We’d Like to Help Capital One Prepare for the Next “Paige”

Published by Axio

The Capital One data breach has put cyber risk management in the spotlight. From a scenario-building perspective, it’s the kind of story that gives the Axio team global attention and serves as a flagship use-case for the Axio360 platform. We’ve even written a book outlining how to drive continuous cybersecurity improvement if you want to jump right into the solution.

But returning to the Capital One data breach, here’s a scenario recap:

  • The drama couldn’t be more captivating (106+ million customer records stolen and disclosed online).
  • The hacker in question couldn’t be more memorable (the incident was fueled more by revolutionary ideals than monetary gain).
  • And the consequences couldn’t be more devastating. The bank must now incur a fine of $80M by the Office of the Comptroller of the Currency.

Capital One Unfairly Singled Out by the OCC

On August 7th, 2020, the Office of the Comptroller of the Currency (OCC) said Capital One failed to “establish effective risk assessment processes” before transferring its operations to the public cloud and did not “correct the deficiencies in a timely manner.”

As the hacker Paige Thompson is allowed to “roam” freely in the Seattle area before her case goes to trial, the bank is now required to enhance its cybersecurity security defenses and submit a plan to the Federal Reserve within 90 days outlining how it intends to do so. They must also submit an internal audit of the firm’s risk management program.

This $80M fine by the OCC sends a strong message from regulators about how they would like to look at cybersecurity planning. Regardless of the technological sophistication of the victim, the hundreds of millions of dollars spent on cybersecurity investment, and immense controls put in place, it’s not enough. Organizations must demonstrate a clearly documented cybersecurity plan.

Matching Capital One’s Internal and External Customer Experience for Best of Class Cybersecurity

 Taking a step back before discussing cybersecurity planning, it’s important to understand Capital One was always a technology first organization. Back in 2018, in an article in Information Week,  their CIO Rob Alexander talked about how he “transformed his organization from an IT shop in a bank into a software company with Agile development, public cloud, new talent, open source technology, and machine learning.” This kind of strategy was necessary to provide the very best external customer experience.

Concurrently, this type of rapid growth probably resulted in an enormous amount of new systems and processes to monitor and detect against. Behind the scenes, internal organizations such as security, risk, compliance, and IT had to collaborate 24/7 to ensure that all data flowed freely without interruption. They too, required an excellent customer experience amongst themselves to efficiently complete their tasks.

It’s impossible to point fingers at any one person, process or technology at Capital One. There’s been a great deal written about the technicalities behind the event.  The way in which the hacker, Paige Thompson gained access to the company’s cloud instances demonstrated a deep understanding of Identity and Access Management policies for Amazon Web Services and exploiting very unique vulnerabilities in specific configurations. How can the internal organizations of Capital One have this same level of understanding? The question begets, what constitutes a good cybersecurity plan?

Having Complete Visibility for Improvement and Satisfying the Demands of Regulators

Using a strong cyber risk methodology can quickly satisfy the demands of regulators. It also can serve as the ground truth for an organization on the cutting edge of technology, such as Capital One.  For example, assessing the maturity of a cloud security program in one dynamic dashboard can allow security and risk leaders to quickly determine and communicate the most  appropriate controls and processes necessary for cyber posture improvement, in regard to identity and access management.

We don’t dispute that achieving higher maturity levels in this category is an easy task.  But we’ve seen it done by approaching cybersecurity program management in a holistic manner, with action items, targets for improvement, a roadmap that the entire team has real time-visibility into.

Prioritization can be as intuitive as dragging and dropping an item on a Kanban board. We call it baby cyber steps that drive forward momentum. No organization should be confined to a stroller and never grow up because there are just too many things to do and it’s too difficult. With the right approach to cyber posture improvement from day one, Axio360 can ensure empowerment for every single team member.

For any question asked in an assessment, you can capture notes, assign action items, and document evidence to help you reach your goals, giving you more value than a spreadsheet. Also, in addition to your current score,  Axio360 enables you to select a target score and plan how to work towards that goal. Milestones and benchmarking help you compare your current state to previous ones, and to current states of other users of the platform. And Axio continues to add widgets to support our clients’ needs. Axio assigns organizations a current score, but also gives a target score with a guide of how to work towards that goal.


The Fastest (and best) Way to Document Your Cybersecurity Improvement Roadmap

We could only imagine the size of Capital One’s security organization; all the initiatives they have planned for improvement already, and all things they want to better secure. But in this point in time, there are multiple business functions within (and outside) the security org that need to quickly collaborate for forward-moving cybersecurity planning. Only a small fraction of these can realistically get done in 90 days.  Right now, Capital One’s CISO has been presented with the tall task of  quickly understanding and prioritizing the most important cybersecurity initiatives, and then presenting a plan of action in a clear and concise manner. Fortunately, 90 days is plenty of time. Our platform Axio360 has handled similar tasks in as little as 2 days.

How can you Continuous Cyber Improvement be done step by step?

Download a copy of our eBook that shows how Axio360 works to drive continuous improvement for your cybersecurity program. We demonstrate that any organization (not only Capital One) can benefit by moving beyond annual risk assessments to plan their cybersecurity program to be future proof and ready to support the demands of vested parties, such as regulators like the OCC.

Axio360 is an integrated platform for cybersecurity management, and can demonstrate immediate results, from:

  • Rapidly determining your current state
  • Benchmarking how you stand (both internally and externally)
  • Setting Targets
  • Evaluating Your Progress
  • Integrating Data Across Your Technology Ecosystem