Pre-event interview: Martijn Dekker

This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on May 23, 2024.

Martijn Dekker, Cyber Security 2024 Leaders in Finance Event

Jeroen: First of all, Martijn Dekker, the CISO at ABN AMRO. Thanks for taking the time to speak to Leaders in Finance in the run up to the Leaders in Finance Cyber Security Event on the 23rd of May this year.

Martijn: Happy to be here.

Jeroen: Could you please introduce yourself?

Martijn: Sure. I’m the CISO, the Chief Information Security Officer for ABN AMRO Bank. I’ve been working at the bank for over 26 years and I’m 55 years old. I am a mathematician by training and education. I have a PhD at the University of Amsterdam. I transitioned into IT, stumbled upon information security around 2005-2006 when it was an emerging topic in banks. I was attracted to its complexity and technical elements.

Jeroen: What is it that you particularly like about it?

Martijn: I like complexity. I like the technical elements of it. In those days, it was a very technical domain. That was what attracted me. At present, I still like the hardcore elements, but also the fact that the topic has become so diverse and strategic. It is very relevant and I like doing things that are really relevant. I like the topic because it involves not only technology but also strategic thinking, strategic decisions. It is also related to a lot of our human values like privacy and liberty. It is risky if you digitalize in the wrong way, if you treat data in the wrong way. It’s not only about protecting data, it’s also about providing a safe society. That’s what really motivates me. Apart from being the CISO of ABN AMRO, I am also a visiting professor, an advisor and a lecturer. I like talking and writing about the topic because I really feel that if you get it right, our digitizing societies can also be safe and a nice place to be in.

Jeroen: Makes sense. And you said it’s of strategic value. This topic matters strategically. When you started off 20 years ago, was it less of strategic value?

Martijn: I think it was. It has always been important, but not to the extent that it is now, because of the high IT intensity that we see nowadays in many companies and in societies. It has always been a very important topic, although it was not very much recognized as such, because the threat was not big in those days. We launched internet banking many years ago but the security measures those days would not be sufficient nowadays. But it was very acceptable because the threat was very different. It has grown into a strategic topic because it has become a strategic topic in most business models. Besides, the threat is now so large that if you don’t manage the threat correctly, it’s an existential problem for many organizations. So in that sense, it’s very strategic. If you get it right, it enables new business models. So it works both ways. And in that sense other CISOs and I myself had to learn to have a conversation about those things and not only about the hardcore technical things. So that kept me interested in the topic.

Jeroen: That’s interesting. I can imagine that if it becomes a pathway towards new business. It’s also a very different conversation with the leadership of the organization because you go from cost to potentially also turnover.

Martijn: Exactly. But it is always a balance. If you introduce security into customer journeys, it usually involves some friction or difficulty that a customer could encounter, typing in codes or using multi-factor authentication. And it takes a lot of creativity to come up with solutions that are both secure and provide a good customer experience. And I think that dynamic is interesting. But also my role in it is fascinating, having both of those elements. I know some CISOs only focus on securing the company, but my department asked to help digitize our customer journeys properly. The fact that I can do both is very interesting. But it’s also challenging and it takes a lot of creativity to do that.

Jeroen: I can imagine. If you look at the potential challenges that you have as a cybersecurity expert, what would you say are the biggest challenges at the moment, specifically related to financial services?

Martijn: There are many things happening at the same time, so it’s quite dynamic. But what you see mostly nowadays is the ecosystem risk. The fact that banks and financials are so interconnected in Europe, forced the whole ecosystem to become highly entangled. The fact that many things are happening so fast, like real time and instant payments, makes it difficult to respond quickly enough to a fraudulent transaction to stop the transaction or correct it. Things are really accelerating now which is also reflected in regulations coming from the European Union on financial industry, recognizing the fact that the resiliency of the financial sector is actually depending on the whole supply chain and the connectedness between them. That is also true for other sectors, but in particular the financial industry. That means that risks and threats can migrate quickly from one entity to another. And that’s very different from a few years ago. It is a big challenge at the moment because we have the simple scale of everything. We have thousands of suppliers and thousands of banks in Europe. They are all connected and communicating to each other. So the scale is also a problem.

Jeroen: And ultimately it’s about the weakest link, don’t you think?

Martijn: Exactly. So if there is a weak partner, and that also might be a non-financial institution, a cloud provider or anything else, they could be used as an entry point into our sector. And then once you’re in the sector, you can migrate to other entities. So it’s a bit like the old perimeter trust model of your data center. Once you’re in, you’re trusted. And that is no longer good enough. You need defense in depth. That’s exactly what DORA is trying to do. And all the third-party risk management guidelines make it very hard for lateral movement within the sector. But that means that you need to think about security controls that go beyond your corporate boundaries. It is necessary in the financial sector to spend some time with other CISOs and agree on process, agree on control and agree on information exchange because the controls extend beyond your corporate boundaries. This is very new and the trend that I’m seeing happening now.

