Extra episode: reflections on the Leaders in Finance Cyber Security event 2024 with Sherelle Farrington, Richard Cassidy, Irfaan Santoe, Rudrani Djwalapersad and Irene Rompa (transcript)

[Voice-over]

This is Leaders in Finance, a podcast where we find out more about the people behind a successful career. We speak with the leaders of today and tomorrow to discuss their motivations, their organizations and their personal lives. Why?

Because the financial sector could use a little more honest conversation. We’d like to thank our partners for their ongoing support. They are EY, MeDirect, RiskQuest, Kayak and Roland Berger.

Your host is Jeroen Broekema.

[Jeroen Broekema]

Welcome to an extra episode of Leaders in Finance. Today, live from the Leaders in Finance Cyber Security Event 2024 here in Soesterberg. We just got out of the event and I’m here with a number of people that joined the event as speakers, as well as the moderator, who is here as well.

And I’m very much looking forward to reflecting with you for about 20, maybe 30 minutes on the event and thinking and learning about what you think was great today and the insights you got out of it. So a very warm welcome, first of all, to Sherelle Farrington, Rudrani Djwalapersad, Richard Cassidy and Irene Rompa as well as Irfaan Santoe. Thanks for joining me and a very, very quick round of introductions before I pose some questions to you.

So first, the moderator of today, Irene.

[Irene Rompa]

Hi, my name is Irene and I am a psychologist, also a mediator and a moderator, mostly of technology events.

[Irfaan Santoe]

Irfaan. Irfaan Santoe, I am a security executive and former CISO of a company and also the OWASP Netherlands Chapter Lead.

[Sherelle Farrington]

Sherelle Farrington, I am a cybersecurity solutions leader at Fortinet at the moment, a longtime hacker and cybersecurity strategist.

[Rudrani Djwalapersad]

Rudrani Djwalapersad, I lead our cyber privacy practice for EY, focused on the financial sector.

[Richard Cassidy]

Richard Cassidy, I started out studying psychology, actually, but ended up as a field CISO.

[Jeroen Broekema]

Wonderful, great to have you. And first of all, Irene, you were the moderator of the day. You did really great preparations to get this all together.

And I’m just curious, did you learn a lot?

[Irene Rompa]

I did learn a lot. Yes, I am not a cybersecurity expert, but I did pick up on some new jargon. And yeah, I definitely learned things.

[Jeroen Broekema]

Wonderful. And is there something that comes to mind, what you will definitely not forget from today?

[Irene Rompa]

I, well, speaking about psychology, I really, really enjoyed the keynote by Colonel dr. drs. Leonie Boskeljon-Horst, who is also a psychologist and who spoke about how deviating from the rules can actually lead to creativity. I think she called it human ingenuity. I thought it was a very, very interesting and moving talk.

So I’m going to be thinking about that a lot more in the future.

[Jeroen Broekema]

Yeah. Sherelle, what was the part you were active in today?

[Sherelle Farrington]

I actually had the pleasure of being with some of my colleagues here on the panel and discussing some of the things that we’re seeing at a more global basis from a cybersecurity perspective.

[Jeroen Broekema]

Right. What was one of the key takeaways for you, either from today or from that particular panel?

[Sherelle Farrington]

My overview actually from today was really, I was impressed by how far ahead the Netherlands is actually in terms of cybersecurity. In fact, Tim was talking about the TIBER-NL and the ART DNB framework that they’re using. And that actually originated in the Netherlands and that’s now being adopted at the EU level.

And that’s something I wasn’t aware of. So very interesting to learn.

[Jeroen Broekema]

You’re referring to Tim from the Dutch Central Bank, right?

[Sherelle Farrington]

Exactly.

[Jeroen Broekema]

So what is a key takeaway for you from today, Rudrani? What would you, I mean, there are many things, but what comes to mind?

[Rudrani Djwalapersad]

Now, so one of the key takeaways is that everybody’s a bit in the same boat. So if you heard that there was a lot of consistency in what are the threats, what are we doing, what are the similar approaches? And it just asks for more collaboration together.

So I think having more means to share. You see that some companies already really reach out to each other, talk to each other on a weekly basis, but that’s still a smaller scope of financial services. So there’s a lot of opportunity to connect more with each other and really work more closely with each other.

[Jeroen Broekema]

Is it happening in your view already a lot or, you know, you’re asking for more collaboration, but is it already happening?

[Rudrani Djwalapersad]

It’s happening, but not sufficiently. So therefore you have the two buzzwords at this moment, which are really there to help accelerate more collaboration, which is needed if you look into the threats that we are facing.

