JPMorgan Chase CISO explains why he's an 'AI optimist'

Financial services organizations tend to have sizeable budgets for cybersecurity investments. But balancing those investments against an increasingly expansive threat landscape is easier said than done.

As CISO of JPMorgan Chase & Co., Pat Opet is charged with defending the financial services giant against cyber threats as well as maintaining compliance across 60-plus countries, each with a variety of disparate regulations. As head of the Cybersecurity and Technology Controls (CTC) organization, his duties include investing in technologies that not only protect the company but also enable it across all lines of business. Even with a sizeable budget, that can present enormous challenges at an enterprise with complex infrastructure and more than 300,000 employees worldwide.

For Opet, it starts with viewing CTC as "an enablement organization" within JPMorgan Chase that makes cybersecurity as seamless as possible for developers. "We hold ourselves to a high standard to do it without a lot of friction for the technologists, which can be challenging from time to time," he said. "We're not always great at it, but it's certainly primary to our mission."

The advent of generative AI has shaken up the cybersecurity industry in large part because it has been seen by some as a true enablement technology that can assist everyone from SOC analysts to software developers. In an interview with TechTarget Editorial, Opet explained why generative AI has won him over and how his organization is investing in the tech. He also discussed how JPMorgan Chase balances its cybersecurity spending based on emergent -- and resurgent -- threat activity.

Editor's note: The following was edited for length and clarity.

In terms of threat activity, do you get reports about specific alerts or anomalies daily? Or are you at a stage now where you only get notified when the people on the ground are pretty sure there may be an incident taking place?

Pat Opet

Pat Opet: I think this is personality driven, and people can run this any number of ways. For me, there's a daily handover email between our intelligence team. There's a daily report that comes out of our security operations center that I read. I'm in New York, and our security operations center is outside my door here. I personally like to go in there at five or six o'clock at the end of the shift and just chat for a little bit about what we're seeing and what we're watching.

Obviously, we have a formal incident response plan, which would formally notify me if we were invoking forensics on the back end of an attack or if we felt that there was an event that rose to a certain level. There's formality in the notification processes because for us, it drives notification to both regulators and potential customers. But the day-to-day of what we see, especially things that we believe are emerging tactics and techniques we hadn't seen before, I'm deeply involved in.

Now I don't have a ton of time to spend just on that side of it. It's the thing that I'm most passionate about. But there's managing a large organization and everything that comes along with that as well as the compliance side of the job and meeting with and interacting with regulators. My time is split [between cybersecurity, technology compliance and resiliency posture], but I tend to spend a good bit of time in the details of the cyber side.

How often do you review what cybersecurity technology you have in place and what you think you need to invest in, especially in terms of new technologies and products that are starting to take off?

Opet: There are a few different ways we think about it. It's a bit more organic than an event causing us to do a review. In terms of our budget, we invest more than $600 million a year in cybersecurity. For us, there were some efficiencies we wanted to drive in terms of how we use automation the last several years that I think has helped keep that spending curve on a relatively modest trajectory. That said, as we look forward to the 2024 investment cycle, there are several areas where we think we're going to spend in what I'll call a differentiated way, due to either advancements in technology or the growth and trends of some attack techniques.

I have an organization that I call an assurance organization. It's our security architecture team, our red team and our penetration testing team. The focus of that organization is to test the efficacy of our controls and then look at when there's control failure or what the impact is to the global system. We've got the red team and architecture team working closely together, with architecture primarily defining what we must achieve from a business perspective and the red team showing us where we're not as effective as we want to be. That drives, to some degree, a set of findings and root cause analysis that may cause us to look at where we need to improve the efficacy of something.

We also have a strategy and partnerships organization whose job it is to really understand the tech ecosystem. That's everything from Gartner trends down to all emerging startup businesses. They're integrated into each one of the investors there and their portfolios. That can be a driver to us as well. Then, obviously, we're watching threat activity globally.

What's an example of threat activity that prompted new investments?

Opet: We saw, toward the end of last year, an uptick in DDoS activity, specifically Layer 7 DDoS activity. It wasn't trendy at the time to say, 'Hey, DDoS is going to be a problem again.' I think most cyber practitioners would have brushed you off.

We went to our risk committee late last year or early this year and said, 'We think this trend is going to continue to grow. It's relatively easy to do, and it has become easier with software that exploits functions at the application layer of websites.' We've dealt with the lower levels of DDoS attacks. But when it gets to the upper levels of the stack, we're not particularly well designed as a community or an ecosystem for that.

