
Transcript
Amy Chaney: I had 18 people in the room. We had 13 value statements on their top use case for why they used AI in their company. You have to define what you’re trying to do because really, you can improve anything. What is it you’re trying to do and then what’s the best tool to do it? Your different teams are going to use different tools. So defining that business case just like you would define in a classic way, what’s the expected result, how is it measurable? You know, how much effort can we put in until we have to roll back like a Rubicon thinking? You know, you can’t just go forever on an adventure.
Phillip Wylie: On this episode of the IoT Security Podcast by Phosphorus, I’m joined by Amy Chaney, a member of the executive cybersecurity community in the Dallas Fort Worth area. She’s a cybersecurity leader and risk expert working for a large global bank. She shares her insights on how to implement technology and security in large financial institutions and shares tips and tricks on how to up speak with the board and the executives and business units if you need to help improve those skills, as well as learn more about emerging technologies and how to properly implement AI and other emerging technologies. I think you’re going to enjoy this episode. Hello, Amy, thanks for taking time out of your schedule to join me today on the Phosphorus IoT Security Podcast.
Amy Chaney: Yeah, glad to be here. Thanks so much for having me.
Phillip Wylie: Yeah, I appreciate you taking time out of your busy schedule. We were trying to get you worked in during RSA was one of Dane’s amazing recommendations. It’s kind of funny, all the people he recommended, people that I know from the Dallas CISO community here. So it’s good to finally get you on. I look forward to hearing your insights.
Amy Chaney: Yeah, excellent. And Dane’s a good friend to the community for sure. So glad to be here today.
Phillip Wylie: Yeah, it’s good to have you. You’ve got a really interesting background. So for the folks that don’t know you, Amy’s worked in the financial industry for quite a while. She’s worked in risk and cybersecurity and automation. I’m really interested to hear what you’re doing on the automation and optimization stuff there, where you’re at.
Amy Chaney: Yeah, absolutely. So right now there’s so much focus on how do we get the right set of curated security tools at the ready and then continue to evolve that as the threat scene evolves, the automation gets the complete, we’ll say, visibility that not everybody always had to manage to in the past. A lot of folks are managing to unfortunately assessments, spot check, point in time information, latent information, not really contextual sensory information. So automation goes hand in hand with optimizing intel reflex and reaction and response to intel before threats develop. Even just reactive to marketplace changes or different strategies very quickly is part of that total strategy. And it’s a lot of fun to be able to work in environments that can make those moves and maneuvers and really invest in that focus.
Phillip Wylie: I’m sure because you’ve been in the industry for a while, I’m sure it’s kind of exciting and refreshing to work in an area with the newer technologies and stuff because after a while this stuff can get boring at times.
Amy Chaney: Yeah, I tend to be on the front edge as often as I can. Kind of like if you think about surfing the wave, I’m right up there on the board at the front many times looking at what’s being developed, what’s coming out on the marketplace, how quickly we can understand the environments. Right now we can see environments very quickly. But can we understand that in a contextual way to recommend what actions should or shouldn’t be taken at what time span or with what thresholds and triggers against how a company might want to operate? Is it as few additional steps? We’re trying to get those types of decisions as seamless, as quick and as we’ll say updated as quickly as we can. So that reflex to be able to be more fluid and maneuver in your environment and shape to what’s happening is not dissimilar to when we think about cloud. The biggest selling strategy of cloud is it will size and shape to your workload. Right. It will spin up and perform high compute when you need it.
Amy Chaney: It will compress down. You don’t have to have a magnificently large colo data center and then three twins of it somewhere in different locales anymore. Because now you can just borrow that power. It’s not a dissimilar strategy when you start to blend a lot of these tools into agility and a changing marketplace. And it’s especially important in global banks and there is none more global than my current bank which is in all countries basically around the globe. So we rely on these strategies.
Phillip Wylie: So did the whole move to cloud seem to help prepare you for this next wave of technology with AI?
