Shauli Zacks
Paul Tucker, Chief Information Security Officer and Privacy Officer at BOK Financial, brings nearly 30 years of cybersecurity experience to one of the largest financial institutions in the U.S. With a career that began with law enforcement aspirations and evolved through early cyber roles in the energy sector, Tucker has spent decades building robust security programs, managing cyber risk, and safeguarding critical infrastructure.
Since joining BOK Financial in 2015, he’s embraced a dual role that reflects today’s reality: cybersecurity and data privacy are inseparable. As digital transformation reshapes banking, Tucker leads a dedicated team working to protect customer trust, balance modernization with legacy systems, and stay ahead of evolving threats. In this SafetyDetectives interview, he shares insights into managing regulatory complexity, third-party risk, and the game-changing tech that’s redefining financial cybersecurity.
Can you share your professional background and what led you to take on the dual role of Chief Information Security Officer and Privacy Officer at BOK Financial?
From a young age, I had a strong interest in the Federal Bureau of Investigation and a passion for law enforcement. I held a pseudo-cyber role at a Fortune 500 energy company, which lacked a specific name for it in the early 2000s. After 9/11, I found my calling in cybersecurity, which allowed me to work closely with the FBI as a civilian. With nearly three decades in cybersecurity, I have built and managed enterprise security functions, engineering, governance, and program management. Before joining BOK Financial in 2015, I held roles that enhanced my skills in protecting critical infrastructure and information and in ensuring cyber resiliency.
My transition to the dual role of Chief Information Security Officer (CISO) and Privacy Officer at BOK Financial was driven by the evolving landscape of cybersecurity and data privacy. As cyber threats became more sophisticated, it became clear that a holistic approach to security and privacy was essential. By combining these roles, I can ensure that our strategies for protecting information and maintaining privacy are seamlessly integrated. This alignment helps us better manage risks and comply with regulatory requirements. I am passionate about safeguarding our customers’ information and ensuring their privacy. This dual role allows me to lead a dedicated team of cyber defenders and privacy experts who work tirelessly to protect our bank’s operations and our customers’ data. My vision is to create a secure and resilient environment where our customers can trust that their information is safe with us.
BOK Financial has a long history in banking, but it’s also embraced digital transformation. How do you balance legacy infrastructure with the need to modernize securely?
To modernize securely, we adopt a phased approach. This involves gradually integrating new technologies while ensuring that our legacy systems continue to operate smoothly. For instance, we’ve been leveraging cloud solutions to enhance our scalability and flexibility. By using tools like HashiCorp’s Terraform and Vault, we’ve automated many processes, reducing the risk of human error and improving our overall security posture.
Security is at the forefront of our modernization efforts. We ensure that any new technology we adopt complies with industry standards and regulatory requirements. This includes implementing robust identity and access management (IAM) solutions to protect our data and systems from potential threats.
Ultimately, our goal is to provide a seamless and secure banking experience for our customers. By balancing legacy infrastructure with modern solutions, we can offer innovative services like digital wallets and mobile banking while maintaining the reliability our customers expect.
With your responsibilities covering both cybersecurity and data privacy, how do you ensure those two areas remain aligned—especially with evolving regulations like the CPRA or GDPR?
We adopt an integrated approach to cybersecurity and data privacy. This means that our strategies for protecting data and ensuring privacy are developed in tandem. By aligning these efforts, we can address both security and privacy requirements simultaneously, reducing the risk of gaps or overlaps. Staying compliant with regulations like the CPRA and GDPR requires continuous monitoring and adaptation. We have a dedicated team that keeps abreast of regulatory changes and ensures that our policies and practices are updated accordingly. This includes conducting regular data protection impact assessments and maintaining detailed records of data processing activities.
Collaboration between our cybersecurity and privacy teams is essential. We hold regular cross-functional meetings to discuss emerging threats, regulatory updates, and best practices. This ensures that both teams are aligned and can respond quickly to any changes in the regulatory landscape. Proactive risk management is key to our approach. We continuously assess potential risks and implement measures to mitigate them before they become issues. This includes regular security audits, vulnerability assessments, and incident response planning.
What are some of the most pressing cybersecurity threats currently facing the banking sector, and how is BOK Financial adapting its defenses?
- Phishing involves cybercriminals posing as banks to steal sensitive information over the phone.
- Ransomware attacks encrypt critical banking data and demand a ransom, which can disrupt operations. We practice regularly to ensure preparedness for such incidents.
- We adapt by conducting regular risk assessments to evaluate internal controls and identify potential vulnerabilities. These assessments help prioritize security measures and ensure that defenses are aligned with current threats.
How do you approach third-party and vendor risk, especially as more financial institutions rely on cloud services and external platforms?
- We conduct thorough due diligence before onboarding any third-party vendors. This includes evaluating their security posture, financial stability, and compliance with regulatory requirements.
- Once a vendor is onboarded, continuous monitoring is essential. We regularly review their performance, security measures, and compliance status. This helps us identify and address any emerging risks promptly. Leveraging advanced monitoring solutions allows us to stay ahead of potential issues.
- Compliance with regulations like GDPR and CPRA is a top priority. We ensure that our vendors adhere to these regulations and implement necessary measures to protect customer data. Regular audits and compliance checks help us maintain high standards of data privacy and security.
Looking forward, what trends or technologies do you believe will reshape the way banks approach security and privacy over the next few years?
Artificial Intelligence, of course. I will give some examples of what I see from my chair.
- Preemptive Cyber Defense is an innovative approach that aims to anticipate, deflect, and neutralize cyber threats before they can cause harm.
- Automated deception: a proactive cybersecurity approach that involves creating a network of decoy assets and misinformation to mislead and confuse potential attackers.
- Preemptive exposure management: provides a pre-attack security strategy to continuously discover exposure points and remediate them, strengthening an organization’s security posture in advance of an attack.