Securing Financial Services

David: Thank you so much for joining us here today. I am joined here by three of the most innovative and impactful CISOs in financial services. I am joined today by Marcos Marrero, who is the CISO of H.I.G. Capital, by Darrell Bateman of City Bank in Texas, and Marco Maiurano, who is the CISO of First Citizens Bank. I will pass to the three of them for a quick introduction and opening words. First, Marcos Marrero.

Marcos: I am the CISO for H.I.G. Capital. It is a private equity firm based in South Florida, but we have global operations. We particularly specialize in the middle market space and also have a credit and real estate business.

David: Excellent. And Darrell?

Darrell: Darrell Bateman. I am the Chief Information Security Officer at City Bank. We are based in the West Texas area — about four billion in assets — and we try to be pretty innovative with what we do in banking. We try to serve our customers with newer technology, and that puts some challenges on folks like us to make sure it is all done securely.

David: Awesome. Thanks for joining. Marco?

Marco: David, thank you, and I really appreciate the opportunity to speak to everyone today. I am Marco Maiurano, the Chief Information Security Officer at First Citizens Bank. We are based out of Raleigh, North Carolina. We are one of the top 15 banks in the US — 220 billion in assets, over 500 branches across the United States. We also have a presence in India for our capability center, and as part of our business, we have operations in Canada and Mexico. We have been an organization built through acquisition, so securing our environment has really been an interesting but fun challenge. Our most recent acquisition two years ago — Silicon Valley Bank — really propelled us into a category 4 financial institution with its own set of interesting challenges.

David: And Marco, how has your team grown with the acquisitions and the growth of the bank?

Marco: When I first joined about three and a half years ago — almost four years ago — we were a small team, probably around 14 to 15 people, really doing everything. Through two acquisitions, we are now around 400 strong, with operations both in India and the United States. A lot of that is through hiring, but also through the acquisitions themselves, onboarding some amazing talent from each one.

David: Amazing. The topic for today's webinar is securing financial services — adaptive protection for banking and investment firms. I cannot think of three better panelists to join us and share their knowledge. As a general overview, financial services institutions are under relentless attack across all different vectors — from brute force attempts to social engineering, insider schemes, and nation-state actors trying to take down critical infrastructure. This industry faces a unique challenge: balancing stringent regulatory compliance with the need for real-time threat detection, response, and overall risk management. I think traditional security approaches, especially in this new age of AI, are potentially not that effective. Anything built around compliance checkbox may not hold up against sophisticated attacks. The goal for today is to examine the most critical challenges a CISO at a bank or investment firm might face and understand how to really prevent breaches in this new world.

My first question is for Marco. We have all seen the research — financial services are consistently ranked among the most targeted, if not the single most targeted, sector for cyberattacks. Why is this industry such an attractive target for threat actors?

Marco: When you think about it historically, banking has always been about the money. It has really pivoted from 100 years ago, when someone would walk into a bank and rob it, to now having a much lower-risk scenario by actually hacking. We have seen that grow with the speed of technology, the ability to pivot, and the commoditization of everything from ransomware-as-a-service on the marketplace. There are a lot of tools available to criminals trying to get to the money — and that is really what it is. Back in the day, we used to see more of a front-door attack. Now we are starting to see threat actors pivot around it — from socially engineering a call center or bribing call center personnel, to attacking third parties indirectly, or attacking the supply chain. It is high risk, high reward. If they can get in and access data they can monetize, that achieves their objective. Financial services continue to be a very lucrative area, and people will go where the money is. You also see the change in the geopolitical environment — more sophisticated nation-state actors are obviously looking at money movement. It is really about how they fund nefarious activities. Financial services will continue to be that prime target.

David: Excellent. And how about the difference in intentionality between APT groups and nation-state hackers? Anyone can take this one.

Marcos: There are several different ways to look at this problem. To Marco's point, they are going in for the money, but that has become a lot more difficult over the years as processes — not just technology-related — have been put in place to require different levels of approvals and controls over the way money moves within the ecosystem. So it has gotten much more difficult, not impossible, but more difficult. Piggybacking off what Marco said, the front door has been fortified with a lot of locks, so now they check the side window or the detached garage — still on the same property, but off to the side. From that point of view, they are trying to come in and then see what they can monetize. It is not just about stealing money via wire transfers — though if they succeed there, great, that is low-hanging fruit. It is also the PII. How do they use that information to extort the company they broke into, and then also monetize it on the dark web and the underground? So they are double-dipping in a sense. And then from a critical infrastructure perspective — with the finance industry considered critical infrastructure — if you think about the largest financial institutions globally or within the US, nation-states want to cause economic turmoil and geopolitical disruption. Attack that critical infrastructure piece, and if people cannot access their money or pay their bills, you start fostering dissent, and that cascades into its own real problem.

