With every sector now interconnected, can financial services stay secure without broader industry-wide defence?

This was one of the critical themes that emerged in our conversation with Alvaro Garrido, COO for Technology & Operations and CIO for Information Security & Data at Standard Chartered.

We set out to understand how a global bank navigates competing priorities: modernizing data foundations while managing regional constraints, scaling AI without eroding trust, and strengthening cyber resilience in an environment where attackers, technologies, and regulations evolve relentlessly.

In this Q&A, Garrido breaks down the frameworks, choices, and realities shaping the next chapter of security, data, and AI in financial services, and the principles guiding Standard Chartered as these domains continue to advance.

Edited Excerpts

Q: Your role touches core functions across operations, data, AI, tech, and security. How do you balance the often-competing priorities of innovation and growth with efficiency, resilience, and security?

I rely on a simple three-step framework. First, context — I make sure we deeply understand market needs, regulatory expectations, and where technology is heading. If innovation isn’t grounded in reality, it won’t stick.

Second, common sense — applying practical judgment and building security and resilience from the very beginning, not bolting them on later.

And lastly, focus — we prioritize initiatives that truly move the needle and support sustainable growth, rather than trying to do everything at once.

Q: What are the biggest challenges in managing data at a global financial institution like Standard Chartered? What strategies does the bank employ to break down data silos across global teams and divisions?

Managing data at a global financial institution comes with a unique set of complexities, especially when you operate across multiple regions with varying regulatory and privacy requirements. We’ve been modernizing our data lake infrastructure to address these challenges. We still firmly believe that a centralized data lake remains the right foundational approach, but it needs to evolve.

Think of it as putting “curtains” around who can see what — access controls tailored not just to job roles but also to geographic location and local data-residency laws. While much of our data lake infrastructure is currently on-prem, we’re actively evaluating the right balance between on-prem and cloud deployments to support these diverse needs.

Security is also core to how we manage data. In 2024, we opened our Fusion Centre, an integrated hub designed to strengthen security and risk mitigation across the organization. By bringing people, processes, and technology together under one roof, the Fusion Centre enhances our ability to monitor, detect, and respond to emerging cyber threats quickly and cohesively. This unified approach helps us break down operational silos internally while ensuring that both the bank and our clients remain protected.

When we look beyond the bank, one of the biggest challenges we see is the lack of interoperability in cyber defences across critical sectors. Cyber attackers don’t respect industry boundaries. An incident starting in telecoms or energy can rapidly spill into the financial system, and the interconnected nature of payments, supply chains, networks, and cloud providers only amplifies this risk.

Today, each sector still tends to operate independently, with its own standards and isolated threat-response playbooks, which can lead to slower reactions and exploitable gaps. The real opportunity lies in building shared threat-intelligence platforms, adopting common resilience standards, and conducting joint exercises across industries.

If a telecom provider identifies a new attack pattern, for example, banks should be able to receive and act on that information almost instantly. At Standard Chartered, we are strong advocates for such collaboration. We believe that interoperability is key to collective resilience, and by working together across sectors, we can move from fragmented defences to a unified shield that protects society’s most critical functions.

Q: As financial institutions increasingly invest in AI, how can banks differentiate themselves in a landscape where AI-driven innovation is becoming the norm? 

The real challenge is cutting through the noise and moving beyond performative innovation. Many organizations are pursuing AI simply because it’s the trend, but we believe true differentiation comes from applying AI purposefully, in ways that meaningfully improve outcomes for clients and the business. Our focus is always people-first: using AI to help customers make smarter financial decisions, enhance operational resilience, and drive efficiency where it truly matters.

Another area where we stand apart is our commitment to responsible and trustworthy AI. In financial services, trust is the most valuable currency, so we build fairness, transparency, and accountability into every AI initiative. This isn’t just about compliance; it’s about ensuring that clients and regulators know our systems are safe, ethical, and reliable.

Finally, our global footprint gives us a unique advantage. Operating across 54 markets means we can develop AI models that are globally scalable yet deeply attuned to local context — whether that’s regulatory nuance, customer behaviour, or cultural expectations. That combination of global scale and local insight allows us to innovate responsibly and deliver solutions that resonate across diverse markets.

Q: What governance frameworks or technologies are helping you manage secure and ethical AI adoption across the bank?

For us, strengthening AI governance starts with a clear structure and well-defined accountability. We’ve put dedicated bodies in place, such as a Responsible AI Council, to oversee, challenge, and approve AI initiatives across the bank. 

This is supported by a comprehensive set of Responsible AI standards that guide every stage of development and deployment, covering fairness, ethics, transparency, privacy, bias mitigation, robustness, cybersecurity, and compliance.

Even as we automate more processes, human oversight remains essential; people are ultimately accountable for AI-supported decisions, and our frameworks ensure the right level of human review before any output is used. We also conduct regular monitoring, testing, and validation of models including performance checks and bias assessments to maintain trust and stay ahead of regulatory expectations. 

And importantly, governance isn’t just about policies; it’s about people. We invest heavily in workforce training and AI literacy so employees understand how to use AI responsibly, follow best practices, and uphold accountability at every level of the organization.