[Jeroen Broekema]

And for you, Richard, same question. What is a key takeaway for you?

[Richard Cassidy]

What I found probably most interesting was the speech of Marco Zannoni. What was interesting is that the panel that we were on was all about compliance regulations as an intrinsic factor of the business, something you have to do internally, but what Marco brought to the table was that there’s actually a much wider thing going on within government and country and also inter-country and multi-agency that you should really consider as part of a strategy around resilience. So I thought that definitely brought a little bit of a wider remit, making people think about the problem end to end.

So that was for me, one of the good takeaways.

[Jeroen Broekema]

Right. And for you, Irfaan?

[Irfaan Santoe]

Yeah, first of all, thank you so much, Sherelle, for the compliment that you see that the Netherlands is further along in the maturity of cybersecurity than you initially thought; I think we’re doing good. The interesting part for me is, you know, CISOs in general are very risk-averse.

They have a risk-averse profile. And we had two CISOs today, of the largest banks in the Netherlands, saying, hey, we need to actually take, not take more risk, but embrace changes and see how we navigate the risk towards that. That was one of the talks from the CISO of Rabobank, of course, talking about AI and the threats that AI brings, but then embrace that and use that as opportunities.

And the other was Martijn Dekker really saying, you know, we need to be able to say no more of these sort of controls because it’s bad for the overall survivability of the organization. So I like that, that was also for me emphasized that as CISOs, we are also, I’m not saying that we’re not controlling, but we’re also starting to understand that it’s also about the business and the livability of the organizations themselves, and we’re speaking that out.

[Jeroen Broekema]

Yeah, that makes sense. And you were the one asking a couple of questions, did some Q&A with Martijn Dekker, who is the CISO at ABN AMRO. He gave quite a long speech and I’m not going to ask you to summarize all of it, but what were key takeaways from his speech?

Because that was the last thing we heard today.

[Irfaan Santoe]

If I have to boil down the whole keynote in a bit, it boils down to the following. So with everything that’s happening, you will see that CISOs will get more responsibility and what he’s saying, the vision he has or the statement he’s making, we need to be very responsible with that power that will come towards us as CISOs, because regulation is putting more pressures on the managing boards, therefore, naturally, they will put more pressure on getting more controls in place because they don’t want to feel liable of if things happen, then they need to be able to explain that they did their best. So the takeaway for me from Martijn’s talk was really with great powers, the CISO getting more power, you will also need more responsibility.

You need to go about it more responsibly as well. And nobody else within the organization will play that role of preventing over-controlling within the organization. The CISO will have to play that role.

And how to do that, there was no clear cut answer to that. It’s an appeal that has been made to the community to come up with what he says, a belief system, because then it will not be one CISO just saying it to the managing board and then being the odd CISO saying that we need to have lesser control or better controls, but it will be the community of CISOs saying that. And for me, that was the punchline of what Martijn’s talk was about.

[Jeroen Broekema]

You guys agree or different views?

[Richard Cassidy]

Yeah, I’d like to add to that because he raised a point that I don’t think the industry is thinking about enough, which is the lowest, the low in the price point of complexity. And, you know, there’s always an age old issue in the industries in there. You buy a hundred percent of the tools, as he mentioned, and you use very small subset of the features.

And so I think what he’s positioned there is a longer term view in terms of cybersecurity strategy that we need to adopt in the CISO ecosystem and world, as opposed to the kind of three-year, five-year life cycles that we’re thinking at the moment. So it was a really, really interesting shift. And the whole term around cyber sentience, I mean, I’d never heard that before.

And I think that’s absolutely the right way to think about it because, you know, things have limited shelf life and complexity can be seen too short term. Let’s think about the longer term visions. That was a really good takeaway.

[Sherelle Farrington]

I actually was really interested to hear about the complexity because in actual fact, it’s something that we hear all the time. In fact, we actually had an annual event, which is based on managing complexity and how do we address that. And I think the other thing that I actually really took away from Martijn’s was waste.

And again, that was, that’s not necessarily for technology. This is about how do I spend effectively? And that’s, again, something that we’re really focused on.

So we tend to think of cybersecurity primarily from a technology, which I love, as you know, but it’s also about how do I spend that budget effectively? And what we’re seeing is actually being, we’re putting in place some programs whereby rather than having to sign up for a three year, five year term on what you think you need for the next three, five years, it’s just basically saying, you know, I don’t know. So what I’m going to do is I’m going to plan my budget, but then have the ability throughout the course of that three, five years to say, give the teams the ability to say, well, this is what I need now.

