How This Mutual Fund Giant Stays a Step Ahead of Cyber Crooks

New security threats keep assailing the financial services industry, but Ken Pfeil, chief information security officer for the mutual fund giant Pioneer Investments, seems unruffled.

Pfeil is in charge of security for an infrastructure that includes operations in 27 countries and more than 2,000 employees (Pioneer, whose U.S. headquarters is in Boston, is a unit of UniCredit, the Italian banking conglomerate). He recently shared with us some of the security steps the company has been taking.

BTN: I haven't seen the name Pioneer associated with any security incidents.
Pfeil: That's why I'm still employed.

What security threats do you primarily worry about?
It varies from week to week based on the threat landscape and what the other side of the fence is trying to do. Everything that's old is new again, everything from phishing and drive-by downloads and malware and advanced persistent threats to the standard rap-rap-rap knocking on the door of vulnerabilities like Bash, which has been out there for 26 years, and before that Heartbleed. There are a lot of different avenues we have to be on top of, as well as setting our road map in response to where we think it's going to go.

When you hear about something like Bash or Heartbleed, do you have to deploy a team to search throughout the infrastructure for spots where you might be vulnerable?
Fortunately, we have a very mature response plan in relation to stuff like that. We know what technologies we're running. We know where we're running them, and we know what our exposure is to a large extent. Does that require a more mature and deeper dive into things? Absolutely. Then we've got to give due diligence and confidence to our customers as well as our partners as well as receive the same level of confidence from the vendors we do business with. There's a lot of back and forth and due diligence when something like that happens.

Did the Bash vulnerability surprise you?
Bash did not surprise me. The vulnerability in 25-year old software does not surprise me one bit. Vulnerabilities in six-month-old software surprise me a lot.

Some people have said financial services companies should stay away from open source software because it's easier for hackers to understand.
That could be said for any type of software. Take Microsoft. People have been waiting for Patch Tuesday to come out, and it's not just the customers — the hackers are as well. They'll be pulling apart the patches, finding ways around them. To say that one software is more secure than another bit of software is myopic. Any software can be compromised at any given time. A hacker is just a person who makes software or something else operate in a way it was not intended or designed to do. It gets the software to operate out of bounds and opens up a hole or avenue of delivery where they can control it. That's what a hacker wants, control. If you look at it from that perspective and think like a hacker, you'll go a lot further than just being in reactive mode.

Where are you putting your greatest efforts in security technology?
We work with all security technology: proxies, firewalls, intrusion protection systems … antivirus, anti-malware, authentication systems. It's not just a question of buying new technology, but exploring new capabilities of the technology. For instance, we use the CounterAct access control system from ForeScout. About one and a half years ago we began to explore the integration capabilities, and we have been making this product work with other software, such as the Bromium anti-malware technology we use. So if we have a user that goes to a website that redirects or tries to execute something within the user's browser, Bromium stops that. It's not something traditional antivirus software is going to catch because anti-viruses are signature-based and they're largely reactionary. Bromium has micro-virtualization [technology that abstracts applications and sub-processes from hardware and runs them in isolated environments]. Every tab within a browser is run on a separate incidence or machine, as is every PDF or Word document the user opens. If, in a browser tab, a user got redirected by an ad that was serving malware, that malware would be contained within that isolated micro virtualized kernel and would not affect the operating system or anything else running on it. And the software provides feedback. We know not only where the event occurred but we have a detailed analysis, including what keys they tried to modify, what files they tried to drop. We feed that information into ForeScout. Then we'll check the existence of that process anywhere within the enterprise. We've cut our response time down from hours to minutes.

Have all the big security incidents of the past year helped you obtain the security technology budget you need?
Absolutely. It's unfortunate, but when bad things happen to other companies, that's good for us. When bad things happen to our companies, it's good for everyone else. With the state of things that have happened in the news and the airplay things have gotten, it's certainly elevated our visibility to the point where the executives get now what they didn't get two years ago.

Will your security budget be bigger in the coming year?
As we've gone further along in our program, we've had to make less investment in technology, so we're seeing a return as far as being able to recover man-hours we once burned doing a lot of manual analysis. A typical investment company will invest in security technologies anywhere from 3% to 12% [of the total budget]. I know that seems like a wide range, but the further along you get into your program and executing your long term strategy, the less investment you have to make and the more of a return in productivity you'll see. There is a return on security investment, even though everybody thinks that is more like a unicorn. A lot of folks will look at it, especially folks that are not security savvy, and they'll say, 'how can security be anything other than a cost center?' But if you're able to actually show your operational numbers, you're executing on a vision, you're executing on a strategy, the number of reactional events have gone down and you have relevant security metrics that back up the things you're trying to accomplish, then you can talk more intelligently in the boardroom rather than just the network hall or wherever the geeks happen to be.

Are you able to say 'we've blocked this X number of intruders and the potential losses would have been X'?
Absolutely. Every good chief security officer and every risk manager worth his salt will understand completely what constitutes an annualized loss expectancy. That's just a ballpark estimate based on past events, based on landscape, based on what's happening with competitors and things like that. That's what you can expect to lose, but when you take that into the overall equation of what you're expecting to gain by executing on your road map, it's simple numbers. Especially when you can unequivocally demonstrate that particular events that happened did not cause disruption.

I would think that would be hard to quantify.
If you start with a company that has cybersecurity insurance, you can take the worst-case deductible out of that. Say a company has a $250,000 deductible for an incident breach that would result in $10 million worth of loss. That's a set number you can include in the equation. Especially in financial services, executives understand money very well, but technology, if it's not enabling the business directly, you've got to show at least the indirect method [of] how it's enabling the business.

Can you share any security priorities for the coming year?
It's continuing to improve on the mechanisms we have. I see in the next three to five years on our roadmap an expansion of existing capabilities, a deeper look at data from the metadata perspective and the classification perspective and certain intelligence aspects being done automatically. I want to continue with our automation vision. That leaves us a lot more time to be on top of our game and ahead of the curve when we start to see something trending in a certain direction. The last anything any CISO wants to be is behind the eight ball and purely reacting. That's not an enviable place to be.