8/13/2015
09:00 AM

Bank of America CTO Talks Windows 10 Plans, Security

Bank of America CTO David Reilly is juggling Windows 10 deployment and security concerns, supported by an evolving relationship between business and IT.

Is your enterprise looking towards early adoption of Windows 10? Bank of America is.

InformationWeek sat down with Bank of America's CTO David Reilly following his keynote at the Hispanic IT Executive Council (HITEC) Q3 Summit, held last week in New York, where he chatted about an enterprise-wide Windows 10 migration, the changing dynamic between business and IT, and his biggest security concerns.

Reilly promised a Windows 10 upgrade is on the horizon for Bank of America. "We're looking to adopt as early as we can," he said. Such a project will be a massive undertaking given the sheer multitude of Windows devices within the organization, but he appears optimistic about the process.

The upgrade path to Windows 10 seems much smoother than the transition to Windows 7, he explained, which is part of the motivation to adopt early. Bank of America is currently running Windows 7 throughout the business.

Employee devices were never upgraded to Windows 8 because the bank requires its OS and applications to function fully across tablets and desktops. As many businesses have experienced, Windows 8 wasn't well suited for cross-device enterprise use. A broad range of employees, from financial advisors to customer greeters, regularly use both tablets and laptops.

Windows 10 delivers the same user experience across tablets, desktops, and laptops, which is another key reason Reilly is looking forward to upgrading sooner rather than later. "That's an opportunity we'd really like to take advantage of, if we can," he said.

Of course, enterprise adoption will prove much more complex than a simple download. Windows 10 will have to interface with inventory and security systems, said Reilly. The bank has to create a build for its specific environment.

If this type of build is ready by November, he said, it will be tested among development teams so as to address key concerns and bug fixes. From there, the plan is to enter a phased adoption so employees may opt for earlier upgrades before the OS is fully deployed throughout the enterprise.

Business and IT Relations

The myriad ongoing technology projects at Bank of America have been supported by an evolving relationship between the business and IT departments.

The level of technical proficiency among today's business leaders is dramatically higher, Reilly said, which makes his job far easier and more effective. When IT leaders can talk with the business team about details of operating systems and tech stacks, it's invaluable to the tech team.

Half of the leadership team, for example, has been running Windows 10, while half continues to use Windows 7. This allows a group of execs to become familiar with the new OS, receive and edit documents, and understand the many differences between the two systems.

The technical know-how of business leaders could prove helpful in understanding how data is used, another priority for the bank. "Data is an asset that really has to be owned by the business," Reilly emphasized in his keynote. IT can provide the necessary tools, but it's up to the business to understand, and act upon, the data collected.

Security Concerns

Speaking of data, like many tech professionals in financial services, Reilly has data security at top of mind.

Bank of America has a tough exterior but continues to worry about the dangers of insider threats. All recent public breaches have, at their core, either known vulnerabilities or insider activity, said Reilly in his keynote speech.

"Once you're in with us, it's pretty open," Reilly admitted. "It's not enough to have that hard outer shell."

To create a more secure environment, he explained, it's necessary to protect sensitive resource zones within the bank. The process of segmentation, as he calls it, restricts contamination to smaller areas of information so as to limit the spread of harm.

To combat the risk of insider threat, Reilly is cracking down on access management for digital resources provided to Bank of America employees.

As they change roles within the organization, employees receive new credentials to access privileged resources, but continue to retain logins they needed for previous functions. New restrictions will limit employees' access to information specifically related to their duties, said Reilly.

(Image: E_Y_E/iStockPhoto)

Bank of America is also investing a large chunk of its security efforts into discovering third-party software vulnerabilities and revamping its patch strategy.

Normally the team tries to deploy patches when it's convenient, said Reilly, but this is no longer a practical strategy. As the number of software vulnerabilities quickly rises, so does the volume of necessary patches.

The problem is, faster patch delivery may lead to problems in other parts of the business. A patch intended to safeguard company information, for example, may cause a glitch in Bank of America ATMs.

In such a case, Reilly and his team have to decide which situation they would rather address: broken ATMs caused by a patch that successfully protected sensitive data, or a more in-depth breach that occurred because a patch wasn't deployed.

The former would be the lesser of two unfortunate situations, the CTO admitted. He and his team face a challenge in convincing fellow executives it's necessary to deploy a patch that could potentially cause other issues, but doing so is necessary to prevent more serious attacks.

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she's not catching up on the latest in tech, Kelly enjoys ...

Comments
Broadway0474,
User Rank: Ninja
8/17/2015 | 10:38:44 PM
Re: All Breaches Known?
In any case, their approach to fixing patches in third-party software sounds like a gerbil in a wheel approach, no? Won't they be constantly chasing holes to patch, running in circles? I don't mean to be negative here, and certainly that's not their only approach to security, but still, sounds like they're doing it just to say they've jumped through the hoops, or patches in this case.
Kelly22,
User Rank: Strategist
8/17/2015 | 12:03:53 PM
Re: All Breaches Known?
@Broadway0474 good point. The Target breach did start with an HVAC contractor. Looks like a hacker stole credentials from a worker from the company, which was granted access to the Target database for maintenance purposes. I'm guessing David put it under that umbrella because it started with a third party vulnerability.
Broadway0474,
User Rank: Ninja
8/14/2015 | 10:10:31 PM
All Breaches Known?
Great interview. I find fault with only one of his statements --- the one about all recent breaches having been caused by known holes or insider action. Wasn't the Target mishap caused by the fault of their HVAC contractor? That's what I've heard, and if that's the case, I wouldn't chalk that up to either explanation.