Amy Chaney: Yeah, it’s interesting because I remember around 2012 cloud was the term CMT was being used a lot and there was a lot of concern for co maintained or co mingled tenancy basically. And so the thought was if you use the cloud that somebody else uses your information and their information can both be visible to the cloud, which is not true at all. But the initial concerns and risks that were being guardrailed against almost seem a little bit simple today because it’s natural how we think about the environment. So in the same way, you know, there’s things that we learn right at the front and we say, well, these questions we, we just really need to know to understand the borders or what we’re talking about. And then we get more fine grained with our knowledge, our understandings, different ways we can apply or turn on certain technologies to deal with different scenes, scenarios, activities, or even start to synchronize information. Because we understand with some of these tools, especially our cloud providers, that they work across many sectors, they aggregate a lot of information and they might know more than we do about, you know, the way markets are shaping, responding or preparing for certain things. So that information exchange is equally important as well.
Phillip Wylie: So with, with AI being just the, the hot topic of the day, everyone is hearing about AI, it’s becoming used more and more. Is there a lot of pressure within organizations to migrating processes over and implementing AI?
Amy Chaney: It’s a great question. There can be and there can be very successfully. My bank, Citi is an AI first bank. We are an AI first workforce. We say that tools are available, forums are available, resources are available, you can bring cases, you can enter, understand applications, you can use AI to filter, even where to go in the AI help scenarios that are offered. And that’s becoming more common. It’s not unique only to my company, but it’s becoming more common. Companies and teams are embracing and creating pathways to let employees explain, explore those business scenarios that they have, but not to the degree where people are getting distracted from, you know, actually executing their role.
Amy Chaney: So there’s a, there’s a fine, you know, there’s a fine balance there between, you know, having the workshops offering the tools and then also making sure people are using them and then making sure people aren’t overusing them in lieu of the actual work. And so, you know, that’s what it looks like today in an AI workforce strategy where maybe other companies might still be putting policy out about what you can, what you can’t, where you should or you shouldn’t put certain, you know, pieces of information or scenarios that might relate to something that sounds like a corporate confidential or a client asset type scenario you of course couldn’t put in a public space. And so some companies are still defining those boundaries for their employees. Some companies are fully embracing and blending AI technologies into, we’ll say, even contest like environments to rev up and ramp up what used to be yesterday’s operation and the streamlined, efficient operation of the future to usher that in.
Phillip Wylie: I can imagine that chatbots could really help kind of change and improve upon the old IVR systems where people would call up to get bank balances or to get help and just kind of. I’m sure it’s kind of such an improvement over those old systems with the AI chatbots.
Amy Chaney: Yeah, that makes me think of the classic Seinfeld episode where Kramer was answering the movie phone and just giving the voice with the numbers. I mean, the feeling soon will be the IVR will feel like, you know, press for just will feel antiquated. Today it’s okay to still cue in. We do that. That behavior won’t be a normal behavior in the most likely because of the conversational nature that’s coming along so quickly.
Phillip Wylie: Yeah, that’s going to be a big improvement. Because I don’t like IVR systems myself. I like any business I’m doing business with. I like the chatbots instead because it’s so much easier. Seems like with the IVR systems you have to overcome the different language dialects and accents from different folks and getting that to work and be able to hear people clearly and return response.
Amy Chaney: Yeah, and that’s hard too. Just, you know, individuals do have difficulty understanding each other sometimes when they’re having a direct conversation. Sometimes people say, I want, I want to talk to a person. When they do talk to a person, they have trouble talking to that person and they want to talk to a different person. And sometimes an agent or a bot is much faster, much more efficient and feels more like the exchange you expected to come from a person. Maybe something else that’s very interesting is several years ago in some of the banks, and this is true for many of the banks. Bank of America, Chase. Lots of banks have put out thoughts about where they’re developing their technologies for consumers.
