How StanChart balances AI-powered innovation with security

Alvaro Garrido, Standard Chartered’s technology and security chief, explains how multi-layered defences and its approach to data protection allow the bank to embrace artificial intelligence without compromising on security

In the world of global banking, the roles of driving innovation and enforcing control can seem at odds. One pushes for speed and disruption, the other for stability and security. For Alvaro Garrido, these competing priorities are a daily reality.

As Standard Chartered’s chief operating officer for technology and operations, and CIO for information security and data, Garrido is tasked with harnessing technologies such as artificial intelligence (AI) to drive efficiency and innovation, while addressing the operational and regulatory requirements of a global financial institution.

But it’s not a matter of choosing one over the other. The key is integrating them from the start. “I’ve never seen an area where we’ve compromised innovation for control or the other way around,” he said. “It comes very naturally, and we are also getting better along the way.”

Garrido said this balance can be achieved by having a deep understanding of market dynamics, the regulatory environment and the bank’s core strategy. “You need to elevate yourself to the ethos of the bank and the company. It’s an application of the systematic regime under which you operate, but also common sense.”

Nowhere is this balancing act more evident than in the adoption of AI. On the question of whether to innovate with AI to secure a first-mover advantage or to take a wait-and-see approach, Garrido said Standard Chartered (StanChart) is firmly in the innovation camp, supported by a “very well-orchestrated non-financial risk engine” to ensure it proceeds safely.

That includes a defence-in-depth strategy underpinned by threat-led scenario risk assessments, in which the bank analyses each asset against specific threats to determine gross (inherent) risk, then overlays the controls already in place to calculate the residual risk. This directs security resources to where they reduce risk most, and because several controls can be weighed against the same threat, it allows for multi-layered defences rather than a single fix.

For example, the decision to patch a vulnerable device could depend on whether it is switched off or ringfenced by a deep packet inspection firewall. “Sometimes, it might be more beneficial to patch it, but other times it might be better to segment it or do both at the same time. Of course, there’s economics and synergies to consider, but we have multiple controls at our disposal,” said Garrido.
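The gross-risk, control-overlay and residual-risk calculation described above, applied to the patch-versus-segment decision, as an added illustration. This is not Standard Chartered's risk engine: the 1-to-5 likelihood and impact scales, the control effectiveness figures in CONTROL_EFFECT, the control costs and the risk appetite are all assumptions chosen for the example.

```python
"""Threat-led scenario risk assessment with a control overlay.

Added illustration of the gross-risk / residual-risk calculation; it is not
Standard Chartered's engine. The 1-5 scales, the control effectiveness figures
and the control costs are assumptions for the example.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    vector: str        # e.g. "remote_exploit"; controls are matched on this
    likelihood: int    # 1 (rare) .. 5 (expected)
    impact: int        # 1 (negligible) .. 5 (severe)


@dataclass
class Asset:
    name: str
    powered_on: bool = True
    controls: frozenset = frozenset()   # controls already applied to the asset


# Fraction of gross risk each control removes, per threat vector it addresses
# (assumed figures; a real assessment would take these from control testing).
CONTROL_EFFECT = {
    "patch": {"remote_exploit": 0.9},
    "dpi_firewall": {"remote_exploit": 0.7},   # ring-fence behind a DPI firewall
    "edr": {"malware": 0.8},
}


def gross_risk(threat: Threat) -> int:
    """Inherent risk of the threat against the asset, before any control."""
    return threat.likelihood * threat.impact


def residual_risk(asset: Asset, threat: Threat) -> float:
    """Gross risk with every applicable control overlaid; controls combine
    multiplicatively. A powered-off device has no exposure to remote threats."""
    if not asset.powered_on and threat.vector == "remote_exploit":
        return 0.0
    risk = float(gross_risk(threat))
    for control in asset.controls:
        risk *= 1.0 - CONTROL_EFFECT.get(control, {}).get(threat.vector, 0.0)
    return round(risk, 2)


def cheapest_treatment(asset: Asset, threat: Threat, appetite: float,
                       costs: dict) -> Optional[tuple]:
    """Pick the cheapest set of additional controls (keys of `costs`) that
    brings residual risk within appetite: patch, segment, both, or nothing.
    Returns (controls, total_cost), or None if no combination suffices."""
    best = None
    for n in range(len(costs) + 1):
        for combo in combinations(sorted(costs), n):
            trial = Asset(asset.name, asset.powered_on,
                          asset.controls | frozenset(combo))
            if residual_risk(trial, threat) <= appetite:
                cost = sum(costs[c] for c in combo)
                if best is None or cost < best[1]:
                    best = (frozenset(combo), cost)
    return best


if __name__ == "__main__":
    # Constructed scenario: a remotely exploitable network device.
    rce = Threat("unauthenticated RCE on appliance", "remote_exploit",
                 likelihood=4, impact=5)
    device = Asset("branch-router-17")
    options = {"patch": 3, "dpi_firewall": 2}   # assumed relative costs
    print("gross risk:", gross_risk(rce))
    for appetite in (8, 5, 1):
        print("appetite", appetite, "->", cheapest_treatment(device, rce, appetite, options))
```

With these assumed figures a loose appetite is met by segmentation alone (the cheaper control), a tighter one needs the patch, and the tightest needs both; a device that is switched off carries no residual risk from the remote vector and needs neither.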

The multi-layered approach extends to securing the bank’s employees. While security awareness training is provided, Garrido noted the importance of protecting employees with sophisticated inbound and outbound security tools. The process of detecting and responding to phishing attacks, for example, is now highly automated, moving from a manual, ticket-based system to one where countermeasures are deployed in near real-time.

Securing data in a balkanised world

With AI models dealing with vast amounts of data, ensuring data security and integrity is key, with security built in from the onset and not as an afterthought. “The fundamental rule is to try not to install the seat belt at the end,” said Garrido. “Retrofitting the seat belt at the end is expensive and probably going to kill you.”

This principle is applied across the software development lifecycle, where the bank is shifting security left and embedding controls directly into its continuous integration and continuous deployment (CI/CD) pipeline to intercept and analyse code in real time, so that code is safer from the very beginning.

Critically, the bank’s security posture is defined not by the system, but by the data it contains. If sensitive production data must be used in a test environment for a specific reason, that environment is immediately elevated to production-level security.

“To me, the definition of critical doesn’t come from what you think the system is – it’s defined by the data you have in it,” Garrido explained. “If the data is PII [personally identifiable information] or financial data, it will need additional controls.”

The bank also adopts a holistic data protection strategy that includes having an inventory and taxonomy of critical data entities, understanding where data is at any point in time, ensuring data persistence and quality, as well as detecting data anomalies using machine learning models.

All of that work can become complex for a global bank operating in over 70 markets, each with its own data sovereignty laws. “There is a trend right now for more data balkanisation, with governments becoming more protective of data,” Garrido noted.

To address this, the bank is moving towards a set of global data platforms built on the principles of federation and orchestration. The goal is not to create one single monolithic data lake, but an intelligent integration layer that can enforce rules and cater to different sovereignty requirements.
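A minimal model of such an integration layer, as an added example rather than the bank's platform: each market keeps its own store, the orchestrator pushes the question to each store instead of copying records into a central lake, and a per-jurisdiction rule decides whether raw records, only aggregates, or nothing may cross the border. The jurisdiction codes, the POLICY table and the customer records are constructed for the illustration and do not represent any country's actual law.

```python
"""Federated data access with per-jurisdiction sovereignty rules.

Added illustration of a federation-and-orchestration layer; not the bank's
platform. Jurisdictions, POLICY and the sample records are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class RegionalStore:
    """Data stays in the market that owns it; the orchestrator sends the
    predicate here rather than pulling records into a central lake."""
    jurisdiction: str
    records: list = field(default_factory=list)

    def run(self, predicate: Callable[[dict], bool]) -> list:
        return [r for r in self.records if predicate(r)]


# Assumed sovereignty rules (illustrative only): may raw records leave the
# jurisdiction, and may aggregate counts leave it?
POLICY = {
    "GB": {"export_raw": True, "export_aggregate": True},
    "SG": {"export_raw": False, "export_aggregate": True},
    "IN": {"export_raw": False, "export_aggregate": False},
}


class Orchestrator:
    def __init__(self, stores: list):
        self.stores = stores

    def query(self, requester: str, predicate: Callable[[dict], bool], mode: str) -> dict:
        """mode is "raw" (records) or "aggregate" (per-jurisdiction counts).
        Returns what each jurisdiction's rule allows and names the rest as
        withheld, so the caller can see where a result is incomplete."""
        if mode not in ("raw", "aggregate"):
            raise ValueError(f"unknown mode {mode!r}")
        out = {"records": [], "counts": {}, "withheld": []}
        for store in self.stores:
            rule = POLICY[store.jurisdiction]
            local = store.jurisdiction == requester   # in-market access is always allowed
            matched = store.run(predicate)
            if mode == "raw":
                if local or rule["export_raw"]:
                    out["records"].extend(matched)
                else:
                    out["withheld"].append(store.jurisdiction)
            else:
                if local or rule["export_aggregate"]:
                    out["counts"][store.jurisdiction] = len(matched)
                else:
                    out["withheld"].append(store.jurisdiction)
        return out


def build_demo_orchestrator() -> Orchestrator:
    """Constructed sample data: three markets, each holding its own customers."""
    return Orchestrator([
        RegionalStore("GB", [{"id": "gb-1", "segment": "retail", "balance": 1200},
                             {"id": "gb-2", "segment": "corporate", "balance": 90000},
                             {"id": "gb-3", "segment": "retail", "balance": 300}]),
        RegionalStore("SG", [{"id": "sg-1", "segment": "retail", "balance": 5000},
                             {"id": "sg-2", "segment": "retail", "balance": 750}]),
        RegionalStore("IN", [{"id": "in-1", "segment": "retail", "balance": 60}]),
    ])


def is_retail(record: dict) -> bool:
    return record["segment"] == "retail"


if __name__ == "__main__":
    orch = build_demo_orchestrator()
    print(orch.query("SG", is_retail, "raw"))        # GB and SG rows, IN withheld
    print(orch.query("SG", is_retail, "aggregate"))  # counts for GB and SG, IN withheld
```

The useful property for a bank operating under many regimes is that a new market's rule is one more entry in the policy table, and a request that cannot be satisfied in full says so explicitly rather than silently returning a partial view.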

Hybrid roles

The convergence of technologies such as AI, data management and cyber security is not only forcing CIOs and chief information security officers (CISOs) to rethink how their teams are structured, but is also giving rise to a rare breed of hybrid tech workers who are expected to be well-versed in multiple domains.

“In a way, it’s like finding the unicorn,” said Garrido. “You want a good data scientist who is also an expert in cyber security. Those people don’t exist, so you need to find the best way to cross-train people.”

Fortunately, the bank has seen an appetite for reskilling among its employees. “The level of interest is unbelievable. Everyone is training and retraining,” said Garrido. “With AI, we’re actually making room for more innovation. The shape of the organisation is going to be different, and it’s happening almost organically.”

Moving forward, Garrido sees his teams becoming more modular and agile to respond to the fast-changing macro environment. He expects to see tighter integration between business and technology teams, enabling highly focused, boutique capabilities to be developed while maintaining the rigour, predictability and uniformity of a global bank.

“Banks usually build for scale, but with more data balkanisation and data sovereignty, scale is no longer the paradigm,” said Garrido. “You need to build for modularity to cater to different regulatory requirements and jurisdictions and find that sweet spot.”
