–> This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on 25 May 2023
Jeroen: Marco, thanks for taking the time to talk to Leaders in Finance. First of all, it would be great if you could introduce yourself.
Marco: Of course, thank you, Jeroen. My name is Marco Doeland, I’m the Team Leader Safety within the Dutch Banking Association. I am responsible for the safety and security when it comes to fraud, cyber security and anti-money laundering. And I do that all from a policy perspective. So that is my role and that is also the challenge of my role: to strive for maximum security, for the financial institutions themselves but also for the customer of these financial institutions and also for society in a broader sense. So to work with our members, large and small, and also with the government, the national cyber security centre, and the academic world on a national and international playing field, that’s one of the best positions there is – if you are interested in this topic, of course.
Jeroen: Before the Dutch Banking Association, where did you have a career?
Marco: I started as a management trainee at ING in 1994, and I had several management functions. At a certain point in time, I set up the ING security operations centre, I moved that towards ISP components from the ING side. Then I moved to Currence, the ownerof iDEAL, the Dutch ecommerce payment brand. There we had double digit growth every year, and I did a lot in making that payments team safe and secure. From that position, I moved to the Dutch Payment Association where cyber security became an important task for all the entities involved in the payment ecosystem. My current job is Head of Policy of Safety and Security within the Dutch Banking Association, as well as CISO of the Dutch Banking Association.
Jeroen: What would you say are the biggest challenges at the moment for financial institutions or banks when it comes to cyber security?
Marco: With cyber, we see a big change in the landscape, the environment. The financial ecosystem is changing very rapidly. Startups and new technologies create many new possibilities and with new possibilities comes new risks. With that, the size and the diversity of cyber threats is also rapidly growing every year. For instance, we see the threat of ransomware, we see the threat of nation state attacks and also the threat of effects to and from third parties, which are very actual and also could have a big impact on the Dutch banks. Within that world, both our customers and society demand that banks put a lot of effort in safekeeping their privacy and security. These things combined, along with the increasing regulation on cyber are putting a lot of pressure and heat into the work. As banks alone, we cannot respond to this efficiently, so we really have to work together as a sector to make this happen in the Netherlands. It’s our ambition to become the most digitally resilient financial sector in Europe.
Jeroen: Right, that’s a good ambition. If we take it one level up, from financial institutions to society at large, what would you see as the biggest challenge related to cyber security?
Marco: I am also chairman of the VNO-NCW committee for vital sectors. There, we see a lot of cyber threats also when it comes to infrastructure, to energy, to transport, to hospitals. Moreover, society is growing more and more dependent on the digital availability of services. So there is no going back anymore. We are completely dependent on a digital world and a digital uptime and digital security. Whether that is on banking, or on savings or transport or payments or energy: without a safe and secure digital ecosystem, we can have a major crisis within a few hours.
Jeroen: Yes, that makes sense. It doesn’t make me happy, but it makes sense. In terms of technology, a lot of people talk about technology as a threat and technology as an opportunity. How do you look at that? What do you see as threats and as opportunities, related to tech and cyber?
Marco: We see some threats, for instance Artificial Intelligence, but also on deepfake. That is more of a fraud problem. A specific topic I would like to mention is the quantum computer, which is upcoming. We do have a digital resilience program for it, but it is also a big promise in the future.
Jeroen: What exactly is the threat there?
Marco: The threat of the quantum computer for financial institutions is that the current security of transactions is no longer guaranteed. Today, we have secure connections for safe payments transactions, but the quantum computer can break those within seconds. So we really have to change that to other, quantum ready, cryptographic standards.
Jeroen: Right. You mentioned AI earlier, is that also a solution to things, or mainly a threat?
Marco: I’m a risk manager, I’m a CISO, so…
Jeroen: You see threats.
Marco: Yes, I focus on the threats – there are a lot of business people who are focusing on the opportunities. But from my side, I’m always focusing on the threat, in the same way as I do with the quantum computer. When it comes to AI social engineering is a threat, but what we really see is that also the faster explorations of vulnerabilities within systems and software, the so-called zero-day vulnerabilities, poses a threat. These are exploited very quickly, which can lead to quite disastrous situations. So I would not say that there is one specific technology which is a threat. The threat lies in the fact that the whole ecosystem is going digital. Everyone has a mobile-first or a mobile-only strategy. And to keep that safe and secure in this changing world, that really is a big challenge.
Jeroen: Let’s end this short interview on a positive note. If you were to start today or if someone else would start working in the cyber security field today, what would you have as a tip for them?
Marco: In cyber security, it is my experience that you truly cannot do it alone. So you must really work together, you have to be open, you have to create trust and to be able to gain that trust from another party. Besides that, I would advise to quickly get on speaking terms with the people who are already working in the sector: you have to make sure that you know your basics. So for instance, familiarizing yourself with all the topics within the CISSP would be a good start. But on top of that technical level, it’s very important that you are cooperative, that you don’t have a big ego, and that you are open and flexible. Because this is a world in which you could be surprised quickly. And you must be able to deal with that.
Jeroen: That’s a great answer! It encompasses a lot, that’s great. Lastly I would like to ask you: you are taking part in the Leaders in Finance cyber security event, are you looking forward to that?
Marco: Of course! Though that is a suggestive question. But it’s always good to be with the people involved, to have a day in which we can learn from each other, in which we can discuss the new threats that are coming up, but also to ensure that our network is as good as it can be. Because only with good relations on an operational, technical, but also on a strategic level, we will be able to manage this big challenge.
Jeroen: Wonderful. Marco, thank you so much for your time and we’re looking forward to have you at the event.
Marco: Yes, I’m really looking forward to it and thank you, Jeroen.
–> This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on 25 May 2023