Amy Chaney: Specifically, there’s holographic agent type experiences where you may go to a brick and mortar and work with somebody that’s not physically there or somebody that might not be a somebody. There’s all these different ideations that are being tested and tried and some populations and if enough, you know, enjoy this type of experience versus that, they’ll start to be offered in markets where that’s a desire as long as it can be, you know, secure, represent all of the things it needs to and you know, it’s just an evolution of how people want to do business. There was a day that people didn’t push their own shopping carts, you know, now there’s a day that we just expect it to maybe deliver at our door or our workplace or within a four hour window or something to that effect. So it’s just adjustments and it feels very natural once we do adjust.
Phillip Wylie: So I know you’re in an environment that’s very mature and you know, you have worked, you guys have worked on your security for years and everything. So how is important, how important is it to have that security structure, policies and all that stuff in place when implementing new technologies?
Amy Chaney: Yeah, it’s important all the way through. So the policy is meant to describe at the macro level, the standards are the, what really the requirements. And then you get into the, how you actually do these things. And that’s where the partnerships and the vendor tools often come in. And the delivery of certain security aspects is then delivered upon by, you know, very large network and market that’s much larger than the bank itself. And this is true for any company that works with third, fourth and you know, external parties to process. So the security decisions have to be, you know, mirrored, reflected all the way through these processes. And many times that means we’re not only beholden to them, we have to insure them.
Amy Chaney: For companies that we don’t directly manage because they’re managing assets that we’re responsible for, which might be corporate, they might be a country, they might be, you know, personal, but they’re not ours and they’re not the third or fourth parties. And so we have to guarantee that security posture all the way through. So therefore banks have many, many layers of risk and compliance and legal and review and different types of partnerships and procurement. And you know, we, we probably have the maximum quantity of steps you could take. But on the other hand, we rarely are on tier one media outlets comparatively to the amount of times that we’re being attacked, which is all day, every day, on every possible front. You know, usually the largest threats are insiders because it’s the people doing a great job or the people missing things or people that are intentional that create those open doors. And after all, we did create all the tech as it is.
Phillip Wylie: So how is it to adding these new technologies? How hard is it to kind of have your security and policies evolve with it as you’re implementing these new technologies?
Amy Chaney: Traditionally you would wait for a certain cycle, you would have things prepared, pre vetted. We, we don’t always have the luxury. Sometimes we implement a new tool. The policies, the, you know, the controls, the measures, everything has to be live right there with it. So we’re preparing for that type of a start. So there are more agile paths, there are off cycle paths. One bank I got to, and it’s a major bank and a bank doing very, very well. When I got there, 88% of their changes were happening off cycle.
Amy Chaney: That’s a lot. And so that was not the way the bank was left, but that’s where it was starting. And that’s a difficult environment because that’s kind of anybody and everybody shoving things through as soon as they believe they’re ready versus a more managed environment. If you have 100% managed change environment, you’re really saying we respond to nothing, we’ve planned everything. And so that’s not really likely either. So having the pathways to maneuver and know what to fast track, what to create, an exception for, what to create, you know, a longer path for is always a calculation. There’s a risk appetite, a risk tolerance and there’s that, you know, the reality of what you do and all of that doesn’t matter if you’re breached, you know, and so sometimes you can take a very, very strong position and sometimes there’s no position strong enough. You have to include risk to do that business you have to have ports to transmit digitally.
Amy Chaney: Right. Therefore there’s a level of breachability. So it’s those types of decisions going all the way down to the macro cases, the micro trends and then the megatrends. The Megatrend might be a two year project that puts identity and access management transformation at the forefront. Therefore those controls were modernized or transformation for, you know, a year where data is getting, you know, contextualized tagged environments are getting, you know, re reviewed and flowed out and the CMDB is getting healthier. So you’re going to have waves of this health hygiene type control environment that moves and then things can get thrown off if there’s an acquisition, if there’s a divestiture, if there’s a change in business. You don’t want to bring business into your environment unless it’s, we’ll say sanitized, cleaned and ready. But you know, the reality is we’re always working with a prioritization.
