Five Questions With: Mark J. Meiklejohn

Mark J. Meiklejohn is president and CEO of Bank Rhode Island and a member of its board of directors. / COURTESY BANK RHODE ISLAND

Mark J. Meiklejohn is president and CEO of Bank Rhode Island and a member of its board of directors. A lifelong resident of Rhode Island, Meiklejohn talks with Providence Business News about cybersecurity, the rising threat of cyberattacks to financial institutions and other industries, and what measures the bank is taking to protect itself.
PBN: How much of a concern are cyberattacks at BankRI and how has that changed over the past decade?
MEIKLEJOHN:
Cyberattacks are a very serious concern for all organizations across all industries. The concern for these attacks has grown proportionally as the amount of fraud has risen. A decade ago, the types and sophistication levels of attacks were not where they are today, so as the threats increase, our attention and mitigation strategies have also increased. The only thing that’s constant is that there will always be change to the types of attacks being deployed, so we have to maintain our ability to adapt, strengthen and increase our security focus to remain ahead of these changes.
PBN: What steps has the bank taken in recent years to bolster security?
MEIKLEJOHN:
Recent changes at BankRI have included the dedication of resources toward risk-management oversight. Historically, functions related to the areas of network security and information security were often considered a portion of information technology’s many responsibilities. As these attacks have increased, and the risks have grown, we’ve expanded our risk-management function into its own dedicated internal corporate service for the bank. The implementation of new resources and procedures that provide stronger prevention, monitoring and oversight controls are all part of risk-management functions. These changes are born from strong and dedicated oversight from the top down at BankRI.
PBN: With the ever-evolving nature of technology, how difficult is it to keep internal systems cutting edge?
MEIKLEJOHN:
When it comes to implementing network security, the focus isn’t necessarily on staying on the “cutting edge” of new systems and technologies. There will always be a new software tool or security service available, but getting the newest tool to stay on the cutting edge is not synonymous with keeping the network secure. The focus needs to be on implementing and maintaining both preventative and detective security controls; your tools and technology play a role in that, but more importantly, so does your personnel. Security, including cybersecurity, starts with identifying your risks and identifying adequate controls to mitigate that risk. There will certainly be times when new technology is required to implement those controls, but you need to be confident in your security personnel’s ability to recognize and address that need. Constantly implementing the “latest and greatest” is not necessarily the correct way to address your organization’s concerns.
PBN: How does cybersecurity at banks compare with other industries?
MEIKLEJOHN:
By the nature of our business, banks and financial institutions have always been a target for theft and fraud. Historically, banks had a vault full of money which made them a more desirable target for theft than the cash register at a local store. But there is now much more to protect than just money itself. The change to electronic systems by all industries has increased the risk for us, but has also increased the risk in other industries, as well – there are now other desirable targets. Electronic payment systems have made retail stores a target, and the rise of identity theft has made hospitals and health care companies more desirable targets. The advantage we have is that managing risk has been part of our industry’s DNA for a long time, whereas some other industries have not been in the crosshairs as long. Financial institutions have been, and continue to be, held to high security standards by regulators because we’ve always had a naturally higher risk, and the benefits of that are visible when compared to other industries. The regulations and requirements we are held to can sometimes feel daunting, but at the same time, they have forced our industry as a whole to make it an even bigger priority than it already was to stay a step ahead.
PBN: What’s something interesting about cybersecurity that the general public may not know?
MEIKLEJOHN:
The starting points on which we build our security processes are based on the mentality that groups and people are trying to hack into our systems. There is quite a bit of communication in our industry and with regulators to ensure we are all aware of what’s new. Unfortunately, there are times we don’t learn of a new hacking scheme until another institution has been exposed. Certainly our goal is to never get hacked; always keeping that concern of the unknown close at hand is what drives our continual improvements. We need processes and controls that are adaptable and versatile to protect against known risks, all the while continually improving to identify and address new risks. We work with outside companies whose role is to try and hack our system security so we can identify potential gaps and respond before there is a real threat. Cybersecurity is not about the technology; it’s about personnel and processes that use the technology. The technology is both the tool used to commit the fraud as well as the tool used to protect against the fraud, and the goal of each side is to use that tool better than the other.
