Ben Lane, CIPRNA event manager, met Cameron Dicker, Director of Global Business Resilience at the Financial Services Information Sharing and Analysis Center (FS-ISAC). FS-ISAC is the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, protecting the financial institutions and the people they serve. Founded in 1999, the organization’s real-time information sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector’s collective security and defenses. Member financial firms represent $100 trillion in assets in seventy-five countries.
The following is a transcription of their conversation.
Hello Cameron. Good to meet. Can you provide a little bit about yourself, a potted history of your career and your position now?
I joined FS-ISAC in June of 2022, where I serve as the Director of Global Business Resilience. I focus on running resilience programs across our various regions, including the Americas, Europe, Middle East and Africa, and Asia Pacific.
In these regions, my team runs a business resilience committee. This is a committee for our membership that brings members together to discuss best practices and identify risks. During an incident we assess the operational risks and systemic nature of a disruptive event. And of course, write, manage, and update playbooks.
In addition to the business resilience committees, my team also runs our exercise program. Once we have the playbooks, we evaluate those playbooks. We run exercises on all hazards, from hurricanes to insider threats to cyber. Anything that could pose a disruption to the sector’s ability to operate. We evaluate the sector-level playbooks to identify any gaps in policy, process, and procedure. We also build muscle memory while working with organizations, as well as with our government partners, during a disruptive event. So, when those bad days happen, we know who is going to do what, when, and how.
Before joining FS-ISAC, I worked for the Department of the Treasury, where I was the Deputy Director for Response and Recovery within the Office of Cybersecurity and Critical Infrastructure Protection. Prior to that I was at the Federal Reserve.
Thank you for the introduction. Can you provide an explanation of FS-ISAC and its roles and objectives?
FS-ISAC is a member-driven organization designed to collect, analyze, and share information that better prepares organizations to be more resilient to any hazard or disruption. We do this through three pillars: intelligence, security, and resilience, which is my department.
Our global intelligence office collaborates with members to share information in an anonymized, trusted environment when they have an incident or any sort of event. We then analyze that information, add in other information we receive from vendors, other members, government sources, and then put that back out to the membership through our channels to help them better understand threats and how to mitigate them.
Through our security pillar, we share all kinds of information and insights related to the work of protecting the firm. We do this through a wide variety of member-only conferences and events, as well as through our communities, which are smaller groups within our 5000-firm membership that relate to common interests, be they regional, sub-sector, topic or even role.
And then our resilience work is focused on developing incident response playbooks and then continuously testing and improving those through exercises. Of course, the pillars are inter-related and feed each other to continuously achieve our mission of advancing cyber security and resilience of the global financial system.
It is a virtuous circle. Let us delve a bit deeper into these topics. What are the main developments and changing threats you are seeing now for the financial services sector?
I think the reliance on third parties and the emergence of third-party suppliers as a primary attack vector for the sector is the largest change we have seen over the last few years. Threat actors have learned if they attack one bank, they will get one score but if they attack a third party who serves multiple firms, they will potentially get hundreds, if not thousands. Many third parties are not regulated in the same way banks are, and do not have the same security programs that a large, well-resourced financial institution will have. In some cases, they may be the easier way into the bank than the bank itself.
So, from a threat actor’s perspective, it makes total sense to focus on providers.
Interesting. I am sure this topic will be discussed in more detail at CIPRNA this year. How does FS-ISAC work within its industry sector to tackle and prepare its members for these changing threats? We have talked about information sharing, but can you dive a little deeper into this area?
FS-ISAC is a wide collection of nodes around the world – our 5000 member firms who essentially act as a real-time sensor network for the cyber threats facing the sector. We see attacks happen every day. Our members report things that worked, things that were unsuccessful, and how they fought against it. We can then start to pick up trends, the emerging threats, and where they are moving from market to market.
We also work closely with our public sector partners in several jurisdictions to take the information the government is seeing, combine it with the information we are seeing, and then provide insight back to our members. It then goes into these communities, where they can brainstorm and talk about what has worked at some organizations and not worked at others, to share best practices for how the organizations can defend against the threat landscape.
And then, where my team really comes in, is our exercising function. As we see threats start to emerge, we can exercise with the members against these. We can figure out what we think is going to happen, what the potential disruptive effects are, and what we can do today to prepare for the threats of the future.
In 2023, for example, we had a couple exercises working on the emerging threat of AI, as well as risks associated with the potential use of post-quantum computing to break cryptography used by the sector. This allows us to think through what those threats could be in two, three, four years’ time, and start now with recommendations that financial firms can use.
It is fascinating that you look three to four years ahead. That is predicting a long way ahead in such a fast-moving world. We have talked about FS-ISAC as an individual body. How does FS-ISAC work with other sectors and other ISACs to ensure resilience in the system?
In the United States there is the Council of ISACs. It has representation from all the critical infrastructure sector ISACs, of which we are a member. We participate very, very actively in that forum to make sure we have contacts with all the other ISACs, that we are sharing information on a regular basis, and we are coordinating on that front.
FS-ISAC is heavily dependent on energy and telecommunications. So, we have a tri-sector, which is just those three ISACs in a close, trusted community, sharing information on a regular basis about the threats and risks we see. We also have a playbook specific to how these three ISACs would coordinate in a state of heightened awareness or an actual incident because of the strong interdependencies between these three sectors.
You are dealing with a lot of information. Incredible work. What are the main challenges for critical infrastructures, do you foresee?
My personal view on this, and having watched this grow during the past few years, is that the greatest risk we are going to see over the next few years is the interconnectedness between organizations and between sectors. We do not live in a world anymore where it is sufficient to say, “I know what I own, and I can protect it.” It is about who you are connected to. Who you rely on. And what permissions they have into your network, or what relationships they have with you that could disrupt your ability to function.
The high reliance on IT is part of that, but it is not everything. There is still a reliance, as a bank for example, on their ability to receive physical currency, which is a reliance on the Federal Reserve, and a reliance on the Mint to print it, and a reliance on the armored carriers to deliver it. There is a lot in the chain to make these things happen. We are no longer in an environment where one piece is going to operate effectively without the others.
That is a great answer. And again, a topic which will be discussed in further detail at CIPRNA this year. Cameron, thank you for your time. We look forward to seeing you in Lake Charles March 12 to 14 where you’ll be speaking in the Critical Industries Sector Symposium: https://ciprna-expo.com/session/critical-industries-sector-symposium/.
I am really looking forward to it. Thank you.
About Cameron Dicker, Director of Global Business Resilience, FS-ISAC
Cameron Dicker is the Director of Global Business Resilience at FS-ISAC and the Deputy Director of the Financial Services Sector Coordinating Council. As Director of Global Business Resilience, Cameron oversees FS-ISAC’s exercise programs as well as the regional business resilience committee. Prior to joining FS-ISAC, Cameron worked on resilience policy and crisis management for the Department of the Treasury and the Federal Reserve Board. Cameron earned his master’s degree in philosophy from San Francisco State University and his bachelor’s degree from Drake University. He is based in the Washington DC-Baltimore area.