Juan Carlos Beltran – Banco Pichincha

Chief information security officer of Ecuador’s biggest bank since July 2019, Juan Carlos Beltran thinks that to be successful, HR is critical. Every year, he meets with the human resources department to identify training and certification needed for security staff. Also, as is his standard practice, when incorporating new components to security architecture, he ensures that the bank’s vendors commit to training their personnel.

Juan Carlos Beltran | CISO | Banco Pichincha

It’s all part of what Beltran calls the pillars of IT security: identifying risks, protecting sensitive information assets (“the crown jewels”), detecting and rapidly responding to threats and cybersecurity incidents, and restoring normal as soon as possible.

“All our security strategy and our operating model is based on these five pillars,” the multilingual Beltran tells Toggle in January from Quito headquarters. “Another essential piece of our strategy is the continuous assessment of vulnerabilities and the simulation of attacks—our red team exercises—in order to identify gaps before a real attacker does it.”

Since last year, extra attention to detail has seemed warranted, with the bank transitioning to the global digital economy and nearly half its business being done through digital channels. While that’s an upbeat scenario for a bank whose business extends into Peru, Colombia, Panama, Spain and the United States, it comes with increased risks.

We’re all connected

“We live in a highly connected world where information security is key to survival,” Beltran advises. “The risk of malicious transactions now resides in the network, not the bank office.”

That percentage of online transactions should only increase as COVID-19 expands what had already been a growing need for remote banking services in Latin America. Even with a vaccine, the new banking normal should be fewer in-house visits.

“COVID has accelerated the digital transformation initiatives even more,” Beltran says. “At one time, almost all our customers were using our web banking and mobile application, which forced us to strengthen both the security controls and the infrastructure of the channels in order to support the rapid transactional growth.”

That positioned Banca Pichincha for an easier transition to remote services as the pandemic struck, with Beltran overseeing the private networks going virtual, without security issues. But now, with so many people—including Banco Pichincha’s international clientele—hyperconnected to the internet, he warns that phishing and ransomware have grown exponentially.

But he can find common denominators to cybersecurity.

“The main challenge is based on achieving that all operations in the different countries maintain a security strategy, standardized and according to the best practices of the industry,” he says. “The communication process also must be fluid so that a potential incident in one country won’t affect others.”

So, familiarizing himself with the rules and regulations of multiple countries are part of his responsibility, as are creating synergies among operations.

His department has been at the forefront in educating employees that they must exercise cybersecurity vigilance when working under the home office hybrid. He also nurtures a strong professional relationship with the legal department, not just for cybersecurity compliance but also to ensure that contractual terms with employees, customers, vendors and shareholders will be carried out.

And what changes have affected the banking business since Beltran became a title risk operations officer at Banco Pichincha two decades ago?

No longer sci-fi

“In 2001 nobody, at least not in Latin America, talked about cybersecurity and the known incidents were related more to sci-fi films than to the reality of organizations,” he says with a chuckle. “Companies allocated very low budgets to protection, and the security architectures were basically the firewall.”

He recalls how in 2005, Banco Pichincha suffered a security incident that put its web banking offline for a week but didn’t impact business continuity. Today, Beltran gets chills at the very thought of a digital channel being grounded for just a few minutes.

Banco Pichincha’s cybersecurity budget now represents around 13 percent of its global IT budget, and for good reason. Among the more evolving threats are those to a company’s logistics chain—a hacker embedding in a vendor’s data and reaching a prime target.

“All these cases require not only robust security controls but terms of reference,” Beltran explains. “Contracts must clearly assign responsibility for potential events.”

As for further evidence of the risks facing a data-rich company or institution, Beltran reminds that in 2018, for the first time, the World Economic Forum recognized cyberattacks as the third most serious global threat, behind natural disasters and massive migration of people.

Wired from the start

It’s a threat the 50-year-old Beltran is passionate about trying to neutralize. Long as he can remember, technology has been his obsession, and his favorite gift remains the computer his father gave him when he was 12 years old.

When it came time for the young Beltran to attend university, he opted for banking—“bankers were very elegant people”—while his father tried to urge him toward electronic engineering. In retrospect, he thinks his father may have been right after all, though at the time one could be forgiven for not fully grasping the importance electronic engineering would take in a soon-to-be data-driven world.

But Beltran made up for lost ground, first as a consultant for one of the “Big 5” advisory firms and then with a software development company. It’s been something of a whirlwind, he says about these last few years marked by digital transformation, an emphasis on cybersecurity and the pandemic. It may only get more exciting, he says, and this year’s to-do list includes strengthening security architecture in the cloud and ensuring safer operations for employees at home.

Beltran, too, has often been working at home, bringing him closer to his three sons, ages 6, 12 and 14. He says his cooking skills have also much improved, with Italian dishes being a family favorite. But that kitchen time has been compromised by professional duties.

“The pandemic has been a great challenge for all CISOs,” he says, advising them to borrow from his aforementioned five pillars.