J.P. Morgan’s CIO on the Bank’s Security Game Plan

By Emily Glazer for WSJ

Dana Deasy discusses the bank’s strategy since the 2014 breach, as well as working with fintech partners

The amount of money most large banks spend on technology unrelated to cybersecurity is shrinking. Not so at J.P. Morgan Chase & Co., the nation’s largest bank by assets.

Facing fierce competition from upstarts in the financial technology, or “fintech,” space, along with constant cybersecurity threats, J.P. Morgan is betting that tech will be an industry game-changer.

That’s where Dana Deasy, the bank’s chief information officer, comes in. Mr. Deasy oversees a $9.4 billion technology budget at J.P. Morgan, including about $3 billion in new investments, that is growing—a rarity in size and allocation among large banks. He leads 44,000 technology employees, including more than 18,000 developers.

A few years ago, many fintech firms were vowing to dismantle the financial-services giants; more recently, the conversation has shifted to bank partnerships and purchases. J.P. Morgan recently joined forces with online lender On Deck CapitalInc. in one of the first large bank joint ventures with a fintech firm.

In an interview, Mr. Deasy elaborated on the fintech landscape and cyberthreats. Here are edited excerpts:

WSJ: How does J.P. Morgan think about fintech?

MR. DEASY: We are actively scanning most fintechs. We will evaluate a fintech and say we’re already building what they’re doing and what we’re building will be better. Or we’ll look at something that is being built and decide it’s a great partnering opportunity. And in some cases we may not only partner, we may become an investor.

WSJ: What is your role in this process?

MR. DEASY: We have a dedicated team that is constantly scanning Silicon Valley and other places for new ideas. Last year alone, we started conversations with about 300 startups. Of those, we brought 100 of them into the bank and piloted their ideas. We actually put in production about 50 of them last year.

WSJ: What can J.P. Morgan learn from some of these smaller fintech firms?

MR. DEASY: One thing that we are continuing to get more comfortable with is the idea that we’re going to fail on a lot of these new initiatives. You’ve got to be prepared to let go of ideas if they aren’t going to bear fruit. This is what [venture capitalists] do really well: they can vet very quickly. If they think an idea is going to make it, they’ll fund it. And if it isn’t going to work, they’ll shut it down.

WSJ: J.P. Morgan suffered a cyberattack about two years ago in which customers’ contact information was stolen. What has changed since then?

MR. DEASY: We’ve really matured our cyber-agenda. We have committed a significant amount of time on how money and information flows through the bank—and looking at it through the eyes of an adversary. We spend a lot of time penetration-testing.

WSJ: How does that work?

MR. DEASY: We created a “red team” made up of internal specialists that is designed to think like an adversary. They try to find ways to get into the bank from the outside.

We also created “hunt teams” made up of people who are looking for [adversarial] activities that might be occurring on our network. We’ve hired a lot of people who have done this sort of work on the government side.

WSJ: What’s the strategy?

MR. DEASY: We have something we call the “kill chain.” The idea is to try to stop the adversary before they ever get in. Or if they’re trying to get in, detect it. Or if they’re in, stopping them before they get to the data. Or if they get the data, you stop them before they can extract the data.

The other thing we’re spending a lot more time on is simulations. We look at various situations, such as simulating if there’s a multibank breach—how we would work together [to remedy it]. And we’re doing simulations inside the bank. We regularly choose a part of the bank and create a simulation where an adversary has come in and caused some sort of havoc. What does the business do, how are they supposed to react, what are their contingency plans?

WSJ: J.P. Morgan has targeted $600 million for cyberspending this year. How does that break down?

MR. DEASY: Labor is a big part of our cost. So are the tools themselves. We are constantly, and I mean constantly, scanning [the market] for the latest, best tools. This is critical because adversaries are always trying to find new ways to cause havoc, harm and destruction at large companies.

WSJ: How do you measure success in cybersecurity?

MR. DEASY: Any day that’s a quiet day is a very, very successful day. Our first priority is to protect our customers. But this is a constant battle. I’d love to be able to say that everything is going to get stopped at your front door. But it won’t. The reason the kill chain is so important is that it gives us various lines of defense—it’s where we invest dollars and expertise across the board.

Ms. Glazer is a reporter for The Wall Street Journal in New York. Email her atemily.glazer@wsj.com.

First appeared at WSJ