These attacks were a way of driving disruption and, perhaps, ransom trends that weren't generating a response from the U.S. government or others. It was an unchecked way to disrupt critical infrastructure. Post-Colonial Pipeline attack and other things like that, that type of [ransomware] disruption to critical infrastructure was clearly going to be met with some retaliatory response from the U.S. government. It was this point where the tools could be used effectively, and it wasn't going to draw the negative response given geopolitical trends and the war in Ukraine. It just seemed like a logical area for us to grow, and so we made some changes.

We had always run on-premises DDoS mitigation equipment, but we made some changes around that time to adopt more SaaS-based tools that have better Layer 7 protections. Then we decided to build technology internally and have response teams and other things to scale out where we felt pinch points were in the web-facing environment. Events like that or identity compromises are old things becoming new again. Those areas always drive some attention on investment.

For us, where financial services may be fortunate, if we need to make an investment because we see a growing trend, there's an openness at the operating committee to hear about an emerging risk and the need to invest. In all those situations, the firm is open minded about making the right investment where it's needed.

Given that you saw the DDoS trend happening, prepared for it and tried to get ahead of the threat, would you consider that a security win, so to speak?

Opet: Absolutely. We did see some challenges late last year. They weren't anything that would have impacted customers, but we saw the precursor activity. We took action, primarily on some of the customer-facing sites where we felt there would be direct focus. Getting ahead of that trend was great.

It's not always something you can get ahead of. Sometimes the trends are emerging, whether it's zero-day vulnerabilities; the Log4j scenario, where you're behind before you start; or changes in techniques that you didn't predict. We don't depend on prediction. Our ability to be proactive is driven by the intelligence work we do. We invest significantly in intelligence work, not just about JPMorgan Chase but broadly, for the attackers that we believe would target financial services. We closely follow their mechanisms or tactics, techniques and procedures.

We've invested in a differentiated way to source that information. For example, we rarely buy finished intelligence now. We have essentially shifted all our budget to collection -- largely open source collection and dark web collection. We've got some pretty neat techniques we're using these days. A lot of that work has allowed us to understand capabilities the attackers are developing and then ensure we can evaluate how we will respond as we see these trends building.

One of the areas that's been getting a lot of attention over the last year is generative AI with the emergence of ChatGPT. The resurgence of AI technology has created this concept of large language models and AI advisors alleviating the burden on infosec professionals. Have you looked at this new wave of AI tech? And what's your sense of that market in terms of the hype versus reality?

Opet: We've started to look at it. That's the short answer. The longer answer is, I was a bit of an AI pessimist before November of last year. Seeing ChatGPT in action for the first time and what it could do opened my mind -- perhaps many others' as well. It felt like we tipped over the precipice of an AI era.

I was a bit of an AI pessimist before November of last year. Seeing ChatGPT in action for the first time and what it could do opened my mind -- perhaps many others' minds as well.

I'm an optimist about its capabilities. Most of the last nine or 10 months or so have been us trying to enable AI to use inside of the firm. We have been users of traditional AI for some time. Generative AI is newer for us in the business. We've spent the last six or seven months designing the right isolated mechanisms that are safe for us to use to produce our data. That's something we'll start doing internally as a business more broadly and think through how we use it as a cybersecurity use case.

It's probably not going to be done in a generic sense in the short-term. Cybersecurity practitioners and maybe some industry consortiums need to get together to build and train the right models to support cybersecurity. It's clear to me that one, everybody's thinking about how they use AI in their tech. But two, to do it well, the right models must be trained in the right way to lead to an effective outcome. That is something we all must learn to get to the end state.

But I do think there's a day in the not-too-distant future where, as a cybersecurity practitioner, you can present a scenario [to a generative AI model] and get back the next best action you should take. If you're a small business that has limited resources but you can ask a question and get an answer back that would just give you enough time to call a professional incident response firm and interdict the attack, then it could make a meaningful outcome and raise the bar for cyber practitioners globally.

We are starting to work on that project internally and we've started to socialize with some potential partners about our desire to build a model that hopefully we can open source and enable others to gain some of that advantage. But we're at the early stages. Frankly, I don't know which models are going to be the best fit to help do that.

What we've done as a community, which is really powerful, is organize the security data well. Mitre and various projects associated with Mitre have such well-organized data. Threat intelligence companies have highly organized data on threats and their capabilities. It's like we've positioned ourselves as an industry to leverage well-structured, labeled data to train a machine. We've just got to figure out how we do that in a way that interacts with security operators most effectively and can be super creative around the options.

It's not about making an investment in EDR and installing it. That's not an option at the time when you're being attacked. The options could be to rename this system registry file or take these specific actions on these IP addresses. There are tactical, precise responses that people can use just to disrupt the attack -- not necessarily mitigate an issue or defend it in the future but just buy some time. That could be hugely powerful.