Amy Chaney: We haven’t secured everything we want to in the way we want to.
Phillip Wylie: Yeah, I used to work in the financial industry. It was like my third IT job was working for a mortgage company. I was there like around 14 years. But it was interesting to see all the mergers and acquisitions that went on in those companies like that.
Amy Chaney: Yeah, for sure.
Phillip Wylie: And it’s kind of interesting too. So how’s your experience been with companies to start adopting security and really wanting to get on board? Because, you know, I know back in the earlier days it was a lot of challenge. You had to keep things going. Of course, understandable, you had to make money. But to get buy in, to be able to implement security controls and technologies to help with that security could be a challenge at times.
Amy Chaney: Yeah. So I’m usually in environments that are able to, I’ll say, buy their way out of a lot of problems by having the ability to lab, create proof of concept champion challenger scenarios and kind of be at the front edge of the technology. People also learn in environments like that are outside of that and are attacking at that level. We’ll say, so the leading edge of the good, there’s always also a leading edge of the bad. And they’re usually fairly similarly capable or able. It’s just depending where everybody’s focused, what they’re trying to do. Right. I say that to say that we’re dealing with the most difficult criminals and we have probably some of the best technologists and technology minds in the world.
Amy Chaney: If they’re not sitting directly in our company, they’re a company that we work with all the time and we’re talking to them trying to solve these problems. So even in that type of environment, which allows you to maybe do as much as you can, we find scenarios that are brand new, you know, zero days of course, or just things that were unknown. We find scenarios that are difficult to unravel because of whatever the scenario is. Maybe brittle architecture in the middle or a monolith somewhere that’s just holding a lot of data we didn’t recognize we had a home for. And it throws a few weeks into a plan or months, prioritization issues, things like that. So it’s really fun to be able to be modernizing things. It’s exciting in a way, but when you’re in security, it’s almost like the excitement isn’t the point. The all the possibilities of what could go wrong are the point.
Amy Chaney: So you’re always training your mind back to maybe you got new budget. It’s not a fun, exciting time to spend, it’s a time to explore those scenarios, those difficult ones that you couldn’t touch before and now figure out the best way to cover them. And so there’s kind of a leveling off that always has to happen and normalizing and resetting of yeah, this is how far we got and always trying to rebalance that message because people will read things, they’ll read a Forbes article, they’ll read a, you know, they’ll, they’ll read one response to an issue plan, something like that, and they’ll get an idea. We really don’t know the next attack coming. So we’re constantly trying to keep a lot of balls in the air. Right. So it’s a good environment to do it. But we’re still going to be always looking for new technologies, new ways to transform two or three tools into one, to be frank.
Phillip Wylie: Yeah. So I’d imagine with your, with your experience, you’ve probably dealt with the board a lot and dealt with the business units. What’s your recommendation for building relationships with the business and the board? To be able to form that alliance to get things done security wise and technology, how to build that trust and to be able to communicate with them where they can understand. I think communication a lot of times is the issue because when the techies are speaking in geek speak and you tell them something about a remote code execution and they’re going to look at you like you’re speaking a foreign language. So kind of how do you deal with that?
Amy Chaney: Yeah. You know, I’ll first say what not to do. What not to do is assume that something has to be dumbed down. It doesn’t have to be dumbed down, it might just have to be translated. Your board understands your company, your business, their mission, their vision and objectives. If you tell them what objective is hampered by which scenario and start from there. It helps a lot if you start with now let me make this simple for you type of feeling. It’s going to come off just like how it sounded when I said it, like offensive.
