–> This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on 25 May 2023
Jeroen: Thanks, Rob, for taking the time to talk to Leaders in Finance. First of all, could you introduce yourself?
Rob: Yes, sure. My name is Rob, I am a passionate Information Security Manager. I have been working in this field for over twenty years, going from junior to senior level roles. I have worked as a CISO in multiple companies in the financial sector. Currently, I am Security Manager for ABN AMRO bank in the Netherlands, managing a larger team of security professionals.
Jeroen: As you just alluded to, you have been in this field for a while. What makes it so interesting to you?
Rob: What makes it interesting is also what I like most about the job: that it is a very wide and complex field to work in. There are two parts to that. Content-wise I like the fact that it ranges from very technical aspects across all technologies to more functional challenges, including risk management, governance and reporting. Organizationally, it stretches from the work floor to the executive board, and in my situation including supervisory boards and regulators. It is my job to be able to operate on all those levels. So there many different facets to this line of work, and I see myself as the go-between between the different functions that form a part of the cyber security puzzle. It is a big puzzle and a lot of people struggle to oversee the complete picture of it. That is what I enjoy: trying to make these complex things simple.
Jeroen: Great. So these are two major things, from what I hear. One is the fact that you work both with the top of the organization as well as everyone else that works there. And secondly, there is the complexity of it.
Rob: Yes, exactly. And being able to translate this complexity to simple things, to enable my colleagues to do the right thing and to make the right decisions.
Jeroen: Right. That is a great segue to the next question: I would like you to talk about the challenges for financial institutions with regards to cyber security, in simple terms.
Rob: At the moment we are in a kind of “devil’s triangle”, that you might know of. The impossible combination, or the impossible decision to make, is that the financial services market is still in a state where we have to become more efficient, so basically cheaper. But we also have a lot of legacy technology that has been in the market for 30, 40 or 60 years. And we operate in a quickly digitizing market. So we have to do many new tech investments, with limited funds, while also maintaining the old tech. How do we keep that all in check and secure? Because that is my objective, of course: to make everything secure, both the old and the new. That is a major challenge.
Jeroen: Yes, that sounds like it. I think this goes for almost every organization that has been around for a while, right?
Rob: Yes, but the technological complexity in a bank is clearly above average. Most companies are technologically less complex than banks. That is one differentiator, though not the only one. Besides that, of course the financial sector is regulated, and that means that new demands tend to be put more quickly on organizations within sector. So that means that they typically have less time to align.
Jeroen: Right, that makes total sense. If we go from the financial institutions level one level up, to society, what would you say is the biggest threat or concern that we should be worried about?
Rob: Once again, I see two opposite movements that strengthen each other. Society is becoming heavily reliant on digital services, digital products. That has been the case for a decade or more, but our dependency on organizations delivering digital services is still heavily increasing. On the other hand, many of these organizations still lack the knowledge, discipline or attitude to make these digital services secure. Of course, this is not good news from a consumer perspective.
Jeroen: Right. And the actual threat?
Rob: The threat is that if there is an area that offers a big gain and a relatively low risk, people will jump in it. And in this digital space where you can attack from afar and where the digital footprint is growing, more and more digital services are in place and security is not always on par. So logic dictates that more incidents will happen. And that is what we see every day in the news.
Jeroen: Do you have an example of a particular threat to society that you are concerned about?
Rob: A lot of people are concerned about privacy. We see attacks where data is stolen, where people are being ransomed and their data is put out there. Professionally, that is one of my biggest concerns. Personally, I am not overly concerned with that, because as a person I don’t have a lot of data that I think would really hurt me. Personally, I am more concerned about the availability of critical services. I think we underestimate how dependent we are on logistics, on finance, and what the consequences can be if we have a big cyber meltdown and the supermarket is not stocked for three days. So my biggest concern is the availability of important value chains.
Jeroen: Well put. In terms of technology, where do you see technology play an important role as a threat and where do you instead see it as an opportunity to secure ourselves?
Rob: The easy answer is that every tool can be used for good and bad, however powerful the technology. I do not want to talk too much about AI and machine learning. I think there is already a lot of attention for that, and rightfully so. But another concern I have is something we talk about less, and that is IT architecture. If you make something simple, it is also easy to protect. If you make something complex, it is the opposite. That is true for about everything in the world and I think most organizations are not good enough at creating and keeping simple digital eco-systems. Especially now that organizations are using third-party services more and more. I also see that in my day-to-day job: often people choose speed or budget over simplicity.
Jeroen: Is that because we are too ambitious?
Rob: Yes I think so, typically, and because we think the short term is more important than the long term. So something may be a quick win, rather than the right way to do it. I think that characterises human behaviour. In some cases it is probably still the best choice, but the long-term effects also exist. Reducing complexity is one of the best security measures you can get.
Jeroen: Absolutely. It is also a clear line of thought in this very short interview: you like to make things simple, because you think this leads to the most secure outcome. If you would talk to a starter in the cyber security field, maybe particularly in the financial services, do you have any tips for them on what to do or what not to do?
Rob: I am a bit hesitant on which answer to give, because I see two types of cyber security colleagues. There is the hardcore specialist, who wants to dig deep in certain, often technical topics. And there is the generalist, who tries to see different views and keep an overview. In both cases, you should of course go all in and be enthusiastic and learn as much as you can. But I would advise people to just put their legs on their desk every week or every month, lean back, turn on the radio and think a little bit about, “What am I actually doing? How is this contributing? Is it the right thing?” I see too many people these days who work very hard, but who have stopped reflecting. I think that is the best advice I could give, also to maintain a good work-life-balance: it is also important to just turn on the radio sometimes, and really think about, “Am I effective? Did it make sense at all to push 40 hours this week to get whatever project to the next level? Or was I just doing something that somebody else told me?”
Jeroen: Right, that is great. Thank you so much for taking the time and we are very much looking forward to have you as an active participant at the event next month. So thank you so much!
Rob: You are welcome!
–> This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on 25 May 2023