendors themselves and then the product that the vendor is.

09:57 – 13:10 | Playbook Plans

Patrick Cooney: Another term that you mentioned before was a playbook. Is that something that you helped develop? What does that playbook look like?  Who has a part in helping script that playbook?

Tyrone Watson-Ferguson: All the stakeholders in the process should have a part in creating the playbook because they’re all going to have a part to play in making sure that things get done in that playbook.

If it’s security and it’s our playbook, for ransomware, we’re going to have all of our steps lined out as to what we’re gonna do first, and then if we have to communicate with another department, we want to get their input on how they would handle the incident from their perspective.

We add those things together and we put them in a sequential order, which is important, and then you go from there. You run through it, do tabletop exercises, and do a lot of fire exercises. If you can manage that, it’s all about risk.

The principle of the playbook doesn’t change and that’s where it pays to have an understanding of what you’re trying to accomplish. If you focus on what the principle of the playbook is and what its purpose is, then you understand the role that each technology plays.

13:10 – 15:00 | Outro

Patrick Cooney: Are there any other parting thoughts that you have that you want to put out into the banking space from an InfoSec perspective and maybe for a bank that’s just getting into making some transformations? Either with their platform or working with another partner?

Tyrone Watson-Ferguson: One thing that helps everyone is to try to be collaborative. Don’t make decisions in a vacuum. We’re protecting the business and the assets of the business. If you’re not collaborating or you don’t understand the importance of the business and what’s important to them, then you can end up spending money on controls to protect something that the business doesn’t care about. The con, the risk, and the rewards, the business decides what that looks like for them. The risk appetite is our job to make sure that we understand that.

Then we put controls in to make sure the business functions as safely as possible with acceptable risk. There’s a table-stakes risk that comes with doing business and some businesses have a higher risk threshold than others. It’s understanding the business’ risk threshold and making sure your environment and the controls you put in place, including processes, don’t just depend on technology.