Darrell: I will add that financial services are very sensitive to reputational risk. They have to maintain a very strong reputation among their community and their customers. If that reputation is weakened through a cyberattack, banks can be more likely to pay up. So they are a good target in that sense as well.

David: So even from a ransomware perspective — even if attackers cannot directly gain access to the money, just threatening reputational harm would make a bank more willing to pay up compared to other industries?

Darrell: I think so. None of us want to do that, but sometimes you can be forced into it. Hospitals are the same way — they are in a bad spot if their operations are shut down. Banks are the same way. You shut down operations and people get unhappy very quickly.

Marco: And David, just to add to what everyone is saying — one of the things I was thinking about as you asked the question around intentionality is that it really comes down to what the nation-state's overall objective is. North Korea, for example, because of economic sanctions — or Iran — they are looking for money, so they will perpetrate fraud or do whatever they need to do to get it. But there are several nation-states, especially ones leveraging their intelligence services to launch these attacks, that are really just looking for persistence and intelligence gathering. You have seen hacks of telecoms, healthcare, and financial services. That is a lot of really valuable data if you are trying to build profiles. It really comes down to the intention of the attacker. Financial services and healthcare represent a lot of data you can use and leverage in potentially future attacks.

David: So what are the most unique threats you are seeing today — specific types of attacks, vectors, or techniques that attackers are using in the wild? That could be APT groups, script kiddies, or nation-state actors.

Marcos: We are in a unique position because we are a private equity firm — we own a number of portfolio companies that are not directly tied into our network, nor do we provide technology services to them. They are independent operating entities. We happen to own them, but they span all verticals — defense, manufacturing, healthcare, finance, technology — you name a vertical and we probably have one or more portfolio companies there. So in our case, we have visibility into a lot of different types of attacks, all the way up to APT-level activity — knock on wood, we have not come across anything nation-state-related that we are aware of — down to your basic drive-by attacks. A lot of times what a threat actor will do is, if they cannot break into a portfolio company, they will try to break into H.I.G. itself to then pivot into the portfolio company, and vice versa. That is really because of a lack of understanding of how everything is actually structured. So we see pretty much the full gamut — from drive-by downloads to more APT-style attacks.

David: What about from Darrell and Marco? Anything to add?

Marco: I think Marcos covered a lot. One of the things I am always impressed by — if I could use that word — is that sometimes what is old is new again. Threat actors are going after old vulnerabilities, going after call center associates. One of the things we are tracking in the industry is employment fraud — nation-state actors gaining employment at financial services or critical infrastructure organizations and trying to deploy backdoors. And it is interesting to see that sometimes it is not the bright shiny new thing that gets you. It is the tried-and-true tactic from the past that you always have to keep your eye on.

Marcos: And to Marco's point — we also have to put ourselves in the psychological mindset of the threat actor. It is the path of least resistance, what is most economically viable, lowest cost. If it costs them $100 to go one way versus $150 another way, they are going to take the $100 route, because at the end of the day it is a business for them too.

Darrell: We are seeing a lot of identity-based attacks. For years, people in our industry have preached using strong passwords and multi-factor authentication. Today's cybercriminals are finding ways around multi-factor. So there is a lot of pressure on organizations to up their game in that regard — using phishing-resistant multi-factor and other technologies that are not so easily social engineered.

David: I think identity technologies are fantastic and helpful, but sometimes the locks applied are not that effective. And to Marcos's point, what is old is new — he brought up two attacks that are top of mind for everyone in the industry: employment fraud attacks by foreign agencies, and these solicitation attacks. Something we have focused on at Dune is that it is not just social engineering risk in terms of employees being unaware of threats and increasing security awareness — it is also insider threat. How do you manage a scenario where Scattered Spider, for example, came to a call center that is a third-party vendor of your company and started bribing thousands of employees and contractors? That is something we have been intently focused on, and why we have been working with a lot of large BPO companies to simulate the adversary off-channel — Signal, WhatsApp, Telegram, you name it.

