Sibos 2020: Bringing cybersecurity to masses – does the answer lie in new tech?

Heather McKenzie: Hello and welcome to this cyber session, "Bringing cybersecurity to the masses: does the answer lie in new tech?" My name is Heather McKenzie and I'm a freelance writer, and I've attended and reported on Sibos since 1992, when it was back in Brussels. It was a much smaller event and cybersecurity wasn't on the agenda; it was much simpler times. But in our complex here and now we have what I think is a really interesting group of people on our panel to discuss our topic, and I'm going to introduce them.

I'll start with Sharon Barber, who is Chief Security Officer at Lloyds Banking Group. Sharon oversees and coordinates all security activities at what is the UK's largest digital bank, with 30 million customers to protect. Sharon's department brings together governance, assurance, monitoring and incident management into a single function.

We have Johan Gerber, who is Executive Vice President of Security and Cyber Innovation at Mastercard, where he oversees product strategies for cybersecurity, financial crime, consumer online credential management and dispute resolution. He's head of Mastercard's security standards group and he participates in several payment industry forums, where you might have seen him. Before all this he was a member of the South African Police Service, and he specialised in organised crime investigations and internal investigations of financial crimes.

We have Lisa Lee, who is Chief Security Advisor at Microsoft. She's a global lead for security, compliance and identity in the business development group at Microsoft, and she's also a former bank regulator.

And finally we have William Hoffman, who is Chief Information Security Officer for UK and Ireland at Deutsche Bank. William heads the governance and control function for the bank's chief security office globally. He's previously been regional CISO for EMEA, global chief operating officer for the CISO, and has led the information security strategy, portfolio and governance functions. He has quite extensive experience across the bank in various roles in transaction banking, and I also noticed on his CV that he studied agricultural economics at the University of Melbourne, which is intriguing but not our topic for today. But if you can get agricultural economics into our discussion, William, we'll all be very impressed, I think.

So our discussion is about cybersecurity and bringing it to the masses. Of course we know that the coronavirus pandemic has accelerated the adoption of e-commerce, and the Bank for International Settlements, in a recent bulletin, pointed out that the lockdowns have led to a surge in online demand for many goods and services, and that the online share of retail sales in China, Germany, the UK and the US has risen by between four and seven percentage points. So many organisations, particularly smaller businesses, have had to adapt to the new world and go online, and that's exposed these companies and their customers, and also their banks, to heightened cyber risk. The Financial Stability Board in April 2020 released a consultative document in which it describes cyber incidents as a threat to the stability of the global financial system, and a major cyber incident, they warn, if it wasn't properly contained, could seriously disrupt financial systems, including critical financial infrastructure, which would lead to broader financial stability implications. So cybersecurity is a very important topic, obviously.

Now, the first question I have is for our two bankers, William and Sharon. I'm thinking that, given the interconnectedness of transaction banking, an organisation's cybersecurity measures will only be as strong as the weakest link. So does that mean that cybersecurity should be viewed as a collective responsibility? So maybe, Sharon, if you'd like to start.

Sharon Barber: Thanks, Heather. So I think, as security professionals, we know the first part of that question is certainly true, and weak points have been exploited many times. You just have to look at incidents like the Bangladesh Bank heist, WannaCry, many examples since then. So definitely a true point there. From a collective responsibility, if there was a significant incident then the NCSC would lead that. However, how do we be proactive so that we're able to prevent that in the first place? And I think that's the bit that's the broader responsibility that we have to take, and that's on all of us, all of our businesses, to educate our staff and customers and make that a societal responsibility.

I think, when we think about that, security shouldn't be seen as competitive. We need to work together in the broader UK to make sure that it's for the better good, and today we do share a significant amount of intelligence and technical data with industry forums. Many of us have active security campaigns, we have cyber academies and online learning, and all of those things are really important for us to make sure that as organisations we learn ourselves. But the collective bit is we've got to share that with our customers, our clients and also our suppliers, so that we can learn together and learn from each other. I think that's really important. And there's other ways that we can help collectively, which is around mentoring, both internally and externally. Again, they're great things that we all need to step into, particularly when we have the resources to do that.

