How Police Bank came to see the whole cybersecurity battlefield
Greg McKenna walked into the CEO role at Police Bank on 18 March 2020. By that weekend, Australia was in its first lockdown, and his job looked nothing like he’d expected.
Founded by NSW Police officers in 1964, Police Bank is a member-owned mutual serving 75,000 members across Australia’s police, Border Force and law enforcement communities. With many members conducting sensitive criminal investigations and law enforcement work, protecting their privacy and data carries an extra weight.
McKenna came to the role by an unconventional path: financial markets trader, fund manager, currency strategist, treasurer of a major mutual, financial journalist, then Police Bank board member and chair, before putting his hand up for the top job.
“Lockdowns reinforced the reason I was there. While other folks were at home, the police and Border Force were on the front line keeping the wheels of our community turning. They deserve a team behind them that has their back financially,” McKenna says.
With no external shareholders, profits go back to members in better rates, products and community support. It’s a structure that shapes how McKenna thinks about every obligation the bank carries.
“Cybersecurity is part of the compact of serving members for us.”
Getting up to speed
Cybersecurity was a responsibility McKenna took personally from the start. His markets background gave him the instinct that risk is risk, whatever form it takes. Soon after becoming CEO, he took an online cybersecurity course through Harvard University, working through it in group sessions with peers from other industries.
“While the tools and terms are different from financial risk, an adherence to strong risk management protocols will keep you in good stead when it comes to cyber,” McKenna says.
The board shared his outlook, appointing a technology and cyber specialist as a director and mandating a monthly cyber report that examines the threat environment, vulnerability status, patching progress and phishing campaign results.
“I’m interested, the board’s interested, and everyone else is interested as well. That tone flows all the way through the organisation,” McKenna says.
Cybersecurity goes far beyond compliance
Done well, cybersecurity separates a bank that members can fully trust from one that’s simply ticking boxes. McKenna welcomes APRA’s prudential standards – CPS 234 on information security and CPS 230 on operational resilience – as good business practice rather than red tape. It’s a view shaped in part by what happened to US retail giant Target when attackers got in through a third-party air conditioning contractor.
“If that can happen, you’ve got to really put some resources behind keeping your organisation safe across the supply chain. Data is currency in its own right. We’ve got to keep it safe and we’ve got to lean in because we owe it to our members,” McKenna says.
Under CPS 230, that scrutiny extends beyond Police Bank’s own suppliers to the suppliers of those suppliers.
“It hasn’t happened yet, but at some point we will inevitably have to cease an arrangement with a long-term vendor because we’re not comfortable with their third parties. You’ve got to look more deeply into the supply chain now than you ever have,” McKenna says.
Upskilling and augmenting the Police Bank team
Police Bank maintains a strong internal cybersecurity capability, but senior and specialised cyber talent is scarce in Australia. There are only a few hundred experienced CISOs in the country, and most are working for ASX 200 companies. For a bank of 200 people, attracting and retaining that calibre of expertise in-house is neither realistic nor the best use of resources.
In 2022, Police Bank engaged CSO Group to audit its security posture and prioritise improvements. This evolved into an ongoing partnership, with CSO Group’s CTO Matt Fedele-Sirotich joining as Police Bank’s virtual CISO to extend and complement the internal team. The services span Essential 8 and APRA compliance, CrowdStrike endpoint detection, Netskope, Mimecast email security, penetration testing and third-party risk.
“As a regulated entity, we can’t outsource our responsibility or our accountability. But we can augment our own internal capability by partnering with a firm like CSO Group. I get a dedicated CISO, but I also get access to their whole team. The knowledge they gain on the cutting edge filters back to us at a speed we otherwise wouldn’t have access to,” McKenna says.
CSO Group recommended a new credential protection tool to Police Bank without any commercial arrangement with the vendor. “They brought it to us because they thought it was the right fit. That’s what I mean about having a partner who’s at the edge of what’s going on,” McKenna says.
McKenna describes three distinct eras of cyber thinking: first, organisations thought cyber insurance was enough; then came the moat, with firewalls and a perimeter wall around the systems. Now it’s something else entirely.
“Today it’s much more front-footed, much more aggressive, segregated systems, real-time monitoring, partnerships with people like CrowdStrike and Mimecast who can manage things as they happen,” McKenna says. “For us it never stops. It’s about proactively maintaining our vigilance to keep data out of the hands of the crooks.”
CSO Group’s Fedele-Sirotich sees it the same way. “What Greg has built at Police Bank is the right model for an organisation of this size and maturity. You can’t warehouse every cyber skill in-house – the market won’t allow it and the threat landscape moves too fast. What we give Police Bank is continuity and depth, and access to what we’re seeing across the whole environment. When something new emerges, they don’t have to wait to find out about it.”
Seeing the whole battlefield
“If we’re speeding up, the opposition is speeding up as well. The velocity of attack is going to be much harder to repel than it was even twelve months ago,” McKenna says.
AI is already embedded in tools like CrowdStrike, adding a layer of real-time detection that didn’t exist two years ago. Netskope manages data loss prevention and a next-generation SIEM gives the team real-time visibility across the entire environment. Police Bank runs proactive phishing campaigns across the organisation and continuously scans and patches vulnerabilities.
“You need a partner who sees the whole battlefield, the whole threat vector. With expert teams working across other industries and clients day in, day out, CSO Group sees how new technology is helping the bad guys or protecting the good guys. They have people with deep, long-term experience right at the edge of cyber capabilities,” McKenna says.
“For Police Bank, that means we move faster and stay sharper than an organisation of our size could manage alone.”