Skip to main content
close search
site logo
Dive Brief

How BMO Financial Group shapes its security strategy

Published June 20, 2019
Naomi Eide's headshot
Managing Editor
Naomi Eide for CIO Dive

Dive Brief:

  • Businesses have wanted to go digital for a long time but struggled to find what that end state looks like, said Aman Raheja, CISO at BMO Financial Group, speaking this week at the Gartner Security and Risk Management Summit at National Harbor, Maryland. Though companies are serious about "digitization," which has the potential to help revenue generation, the "goalpost keeps shifting."

  • The same business pressures pushing for bottom line growth are influencing the security organization as well. As a result, two years ago BMO instituted a security strategy, referred to as BICT, centered around business value, industry benchmarking, compliance and threat management, according to Raheja.

  • Security projects from BICT contribute to overall business performance and assess the company's security maturity compared to its peers. The financial organization also closely follows internal standards and those set by regulators. Securing data and people is "the core of what we do," said Raheja​. 

Dive Insight:

With a BICT model, the security onus shifts toward prevention, not reactionary measures.

BMO is boosting the value of its security organization at a time when more businesses are asking infosec to prove their worth. It's a stark contrast to security leaders ringing the alarm about one threat or another. Instead, teams can collaborate with lines of businesses to make technology easier to use and more secure.

BMO is working to eliminate passwords, which is a useful user experience with an underlying security benefit, Raheja said. With password alternatives, users won't have to write them down, which increases security and saves time for support teams tasked with resetting account credentials.

Revamping BMO's approach to passwords has a business case with the promise of quick ROI. The company has already done the math; now it needs the right solution, Raheja said.

With resource constraints, the security organization cannot get to every project at once, so Raheja ranks the priorities. It creates a phased approach to security, which BMO repeats every six to 12 months to ensure the previous priorities still stand. 

The upgrade process has its drawbacks: It's hard to be strategic if a company is saddled with technology it doesn't want, said John Girard, distinguished VP analyst at Gartner, speaking at the symposium. Strategic security investments are mired in old systems.

System "bloat" also leaves teams invested in orders solutions nested in their workflow, Girard said.

Change is often resisted when it comes to technology, but organizations need to simplify their security stack to make it more effective. But, Girard said, security leaders have to ask themselves, "are you investing in security or are you a consumer?"

When security teams buy a product, they should also plan its retirement cycle, Girard said. Groups can put criteria in place for when something becomes obsolete. 

Filed Under: IT Strategy, Security

Editors' picks

Company Announcements

View all | Post a press release
Celonis Appoints Benoit Fouilland as Chief Financial Officer to Drive Next Phase of Growth
From Celonis
December 05, 2024
Welo Data Launches Innovative Model Assessment Suite, Advancing Multilingual Causal Reasoning …
From Welocalize, Inc.
December 17, 2024
Smart City Expo USA 2025 Speakers Announced
From Smart City Expo USA
December 11, 2024
Graphiant Unveils Revolutionary Data Assurance Offering
From Graphiant
December 09, 2024
Editors' picks
Latest in IT Strategy
Industry Dive is an Informa TechTarget business.
© 2024 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.