ANZ Banking Group is completing the first year of its current enterprise security strategy, with a focus on embedding security, building resilience and enabling business transformation.
Speaking on the iTnews Podcast, chief information security officer Dr Maria Milosavljevic reflected on her first 14 months in the role, during which time the bank has worked to a strategy put together by its former CISO Lynwen Connick.
“In my first week, the new three-year strategy was approved by the ANZ Board, which came into play in January 2024,” Milosavljevic said.
“That's been a big focus for us, to continue to uplift our security capabilities.”
The strategy is organised around three core pillars, the first being to embed security across the bank.
“Given the nature of security, we are dealing with an environment that is no longer possible for a single business unit to drive,” Milosavljevic said.
“It is really something that has to be systemic across the entire organisation.”
That has impacted everything from leadership to building the adaptiveness and connectedness of staff at the bank.
“A big part has been understanding current accountability and redefining what that needs to look like in the future,” she said.
“It’s about how we can move to a more shared or mutual responsibility approach to security - not just within the bank, but also with our relationships with third party providers, regulators, peer organisations, and so on.”
Milosavljevic said the bank has run a series of exercises “so that people can experience what it's like to actually go through a significant cyber event.”
“We did our first enterprise-wide exercise in November last year. That was a mammoth effort – from board down. Of course, you can't involve everyone across the whole organisation, so it had to be focused on key roles and decision-makers and action implementers,” she said.
“We took a scenario based on what had happened to another organisation, which is a pretty significant incident, and it was something that they really struggled with.
“We took ourselves through a real scenario, and really pressed into some of the more difficult decisions that would have to be taken, and then looked in the mirror to see whether we thought that we were ready to execute on some of the things that we needed to do.
“And based on that, we then identified where we needed to uplift, and we're well progressed in terms of that.”
Smaller exercises have also been run in different parts of the organisation, testing - for example - how the Australian part of the bank would work with its New Zealand or Pacific-based counterparts if an incident occurred in those regions.
Milosavljevic said tests had also been run involving Suncorp Bank and ANZ.
She noted the importance of people having “absolute clarity” of incident response processes and their role in them.
This included contingency planning for unforeseen situations, such as where a key decision-maker is absent or uncontactable; arrangements to ensure the right people could participate in the incident response while also getting adequate rest; and communication plans to ensure that regulators and other third parties were kept informed, as required.
“We're on our way in terms of understanding exactly how to respond should the worst happen,” Milosavljevic said.
The second pillar of the strategy is strengthening resilience to emerging threats. This pillar includes some significant work around third-party contract and risk management, ensuring clear expectations are set as part of these relationships and arrangements.
“Just like with the exercises, you don't know what you don't know until suddenly it faces you - and so the way that we negotiate and set those relationships up, there's contractual arrangements, but then there's also the soft relationships, trust building, and working together on a daily basis [to improve resilience],” Milosavljevic said.
The strategy’s third pillar is to enable and support business transformation, which aims to set ANZ up to experiment quickly but also securely.
“[As security], we don't want to be that ‘department of no’, we really do want to be able to make it easy for people to comply,” Milosavljevic said.
“We've spent quite a lot of time developing what we call an ‘experiments at pace’ framework … to really help different parts of the organisation to self-help so that they can navigate this themselves until things get too complicated and they need a bit of help.”
Supporting this are some technical activities - designing systems to be “secure by default, not just by design”, and implementing a Zero Trust framework for ANZ’s network.
“We're in the middle of rolling out a Zero Trust framework,” Milosavljevic said.
“A lot of that is focused on things like stronger authentication and network and security controls; better network segmentation and isolation of threats; and also, data-driven protection, so that we can see more of what is actually happening, both in terms of our risks as well as behaviours across our network.”
On the security controls front, the bank is moving from manual to automated testing of controls applied to its application estate.
This should allow the controls to be tested more frequently and expansively, giving the bank better “situational awareness in a 24x7 capacity, so that we understand what our level of risk is or what our posture is at any point in time.”
“It means you're not just doing it on a weekly, monthly or quarterly basis, or depending on the level of control, but actually something that can be there sitting in the background permanently,” Milosavljevic said.
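The shift from manual to automated, always-on control testing described above is usually implemented as controls-as-code: each control is a small check over a configuration snapshot, and the whole set is run by a scheduler or pipeline rather than by a person once a quarter. The following is an added illustration of that pattern, not code from ANZ or from the article; the control identifiers (AC-01 and so on), the application records and their settings are constructed for the example and do not describe any real system.

```python
"""Minimal continuous control testing: pure checks over config snapshots.

run_controls() is side-effect free, so the same function can be invoked
from cron, a CI job or a scheduler as often as wanted; posture() turns
the findings into the summary a dashboard or ticketing system would use.
All applications, controls and thresholds are constructed examples.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class App:
    """One application's configuration snapshot (constructed fields)."""
    name: str
    tls_min_version: str     # minimum TLS version accepted, e.g. "1.2"
    mfa_required: bool       # MFA enforced for interactive logins
    log_forwarding: bool     # logs shipped to central monitoring
    last_patch_days: int     # days since the last patch was applied


@dataclass(frozen=True)
class Finding:
    app: str
    control: str
    passed: bool
    detail: str


def _tls_tuple(version: str) -> tuple:
    # "1.2" -> (1, 2) so versions compare numerically, not as strings
    return tuple(int(part) for part in version.split("."))


# Hypothetical control catalogue: (id, description, predicate over App).
CONTROLS = [
    ("AC-01", "MFA enforced for interactive logins",
     lambda a: a.mfa_required),
    ("SC-01", "TLS 1.2 or higher required",
     lambda a: _tls_tuple(a.tls_min_version) >= (1, 2)),
    ("AU-01", "Logs forwarded to central monitoring",
     lambda a: a.log_forwarding),
    ("SI-01", "Patched within the last 30 days",
     lambda a: a.last_patch_days <= 30),
]


def run_controls(apps, controls=CONTROLS):
    """Evaluate every control against every application snapshot."""
    findings = []
    for app in apps:
        for cid, desc, check in controls:
            try:
                ok, detail = bool(check(app)), desc
            except Exception as exc:
                # A check that cannot run is a failed control, never a silent pass.
                ok, detail = False, f"{desc} (check error: {exc})"
            findings.append(Finding(app.name, cid, ok, detail))
    return findings


def posture(findings):
    """Overall pass rate plus, per control, counts and the failing apps."""
    per_control = {}
    for f in findings:
        entry = per_control.setdefault(
            f.control, {"passed": 0, "total": 0, "failing_apps": []})
        entry["total"] += 1
        if f.passed:
            entry["passed"] += 1
        else:
            entry["failing_apps"].append(f.app)
    total = len(findings)
    passed = sum(1 for f in findings if f.passed)
    return {"pass_rate": passed / total if total else 1.0,
            "per_control": per_control}


def run_once(apps, controls=CONTROLS):
    """One scheduled run: timestamped posture report for the estate."""
    report = posture(run_controls(apps, controls))
    report["evaluated_at"] = datetime.now(timezone.utc).isoformat()
    return report


# Constructed sample estate (not real systems).
SAMPLE_APPS = [
    App("payments-api", "1.2", True, True, 10),
    App("legacy-portal", "1.0", False, True, 45),
    App("internal-wiki", "1.3", True, False, 20),
]


if __name__ == "__main__":
    result = run_once(SAMPLE_APPS)
    print(f"{result['evaluated_at']} pass rate {result['pass_rate']:.0%}")
    for cid, entry in result["per_control"].items():
        print(f"  {cid}: {entry['passed']}/{entry['total']} "
              f"failing={entry['failing_apps']}")
```

Because the checks are plain functions over data, the same definitions serve both the periodic human review and the always-on run; the frequency is a property of whatever calls `run_once`, not of the controls themselves, which is the point of moving the testing into the background. Treating a check that throws as a failure (rather than skipping it) keeps an outage in the evidence-gathering path from showing up as a clean posture.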