Financial services organizations face significant challenges when it comes to cybersecurity. With a vast threat landscape and complex regulatory environments, finding a balance between investments in cybersecurity and maintaining compliance is no easy feat. Pat Opet, the Chief Information Security Officer (CISO) of JPMorgan Chase & Co., is charged with defending the financial giant against cyber threats while ensuring compliance across its global operations.
As the head of the Cybersecurity and Technology Controls (CTC) organization, Opet has the responsibility of investing in technologies that protect the company and enable its various lines of business. However, with a large budget and a complex infrastructure that spans over 60 countries and employs over 300,000 people, this task comes with significant challenges.
Opet’s approach is to view CTC as an “enablement organization” within JPMorgan Chase. The goal is to make cybersecurity seamless for developers and minimize the friction that may arise from implementing security measures. Opet acknowledges that this can be challenging at times but highlights that it is a primary focus for the organization.
One technology that has caught Opet’s attention is generative AI. This technology has made a significant impact in the cybersecurity industry, as it can assist professionals ranging from security analysts to software developers. In an interview, Opet explains why generative AI has won him over and how JPMorgan Chase is investing in this technology to enhance its cybersecurity capabilities.
When it comes to threat activity, Opet receives daily reports from the intelligence team and the security operations center. He personally visits the security operations center to discuss the latest findings and emerging tactics and techniques. While there are formal incident response plans in place, Opet is deeply involved in the day-to-day monitoring of potential threats.
Regarding cybersecurity technology investments, JPMorgan Chase takes an organic approach, rather than reacting to specific events. The company invests over $600 million annually in cybersecurity and has focused on driving efficiency through automation. Opet highlights the importance of having an assurance organization that tests the efficacy of controls and identifies areas for improvement. Additionally, a strategy and partnerships organization is responsible for understanding the technology ecosystem and identifying emerging trends and startups that could impact cybersecurity.
Opet provides an example of how threat activity prompted a shift in investment priorities. The company observed an uptick in Layer 7 DDoS activity, which caught their attention as it was becoming easier to exploit vulnerabilities at the application layer. Recognizing the potential impact on critical infrastructure and the lack of preparedness in the ecosystem, JPMorgan Chase made changes to adopt SaaS-based tools with improved Layer 7 protections. They also built internal technology and response teams to address vulnerabilities in their web-facing environment.
Overall, JPMorgan Chase considers staying ahead of emerging threats and trends as a security win. By taking proactive measures to address potential vulnerabilities, the company aims to protect its customers and maintain its reputation as a leader in the financial services industry. The company remains open-minded about making the necessary investments to mitigate emerging risks and ensure the effectiveness of their cybersecurity defenses.