And then be able to actually roll that out and consume that on an ad hoc basis so that you spend your budget and get as much as possible out of that budget, but with the greatest agility.

[Rudrani Djwalapersad]

Yes. I think what you mentioned there, Irfaan, also Martijn in his role saying, and CISOs being less risk-averse. So that shift is really important.

I see that happening as well. But what is key for that is the collaboration with risk and audit. Because as CISO, you can say, okay, I’m gonna be and have less controls, which, and then risk and audit will come and say, this is not really showing compliance or a feel, and there we see happening slowly with some financials.

I see it a bit more in the US, UK, Netherlands now getting more is a bit of a paradigm shift on how IT risk measures and metrics are changing up to help, because what you always see happening is there’s a compliance focus, DORA comes in, other regulations, let’s build another control, another control. And once that fits all approach in new worlds, AI, new technology is not working. So CISO needs to, in that sense, partner up much more with those functions as well, because it’s all about trust.

And if you’re able to explain and have a culture, so it’s also very soft, it’s the culture element where sometimes less attention is being played. It’s the technology, it’s the controls. But in the end, as CISO sets up the guidance, the people actually in the first line, they’re the one that needs to do it.

So the culture element, so I think the human factor, collaboration between first, second and third line and the role of CISO is key in this, what we call paradigm shift.

[Voice-over]

You’re listening to Leaders in Finance with Jeroen Broekema.

[Jeroen Broekema]

A lot of talk today was obviously, I would say, obviously about AI, right? Because this comes back all the time, but maybe you guys can help me a little bit because I was somewhat confused, like what to make of this, right? After having heard many people talking about AI on different levels, what are some key takeaways here on AI?

Because I’m not sure anymore, although almost the entire room of participants was quite optimistic, seemed to be quite optimistic about it when there was a question at some point, I’m not so sure because when I spoke with people during lunch, people were much more afraid than they were as a group. So maybe you guys can help me a bit. Where is AI here on the threat spectrum, but maybe also on the defence spectrum?

[Irfaan Santoe]

What I actually read from the room is everybody is excited about it because anyway, there are multiple applications on AI which have seen and shown value and utility in the world now. So we’re believing in it, but I couldn’t hear any real practical success stories today. And that was mentioned also by you, Rudrani.

It’s like we’re doing it, we’re investing in it, but it’s not there yet. And we cannot show that. I really loved what the CISO of Rabobank showed, right?

Or at least explained that they did a pilot with Copilot and they clearly defined why they wanted to do that pilot. What were the success criteria? And they concluded we’re not there yet.

So I think for me, that is the takeaway that we are not there yet with AI for cybersecurity to enable that, right? I’m not talking about defending the AI risk that exists because that’s a fact. We are struggling with that and it is on the attention of most of the CISOs.

But harvesting the power of AI for the security benefits, we’re not there yet. But the only way to get there is by investing. And I do think we’re in agreement with each other on that one.

[Richard Cassidy]

Yeah, I agree. I think what she did in her session was show a framework that we can start and one that she put into practice, because I think a lot of organizations don’t really know how to tackle, does AI work for me in the way I want it to work? And I think that’s the big challenge.

And I love the way she framed her journey and her process and the way she’s going to reiterate that and learn from it. I definitely felt there was a consensus that people feel the need to adopt AI at some level. And I think, you know, we definitely landed lots in the security operations center.

And I gave some examples myself of where AI has been used in regulation to help kind of keep ahead of the regulators asking the million and one questions they’re going to ask the organizations. I would agree, we’re in our infancy here and there’s a lot of work to do, but it’s great to see banks of the ilk of ABN AMRO taking that step to show us how the process should look. And I think some regulators should take note of what she’s been speaking about.

I think it’s really good thought leadership.

[Sherelle Farrington]

I actually kind of disagree with you, I’m afraid, because we’re actually already seeing some advances in terms of the, well, AI has been in cyber security for a long time, right. But the Gen AI, I’m actually having that on the front end. But I think the point was that it needs to be used and framed in the right context.

So the objective, the scenario that Corence presented was about using it to upskill junior analysts, which didn’t work. And hats off to her really for sharing that with us. I think that’s really important.

What we’re doing is actually targeting the high value analysts, because those are the ones that cost a lot of money. They’re hard to keep. They very quickly get burnt out.

