The bank built on telemetry and ML



Standard Chartered’s cyber strategy shifted when its teams started encountering signals that outpaced what traditional systems were built to interpret. Alvaro Garrido, COO, T&O and CIO for Information Security & Data, watched his teams process terabytes of telemetry they could not fully exploit using rules-based detection. Something fundamental had changed: The signals had become richer than the tools designed to interpret them.

What changed was the centre of gravity: The story moved from technology to the sheer volume of signals entering the bank’s field of view.

Garrido describes the shift in simple terms: “People think cybersecurity is very complicated, and it’s not. Cyber is the art of seeing more, understanding better, and responding faster.” The definition is concise, but executing it at a global bank required a decisive break from legacy approaches. Telemetry, machine learning, and secure AI governance became the pillars of a redesigned defence model, one built around continuous learning rather than static controls.

Telemetry: The raw material of modern defence

The first pillar of this shift is the bank’s telemetry system. Every modern device, from servers and laptops to smartphones and cloud workloads, produces a continuous stream of behavioural signals. Garrido described this cascade in straightforward terms, noting that “the amount of telemetry that you can capture from just your iPad or even from a smartwatch is almost infinite.” Standard Chartered processes terabytes of telemetry every day; this volume, he said, would have been unthinkable just a few years ago when storage limitations, processing constraints, and network bottlenecks restricted collection and analysis.

Now those constraints are gone, and banks can observe their environments with tremendous depth. But increased visibility introduces its own challenge: No human team can manually sift through signals at this scale, nor can traditional rules-based detection systems cope with the speed, fluidity, and distributed nature of modern attacks.

“As the bank’s digital footprint expanded, we realised that typical rules-based decision-making was no longer valid,” Garrido said. Attackers, especially AI-powered ones, adapt quickly, user behaviour shifts constantly, and threat surfaces change from hour to hour. Rigid, signature-based systems are simply too slow and too narrow for today’s threat landscape.

Machine learning in modern cyber defence

Recognising that static defences could no longer keep pace, Standard Chartered initiated a fundamental shift in its cyber strategy about four years ago. “We decided to use a radical approach with our first machine-learning cyber defence platform,” Garrido explained. This platform ingests vast telemetry streams, correlates disparate behaviours, learns from historical patterns, and identifies anomalies that fall outside what rules-based systems can reliably capture.

Machine learning enables deeper and more sensitive pattern recognition. It adapts continuously to new behaviours and new threats. It processes enormous quantities of data at speeds unattainable by human analysts. It also builds contextual understanding across domains: systems, transactions, and increasingly, human interactions. Garrido noted that the bank’s operating reality has fundamentally changed: “Right now, it is a machine-learning world defending the bank.”

As Standard Chartered integrated more data sources, its models began identifying patterns far beyond cyberattacks. Machine learning surfaced signals linked to financial crime, sanctions evasion, money laundering, human trafficking networks, and payment fraud, underscoring the convergence of cyber and financial crime intelligence inside large institutions.

“We started to realise that it would move laterally from pure cybersecurity to other areas of the bank,” Garrido said. This lateral shift led to what he described as mission-agnostic anti-crime operations, a unified approach that incorporates cybersecurity, fraud detection, financial crime analytics, and behavioural monitoring into a single intelligence fabric. In modern financial institutions, these domains can no longer be separated; attackers exploit the seams between them. Machine learning closes those seams.

According to Garrido, this evolution is still ongoing. The bank’s frontline operations, supported by machine-learning models, now work with enriched indicators from vendors and law enforcement agencies. He said that even though the exact number of personnel in these operations is confidential, the integration of external threat intelligence and internal telemetry has become central to the bank’s defensive posture.

Human behaviour as telemetry

As machine learning matured, Garrido recognised a third critical dimension of telemetry beyond systems and financial transactions: human behaviour. “The ultimate challenge for any bank is not just the highly organised bad actors trying to steal your assets,” he said. “It is also about boutique infiltrations and insider threats.” Detecting these anomalies requires a careful understanding of behavioural baselines, including what users normally access, when they access it, and how they behave across digital touchpoints.

To reach this level of detection, Garrido said banks need a clear understanding of what constitutes normal behavioural patterns across their environments. That includes knowing what users typically access and how they interact with systems so that anomalies can be identified. He explained that this third telemetry dimension helps Standard Chartered recognise when behaviour falls outside expected patterns in the course of daily activity.

Collaboration and architecture in modern cyber defence

Garrido said cybersecurity teams traditionally operate separately from fraud, financial crime, and physical security teams, even though all of them observe related signals. The bank has established unified cyber defence centres to bring these functions together and support closer coordination across cyber, fraud, and physical security. He added that cross-sector collaboration and intelligence sharing are also essential for interpreting signals that span systems, transactions, and behaviour.

Alvaro Garrido, COO, T&O and CIO for Information Security & Data, Standard Chartered. Image courtesy of Standard Chartered.

When discussing security architecture, Garrido said the traditional model of protecting fixed assets is no longer viable. Instead, the bank focuses on securing identities, which he described as the new firewall. An identity can be a person, a system, or an AI agent, and the bank is even evaluating whether certain agents require their own employee identifiers for traceability. He explained that the bank aims to validate security posture continuously, not just during login. This includes dynamic checks based on the user’s location, the data they access, and the actions they perform.