And if we think more broadly, when we think more forward, as we move to public cloud, many of us are looking at that move: how do we move there safely? It becomes even more important, and I think a compromise of public cloud, as we all know, could lead to a challenge for many people. So I think that's even more important for us to look at. So standardisation in the cloud is pretty critical, and how we move that forward. So I think it brings us many opportunities, because it's highly configurable, but many challenges, because it's highly complex as well. And so again, as we move forward, there are the things we could do in the past, but we also need to think about how do we do that to set standards going forward. How do we, the big tech companies, drive those standards and actually be able to share best practices, so it isn't easy for organisations and individuals to be compromised? So I think there's a lot we can do, there's a lot we do do, and I think there's still more collectively we have to do.

Heather McKenzie: Yeah, there's a lot of interesting points you bring up there. William, what are your thoughts on this idea of a collective?

William Hoffman: I mean, absolutely, cyber is definitely a collective responsibility. We look at it as a team sport, right? We don't compete with other organisations when it comes to cyber. We speak to our peers at all the other large financial institutions. Sharon and I work together on a number of industry groups in the UK specifically on sharing best practice, sharing information on emerging threats, what are some of the things that we've seen that can help protect other organisations, and it's very important that we take that responsibility seriously. We have learned through real-life incidents that the interconnectivity between the financial organisations, and indeed the entire supply chain, whether that is technology organisations, whether that's our clients, whether that's outsourced providers or otherwise, demonstrates that any incident that impacts one aspect of that supply chain has the potential to be very contagious into other organisations. Over the past couple of months, although not targeted at financial services, we've been watching what's been happening with the SolarWinds campaign, which clearly demonstrates the importance of ensuring the integrity of that full supply chain. So yes, we do work together on this. It's important that we continue to do so, it's important that we share information, and it's important that we avoid any sort of polarisation in terms of the skills and capabilities that organisations have to protect themselves.

Heather McKenzie: You both mentioned the sharing of information between banks. Is that on a sort of informal basis, or is it formal? Are there formal mechanisms for that? And is it something that could become a sort of utility-type arrangement, or is it good enough to be an informal set-up?

William Hoffman: So it's actually both. I think there are definitely formal arrangements for sharing information. In fact, SWIFT provides an excellent information-sharing platform. There are other industry groups, whether it's FS-ISAC or others, that enable that. All of us also maintain our networks of contacts, and if we see something that specifically targets another organisation, we'll always pick up the phone and make sure that our peers are aware of what we're seeing.

Sharon Barber: Sorry, I would totally agree with that. We have lots of formal and informal sharing. I mean, Bill and I were on a call just this week looking at what we can do, particularly on third parties and cloud. So it's really, really important. But you touched on your utility model. I do think your point on a utility model is an important one. There is an industry group called the Operational Resilience Collaboration Group, and they're currently looking at this, actually, particularly around third parties and how we do assurance models going forward, and I think that is something that we all need to support and get behind. I think it'll be better for us, it'll be better for the industry, because we'll make it a safer industry. We'll make it easier for the smaller organisations, but also make it easier for the third parties, because they'll only have one assurance happen to them instead of hundreds. So I think, as a whole, utility really has a place and it's an area that definitely needs progressing. And it is progressing, but maybe we could go a bit faster.

Heather McKenzie: Right, okay. So we've talked about smaller organisations, so I'm going to ask Lisa and Johan here for their thoughts on how we can bridge the gap between the larger organisations, such as Deutsche Bank or Lloyds Bank, that can have quite sophisticated cybersecurity programmes, and smaller banks and organisations that may not have the resources, in terms of personnel or funding, to match those sorts of capabilities. So, Lisa, what do you see at Microsoft in terms of that sort of gap, and what can be done?

Lisa Lee: You know, I think we see the gap in the sense that all organisations of every size struggle with the challenges of cybersecurity. I don't think size matters so much; I think the challenge is there either way. It's just a multiplier effect: the larger that you are, in the sense of you have better controls, but you also have bigger threats. And so for those smaller organisations, I do think that they have the message that cybersecurity matters. I think they understand that this is a problem that we all have to solve, and we're better solving it together than apart. But I worry more almost outside the financial system, because I think in highly regulated industries you get a lot of focus on these kinds of challenges, but outside the regulated entities, in the commercial businesses that many of us work with as customers and so forth, I think it's still a big challenge there, and that affects the financial system. Those potential companies can introduce risk into the financial system to some extent. And so we know we're all connected, we know that all businesses are connected in some way or another today, and we're so reliant on the financial sector for our economics. And so, William, I'm almost getting the agriculture in there, but not quite. But I think we have to work on these industries where they aren't regulated and they may not have had the messaging and the benefit of training and awareness, and all of the relationship-building that we have within the financial sector, which is so important.