Jeroen: Can you share an example of a recent cybersecurity incident that caught your attention?

Martijn: There was one particular incident. It has been published by Microsoft in the last two months where they described a breach in their own environment. I am glad that they published it. It raises concern for all of us because it basically shows that some of the attackers are targeting public infrastructures like cloud providers, which of course, we all rely on. They also found weaknesses in cloud security which is the core promise of a cloud provider, to provide secure tenants and without lateral movement. But in this case you actually saw that it was breached. That caught my attention. The fact that Microsoft is open about it is a good thing because that’s what we need. But it also shows exactly the weakness in our IT supply chain.

Jeroen: They are generally known as one of the most secure places. If an organization like that is not able to stop it, who is?

Martijn: Exactly. It raises all kinds of questions. Besides, if you look at the openness and transparency they try to provide on the internet with all the implications, organizations like ours also need to prepare. We need to be much more transparent about incidents. And how to communicate about an incident. We all have to learn how to do that. On the other hand, the very fabric of cyberspace is mostly provided by these cloud providers. It can be breached so it is vulnerable. That’s a worry and something we need to look forward to in the coming years.

Jeroen: Talking about technology in particular, could you mention something you find very promising or very concerning?

Martijn: First of all, AI, ML and other big data enable decision making technologies. It will help the defender, but it will also accelerate and enhance the possibilities of attackers. So it’s both a concern and an opportunity. It’s yet another step in the arms race. We simply have no choice but to embrace it. But in general I’m not worried about particular technologies, I’m more worried about the velocity of change with which new technologies are being introduced and adopted by large groups of people. Take for instance ChatGPT, which accumulated 100 million users in a few months, which is amazing. Velocity and complexity are the enemies of security. It is the velocity of technology change and adoption that worries me. Can we keep up with that?

Jeroen: Can regulation keep up with that? Can regulatory frameworks like DORA speed up and can they actually help, or are they just taking all your time as an institution?

Martijn: A basic problem policy makers are facing is to keep up with events because the decision making process of policy is very slow, in Europe in particular. Looking at local regulation or local law, it even takes longer which is a problem we cannot fix. I think many regulators like DORA are doing well but rather slow-going. I’ve also seen regulations finally coming into force when technology changed the world in the meantime. And then regulation fails. We have to just keep on experimenting and changing, exchanging information and learning at high speed. Don’t wait for something that is proven or understood. We should adopt technology when it’s not yet understood. And to use it as soon as you can. That would be my advice to anyone. At least spend some time in your group trying out the latest technologies.

Jeroen: Two last questions in this short pre-event interview. First of all, if you would start today, would you have 1 or 2 tips for people starting in the cybersecurity space within financial services?

Martijn: Everyone’s welcome. A particular skill set or knowledge base is required though. This topic has become so big and so diverse that the first thing would be, don’t make any assumptions and just try it out. Don’t think you can’t do it because you’re missing an education. It is important to be willing to learn the basics, learn the vocabulary, and do some studying because there is a lot of knowledge with some jargon as well. You have to familiarize yourself. So be ready to study and try several roles. You will not be a CISO immediately or a generic security specialist. Just try out different things within the teams. This is a big domain with many specialist roles. Try them out for a while. Focus on learning the fundamentals, gain hands-on experience, and continuously seek opportunities for growth. Being a lifelong learner is essential in this ever-evolving landscape.

I always ask people when they apply for roles in my team: what is your learning strategy? Do you know how you learn? And I don’t care how you learn but just be aware of what, how and make sure you do it because this field is changing very quickly.

Jeroen: I like that question a lot because most starters, or generally speaking, most people will have no answer to that directly.

Martijn: That’s also what I recognize. People do not always have an answer but it triggers them.

Jeroen: It did trigger me right away. Last question: We are very much looking forward to your contribution at the upcoming event. Is there something you would be looking for at that event? What would you normally look for if you go to an event?

Martijn: I always look for surprising new insights. I like the anecdotes that illustrate the topic for me, because if I need to tell a story about this topic, I need examples. I like to be in teams or groups with people with hands-on experience. I’m also looking for interaction, so I’m hoping for an interactive session as well. I’m going to share some new ideas I have and I’m always curious to hear from others. Really looking forward to that.

Jeroen: Wonderful. Well, we’re looking forward to having you, Martijn Dekker, the CISO at ABN AMRO Bank, for taking the time to speak to Leaders in Finance in the run up to the Leaders in Finance Cyber Security Event on the 23rd of May. Thank you so much for taking the time.

Martijn: You’re welcome.
