Bank of America CTO Talks Windows 10 Plans, Security - InformationWeek

8/13/2015
09:00 AM

Bank of America CTO David Reilly is juggling Windows 10 deployment and security concerns, supported by an evolving relationship between business and IT.

Is your enterprise looking towards early adoption of Windows 10? Bank of America is.

InformationWeek sat down with Bank of America's CTO David Reilly following his keynote at the Hispanic IT Executive Council (HITEC) Q3 Summit, held last week in New York, where he chatted about an enterprise-wide Windows 10 migration, the changing dynamic between business and IT, and his biggest security concerns.

Reilly promised a Windows 10 upgrade is on the horizon for Bank of America. "We're looking to adopt as early as we can," he said. Such a project will be a massive undertaking given the sheer multitude of Windows devices within the organization, but he appears optimistic about the process.

The upgrade path to Windows 10 seems much smoother than the transition to Windows 7, he explained, which is part of the motivation to adopt early. Bank of America is currently running Windows 7 throughout the business.

Employee devices were never upgraded to Windows 8 because the bank requires its OS and applications to function fully across tablets and desktops. As many businesses have experienced, Windows 8 wasn't well suited for cross-device enterprise use. A broad range of employees, from financial advisors to customer greeters, regularly use both tablets and laptops.

Windows 10 delivers the same user experience across tablets, desktops, and laptops, which is another key reason Reilly is looking forward to upgrading sooner rather than later. "That's an opportunity we'd really like to take advantage of, if we can," he said.

Of course, enterprise adoption will prove much more complex than a simple download. Windows 10 will have to interface with inventory and security systems, said Reilly. The bank has to create a build for its specific environment.

If this type of build is ready by November, he said, it will be tested among development teams so as to address key concerns and bug fixes. From there, the plan is to enter a phased adoption so employees may opt for earlier upgrades before the OS is fully deployed throughout the enterprise.

Business and IT Relations

The myriad ongoing technology projects at Bank of America have been supported by an evolving relationship between the business and IT departments.

The level of technical proficiency among today's business leaders is dramatically higher, Reilly said, which makes his job far easier and more effective. When IT leaders can talk with the business team about details of operating systems and tech stacks, it's invaluable to the tech team.

Half of the leadership team, for example, has been running Windows 10, while half continues to use Windows 7. This allows a group of execs to become familiar with the new OS, receive and edit documents, and understand the many differences between the two systems.

The technical know-how of business leaders could prove helpful in understanding how data is used, another priority for the bank. "Data is an asset that really has to be owned by the business," Reilly emphasized in his keynote. IT can provide the necessary tools, but it's up to the business to understand, and act upon, the data collected.

Security Concerns

Speaking of data, like many tech professionals in financial services, Reilly has data security top of mind.

Bank of America has a tough exterior but continues to worry about the dangers of insider threats. All recent public breaches have, at their core, either known vulnerabilities or insider activity, said Reilly in his keynote speech.

"Once you're in with us, it's pretty open," Reilly admitted. "It's not enough to have that hard outer shell."

To create a more secure environment, he explained, it's necessary to protect sensitive resource zones within the bank. The process of segmentation, as he calls it, restricts contamination to smaller areas of information so as to limit the spread of harm.

To combat the risk of insider threat, Reilly is cracking down on access management for digital resources provided to Bank of America employees.

As they change roles within the organization, employees receive new credentials to access privileged resources, but continue to retain logins they needed for previous functions. New restrictions will limit employees' access to information specifically related to their duties, said Reilly.

(Image: E_Y_E/iStockPhoto)


Bank of America is also investing a large chunk of its security efforts into discovering third-party software vulnerabilities and revamping its patch strategy.

Normally the team tries to deploy patches when it's convenient, said Reilly, but this is no longer a practical strategy. As the number of software vulnerabilities quickly rises, so does the volume of necessary patches.

The problem is, faster patch delivery may lead to problems in other parts of the business. A patch intended to safeguard company information, for example, may cause a glitch in Bank of America ATMs.

In such a case, Reilly and his team have to decide which situation they would rather address: broken ATMs caused by a patch that successfully protected sensitive data, or a more in-depth breach that occurred because a patch wasn't deployed.

The former would be the lesser of two unfortunate situations, the CTO admitted. He and his team face a challenge in convincing fellow executives it's necessary to deploy a patch that could potentially cause other issues, but doing so is necessary to prevent more serious attacks.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Broadway0474,
User Rank: Ninja
8/17/2015 | 10:38:44 PM
Re: All Breaches Known?
In any case, their approach to fixing patches in third-party software sounds like a gerbil in a wheel approach, no? Won't they be constantly chasing holes to patch, running in circles? I don't mean to be negative here, and certainly that's not their only approach to security, but still, sounds like they're doing it just to say they've jumped through the hoops, or patches in this case.
Kelly22,
User Rank: Strategist
8/17/2015 | 12:03:53 PM
Re: All Breaches Known?
@Broadway0474 good point. The Target breach did start with an HVAC contractor. Looks like a hacker stole credentials from a worker from the company, which was granted access to the Target database for maintenance purposes. I'm guessing David put it under that umbrella because it started with a third party vulnerability.
Broadway0474,
User Rank: Ninja
8/14/2015 | 10:10:31 PM
All Breaches Known?
Great interview. I find fault with only one of his statements --- the one about all recent breaches having been caused by known holes or insider action. Wasn't the Target mishap caused by the fault of their HVAC contractor? That's what I've heard, and if that's the case, I wouldn't chalk that up to either explanation.