Heather McKenzie: Yes. Johan?

Johan Gerber: Yeah, I don't know, this is a fascinating question, and I think what the pandemic has done for us is really intriguing on this specific question. You almost had a forced innovation and a forced move into this online space by a number of companies out there that in the past kind of stayed on the sidelines a little bit. We used to talk about digital first as being a strategic imperative, but now it's a business imperative, right? So all of a sudden everybody has to be online, and I think Lisa's called it correctly that the problem is much broader, in the fact that so many third parties are involved in this ecosystem. The ecosystem is no longer cut into very small or distinct industries, that this is the financial sector and this is something else. It's a hyper-connected world, everything is connected, and the digital ecosystem is becoming very, very complex.

And so, to get back to your question around what we are doing, we're thinking about this in two categories. There's our small businesses, who are delivering a service to an end customer, who are being forced very quickly to adapt to a digital strategy, and we are actually partnering, and I think Lisa's company is in the same boat as we are, with companies like the Global Cyber Alliance and the Cyber Readiness Institute to actually provide resources to these companies. A lot of education is out there, and free tools and services are available to them. I think that's something that more and more larger companies can do, where we invest in some of these resources that are really there for the better of the industry and the whole ecosystem. I think that's something that's important, so we're an active participant in that.

And then the other part is something that Sharon mentioned around third parties, and how do we understand the risks that are involved in third parties a little better. Something that we've done: we've actually invested in a capability to understand the risk of any third party involved in our supply chains of digital and financial services, and we hope that that transparency, when everybody can see their cyber posture being put out, not only in public but visible to those who want to do business with them, that also should help in raising the bar a little bit, to say "I need to get my cyber score up so that I'm seen as a responsible player in this ecosystem". So those are kind of two of the things that we are doing in order to help it. But it is a complex question. It's not an easy one to answer. I think there's a lot more that we should do collectively as a broad industry.

Heather McKenzie: And you talk about the complexity there, and my next question is about... when we were having our earlier discussions planning this session, I think you were all mentioning this idea that it's important to make cybersecurity understandable. It's a complex topic, but there are maybe some basics that might be overlooked. And maybe if we start with Lisa, because I know we were talking about hygiene in cybersecurity. So if you want to kick off our discussion now about trying to make cybersecurity just understandable for people.

Lisa Lee: Well, I think sometimes I've wondered, after we had our conversation and some others that I've had, I wonder if we need to almost change the terminology just a little bit, because we talk about hygiene and basics and it almost makes it sound simple. I'm not sure that any of it is really all that simple. But there is kind of a minimum expectation of what companies need to be doing, and we've known these things for a long time and it hasn't changed very much. We need to patch, we need better controls around access, we need limited access, need-to-know only, a least-privilege approach. And there are lots of other factors that come into play here, and those really haven't changed over time. How we do them has changed, the technology that allows it and the level of automation that we have, but we haven't gotten that much better at doing them, and that has to change drastically. We are way past the demarcation line of "if you're not meeting the minimum expectations it's okay, you probably won't be attacked". That day is gone.

And so, if we think about hygiene, we're beyond that "just wash your hands and you'll be okay". I mean, let's face it, most of us, even with Covid, still have not gotten great with "wash your hands". So we just struggle with these things that we need to do all the time. But I think Covid has helped and given us that analogy of how important it is that we do these things. And so, just as we've done with the pandemic, we do need to do the same things with our businesses in terms of being very mindful that there is a set of processes, a set of controls, a set of practices, and we can't deviate away from those. In fact, we have to continually get better and better. We can't live at the minimum bar; we're not meeting the minimum, and we can't live there anyway. So we have to continually move forward. And just as we talk about "wash your hands" and hygiene, we have to start thinking, just as we would with our bodies, it's more of "eat your vegetables", "regularly exercise". So there's more and more and more that we have to get better at. But we do need to find ways to make it more simple in terms of how we communicate, and more automation, because the volume of activity, the number of devices people are using and so forth, we've got to continue to automate and make this simple, because we can't expect everyone to be a cybersecurity expert. But we do need them to be a cybersecurity player. They have a role, we all have a responsibility, and so we just have to help them understand what that responsibility is and give them the tools to carry that out.