Amy Chaney: They’re very intelligent, they’re very esteemed and have experiences way beyond, you know, what, what you might know as somebody who’s going to be a presenter to them. So, so you don’t assume you know any knowledge gaps. You just assume that you have to put it in real terms and overlay it on the company, the shareholders, if it’s a publicly traded company or the customer’s clients, reputation impact, financial loss, whatever it is, or competitive advantage loss, and sometimes the other way around. Getting a good security play can advance. You can really add velocity if you understand all of your data flows and can turn them up and down when needed. All of a sudden you’re very agile in how quickly your sprints can produce responses. So when you’re talking to the board, they have a diverse background but high knowledge. So you want to give them the effects and impacts and kind of like the, you know, green arrow up, red arrow down, you know, and this business unit or customers at large, things like that, they will always know if something major has happened in and around a company or size in the industry at large, if it’s made news outlets.
Amy Chaney: Be ready for any questions on those types of things. It’s a simple, you know, AI click. If you don’t have a source, you know, latest headlines, condensed types of things as well. I recommend that now when you’re working with executives, it’s going to be their interest, their business unit. If they’re an information executive and they sit over a particular business unit like consumer banking, you’re going to be talking to them through that lens. Their initiatives, their portfolio, their clients, their, you know, cities, jurisdictions, where they’re working, whatever it is, if it’s the CISO, you’re talking domains, you know, this is a data loss prevention item that we can apply AI to. We can pick up all these, you know, under whatever size, filter things, run them through a smart model and tell you patterns we see and start to look for insider loss or data replication or something. You start to put it in terms they know.
Amy Chaney: But as you know, once you step outside of that, you’re always. It’s best for us to have three questions ready to answer with a technical expert or a back pocket, but always speak in business terms. Have somebody that’s reading, sitting, attending their town halls, their major meetings, somebody that’s in that discussion as well with you. Don’t go alone and have a resource to. If it, if it needs to be something that needs to be takeaway, take it away and bring it back. So that’s my recommendations is very bespoke and tailored for your business, very applied to your company and shareholders, for your board.
Phillip Wylie: Yeah, it’s interesting to see and especially your background having the risk background because a lot of people in security don’t really speak risk. And it seems to be one of those languages that the boards and executives understand over more technology specific language.
Amy Chaney: Yeah, yeah, it’s a lot of, it’s a lot of translation and timing, to be frank. So if I were to say a detective control finds something before it happens. A corrective control finds whatever was damaged and solves it, fixes it, makes it whole. That makes sense with the timing preventive, keeps it from getting in your environment completely. So that timing aspect makes sense. Then, you know, if I were to say the nature of the control, it’s an operational health control or it’s a risk prevention control, you know, that starts to make sense too. It makes sense to everybody. But that one step translation, you know, when you’re talking to cyber, makes the least amount of sense because cyber’s always trying to stop everything from the outside, always finding whatever hits on the inside.
Amy Chaney: So to them, it’s their natural life cycles. So the translations aren’t hard, but they mean everything sometimes. Because if you have the experience of one or two trusted people that always seem to be able to speak to the board and get whatever they want, it’s because they’ve cracked that code. Right. And you want to be the people that crack that code. The best way to crack it is listening to how they speak, what they talk about, what concerns them, and then just talking back in their language.
Phillip Wylie: So do you have any good resources for someone to learn that?
Amy Chaney: Yeah, I mean, the town halls are always helpful. Investor reports, if you’re in a bank, if you’re in a healthcare company, if you’re, you know, you’re publishing periodical resources, most people don’t read them. If you have enough stock in your company and you get proxy votes, go actually read. Listen to those. It’s like, Jules, you’ll find it’s being said at the top of the house. It’s being said by all of their leaders. Everybody under that is making strategies to try to fill these things. And so it’s hidden in plain sight.
Amy Chaney: Too often we try to find the next three amazing things we can do out of our empowerment area, our zone of expertise. What’s been granted to us within a company versus just connecting to efforts that are already in motion. If you connect to the efforts that are already in motion, well, you’ll find open arms. So that’s, you know, that’s, that’s my tip is you’ll, you’ll have superpowers and skills that attach to what your company’s trying to do, jump in there and be valuable there before trying to present individual ideas. It’s just, it’s like a pay or dues things.
