‘Protecting customers’ data is the core purpose of my role’

18 Jun 2021

Nicola O’Connor, AIB. Image: © Shane O’Neill/Coalesce

AIB’s Nicola O’Connor shares her thoughts on cybersecurity and why it’s an exciting time to work in tech within financial services.

Nicola O’Connor is AIB’s chief information security and IT risk officer, a role she has held for the last three years. She is responsible for ensuring the integrity of both information and systems, while also defining the strategy to future-proof technology for the organisation.

O’Connor has previously worked in a number of senior management positions in AIB over the last six years.

Prior to her time in AIB, O’Connor worked at Intel, where she held a number of senior technical roles, working in Ireland and the US. She holds a bachelor’s degree in computer engineering from UCC.

Describe your role and your responsibilities in driving tech strategy.

As chief information security and IT risk officer, I am accountable for ensuring that AIB’s technology is secure and resilient, ensuring at all times that customer data is protected.

In driving technology strategy, we adhere to a principle of security by design, ensuring that security and technology risk management is at the heart of our customer solutions.

Are you spearheading any major product or IT initiatives?

Within AIB we operate a two-yearly cyber and IT risk strategy cycle. We operate our cyber defences in line with international standards (NIST and ISO), combining controls that help predict, prevent, detect and respond to attacks.

Given the nature of cybersecurity, we always have multiple initiatives being designed and delivered. Three that I’m currently quite excited about are in the fields of identity management, cyber analytics and cloud assurance.

How big is your team?

Within AIB our team features more than 50 people. We also work with world-leading security and cyber vendors who help us keep our customers safe.

What are your thoughts on digital transformation?

At AIB, our approach to digitalisation is to expand our offering in an attractive way to enable our customers to digitally request more and more services.

Traditionally, access to our products and services was guided by opening hours and physical locations, then processed via paper or voice/call instruction. We have invested and innovated in our digital offering and our customers’ behaviours have followed. Through digitalisation we foster agility and flexibility, and ultimately offer our customers much greater accessibility.

What big tech trends do you believe are changing the world and the financial services industry specifically?

Personally, the most significant tech trend that I believe is changing technology in the financial services industry is our ways of working. We have an immediate need to adapt to the pace demanded by our customers for digital solutions, accelerated by our response as a society to Covid-19.

This type of change requires us as a community to invest in our culture, practices and physical environment.

While our ways of working change, it’s also important to ensure that the line between home and work isn’t blurred, which is why it’s important to have policies in place to prevent this.

One such policy AIB has introduced is the right to disconnect. The purpose of this policy is to help clarify expectations and, therefore, set clearer work-life boundaries that help us sustain our productivity and, more importantly, our wellbeing.

It is an exciting time to be in technology within the financial services sector.

In terms of security, what are your thoughts on how we can better protect data?

Protecting our customers’ data is the core purpose of my role, so I am very passionate about this topic. Cyber capabilities are constantly shifting.

I am a firm believer in the layering of controls, ensuring that the organisation has the ability to protect, detect, defend, respond and recover from any potential intrusion.

Key to this is having a strong intelligence capability that you can turn into actionable responses.

Finally, people are still a significant component of any cybersecurity solution. An employee base that is cyber-savvy will always be a significant defence mechanism.

To ensure awareness of information security matters, all our employees are required to complete information security training, which covers our policy, data protection law, reporting and escalation of issues. Additional training must be completed by high-risk users.

Across industry, employees clicking on phished emails are still responsible for the majority of all malware entering organisations. We conduct ongoing phishing simulations, sending targeted mails direct to employee mailboxes.

The results allow us to measure our resilience to such attacks. Typically, we conduct one simulation exercise per quarter for all employees but, mainly due to Covid-19, this rose to eight in 2020 – five for all employees with a further three directed at specific high-risk users. It really helps bring our training to life.
