UPDATE: Oct. 2, 2020: Goldman Sachs found a permanent chief information security officer (CISO) — by hiring him away from Morgan Stanley. Matthew Chung, 54, will be joining Goldman as CISO and head of technology risk, the bank said in a memo seen Thursday by Bloomberg. Chung's predecessor, Andy Ozment, left Goldman in May to become head of technology risk at Capital One.
Ozment's interim replacement, 20-year Goldman veteran Phil Venables, will leave the bank at the end of the year, the memo said. The shuffle comes during a week when the investment bank elevated a woman to the role of division co-head for the first time since 2018 and announced a change in leadership at its digital bank, Marcus.
Morgan Stanley, meanwhile, named 18-year company veteran Katherine Wetmur as its next CISO. She assumed the role in mid-September, when Chung left the bank, Fastinform reported. Wetmur previously served as managing director and international chief information officer.
Chung had served at Morgan Stanley since 2014. He previously worked at Barclays.
Dive Brief:
- Goldman Sachs's chief information security officer (CISO), Andy Ozment, is leaving the bank after three years to join Capital One as head of technology risk.
- Capital One is rebuilding its information-security image after a breach last year exposed the personal data of 106 million customers. The bank removed former CISO Michael Johnson from that role in November but retained him as an adviser focused on the company's breach response.
- The hire comes as the Federal Financial Institutions Examination Council (FFIEC) issued a statement Thursday on behalf of several regulators, emphasizing the responsibility of banks' management to carefully keep tabs on cloud security.
Dive Insight:
Bank management should "evaluate and monitor the cloud service provider's technical, administrative, and physical security controls that support the financial institution's systems and information assets that reside in the cloud environment," the FFIEC said.
Amazon Web Services, which provides cloud security for Capital One, said in August that the onus for the security gaps falls on the bank. FFIEC guidance merely states that banks and third-party providers need to identify and agree upon where the reach of each organization stops.
"Management's failure to understand the division of responsibilities for assessing and implementing appropriate controls over operations may result in increased risk of operational failures or security breaches," the FFIEC wrote.
Capital One employees cited high turnover in its cybersecurity unit before the breach, according to an August report in The Wall Street Journal. Some employees said Johnson's management style was unsuited to the public sector — he had previously worked for the federal government — and many "initial direct reports" left for other positions, the Journal reported.
Ozment, too, cut his teeth in several cybersecurity-related government positions. He served in five federal roles from 2008 to 2017 at the Defense Department, Homeland Security and the White House, according to his LinkedIn page.
"Andy's extensive background in both the government and private sector provides a unique understanding of the cyber risks and challenges facing organizations today," Capital One said in a statement emailed to Bloomberg.
Ozment will report to Capital One's chief risk officer. The bank also hired a new CISO last month. Chris Betz joined the bank in April from telecom firm CenturyLink, where he served as senior vice president and chief security officer. He previously worked in information security for CBS, Microsoft and Apple, according to his LinkedIn page.
Phil Venables, who was Goldman’s head of technology risk for 17 years, will serve as the bank’s interim CISO until it finds Ozment’s successor, the bank wrote in a memo, according to Bloomberg.