Bank of America CTO Talks Windows 10 Plans, Security - InformationWeek

Bank of America CTO David Reilly is juggling Windows 10 deployment and security concerns, supported by an evolving relationship between business and IT.

Is your enterprise looking towards early adoption of Windows 10? Bank of America is.

InformationWeek sat down with Bank of America's CTO David Reilly following his keynote at the Hispanic IT Executive Council (HITEC) Q3 Summit, held last week in New York, where he chatted about an enterprise-wide Windows 10 migration, the changing dynamic between business and IT, and his biggest security concerns.

Reilly promised a Windows 10 upgrade is on the horizon for Bank of America. "We're looking to adopt as early as we can," he said. Such a project will be a massive undertaking given the sheer multitude of Windows devices within the organization, but he appears optimistic about the process.

The upgrade path to Windows 10 seems much smoother than the transition to Windows 7, he explained, which is part of the motivation to adopt early. Bank of America is currently running Windows 7 throughout the business.

Employee devices were never upgraded to Windows 8 because the bank requires its OS and applications to function fully across tablets and desktops. As many businesses have experienced, Windows 8 wasn't well suited for cross-device enterprise use. A broad range of employees, from financial advisors to customer greeters, regularly use both tablets and laptops.

Windows 10 delivers the same user experience across tablets, desktops, and laptops, which is another key reason Reilly is looking forward to upgrading sooner rather than later. "That's an opportunity we'd really like to take advantage of, if we can," he said.

Of course, enterprise adoption will prove much more complex than a simple download. Windows 10 will have to interface with inventory and security systems, said Reilly. The bank has to create a build for its specific environment.

If this type of build is ready by November, he said, it will be tested among development teams so as to address key concerns and bug fixes. From there, the plan is to enter a phased adoption so employees may opt for earlier upgrades before the OS is fully deployed throughout the enterprise.

Business and IT Relations

The myriad ongoing technology projects at Bank of America have been supported by an evolving relationship between the business and IT departments.

The level of technical proficiency among today's business leaders is dramatically higher, Reilly said, which makes his job far easier and more effective. When IT leaders can talk with the business team about details of operating systems and tech stacks, it's invaluable to the tech team.

Half of the leadership team, for example, has been running Windows 10, while half continues to use Windows 7. This allows a group of execs to become familiar with the new OS, receive and edit documents, and understand the many differences between the two systems.

The technical know-how of business leaders could prove helpful in understanding how data is used, another priority for the bank. "Data is an asset that really has to be owned by the business," Reilly emphasized in his keynote. IT can provide the necessary tools, but it's up to the business to understand, and act upon, the data collected.

Security Concerns

Speaking of data, like many tech professionals in financial services, Reilly has data security top of mind.

Bank of America has a tough exterior but continues to worry about the dangers of insider threats. All recent public breaches have, at their core, either known vulnerabilities or insider activity, said Reilly in his keynote speech.

"Once you're in with us, it's pretty open," Reilly admitted. "It's not enough to have that hard outer shell."

To create a more secure environment, he explained, it's necessary to protect sensitive resource zones within the bank. The process of segmentation, as he calls it, restricts contamination to smaller areas of information so as to limit the spread of harm.

To combat the risk of insider threat, Reilly is cracking down on access management for digital resources provided to Bank of America employees.

As they change roles within the organization, employees receive new credentials to access privileged resources, but continue to retain logins they needed for previous functions. New restrictions will limit employees' access to information specifically related to their duties, said Reilly.

(Image: E_Y_E/iStockPhoto)

Bank of America is also investing a large chunk of its security efforts into discovering third-party software vulnerabilities and revamping its patch strategy.

Normally the team tries to deploy patches when it's convenient, said Reilly, but this is no longer a practical strategy. As the number of software vulnerabilities quickly rises, so does the volume of necessary patches.

The problem is, faster patch delivery may lead to problems in other parts of the business. A patch intended to safeguard company information, for example, may cause a glitch in Bank of America ATMs.

In such a case, Reilly and his team have to decide which situation they would rather address: broken ATMs caused by a patch that successfully protected sensitive data, or a more in-depth breach that occurred because a patch wasn't deployed.

The former would be the lesser of two unfortunate situations, the CTO admitted. He and his team face a challenge in convincing fellow executives it's necessary to deploy a patch that could potentially cause other issues, but doing so is necessary to prevent more serious attacks.

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she's not catching up on the latest in tech, Kelly enjoys ...

User Rank: Ninja
8/17/2015 | 10:38:44 PM
Re: All Breaches Known?
In any case, their approach to fixing patches in third-party software sounds like a gerbil in a wheel approach, no? Won't they be constantly chasing holes to patch, running in circles? I don't mean to be negative here, and certainly that's not their only approach to security, but still, sounds like they're doing it just to say they've jumped through the hoops, or patches in this case.
User Rank: Strategist
8/17/2015 | 12:03:53 PM
Re: All Breaches Known?
@Broadway0474 good point. The Target breach did start with an HVAC contractor. Looks like a hacker stole credentials from a worker from the company, which was granted access to the Target database for maintenance purposes. I'm guessing David put it under that umbrella because it started with a third party vulnerability.
User Rank: Ninja
8/14/2015 | 10:10:31 PM
All Breaches Known?
Great interview. I find fault with only one of his statements --- the one about all recent breaches having been caused by known holes or insider action. Wasn't the Target mishap caused by the fault of their HVAC contractor? That's what I've heard, and if that's the case, I wouldn't chalk that up to either explanation.