To support this approach, the bank uses a dual model: centralised standards at the core, with flexibility tailored to local jurisdictions. He noted that while Singapore may set certain baselines, those baselines may need to be strengthened for jurisdictions with stricter requirements. The bank maintains modular templates for deployments, allowing it to meet both regulatory expectations and internal standards. Sandboxing and local testing ensure that variations remain compliant and secure.

AI governance: From chaos to control

As generative AI models such as GPT and Copilot entered the enterprise, new challenges emerged that had little to do with cyberattacks but carried equally significant risk. Employees across industries uploaded sensitive documents to public LLMs, exposing confidential material. Consumer-grade AI systems lacked enterprise controls, and early products from major vendors did not yet provide the safeguards banks required. Garrido said the work quickly became too complicated, with teams trying to manage third-party risk, data poisoning, data integrity, and model scanning simultaneously.

He said the bank faced a situation where consumer AI tools were widely accessible, both at work and at home, and staff tried to use them for tasks such as summarising contracts or uploading audio from conference calls. This created a tension between enabling experimentation and preventing accidental data exposure.

In response, Standard Chartered created a central secure AI council and platform. By consolidating cybersecurity, data protection, model risk management, vendor assessment, and compliance controls into one system, the bank established a unified governance foundation. Every model is scanned, every external partner is vetted, and each workflow is assessed across multiple risk dimensions.

Garrido highlighted a critical consideration: preventing unintentional model training. “If you want to use an external model, you need to be sure that you’re not accidentally training that model and letting your data go out,” he said. Even minimal leakage, such as contract summaries or customer information, creates unacceptable exposure in a banking environment.

The bank’s second-generation internal GPT platform, SC GPT, now provides a fully containerised enterprise environment that lets employees use advanced tools without risking external data transfer.

“You basically create your bank-contained ecosystem. You get the best of the model, and the training happens strictly within your enterprise box,” Garrido said. He added that earlier versions of the platform were so restrictive that employees could not upload the materials they needed, which limited adoption. The new version allows broader use while keeping sensitive data contained.

Balancing data democratisation and cybersecurity

Beyond technology, the governance model touches one of the most persistent tensions inside any large organisation: the balance between data democratisation and cybersecurity. Garrido oversees both the data and cybersecurity portfolios, roles traditionally seen as being in opposition. Data teams advocate for openness, transparency, and wide access, while cybersecurity teams enforce controls and least privilege. Some describe CISOs as people who “always say no.”

Garrido believes the balance is attainable with alignment and clarity. “It’s down to very clear agreement on what the bank wants and having the right people,” he said. The fact that he manages both functions, initially by accident, became an advantage. It allows him to integrate risk controls directly into data strategies, supporting innovation without compromising protection. He emphasised that while the business needs speed and flexibility, cybersecurity ensures that freedom does not become fragmentation.

Geopolitics and data sovereignty

No modern cybersecurity strategy can ignore geopolitics. State-sponsored threat actors, geopolitical conflicts, and cross-border data laws influence the threat landscape dramatically. Garrido notes that while cyberattacks “regardless of motivation tend to be quite standard,” geopolitical awareness becomes essential in data architecture and operational posture.

Standard Chartered structures its technology with strict modularity to comply with sovereignty rules. “Data in Singapore cannot be in Spain; data in Spain cannot be in France,” he explained, adding that China imposes even stricter constraints. These rules influence everything from cloud deployments to telemetry pipelines.

Garrido said geopolitical tensions, including conflicts in Ukraine, the Middle East, or Asia, can alter the profile of cyberthreats. In some cases, cyber warfare is deployed to disrupt infrastructure in rival countries. He highlighted the need to monitor not only why attacks occur, but also why they stop. Sudden drops in activity, he said, can signal strategic shifts among potential state-sponsored bad actors.

The future: Strong guardrails, full creativity

Looking ahead, Garrido envisions a future where secure AI guardrails coexist with business-led creativity. “We’re going to be very defined at the core and very prescriptive in the controls, so we can give you all the freedom in how you use it,” he said. He described this as a “bipolar but balanced approach” in which centralised governance ensures consistency, while business units experiment, design use cases, and apply complex prompts through approved models and APIs.

If all analytics were centralised in one department, Garrido said the organisation would lose business context. If everything were decentralised, the result would be fragmentation, shadow AI, and uncontrolled risk. The future, he said, requires unified controls combined with distributed intelligence.

A new era of cyber intelligence

In Garrido’s view, modern cybersecurity is no longer about buying tools. It is about integrating telemetry, machine learning, secure AI, behavioural analytics, and geopolitical awareness into one self-reinforcing system. It is about transforming large volumes of data into actionable, contextual intelligence. It is about closing the gaps between cyber, fraud, and financial crime. And above all, it is about enabling the business to innovate safely.

For Standard Chartered, the principle remains the same: Cybersecurity depends on the ability to see more, understand better, and respond faster. In an era defined by machine learning, telemetry, and secure AI governance, that approach has never been more essential or more achievable.

Editor’s note: This interview was first published in Frontier Enterprise 2026.