Heather McKenzie: Okay. So, Bill, what do you think of the basics and how they can be got right?

William Hoffman: So I absolutely echo Lisa's point about changing the way we talk about security. We as security people have a tendency to use complicated terms, and sometimes a lot more complicated than they have to be, and that means when we go into conversations with our business partners, when we go into conversations with our boards, with clients, we're not always speaking the same language. One of the things that I think is really important for security organisations is to talk about what we do in a way that makes sense to people that are not security practitioners. And the way we do that is start with what is the threat, what is the bad thing, the harm that can happen to us as an organisation and to our clients, and then build the story from there. Right? So ransomware clearly has been, I think, one of the most prominent threats that we've seen, not just in financial services but universally, over the past couple of years. It passes what I call the mother-in-law test: if my mother-in-law knows what it is, it's definitely something that has hit the mainstream. And when we go into our conversations, rather than talk about "we need to have good endpoint detection and response and privileged access and anomaly detection", what we should be saying is "we have a high risk of being impacted by ransomware, and these are the things that we need to do as an organisation to protect ourselves against it". By putting it into a perspective and starting with the harm that can happen, in a way that people understand it, it makes it much easier for non-security people to come along for that journey with us.

In terms of what that means for the basics, I think there's a lot of security that organisations are able to implement today without spending a single dollar, pound or euro more than what they're spending. They're not easy things to do, because it's things like patching and knowing where all of your assets are, and what I think is probably one of the hardest things for organisations to do is to create a culture of security. Right? Changing culture is very hard for organisations to do, and we'll talk about that in a little while. But creating a culture of security and doing some of these foundational things, and also bringing the language back to what are the threats and how do we protect ourselves against them, are some really easy things for organisations to do.

Heather McKenzie: Okay, thank you. And Sharon, I know you spoke about the importance of education in helping to make cybersecurity understandable, both internally and externally at the bank.

Sharon Barber: Absolutely. I mean, I just echo what Lisa and Bill both said: everyone has a responsibility to make sure we understand cyber and we take responsibility for that. I think what's difficult, as they've both articulated, is how do we turn something that's quite technical into something that everyone understands, and I think that's the key to education. The key one on education is bringing it home, making it real. Just as Bill said, you talk about ransomware, but what does that really mean? How do you make that real? How can you tell a story that says, well, actually, if this happens to you then your business breaks, and this is how it breaks, and actually it's a significant impact, and really make that real?

I think the way we've addressed that in our education with our internal teams, we've gone away from sending out documents and sending out PowerPoints, and we've actually changed it to make it more fun. I think you've got to connect emotionally with people. It's that emotional connection that makes them want to learn, and how to learn, and so it's about how do you change things. So I think you need a suite of options to be able to bring people on the journey, because everyone learns differently. Using one way of communicating, I don't think works. So you've got to have that suite that says, okay, the younger generation like the cyber arcade game style that we do, and we put some things out there around puzzles and learning and training, and they love that. And then there's a lot of technical people that don't like being told what to do, and so they like to learn by doing, and so we've got some innovative online learning. What you do with that, you've got a range from boardroom training, which is quite high level, to pen testing, which is very technical, and it's a technology that prompts you with questions. You have to go and find the answers; it doesn't give you the answers. And so by learning that way you actually learn a lot more. So there's some really innovative, different ways of pushing education out to people in a way that makes it stick with them.

And I think the other way is making it personally attractive to them, in a way that it can help them at home as well as at work. So what we try to do is to say, well, this is actually an issue for you when you go outside of the organisation and you go home. It's really important for you to have all of this understanding, and all the controls you have in place, and knowledge for when you go home as well, because actually these are the things that can happen to you from that perspective. So there's quite a lot we do there from a colleague perspective, but we also do work with clients and customers as well, so making that documentation understandable. It's harder obviously with customers, because you've got such a broad set of customers to reach, but clients and third parties, we do quite a lot with them, trying to articulate and spend time with them so they do understand it as well. So there's a lot there. I think you have to adapt the training to the needs, I think, is the way forward.

