Published on: October 30, 2024
In a recent conversation with SafetyDetectives, Sean Darragh, Chief Information Security Officer (CISO) at Apiture, shared insights into his role and the evolving landscape of cybersecurity in financial services. With over five years in the position, Darragh oversees Apiture’s comprehensive security program, ensuring the company’s software development, infrastructure, and products align with industry best practices and regulatory requirements. His efforts reflect Apiture’s commitment to fostering a culture of security practitioners while continually improving its cyber resilience.
Can you introduce yourself and talk about your role as CISO at Apiture?
My name is Sean Darragh, and I have been the CISO at Apiture for 5 years.
In this role, I oversee a comprehensive cyber and information security program that provides guidance across the company for software development, infrastructure, product, and resilience architecture. Our program ensures we incorporate best practices, as well as address regulatory and statutory guidance in a continuous improvement process. Fundamentally, Apiture strives to build a culture of security practitioners.
What are Apiture’s flagship services?
Apiture delivers award-winning digital banking solutions to banks and credit unions throughout the United States. The Apiture Digital Banking Platform includes Consumer Banking, Business Banking, Digital Account Opening, API Banking, and Data Intelligence solutions. Our highly configurable solutions meet a wide range of community and regional financial institutions’ needs, from leveling the playing field with larger institutions to supporting growth through innovative data analysis and embedded banking strategies.
What are some of the biggest data safety challenges banks and credit unions face today, and how can they proactively address them?
One of the most critical data safety challenges today deals with data. Just like cities can experience urban sprawl due to uncontrolled expansion, company data must be carefully managed to avoid “data sprawl.” For example, a company has multiple services such as Dropbox, Google Drive, or AWS S3 to store its data instead of designating a single service. Managing multiple vendors for the same function can be overly burdensome and represent a significant increase in risk for breach or disclosure.
Cloud-native, SaaS-based data services make it extremely easy not only to ingest and analyze massive amounts of data, but also to extend that data across the various services and infrastructures the vendor uses to supply its product. To proactively address data sprawl, banks and credit unions must ensure their vendor management program addresses data residency, data ownership, and the identification of all sub-service providers the partner will use to process, store, and transmit their data.
In your opinion, what are the key elements of a strong vendor management program, especially for third-party providers?
Key elements of a good vendor management program include:
- Vendor selection criteria to evaluate technical capabilities, reputation, cost, auditability, etc.
- A contractual basis for the partnership that encompasses negotiations, escalations, scope of services, service level agreements, pricing, and a security posture as good or better than your financial institution’s.
- A process to monitor your partners regularly to ensure they are performing as outlined in the contract.
- A governance process that includes risk management strategies and partner compliance with your organizational policies, regulatory requirements, and industry standards.
What role does automation play in securing financial services, and are there specific areas where it adds the most value?
Automation’s role in securing financial services is twofold. First, it ensures a process is repeated consistently and with an expected result. Second, it provides a way to more easily monitor for anomalies. I consider automation a first line of defense against the introduction of errors.
Hackathons are becoming increasingly popular. How can financial institutions leverage them to enhance their cybersecurity defenses?
I like to use hackathons to increase the peripheral vision of product development or support teams by having them compete in a “Capture-the-Flag” type of event. Just like the outdoor game, the digital version presents an IT environment with hidden digital flags, such as a cleartext password or a secret key, for competitors to find.
This forces teams that may only work on one segment of the product, such as identity and access management, to see the whole product and how their piece works within it. And when you get all teams focused on a product, you generally find items that could be made better or need to be fixed. And everyone has a blast!
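The flags described above, a cleartext password or a secret key left in configuration, are the same artifacts a defender wants an automated check to surface before an event is run or before they reach production. The following is an added example and is not code from the interview or from Apiture: the sample lines, the rule names and the `find_cleartext_secrets` function are constructed for illustration, and the access key id is the example value Amazon publishes in its own documentation.

```python
import re

# Constructed sample: config and log lines of the kind an organiser might seed
# with "flags" (a cleartext password, a secret key) among benign entries.
SAMPLE_LINES = [
    "db.host = db.internal.example",
    "db.password = hunter2",                    # planted flag: cleartext password
    "db.password = ${DB_PASSWORD}",             # benign: resolved from the environment
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",  # Amazon's documented example key id
    "log.level = INFO",
    "-----BEGIN RSA PRIVATE KEY-----",          # planted flag: private key material
    "2024-10-30T10:01:02Z INFO user=alice action=login ok",
]

# Values that look like secrets but are references or redactions, not secrets:
# ${VAR}, <placeholder>, runs of asterisks, or nothing at all.
PLACEHOLDER = re.compile(r"^\s*(\$\{[^}]*\}|<[^>]*>|\*+|)\s*$")

# (rule name, pattern, index of the capture group holding the sensitive value;
#  0 means the whole match). Rule names are this example's own labels.
RULES = [
    ("cleartext-password",
     re.compile(r"\b(password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE), 2),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), 0),
]


def redact(value):
    """Keep a two-character hint so a finding can be located without
    copying the secret itself into a report or ticket."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def find_cleartext_secrets(lines):
    """Scan an iterable of text lines and return one finding per rule hit.

    Each finding is {"line": 1-based line number, "kind": rule name,
    "hint": redacted value}. Placeholder values are skipped so that
    environment references do not show up as false positives.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern, group in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(group)
            if kind == "cleartext-password" and PLACEHOLDER.match(value):
                continue
            findings.append({"line": lineno, "kind": kind, "hint": redact(value)})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_secrets(SAMPLE_LINES):
        print(f"line {finding['line']:>3}: {finding['kind']:<20} {finding['hint']}")
```

The check is deliberately conservative: it only reports on patterns with a known shape, and it never stores or prints the matched value in full, so its output can be handed to the owning team as-is. Running it over a real repository or exported configuration is a reasonable pre-flight for a Capture-the-Flag exercise, because any hit it finds is a flag that did not need planting.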