Phillip Wylie: So one thing I was kind of curious about too. Do you have any recommendations for anyone that are, you know, since you’ve worked with a lot, automation and all this, do you have any recommendations on AI, how to securely implement AI in enterprises?
Amy Chaney: Yeah, you have to determine what you’re trying to do and why you’re trying to do it, then find the right generative, artificial, synthetic, whatever it is, types of tools. If it’s a research engine, like a wiki, we used to always have to go find these different things. Go dig through a policy, standards and requirements and baseline pile to try to find a position on something or what we do. That’s a perfect case for a language model. That’s a small language model, an SLM that just has all that information constantly updated, bouncing it against every regulatory change frameworks and just maintains all that for you. Here’s what the company says. We have regulation that’s gone advanced that, so these jurisdictions should be aware. And there you go.
Amy Chaney: Within an hour of programming, you’ve solved thousands of hours of time that month for, you know, your company. Hundreds or thousands maybe, depending on how big your company is. So getting into AI is finding a way to improve something, an innovation, a way to make something a little easier, a little simpler or more. Sure, there, there needs to be a goal. The goal doesn’t have to be the same thing. I did a boardroom at Boston which is a big like education, Harvard and you know, and Cambridge and then a bunch of healthcare and biopharma. Right. I had 18 people in the room.
Amy Chaney: We had 13 value statements on their top use case for why they use AI in their company. So strategies to find new, you know, medicines to. So you have to define what you’re trying to do because you really, you can improve anything. So what is it you’re trying to do and then what’s the best tool to do it? The best tool might be a machine learning, you know, exercise where it’s looking at a lot of different exercises, looking at your company, looking at the market and determining what your best tabletops and education, you know, opportunities are in your cyber threat zone. It might be emerging risks, it might be, you know, what AI. Are you going to look for that? That’s all research. Are you trying to do something agentic? Are you trying to up your marketing and create things that people haven’t seen and make people turn their heads and have a response. So your different teams are going to use different tools.
Amy Chaney: So defining that business case, just like you would define in a classic way, what’s the expected result, how is it measurable? You know, how much effort can we put in until we have to roll back like a Rubicon thinking, you know, you can’t just go forever on an adventure. You have to have a product and a result, you know, and test it. And sometimes it may start out, model one is not so good. Model four or five, you’re going to switch over at some point, so it’s worth it. You just have to determine your appetite, how much time you can put in that and the effect on the people. There’s a sweet spot where people can go and explore and play a little bit, and motivation. The whole job gets done faster. And then there’s a, you know, I’m lost.
Amy Chaney: I’ve just been playing for three weeks. Land you don’t want to send people to. So those are my tips. Just kind of, you know, make tools available, but make sure people are smart about it. They’ve thought about a case. They’re not just going and seeing what’s out there and then trying to figure out how they can use it. That’s backwards.
Phillip Wylie: I appreciate you joining, Dan. Thanks for sharing all your advice and wisdom. It was very informative. I’m sure I could listen to you for 30 minutes longer or more and we’ll have to catch up sometime locally so I can pick your brain a little bit more, learn a little bit more from you is very helpful for me because being more on the practitioner side, understanding someone that knows how to communicate with the leadership and has worked those leadership roles is very valuable. So I’m sure our listeners are going to get a lot of good information from the episode. So thanks again.
Amy Chaney: It’s been wonderful being on. I was looking forward to this for just weeks, so I’m glad we made it happen. And, you know, it’s a tough world out there when you have time to learn and do good and lift up your team. Definitely do it. Because sometimes, you know, you’ll wake up and it will be that tough day and you’ll need that team.
Phillip Wylie: Great words of wisdom there. Thank you.
Amy Chaney: All right. Thank you so much.