JPMorgan CISO says three trends play a role in how he protects the banking giant

Pat Opet, the global chief information security officer at JPMorganChase, says three trends today play a role in how his team protects America’s biggest bank.

The first is that the bad actors have gotten savvier. “Every time the defenders continue to innovate, you’ve got attackers who are doing so in parallel,” says Opet.

This year alone, cyberattacks have stung big industries ranging from healthcare to car dealerships to telecommunications giants. The average cost of a data breach in 2024 rose 10% to a record high of $4.9 million, according to IBM and independent researcher Ponemon Institute.

“The most significant change to the ecosystem is the sophistication of the ransomware actors,” says Opet, adding that there’s even been some coordination between nation-state adversaries and cybercriminals that can make it difficult to decipher between the two.

Secondly, there’s the increased reliance on cloud-based, software as a service (SaaS) applications, which have proliferated in popularity in recent years and saw an especially strong surge of adoption as companies embraced remote work during the pandemic. “All these changes in technology creates the opportunity for weakness or failure if companies aren’t diligent in how they mature these capabilities to make them available to employees,” says Opet.

And lastly, JPMorganChase has itself become a much more technology-centric organization, embracing machine learning, public and private clouds, and newer technologies like generative artificial intelligence. The firm has said every new hire will be trained on AI and new tools. An AI assistant that rolled out this summer has been made available to 140,000 employees at the financial giant.

As new tools are rolled out and employees get access to more forms of technology, Opet deploys a “federated” approach to cybersecurity. The CISO has a team of security architects and engineers who are embedded into the development teams to build the necessary safety controls of the latest generative AI tools or cloud platforms.

“The workforce, of course, also has a responsibility,” says Opet. “But even there, we build a lot of security technology into the ecosystem to ensure we can offer that level of resilience and that a mistake doesn’t lead to some sort of cyber event.”

If an employee were to erroneously click malicious link in a phishing email, for example, the web page would open on an isolated container that’s separate from the rest of the computer. This would prevent the malware from infecting the PC.

JPMorganChase buys some cyber solutions from third-party vendors, which Opet declined to name, though he said the company generally believes that if “there’s either a scale problem or there’s a capability gap that we don’t believe we can get from the market, then we’ll build.”

Across the cybersecurity industry, Opet says some work must be done to make multi-factor authentication more resilient. That is a security method that requires users to provide more than one form of authentication to access an application or online account. Known as MFA, this line of defense has been adopted widely, giving attackers more motivation to figure out loopholes to exploit. The hackers have made inroads exposing MFA in recent years.

As companies lean more on SaaS solutions, there are also instances where two software tools are sharing information without human involvement and also using MFA to authorize those connections. These machine-to-machine relationships present another area of potential exposure. “There’s some big evolution that’s got to happen in the machine-to-machine space,” says Opet, who advocates for better mechanisms to authorize info sharing between software platforms.

He sees the June cyberattack on CDK Global as another cautionary tale. Thousands of car dealerships were stung by an outage that impacted their dealership management system and this points to two trends: corporations have lately been preferring SaaS solutions and the best vendors end up gobbling up a near monopoly of customers in certain sectors.

“We’re almost sort of systematically headed towards concentration risk in various sectors, based on those two factors,” says Opet. In response, JPMorganChase works closely with vendors to clearly understand their resilience and recovery methods. “We are looking for better ways to manage the performance of third parties as it relates to cyber,” Opet says.

John Kell

Send thoughts or suggestions to CIO Intelligence here.

NEWS PACKETS

Tech giants poised to spend over $200B on AI in 2024. Amazon, Microsoft, Meta Platforms, and Alphabet will spend more than $200 billion on AI infrastructure this year, a record sum according to Bloomberg — and the companies expect to spend even more in 2025. In justifying Amazon’s projection for a record $75 billion of capital expenditures in 2024, CEO Andy Jassy called AI an “unusually large, maybe once-in-a-lifetime type of opportunity.”

OpenAI launches a search feature to compete with Google, Microsoft. A new search feature within ChatGPT debuted last week that positions the AI startup to better compete with search engines like Google and Microsoft’s Bing. OpenAI says all ChatGPT Plus and Team users have access to the ChatGPT search feature, while ChatGPT Enterprise and Edu users will get access within the next few weeks. The product will roll out to the free version of ChatGPT in the coming months. The release has implications for Google, which has the largest market share for search, and it makes OpenAI even more of a direct competitor to Microsoft, which has invested close to $14 billion in OpenAI.

Intel’s woes raise questions on Capitol Hill. Chipmaker Intel is projected to be the single biggest recipient of federal money from the 2022 CHIPS Act that’s intended to make the U.S. less reliant on semiconductors from Asia, and yet Intel’s worsening business prospects is leading to fears in Washington about the company’s ability to deliver on its promises. The New York Times reports that the government has made direct overtures to executives at large tech giants including Apple and Amazon to consider ordering chips from Intel’s plants, pressure that’s been rejected by a majority of these firms. In another blow, Intel was replaced by rival Nvidia on the Dow Jones Industrial Average after a 25-year run, a reflection of Intel’s struggles to gain share in the AI chip market that’s been dominated by Nvidia.

ADOPTION CURVE

Executives worry about their personal data privacy but overwhelmingly say their company is doing a great job. A survey published this week by consulting firm Protiviti and the University of Oxford found that only 8% of global executives say they were “concerned” or “extremely concerned” about their company’s ability to protect customer data over the next five years, but paradoxically, 78% of those respondents say they are worried about their own personal data privacy over the next five years.

The results, based on responses from 250 board members and C-suite executives across 14 countries, also found that 86% are “confident” or “extremely confident” their company is doing everything it possibly can to protect customer data and three out of four say their company is projected to have the right level of funding and resources to support data privacy between now and 2030. Only 2% of executives were willing to admit their company has a negative reputation in terms of privacy.