I was sitting with a former CISO of one of the biggest shops in the world the other night, and he said he had interviewed 51 Fortune 500 CISOs in the past several months. He said deepfakes were a huge concern — ranked as one of the biggest worries for these CISOs. But he said, quote, "Nobody is willing to fund it." There was no budget for deepfake detection technology. How true is that? Deepfakes are real. AI phishing enables the barrier for specific social engineering to dramatically drop — you can send personalized messages to thousands of employees in the same amount of time it previously took to send a message to one employee. Have you seen deepfakes or AI phishing in the wild? How real is that within financial services in the US today?

Darrell: We have not seen it within our bank personally, but all three of us participate in threat intelligence feeds. We are seeing reports of it — just not within our particular bank. But I do see reports of deepfakes and business email compromise on steroids, where it is not done through email but through a phone call using a very convincing AI-generated impersonation of the CEO or CFO.

David: So voice phishing attacks — vishing attacks — using AI-generated voice. Yeah.

Marco: We have seen an increase in phishing attacks. We did think we had some AI phishing attacks, but they turned out to be spam and a very lazy marketer using the framework to do that. We have not seen any deepfake attacks either. We do see attempted business email compromise, but nothing of that nature. I was at an event last week where some banking CISOs and critical infrastructure CISOs were talking about seeing a rise in it. I think the larger brands will probably see more attempts. But we continue to information-share across the industry to see if anything is coming our way.

Marcos: In our case, we have not seen anything specific to deepfakes from an H.I.G. or portfolio company perspective. We have seen an uptick in the quality and cleanliness of phishing emails, though. The concept of AI has really lowered not just the barrier to entry but also raised the quality of those phishing attempts. We have definitely seen that.

Darrell: These deepfakes are real. We expect to see more of it, and more use of AI by the criminal element, and we have to be prepared for that. It may really change our notion of trust. Think about a loan officer who gets a phone call from a customer he has worked with for years — the perpetrator has spoofed the phone number and is using an AI-generated voice that sounds exactly like that customer. In years past, the loan officer would immediately feel a sense of trust: "I see the caller ID, it sounds just like him." Other elements like business email compromise imitating a CEO — a lot of CEOs at publicly traded companies have their video and voice recordings publicly available through SEC reporting requirements. So it is a real concern. We have to be prepared for that. We have to use AI on our side to defend, but we have to recognize that what we used to trust in the past may not be as trustworthy as it once was.

David: When we think about AI, the way I look at it today is that it is an amazing productivity enhancement. If employees can use it effectively, it can really increase their quantity, efficiency, and quality of work. If you block it, you risk hurting the company's revenue because productivity decreases. So most companies need to enable AI. But how do you enable it safely? How do you defend against misuse — individual employees using personal accounts, for example — and ensure you are giving them the latest technology without risking data loss?

Marcos: There are several layers to that onion, and there are controls within each layer. I think it is important to start from a legal and compliance point of view. Develop your AI policy — your "thou shalt and thou shalt not" listing — and make sure it is democratized within the organization so that employees attest to it, understand it, and sign off on it. From a technology perspective, there are several providers out there to help you understand and rein in AI usage. Number one is discovery — understanding what is actually being used. It is not just Perplexity, Anthropic, or ChatGPT. AI functionality is now baked into your existing tech stack. Was it turned on automatically? If so, have you done due diligence to understand whether the vendor is using that data to train their models? And if they are not using their own model, they are using someone else's — what agreements do they have with the model provider, and what guardrails are in place? Once you understand that landscape, and you have decided you are going to adopt AI, the next question is what platform. Let us say for argument's sake it is ChatGPT Enterprise. You communicate to the organization: this is our sanctioned generative AI application. We have done our due diligence. No issues with putting data in because it does not train on it. And then it is ongoing monitoring — understanding who is using what, whether there is still usage of unsanctioned applications, and gently nudging people toward the sanctioned platforms while explaining the risks.

I think at face value it may seem like we are taking a more advanced security posture toward generative AI than is perhaps necessary. But if you take a step back, this is the same approach we have taken with other technologies in the past. Institutionalize it from a compliance and legal standpoint, do the discovery, decide on your platform, and then ongoing monitoring. It is really not anything new — just the same approach with some tweaks.

