Klaudia Bednarczyk
Communication Expert
To mark Cybersecurity Awareness Month, each week we are sharing our experience and knowledge on the latest technologies we use to counter cyber threats. Today, we introduce you to Michał, who has been protecting financial applications from cyber threats for almost 15 years. In our conversation, he talks about his career path, the biggest challenges in the industry, and the growing role of automation and artificial intelligence in ensuring security. He also shares insights on the innovations shaping the future of this field and the key principles essential for daily work in data protection. Meet Michał Brandt - Security Chapter Lead at Raiffeisen Tech.
My work has always been connected to the IT world. I started typically as a Service Desk/Administrator. This allowed me to gain general experience in IT, but even back then, I became very interested in information security topics. After a few years, an opportunity arose to become an IT auditor, and that’s when I seriously began focusing on this area. Auditing allowed me to gain theoretical knowledge about requirements, standards, regulations, etc. These were good foundations, and after four years, I switched "sides" and joined the information security department in 2011. So, I’ve been involved in this incredibly interesting and dynamically evolving field of IT for almost 15 years. It is definitely my world, where I can combine the broad knowledge I’ve acquired with what I love most – helping others achieve their business goals while maintaining the highest security standards.
As is always the case, there is a fear – can I do it? Am I suited for this? But thanks to the support of colleagues and the department director, I quickly realized that these were unfounded worries. Of course, IT security has its own rules, but I quickly learned the ropes. The biggest challenge in this area (not just at the beginning of my career, but throughout) has been maintaining and constantly acquiring knowledge about new threats, trends, tools, phenomena, and challenges. Therefore, continuous learning is extremely important – courses, conferences, seminars, and a lot of documentation.
When we talk about threats to today’s financial world, we’ve already touched on this in previous articles. The weakest link remains the human – the client, employee, collaborators. It is still easiest to hack human minds and obtain information through social engineering, phishing, exploiting negligence, and underestimating threats. However, this does not mean other aspects are less important. Poorly or carelessly written applications (code security!) pose equally serious risks of data leaks, theft of funds, or identity theft. The set of security tools is relatively stable; of course, these are being developed in various aspects, but on this front, there always has been, is, and will be a battle between the light and dark side of the force.
First and foremost, the awareness of information security aspects has significantly increased among ordinary users and clients. In institutions, non-IT, non-technical employees are also an important part of the ecosystem, which is especially visible in financial institutions that strive to maintain the principle that everyone is responsible for security. Of course, a lot has also happened in the technical area, where many new technologies have been implemented to help combat threats – increasing computing power, cloud availability, and AI support have greatly helped shorten response times to incidents and have allowed for more effective protection of our resources.
We’ve already discussed this a bit in previous posts – Raiffeisen Tech, as part of a large financial group, is obliged to ensure compliance with a range of internal, well-maintained, and developed security standards – in the area of application development, maintenance, support, and the overall life cycle. Let’s also remember that we operate within the EU market, which is highly regulated regarding the security of financial institutions. The highest programming standards, consistent for all teams, a full range of support tools that ensure security at every stage of an application's life – source code scanning, infrastructure, and application vulnerability scans, detailed penetration testing before deployment and regularly during system operation, training for experts in programming, maintenance, and supporting security processes are just some of the key actions taken at Raiffeisen Tech to ensure the highest quality applications for our customers.
Of course, for example, the already mentioned security scans are fully automated, and a customized report from these scans is delivered straight to the user’s desktop or email inbox. Essentially, artificial intelligence, which we have already discussed, is increasingly used at every stage of the application life cycle. Each automated subprocess allows for faster work, reducing human errors and ensuring higher final quality. However, remember that a poorly or carelessly prepared automated process can do more harm than good if, for instance, additional factors are not considered, or someone makes a mistake.
As mentioned earlier, Raiffeisen Tech is part of a large financial group, which also means centralized tools and processes in the field of security. This applies to the use of AI/ML in IT Security as well. AI supports developers by pointing out errors in source code, assists analysts in examining logs and events by highlighting those requiring the fastest reaction, or closing off those that can be ignored. Anti-malware software (e.g., MS Defender) also uses AI widely to detect and neutralize threats, significantly increasing defense effectiveness.
Looking at today’s IT security landscape, one might wonder – can we come up with something new? It’s a very difficult question; it’s hard to predict in which direction threats will evolve, and thus the development of defensive measures – tools and systems to support the fight against IT threats. However, I’ll venture a bit of foresight – certainly, there will be further development of AI technologies and the vast computing power of the cloud. I believe the battle will be based on increasingly greater and more effective use of computational resources for attacks, and similarly, this will be the case for defense against such attacks.
Similar to the previous question, I think the importance of AI and the increasingly easy (and cheap) access to computing resources will continue to grow, resembling a classic arms race. Is there a possibility to limit this arms race? For now, it’s not visible, but it’s possible that at some point, we will face a wall – the challenge of ensuring the energy required to power both sides. For example, Microsoft is already purchasing a nuclear power plant for its own use – maybe they know something about the upcoming future?
In the context of previous questions – definitely knowledge and experience related to AI, but also the use of cloud technologies – in terms of computing power, scalability, deployment speed. However, I believe the most important skill for the IT Security sector is the ability to quickly learn and acquire knowledge – you absolutely cannot afford to "fall behind" – otherwise, you won’t know what and how to defend against. Personally, I also believe that the ability to reconcile the world of business, IT, and security is very important. Only a "security expert" deeply engaged in all these areas can provide the best possible solutions to minimize risks and ensure an adequate level of security.
As I’ve mentioned before, we use many tools and processes in this area. Certainly, a major milestone was the global implementation of SAST – source code scanning for all projects. This allows us to avoid security issues at the programming stage, which can be quickly fixed at this stage. Daily scanning of our resources also enables us to address the latest threats almost in real-time, which would not be possible on this scale without the support of tools and processes. Internal RBI group requirements also directly translate to client security – good password management or recovery policies minimize risk in this area. But even if there is a leak or credential theft – we always have a very strong defense point in MFA – multi-factor authentication and authorization methods.
Essentially, this area is synonymous with what I previously mentioned about AI/ML – I think the use of AI will go so far that it will be integrated within the application itself, reducing response times to various types of threats. Perhaps this will lead to the "miniaturization" of AI to easily and cheaply integrate it into an application – limiting its functions only to those required within a specific application. I also think that there will be further development and an increase in the importance of cloud technologies as the primary platform for applications, not only in terms of deployment speed or scalability but also in ensuring security by cloud service providers through the use of integrated security mechanisms and tools native to the platform. I’ve already mentioned some challenges – the use of AI on both sides – it’s hard to say who will ultimately prevail in this fight. With the right computing power, anything is possible – and the goal of IT Security is to make it as difficult as possible for attackers. It is a difficult, arduous, and costly process – but is there any other way? I don’t think so.
Michał, thank you very much for the conversation. It has been a month full of inspiration and a solid dose of knowledge in the field of cybersecurity. I hope that the presented case studies and insights will help better understand the challenges facing the IT security industry. And if you haven’t seen our previous materials, it’s time to catch up. Check out our recent articles, where you can learn: