Although technical threats like malware represent significant risk, Damian Laviolette, senior vice president and chief information security officer at Webster Bank, understands that the most persistent threats to any bank and its customers are accidental insider threats. Leadership can view its workforce in one of two ways—either as an exponentially increasing threat or as an army of CISOs all doing their part to secure the company—and Laviolette believes the latter works for Webster Bank. In his view, a large and continuously trained workforce is necessary to deal with today’s constant stream of phishing, social engineering, and business email compromise attacks, which typically exploit weak user awareness. “Like any other healthy organization, Webster Bank has a user awareness program in place,” he says. “And again, like any other healthy organization, there are always opportunities for improvement. My goal at Webster Bank is to cut the accidental user threat in half or more.”
That’s done by talking with the workforce about the bank’s core and critical information security risks, since user awareness remains the most effective defense against information and cybersecurity attacks. “This is the year of awareness for Webster Bank,” he explains. That’s not just a passing statement, but a call to action. Laviolette joined the world of banking security in 2012—first at Umpqua Bank and then Webster in 2014—after spending two decades working in technology and information security for the US military.
Laviolette’s efforts with Webster include traveling to subsidiaries for special presentations about information and cybersecurity, monthly newsletters, implementing automated training and assessment programs, and even a new fifteen-minute information security awareness video presented during each onboarding session, so that new employees join the Webster organization with a solid understanding of their obligations to customers and shareholders.
As mobile tech advances, banks face new threats. American Banker outlined the biggest struggles, and mobile banking was one common thread. While individuals frequently use security programs on home computers and laptops, mobile devices are less likely to be as secured. Also, while EMV chip-and-PIN cards become the norm, online and mobile retail may still leave a gap in security.
Laviolette’s background in the armed forces prepared him to face head-on the challenges of managing risk and overseeing a diverse group of workers. “My career in the military provided both exceptional training and real-world opportunities,” he recalls. “It also allowed me to build a strong technology and concept foundation, which I use to this day. I was able to start in the trenches as an individual contributor and slowly move up the ranks, advancing along with technology and process, and all the while growing leadership and management skills.”
His final six years in the military were spent as a leader in the information and cybersecurity field, not only leading a team of information security professionals, but working and building partnerships at the executive level within state and federal agencies. This allowed for an easy transition to the civilian sector, leading a large group of bank security talent. Among his responsibilities are four main buckets: governance, vendor and risk management, standards and policy, and technical/tactical security operations. Laviolette works to confront attacks and the unpredictable angles from which they might arise.
When Laviolette began at Webster Bank, the information security program was static and in need of relevance and direction. Two critical advantages allowed him to make immediate impact on the program and the bank’s overall security. “The first [advantage was] consistency and dedication right out of the gate, from the CEO and chairman of the board. Second, [this was] a team that, although in need of direction, had plenty of drive and desire to strive for excellence,” he says. “Everyone can use a little luck now and then, and being blessed with excellent leadership like I have been at Webster Bank has made things much simpler.”
Using this strong, unwavering support, Laviolette went to work on a long-term strategic road map: building up staffing, communication and awareness, technology, and process, and redesigning and revamping standards and policies. His primary goal has been to get the program to the point at which he could implement the information security risk assessment program, which spans all of his core components.
Webster Bank’s Information Security Risk Assessment (ISRA) program went live this past March, and early indicators are that it’s a success. ISRA is the primary resource used by Laviolette to protect the bank’s 180 northeast banking centers, three thousand bankers, and customers. The ISRA works by looking at the clear guidelines established by the bank’s policies and standards, and then alerts Laviolette and his team to any gaps or components of those policies that are not being followed. The program allows the bank to rapidly integrate or ingest new opportunities, technology, and regulatory compliance requirements, document them, and provide relevant risk data to the appropriate business owner. This has also bridged transparency gaps between internal audit and information security teams, providing full visibility into all self-identified, internal, or external risk.
“The vendor and risk team within my department are owners and caretakers of the program,” Laviolette says. “They gather the gap, bounce it off the standards and policy group, and if it is a gap, it comes back in, gets officially tracked, and goes to the governance group. In turn, it goes out for mitigation, remediation, or gap risk acceptance. That process doesn’t work unless all of my components are working together, which is what all of the road map effort has been leading up to.”
Laviolette’s department works internally and externally with technology and business partners to enhance the bank’s overall safety, resilience, and agility, and to raise awareness among bankers and customers alike.
“User awareness is one of the best ways to combat against critical attacks.”
While some CISOs come from IT, operations, or even accounting backgrounds, many have never done security at a foundational/tactical level—but Laviolette has done it all. Having that background makes his leadership decisions easier to follow, allowing for rapid change with unified goals and expectations. “I have always found people more willing to follow you as a leader if they believe you have an idea of what you are talking about,” he says. “I also believe that in order to be successful as an information security professional today, especially with the rapid pace of change, some tactical level or granular level of information and cybersecurity experience is needed.”
That’s the biggest challenge Laviolette faces today, as his days of hands-on information security work are behind him and fading further into the distance. “I strive daily to keep at least some level of tactical and technical proficiency,” he says. “Part of my success is that I have that credible tactical experience. My teams understand that I have been there, understand the work they are doing, and am worthy of their trust.”
A big part of his job is developing clear lines of communication and leading a diverse group of people to a focused goal. Finding success, he says, requires a fine balance between over-communication and, periodically, some micromanagement—especially today, where so much of the work is being done remotely. “I believe in being present as much as possible for any type of communication I feel strongly about,” Laviolette says. “Even if there might be an opportunity to delegate something to a more junior manager, if it’s something that’s important to me, I will make time to take the communication myself. I think that goes back to showing the group that if it’s important enough for me to be there, it means a lot.”
The bottom line at Webster Bank is protecting its customers and shareholders. At the end of the day, the bank needs to open for business. With so many risks in the banking landscape that can damage reputation or impede, or totally prevent, the bank from making revenue, it’s up to Laviolette and his team to secure customers’ data, raise awareness of the risks, and keep the bank’s information as protected as possible. Laviolette believes you can always do more to protect customer data and enhance an organization’s identity and access management processes.
“I always maintain a yearly goal of enhancing identity access management and improving our unstructured data environment. Once we do suffer the compromise—because everyone gets compromised—I want to make sure our unstructured data, along with our crown jewel data, is appropriately segmented and protected.”