So how do we protect them? And that’s where we’re using the targeting of the Gen AI on the front end to actually help those guys actually more quickly and effectively use their time and their valuable insights to actually steer us in terms of addressing threats quicker.

[Rudrani Djwalapersad]

Yeah, so to come back to your question, right, on AI opportunity threats, I personally see it as an opportunity because AI, these technologies are there to, from a business point of view, help, but with associated risks. And it’s a global experiment. I think what Sherelle mentioned, AI machine learning in cyber is not something new, maybe not fully adopted.

But what I personally like about it is that it accelerates transformation. So normally with new technology adoption, you have some time as an organization because it’s out there, you have time to implement, security can look at it, etc. This time around, actually, your employees already had access to it.

So what it actually helped, and I think it’s going to help the CISO function, is to get a better place in the value chain, be a trusted partner. So it’s because you have all of these growing pains out of comfort zone, experience, and everybody needs to figure things out. So how you now go to the AI journey, next year there will be other, there will be quantum, there will be all of these things.

And then you already have set up an organization where you’re much quicker to adapt towards it and mitigate your risks. So I personally see, although it’s maybe a bit painful at this moment, because you don’t know, it’s AI shadow you would have, you have not awful oversight, but it really helps all of the CISOs, but also the organizations. I see AI risk, CROs, building frameworks around it.

If they have done it and they know now they cannot take a year to get it done, but two months or three months, it really sets themselves up for being able to adapt to new technologies better in the future. So I’m personally quite positive about it from a transformation point of view, but of course the risk angle and threat angle really need attention on that aspect.

[Sherelle Farrington]

If I may. So I think going back to your original question, Jeroen, which was about, you know, the risk, we’re used to, I think, to some extent to dealing with the innovation in the threat community. And the reality is that we know that they will adopt the Gen AI the same as they’ve adopted every other technology that we’ve come up with.

And so this is where that’s only going to make our jobs more difficult. That’s a fact. But I think the reality is that a lot of the people, at least in the room, were very much about, this is something that we’re used to dealing with.

It’s a new way of them innovating, but it’s the same thing as we’ve had to do previously, and we actually constantly have to innovate and adapt to that.

[Jeroen Broekema]

Last thing from my side is a question that is very helpful for myself. Is there something or someone, you know, something, I mean, a topic or a subtopic or someone you think will be really good to have at the Leaders in Finance Cybersecurity event next year, right? It could be anything.

I’m just curious to learn.

[Irfaan Santoe]

The next level I would say for this event, Jeroen, is it would be great to also have CIOs, CTOs participate in the conversation because ultimately, you know, as CISOs, we’re helping them. And they are probably the most important stakeholder, and if needed, really also the CFO, right? So I think having them be part of the conversation will enhance the insights we’re getting out of it and cross-stimulate conversations a little bit with other industries next to the public sector.

But that’s my take.

[Jeroen Broekema]

No, very good one.

[Rudrani Djwalapersad]

Yes, I agree. More executives on the stage, and the other party to have next year would be the oversight authority from the Dutch government, for NIS2. So they will have the Minister van Justitie, so the Secretary of the Department of Justice, who will be now, in the draft, the main party responsible to own NIS2.

So it would be really, I think, interesting to get those responsible in government into the session because NIS2, for some, will of course be applicable. So next to the executives, I think having the oversight authority from the Dutch government perspective here would be really great.

[Richard Cassidy]

Yes. So, I mean, look, the psychology team is going to say, I really like the human factors discussion. What I was really hoping for, and I think we should include next year, is the cybersecurity version of that.

You know, because it’s great to talk about rules and then ingenuity as a capability to think outside the box. It’d be good to have some examples of, you know, and we’re talking about complexity becoming at a lower price point. So we’re going to be dealing with more data in the next 12 months.

That’s an inevitability. So let’s talk about how that’s going to affect human factors in a cybersecurity world. What does that mean?

How can we better build processes? You know, and human factors has loads of models, Shell model, Borden’s model of reflection, and so on and so forth. I do think there’s a lot of crossover and connection with the standard human factors models back into cybersecurity.

And I think we all talk about the culture, right? It’s a culture of making sure we manage risk. Let’s bring the human factors into that and how we can promote that change.

So that’d be a great topic for next year to elaborate on.

[Jeroen Broekema]

Wonderful.

[Sherelle Farrington]

Continuing on the theme of the human factor, but actually from a different angle, you know, how do we look after these cybersecurity professionals that we have that are so precious and so hard to come by? I think there’s a lot of interest from the people I spoke with about how do we engage them? How do we enable them?

