Bank of America CTO Talks Windows 10 Plans, Security - InformationWeek

Bank of America CTO David Reilly is juggling Windows 10 deployment and security concerns, supported by an evolving relationship between business and IT.

Is your enterprise looking towards early adoption of Windows 10? Bank of America is.

InformationWeek sat down with Bank of America's CTO David Reilly following his keynote at the Hispanic IT Executive Council (HITEC) Q3 Summit, held last week in New York, where he chatted about an enterprise-wide Windows 10 migration, the changing dynamic between business and IT, and his biggest security concerns.

Reilly promised a Windows 10 upgrade is on the horizon for Bank of America. "We're looking to adopt as early as we can," he said. Such a project will be a massive undertaking given the sheer multitude of Windows devices within the organization, but he appears optimistic about the process.

The upgrade path to Windows 10 seems much smoother than the transition to Windows 7, he explained, which is part of the motivation to adopt early. Bank of America is currently running Windows 7 throughout the business.

Employee devices were never upgraded to Windows 8 because the bank requires its OS and applications to function fully across tablets and desktops. As many businesses have experienced, Windows 8 wasn't well suited for cross-device enterprise use. A broad range of employees, from financial advisors to customer greeters, regularly use both tablets and laptops.

Windows 10 delivers the same user experience across tablets, desktops, and laptops, which is another key reason Reilly is looking forward to upgrading sooner rather than later. "That's an opportunity we'd really like to take advantage of, if we can," he said.

Of course, enterprise adoption will prove much more complex than a simple download. Windows 10 will have to interface with inventory and security systems, said Reilly. The bank has to create a build for its specific environment.

If this type of build is ready by November, he said, it will be tested among development teams so as to address key concerns and bug fixes. From there, the plan is to enter a phased adoption so employees may opt for earlier upgrades before the OS is fully deployed throughout the enterprise.

Business and IT Relations

The myriad ongoing technology projects at Bank of America have been supported by an evolving relationship between the business and IT departments.

The level of technical proficiency among today's business leaders is dramatically higher, Reilly said, which makes his job far easier and more effective. When IT leaders can talk with the business team about details of operating systems and tech stacks, it's invaluable to the tech team.

Half of the leadership team, for example, has been running Windows 10, while half continues to use Windows 7. This allows a group of execs to become familiar with the new OS, receive and edit documents, and understand the many differences between the two systems.

The technical know-how of business leaders could prove helpful in understanding how data is used, another priority for the bank. "Data is an asset that really has to be owned by the business," Reilly emphasized in his keynote. IT can provide the necessary tools, but it's up to the business to understand, and act upon, the data collected.

Security Concerns

Speaking of data, like many tech professionals in financial services, Reilly has data security top of mind.

Bank of America has a tough exterior but continues to worry about the dangers of insider threats. All recent public breaches have, at their core, either known vulnerabilities or insider activity, said Reilly in his keynote speech.

"Once you're in with us, it's pretty open," Reilly admitted. "It's not enough to have that hard outer shell."

To create a more secure environment, he explained, it's necessary to protect sensitive resource zones within the bank. The process of segmentation, as he calls it, restricts contamination to smaller areas of information so as to limit the spread of harm.

To combat the risk of insider threat, Reilly is cracking down on access management for digital resources provided to Bank of America employees.

As they change roles within the organization, employees receive new credentials to access privileged resources, but continue to retain logins they needed for previous functions. New restrictions will limit employees' access to information specifically related to their duties, said Reilly.

(Image: E_Y_E/iStockPhoto)

Bank of America is also investing a large chunk of its security efforts into discovering third-party software vulnerabilities and revamping its patch strategy.

Normally the team tries to deploy patches when it's convenient, said Reilly, but this is no longer a practical strategy. As the number of software vulnerabilities quickly rises, so does the volume of necessary patches.

The problem is, faster patch delivery may lead to problems in other parts of the business. A patch intended to safeguard company information, for example, may cause a glitch in Bank of America ATMs.

In such a case, Reilly and his team have to decide which situation they would rather address: broken ATMs caused by a patch that successfully protected sensitive data, or a more in-depth breach that occurred because a patch wasn't deployed.

The former would be the lesser of two unfortunate situations, the CTO admitted. He and his team face a challenge in convincing fellow executives it's necessary to deploy a patch that could potentially cause other issues, but doing so is necessary to prevent more serious attacks.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

User Rank: Ninja
8/17/2015 | 10:38:44 PM
Re: All Breaches Known?
In any case, their approach to fixing patches in third-party software sounds like a gerbil in a wheel approach, no? Won't they be constantly chasing holes to patch, running in circles? I don't mean to be negative here, and certainly that's not their only approach to security, but still, sounds like they're doing it just to say they've jumped through the hoops, or patches in this case.
User Rank: Strategist
8/17/2015 | 12:03:53 PM
Re: All Breaches Known?
@Broadway0474 good point. The Target breach did start with an HVAC contractor. Looks like a hacker stole credentials from a worker from the company, which was granted access to the Target database for maintenance purposes. I'm guessing David put it under that umbrella because it started with a third party vulnerability.
User Rank: Ninja
8/14/2015 | 10:10:31 PM
All Breaches Known?
Great interview. I find fault with only one of his statements --- the one about all recent breaches having been caused by known holes or insider action. Wasn't the Target mishap caused by the fault of their HVAC contractor? That's what I've heard, and if that's the case, I wouldn't chalk that up to either explanation.