Bank of America CTO Talks Windows 10 Plans, Security

Bank of America CTO David Reilly is juggling Windows 10 deployment and security concerns, supported by an evolving relationship between business and IT.



Beyond Windows 10: 6 Microsoft Releases To Watch (Click image for larger view and slideshow.)

Is your enterprise looking towards early adoption of Windows 10? Bank of America is.

InformationWeek sat down with Bank of America's CTO David Reilly following his keynote at the Hispanic IT Executive Council (HITEC) Q3 Summit, held last week in New York, where he chatted about an enterprise-wide Windows 10 migration, the changing dynamic between business and IT, and his biggest security concerns.

Reilly promised a Windows 10 upgrade is on the horizon for Bank of America. "We're looking to adopt as early as we can," he said. Such a project will be a massive undertaking given the sheer multitude of Windows devices within the organization, but he appears optimistic about the process.

The upgrade path to Windows 10 seems much smoother than the transition to Windows 7, he explained, which is part of the motivation to adopt early. Bank of America is currently running Windows 7 throughout the business.

[See how Redmond is handling containers. Read: Microsoft, Docker Boost Container Collaboration.]

Employee devices were never upgraded to Windows 8 because the bank requires its OS and applications to function fully across tablets and desktops. As many businesses have experienced, Windows 8 wasn't well suited for cross-device enterprise use. A broad range of employees, from financial advisors to customer greeters, regularly use both tablets and laptops.

Windows 10 delivers the same user experience across tablets, desktops, and laptops. Another key reason Reilly is looking forward to upgrading sooner rather than later. "That's an opportunity we'd really like to take advantage of, if we can," he said.

Of course, enterprise adoption will prove much more complex than a simple download. Windows 10 will have to interface with inventory and security systems, said Reilly. The bank has to create a build for its specific environment.

If this type of build is ready by November, he said, it will be tested among development teams so as to address key concerns and bug fixes. From there, the plan is to enter a phased adoption so employees may opt for earlier upgrades before the OS is fully deployed throughout the enterprise.

Business and IT Relations

The myriad ongoing technology projects at Bank of America have been supported by an evolving relationship between the business and IT departments.

The level of technical proficiency among today's business leaders is dramatically higher, Reilly said, which makes his job as far easier and more effective. When IT leaders can talk with the business team about details of operating systems and tech stacks, it's invaluable to the tech team.

Half of the leadership team, for example, has been running Windows 10, while half continues to use Windows 7. This allows a group of execs to become familiar with the new OS, receive and edit documents, and understand the many differences between the two systems.

The technical know-how of business leaders could prove helpful in understanding how data is used, another priority for the bank. "Data is an asset that really has to be owned by the business," Reilly emphasized in his keynote. IT can provide the necessary tools, but it's up to the business to understand, and act upon, the data collected.

Security Concerns

Speaking of data, like many tech professionals in financial services, Reilly has data security at top of mind.

Bank of America has a tough exterior but continues to worry about the dangers of insider threats. All recent public breaches have, at their core, either known vulnerabilities or insider activity, said Reilly in his keynote speech.

"Once you're in with us, it's pretty open," Reilly admitted. "It's not enough to have that hard outer shell."

To create a more secure environment, he explained, it's necessary to protect sensitive resource zones within the bank. The process of segmentation, as he calls it, restricts contamination to smaller areas of information so as to limit the spread of harm.

To combat the risk of insider threat, Reilly is cracking down on access management for digital resources provided to Bank of America employees.

As they change roles within the organization, employees receive new credentials to access privileged resources, but continue to retain logins they needed for previous functions. New restrictions will limit employees' access to information specifically related to their duties, said Reilly.

Bank of America is also investing a large chunk of its security efforts into discovering third-party software vulnerabilities and revamping its patch strategy.

Normally the team tries to deploy patches when it's convenient, said Reilly, but this is no longer a practical strategy. As the number of software vulnerabilities quickly rises, so does the volume of necessary patches.

The problem is, faster patch delivery may lead to problems in other parts of the business. A patch intended to safeguard company information, for example, may cause a glitch in Bank of America ATMs.

In such a case, Reilly and his team have to decide which situation they would rather address: broken ATMs caused by a patch that successfully protected sensitive data, or a more in-depth breach that occurred because a patch wasn't deployed.

The former would be the lesser of two unfortunate situations, the CTO admitted. He and his team face a challenge in convincing fellow executives it's necessary to deploy a patch that could potentially cause other issues, but doing so is necessary to prevent more serious attacks.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.