In the same month that Devon Bryan took over as EVP and CISO of the Federal Reserve System, cyberthieves stole roughly $101 million from a Federal Reserve Bank of New York account belonging to Bangladesh's central bank.
It was not the welcoming party Bryan was hoping for.
The perpetrators, believed to be from the North Korean APT group Lazarus, were reportedly able to steal the Bangladesh bank's credentials for the SWIFT bank messaging system, using them to send the Federal Reserve fraudulent requests to transfer large sums of money (originally reported as $81 million, then revised to $101 million) to accounts in the Philippines and Sri Lanka. SWIFT later publicly disclosed that cybercriminals orchestrated attacks against additional financial institutions, including banks in Vietnam and Ecuador.
This brazen cybercrime was proof positive that financial institutions, including those operated or funded by the Federal Reserve, remain a highly prized and lucrative target for cybercriminals.
And money isn't the only key asset in play. As the U.S.'s central banking system, the Federal Reserve holds a myriad of data that bad actors might want to acquire – and it's Bryan's duty to protect it. According to his LinkedIn profile, Bryan is “responsible for leading and maintaining the enterprise information security program of the Federal Reserve Banks to ensure that information assets are adequately protected.” (Due to his agency's strict guidelines on interviews, Bryan was unable to participate in this profile.)
On joining the Federal Reserve in February of 2016, Bryan brought with him ample cybersecurity experience as the former vice president of global technical security services at human resources management systems provider ADP. A former lead network engineer with the U.S. Air Force, he also previously served as deputy associate CIO, cybersecurity, at the Internal Revenue Service.
In late August of this year, Bryan was named a member of the International Information System Security Certification Consortium's U.S. Government Advisory Council. In that role, he will provide insight to the organization's executive management team regarding government policies and programs that impact cybersecurity professionals.
Bryan was presented with a Federal Computer Week Federal 100 Award in April for his efforts in addressing the lack of diversity in cybersecurity – specifically as founder and president of the International Consortium of Minority Cybersecurity Professionals (ICMCP), a volunteer-led organization that creates new career opportunities for underserved populations.
“As I talked with colleagues at RSA and other shows/meetings over the past few years, a common theme that surfaced in our conversations was not only the lack of talent in the market but lack of diverse talent,” said Bryan in an (ISC)2 blog post announcing the award. We decided that there had been enough dialogue about the problem, and it was time to do something about it.”
To that end, the ICMCP helps female and minority cybersecurity professionals through scholarships and financial awards, internships, training workshops, networking events and mentorship and veterans outreach programs.
“Devon has established an amazing foundation with ICMCP by being a results-driven leader who is dissatisfied with the status quo,” said Aric Perminter, the founder and chairman of Lynx Technology Partners, and the incoming president of the ICMCP. (Bryan's stint as president ended Dec. 1, at which point he will assume the role of co-chair of the ICMCP's Strategic Advisory Board.)
“He strives to raise standards through awareness and relationship-building in an effort to bridge the ‘great cyber divide' that results from the ongoing underrepresentation of minorities in the fast-growing field of cybersecurity,” Perminter continued. “He is an extremely effective communicator with keen business instincts who looks for opportunities to do great things for those around him. He has created and led an organization well-positioned to grow and evolve well into the future.”