Q: Standard Chartered operates across multiple regions with varying regulatory and infrastructural contexts. What are some of the biggest challenges in maintaining resilient, seamless banking operations globally?

Our blueprint is centred on strong identity and access controls, continuous validation of user and system activity, and security embedded into every layer of our technology stack. Instead of relying on static defences, we’re designing for automation, modularity, and real-time adaptability, ensuring our protection scales effortlessly as the business grows.

The biggest challenge with traditional approaches has been the dependence on siloed tools, manual monitoring, and uniform controls, all of which create delays and blind spots. We’re moving away from that by adopting integrated platforms and dynamic, context-aware policies that adjust based on risk. This shift gives us an architecture that is both flexible and resilient, ready for the evolving threat landscape.

Operating across more than 50 jurisdictions means we’re constantly navigating a diverse set of regulatory expectations. To manage this complexity, we use a hybrid model where global standards establish a strong, consistent foundation, and local teams tailor implementation to meet specific regional requirements.

This combination gives us the best of both worlds: global consistency and local relevance. It also strengthens trust; regulators and clients know that we’re upholding robust standards while respecting the nuances of each market. Ultimately, this balance allows us to maintain both control and agility across one of the most complex regulatory environments in the industry.

Q: How would you describe Standard Chartered’s defense-in-depth approach to cybersecurity, and how does it integrate prevention, detection, and rapid response?

We don’t view cybersecurity as a “dark art” — it’s a systematic discipline. It’s about placing the right controls in the right places and maintaining continuous, persistent observation. The real challenge isn’t complexity; it’s discipline.

You have to be methodical in analyzing, refining, and strengthening controls over time. With so many new tools and technologies showcased at industry events, it’s easy to get distracted, but our focus remains on selective investment, prioritizing capabilities that deliver the most meaningful improvements in detection, response, and recovery.

Our security strategy is also becoming more human-centred, shifting from a sole focus on systems and assets to understanding how people interact with data and processes, because that’s where many vulnerabilities and opportunities for protection emerge.

When it comes to defending consumers, we believe financial institutions play a critical role as guardians of digital trust. With AI-enabled scams on the rise, geopolitical tensions increasing, and cyberattacks becoming faster and more sophisticated, trust will soon be one of the scarcest and most valuable assets.

We take this responsibility seriously. We protect our systems and embed security-by-design into every product and process. We also invest heavily in educating and empowering both clients and employees to recognise emerging risks. And just as importantly, we collaborate with regulators and industry peers, because raising the bar collectively is the only way to build resilience at scale.  

Q: With AI now being used on both sides, by defenders and attackers, how is the bank leveraging AI-driven threat intelligence and anomaly detection to stay ahead?

Cybersecurity today has fundamentally shifted into a data- and AI-driven discipline, and that change has been transformative for us. Instead of relying solely on traditional, out-of-the-box tools, we’ve built scalable analytics platforms that allow us to identify and respond to threats far more intelligently.

A few years ago, we created our Cybersecurity Data & Analytics Factory, which enabled us to deploy advanced AI at scale in a cost-effective way. This gave us a real advantage against adversaries who are constantly evolving their tactics. 

We extended that foundation through our FUSION programme, which brings together cyber, fraud, financial crime, and even physical security into a single integrated view. These domains are deeply interconnected in the real world, and integrating them has allowed us to detect and respond to complex threats faster and more effectively. In short, we’ve turned data into a unified defence capability– smarter, faster, and more holistic.

Modern cyber defence in banking depends on recognizing the right data signals. Beyond traditional logs, we increasingly analyze behavioral data, how clients, employees, and partners access systems, how transactions flow, and how communication patterns evolve. Subtle anomalies in these behaviors often reveal compromised accounts or potential insider risks.

With large language models now part of the ecosystem, we also track AI-specific signals, such as how models are accessed, what prompts are used, and indicators of misuse or prompt-injection attempts. And thanks to business-context analytics powered by AI, we can link these anomalies to financial processes, compliance requirements, and customer journeys. 

This combination of technical, behavioural, and contextual signals gives us a much richer understanding of emerging threats and allows us to detect them with far greater precision, all while ensuring our cybersecurity posture stays aligned with how the business actually operates.

Q: When you need a break from data, analytics, and cybersecurity, what’s your go-to hobby or activity to recharge?

Outside of work, I draw a lot of energy from connecting with people and helping the next generation grow in their careers. That naturally aligns with my role as co-sponsor of the Bank’s Black and African Talent inclusion efforts.

I’m focused on driving meaningful, tangible progress through initiatives that support not only Black and African colleagues but also benefit the wider organisation, for example, our pilot peer-to-peer International Buddy scheme, which helps colleagues settle into new markets more smoothly.

A key personal priority for me is ensuring senior leadership stays actively engaged, while also serving as a representative voice for our Black and African colleagues during important decision-making moments. As an advocate and sponsor, I’m committed to showing up at every level of the community. For me, diversity isn’t just a value we talk about; it’s a catalyst for innovation, cultural strength, and long-term growth.

Q: If you weren’t in banking and tech, what field or career do you think you might have pursued?

I would have probably been a doctor – I had doubts till the very day of sending my papers to the university as to which path to take. Eventually, I chose the red pill (a ‘Matrix’ reference here) and ended up in Engineering.