David: It sounds like you have to provide it safely and aggressively. I was sitting with a private bank CISO about a month ago and he said they had blocked it entirely. I could not help but think — your bankers are going to be taking pictures and using their personal ChatGPT or even DeepSeek accounts on their phones. Even if it is blocked on the Wi-Fi, they could use their mobile devices to access it. Any other thoughts on protecting AI safely from Marco and Darrell?

Marco: I agree with Marcos's view, and I will add a couple of things. First, I think AI is going to be a great opportunity for everyone — from a security perspective and as a business enabler. We are a highly regulated industry, so there are a myriad of compliance and regulatory requirements, and regulation has not really caught up with technology yet. A lot of what we have been focusing on is making sure we have appropriate governance — why are you bringing this in? Do we have the appropriate legal language? How do we protect the data? We are also thinking about the type of AI. Is it a vanilla chatbot, machine learning, generative AI, or agentic AI? It is really about working with the business to understand the use case and what they are actually trying to achieve.

To Marcos's point, it is about posture management for AI. When I look at AI use cases — deploying agents, for example — I look at it in two phases. Phase one: it is an identity and access issue, and it is a data loss prevention issue from a regulatory perspective. The risk of data leaving the firm or being used in a way we do not intend. When I think about agents, I treat them like people — this agent will have access to certain things and certain systems, and it should not deviate from those. How do I manage that? A big question we are working through is who owns those agents: is it the CISO, or is it the business? And what data loss prevention rules are in place? If it is an internally generated LLM, how do I make sure that data stays in my tenant and does not sit somewhere else training someone else's model?

I have talked with some CISOs who have gone all in and are now catching up from a governance perspective. We are taking a more conservative approach — making sure governance, business justifications, and documentation are in place before deploying safely. But I think the answer to some of the AI security challenge is AI itself. As an industry we just have to get together and figure out how to do this safely and securely. Everything is always changing in this discipline.

Darrell: The criminal element, the attackers, the threat actors — they are always getting more sophisticated, and AI just ups the game even more. It is a matter of staying up with it, keeping up with the technology, and it is a big burden on training your employees. That has always been the challenge — making sure your last line of defense, your employees who have access and need access, can do their jobs without falling prey to social engineering or making mistakes that could cost the organization. It is a lot to keep up with, but it is also kind of fun. I am excited to see how the defensive technology and the guardrails we can put around AI develop in the future.

David: How do you adapt the posture you apply to individual employees in this new world — with advanced persistent threats, social engineering risk, potential lack of awareness, and increased incentives for attackers to come in through insider threat channels like bribing call center employees? How do you think about treating different employees differently based on their risk and role?

Marco: No two employees are the same. You need the ability to really leverage a tool that understands the risk profile a given person presents. Someone who handles money is very different from someone who works in a mail room versus someone who has access to confidential information. Understanding their behavior — how they are logging in, how they are interacting — is important too. And then how do we leverage training? One of the things we can do as security professionals is not assume everybody knows what they should know. Things are always changing. Every day something new comes out. So how do you continue to work with your employee base — your associates, as we call them at First Citizens — to give them all the information and tools to spot things? If they see something, say something. How do you provide them constructive feedback? Not, "Hey, you clicked on this link and now you need 20 years of training and we are going to tell your manager you did something bad" — but really working with them to show them: based on what you are doing and the attacks we are seeing, here is data to help you be better. People are going to want to know how they did. The number of times someone comes to me saying, "I clicked on that phishing link — oh no" — and I tell them, no, this is good, because now we can identify an area to work with you on. If I can individualize that for each person, that is a hugely powerful tool. I can work with HR and their manager to incorporate that into their development.

The idea of security training once a year to check a compliance box is the wrong approach. That has always been the approach. But now, how do I actually work with that employee in real time to make sure we are giving them the tools they need for better cyber hygiene? The age-old adage says the employee is our weakest link. I believe the employee is not our weakest link — they are our first line of defense. We have to give them the tools they need to spot things that could potentially harm the business.

David: We think the traditional security awareness training industry has been missing the bigger picture. It is not just security awareness testing across different channels — it needs to be individualized to the user based on their risk and role. That is what we have been focused on at Dune. Any thoughts from Marcos and Darrell?