How do we increase the number of people coming into the field? I think that would be an interesting one, just from that perspective. And then, in fact, going back to Martijn’s call to action, I think there’s all, I feel as though there’s actually a desire and an energy to actually come together and create something.

So maybe we find a topic or a challenge or an idea that Martijn might have for next time and actually do a working group and actually have people contribute to something that’s actually an outcome that they can feel really take away and be part of.

[Jeroen Broekema]

So when you’re listening to this podcast, you may be in a very different environment than we are, but we are, you know, between the event and the drinks. So that’s setting the scene for the last two things. First of all, was there something today that you found very funny?

Again, this is on a, you know, in a setting where we’re going to the drinks, so I want to stress that fact. But was there something you found funny or something that will stick with you for other reasons than just content? Is there anyone that has something here?

Richard?

[Richard Cassidy]

I had no idea octopuses had such a small lifespan and that their genetics meant that they essentially disintegrate. That is something I’ll never forget.

[Jeroen Broekema]

That’s what Martijn shared with us, right? So they build a very, very complex system in their body within a very short timespan and just, you know, die and fall apart, right?

[Richard Cassidy]

Yeah, yeah. And they drew analogies to cybersecurity around that, which was even more impressive.

[Jeroen Broekema]

Fair enough. Yes. Something else to add here?

[Sherelle Farrington]

I haven’t done entropy for so long. And again, coming back to Martijn, just, you know, remembering those physics days and the external forces. But I think also, since we are going for drinks, you know, I’d never seen cybersecurity thought of in terms of waste management.

So I think I should definitely be thinking about that differently moving forward.

[Irfaan Santoe]

Maybe not per se funny, but I do want to give a compliment because I’ve been active in the cybersecurity, information security community in the Netherlands for the last five years, 10 years. I mean, longer in my career, but I’ve not had an event, public event like this where all the big CISOs or the financials were there sharing the platform, sharing insights, inspiring people. For me, that was unique.

And I wanted to share that as a compliment.

[Jeroen Broekema]

I did ask for something funny and I’m getting a compliment, but thank you. Thank you, Irfaan. It’s much appreciated.

Something else?

[Rudrani Djwalapersad]

So Irfaan and I did not talk about this beforehand, but for me, what I liked indeed, as Irfaan mentioned, is that you don’t get the opportunity, or at least I had the opportunity, to moderate the CISOs. I was happy that Beate in the end joined. I had four.

It’s not a day-to-day thing you do. And that is really amazing to have them on the panel, had three amazing presentations by them. So yeah, that’s something for me, what Irfaan mentioned.

It’s a great takeaway. So I learned a lot.

[Irene Rompa]

And you did really well Rudrani. And Irfaan as well.

[Jeroen Broekema]

Did I ask for a round of compliments?

[Irene Rompa]

Yeah, as always.

[Jeroen Broekema]

Did I ask for something funny?

[Irene Rompa]

We’re not following the rules.

[Sherelle Farrington]

It tends to how great the atmosphere was today.

[Jeroen Broekema]

That’s good, Irene. You’re a part of that.

[Sherelle Farrington]

If I may just, I think the participation from the audience was really good. The roundtable I was on actually was really interactive. There was a lot of different personas from different elements of the financial sector.

And it was really good. They were very open about sharing their different views. And I think there was a lot to learn from each other within that and sharing.

So that was actually really valuable. And we had a really good time as well.

[Irene Rompa]

All this to say to all the listeners, please join the next Leaders in Finance event.

[Jeroen Broekema]

I’m definitely not going to say that, but you’re welcome to join, obviously. Well, I think I draw to a close here because it’s a precious time for you as well as for myself between the end of the event and the drinks. Irene Rompa, Sherelle Farrington, Rudrani Djwalapersad, Richard Cassidy and Irfaan Santoe, thanks a lot for taking the time to talk to Leaders in Finance.

And listeners, thank you very much for listening to this short but sweet podcast where we reflected on the Leaders in Finance Cyber Security event here in Soesterberg. Thank you so much for listening.

[Voice-over]

You’ve been listening to Leaders in Finance. We hope you’ve enjoyed the episode and would love to hear from you. What’s on your mind?

Who would you like to hear next? Tell us in an Apple or Google review, via email or our social media channels. We’d greatly appreciate it.

Finally, we’d like to thank our partners for their ongoing support. They are EY, MeDirect, RiskQuest, Kayak and Roland Berger. Thank you for listening.
