Having risk rather than cyber conversations
Bread Financial holds a lot of personally identifiable information (PII) for millions of customers, and it goes without saying that it needs to be protected. Naturally, the business cares about abiding by all the regulatory requirements a financial services firm is subject to, Kapil says, but he needs to always be thinking beyond that, especially when it comes to the implications of this PII being leveraged in an unauthorized way.
“Talking about encryption and tokenization is not really going to help the business,” he says. “But talking about, ‘If we do not secure the information and its access for unauthorized purposes, here are the implications,’” including loss of customer confidence, regulatory fines and additional oversight, and reputational loss — “those are the kinds of things the business cares about more.”
Gaurav Kapil, SVP and CISO, Bread Financial
Bread Financial
Further, instead of playing “a policing role,” CISOs need to think artfully about forming more influential relationships, and instead of having cyber conversations, have risk conversations, Kapil says.