Marcos: I completely agree with Marco. The once-a-year compliance checkbox training died a long time ago. We just never really did anything about it as an industry because we did not have viable solutions to replace it. Probably seven or more years ago, I started hearing more about the concept of human risk management — managing the cyber risk of the particular individual. I remember those conversations starting around insider risk, and that concept really materialized from there. It is the right approach. As CISOs and security practitioners, we wish this is how it would have materialized from the beginning — it would have had a much more lasting positive impact on our industry and our employees. And at the end of the day, it is not just a "you have to do this once a year so we can check a box." When it is individualized and personalized, employees see that you care. You are investing time in specific areas rather than making them sit through something they have to sit through. That starts moving the employee from "this is something I have to do" to "they really care about my learning and development." It encourages them to ask additional questions, dig deeper — and that is powerful.

Darrell: Definitely make sure your training is customized to the type of role you are dealing with. A mortgage lender faces different types of phishing attacks and customer interactions compared to someone in accounts payable. If you give everyone the same training, it might help a little, but when you really customize it to the role, you are a lot more effective.

David: And Darrell, can you double-click on that — specifically around overall security awareness culture, and driving that cultural shift to change behaviors within the company?

Darrell: Culture is really important. If top leadership has an attitude of "security is secondary to the bottom line," that organization is going to be at a lot greater risk. Fortunately at my company it is a big priority, and I think we have a pretty good culture from the top down. People are aware that security issues are important to the bank, but they are also important personally. The things we teach our employees about how to stay secure and keep the bank safe are just as applicable to their personal lives — making sure they are not defrauded through the various financial scams that are out there. Engaging our employees not only for the company's benefit but for their own personal benefit is really valuable.

David: Any other takes on culture? I know we are almost at the top of the hour.

Marco: I agree — it really does come down to culture. If you do not have an organization that sees security as a business necessity — not as an expense or a cost center — that is really important. Our bank prides itself on relationships. If I cannot be trusted to keep your money and your data safe, that goes against our overall culture of maintaining a positive relationship with our clients and associates. Culture is king. It makes our jobs easier as information security professionals. We are not here to slow anything down. We are here to enable and maintain the trust of our clients and our customers.

Marcos: I agree with both Darrell and Marco. To echo Marco's last comment — culture is king. If the culture is not there and the tone is not set from the top, it is going to be a lot more difficult to do your job. I know we are at the top of the hour — does anyone have any final advice for our viewers who might be other security leaders in financial services companies? Anything we did not cover today?

Darrell: Stay informed. Everything is changing. You have to spend a good portion of each day watching the news, monitoring threat intelligence, and keeping up with your adversaries.

Marcos: I agree with Darrell. Maintaining that pipeline of intelligence and up-to-date insights within your organization — and specifically within your information security organization and security operations — is key. Techniques are constantly changing. Attackers are constantly pivoting, either retweaking existing attacks, going back to basics, or coming up with something new and novel. If you stay up to date, it allows you to digest that information much more easily, rather than having your security operations team immediately context-switch to triage something new. As CISOs, our job is to manage risk — particularly cyber risk. That allows your defenders and your security operations and InfoSec teams to focus on their projects, their business-as-usual tasks, their daily operations, without constantly having to drop everything to stay current. Staying informed is the only way we know what we know versus not knowing the unknowns.

Marco: I agree with Darrell and Marcos — excellent points. The one or two bits of advice I would add: continue learning. Things are constantly changing. AI, post-quantum — just keep learning. Talk with your peers, network, and get engaged in the various groups that are out there.

David: So just to summarize for today: in the past we moved from a perimeter-centric approach to cybersecurity — where employees were all in the office behind a firewall — to a more network-based, zero trust-based, identity-based security posture. Static security models are continually giving way to something more flexible and adaptable. Attackers are moving faster than ever. Adapting the employee layer is incredibly important — through role-based access controls, behavioral monitoring, and ensuring CISOs and teams understand the risk and role of individuals to contain both insider threat risk and social engineering risk. And we had a really good conversation around cultural shift — personalized, behavior-based training as well as broader cultural enablement to ensure the company and the business is enabled, aware, and aligned with security priorities to reduce cyber risk. Thank you so much today to Darrell, to Marco, and to Marcos — truly incredible leaders sharing some great wisdom. Thank you for your time.

Marco: Thank you for having us.

Marcos: Thank you.