Lisa Lee: Even if I could, Heather, to take a point that Sharon made and a point that William made, I think if you look at the spectrum of what we talk about and who we talk about that particular topic to, think about ransomware, for example. We can have the conversation about what does that mean, to Sharon's point, and how did it happen and what's the impact. But think about going younger in that perspective. What would the impact be of ransomware if every kid growing up knew about making backups, and they'd been hearing about backups forever and forever and forever, and that was just built into their nature? So by the time they got to the business world they would just expect that would be a planned strategy. So I think sometimes we have to go younger, and then sometimes we have to look at the other end of the spectrum of where we're focusing and how we're talking about it, because a lot of us now are working on, or have implemented, zero trust strategies. And so we've been talking about zero trust for a while; for some companies it's newer, for some it's been around for a while, and we've implemented the strategy, but we haven't necessarily talked about the zero trust culture. And so even at that spectrum, we've talked about "assume breach", that's the strategy that we have, but we haven't built that into our culture and our awareness yet, because we still have people asking us, "well, why didn't you keep these guys out? Why didn't you keep the bad guys out?" Well, in a zero trust strategy, that's not the strategy. The strategy is to mitigate the impact, because we're going to live with an assume-breach mentality. So it's just these different ends of the spectrum in terms of how we're approaching it and who the message is for, and how we need to adjust our conversation a little bit.

Heather McKenzie: Yeah, we do get to zero trust in a later question. I was going to ask Sharon, actually, and maybe all of you: Sharon brought up this idea of making it personal to people and taking it home, taking this awareness of cybersecurity into their homes, and I was wondering... I assume that was very helpful in the early days of the pandemic, when you were suddenly all faced with having your workforce at home, and obviously that raised some cybersecurity issues, and apparently phishing sort of accelerated a lot, or there was a lot more. Had that laid a good groundwork, do you think, Sharon, for when the bank staff were actually working from home, that they were a bit more aware of cybersecurity and the issues?

Sharon Barber: I think it definitely helped. We've been working on the basics with the business for some time, like phishing: please don't click on that link, if you're not sure, don't click. I mean, we might get onto it a bit later, but I think there's technology that takes that type of challenge away in the future as we work through that. But definitely, as people started to work from home... now, they use our own technology, so it isn't using their own technologies, so from a bank perspective the same things were still relevant as when they were in the office: don't click on any links that come through, etc. But we still educated, and actually we pushed a lot of information to them to say, actually, you're going to be targeted at home as well, so be really careful at home on your emails and what you're doing there. So we're trying to educate on both sides. So I definitely think it set us in good stead as we moved into that, because there was a lot more phishing activity that went on in the early days of Covid. Not new techniques, but definitely more efficient activities.

Johan Gerber: Yeah, I do think that an important part of this comes back to education, and to Lisa's point, it's across multiple levels, whether it is around zero trust or a random "click on this link". I think we need to look at this from different angles. The other piece that I think is really important for us: if you look at the pace of innovation right now, Heather, things are changing so fast. 5G is coming in, quantum computing is coming in, so even our cybersecurity experts will have to be retooled on a much higher frequency than ever before in the past. And I actually think our educational sector has a big role to play in this. How do we retool our workforce, not just on cyber but on how to think security by design? As cybersecurity experts we have a bit of a mea culpa here. For a long time we've been sitting there and smiling when everybody's trying to talk about cyber, and we can see they don't really know what they're talking about. But if we want to lift security by design, if we want to lift privacy by design, everybody needs to understand what it means not to click on a link. It has to be simplified. It has to be part of not just a cybersecurity curriculum but a broader curriculum. It has to make its way into just about everything we do, and across different levels, whether it's somebody who's building code, whether it's a decision maker in middle or senior management, or whether it's a board that's trying to figure out what are the exact KPIs that I need to focus on to make sure that we're actually moving the needle. I do think we need to look at this across multiple dimensions and layers, and I do think our educational sector can play a bigger role. I'll give an example of what we've been doing. We've actually been partnering with some of the local universities to offer coding, or security-by-design coding, courses for our engineers, for different product experts. So how do we just get this part of our everyday work, not a four-year study that I do and then I go off into the world and I never go back to my textbook? It has to be more continuous, rather than learning at a point in time and then we move on. So I do think there's a big opportunity for us to do some really good innovation in this space and just change the dynamic on this quite a bit.

Heather McKenzie: That's a really interesting point, yes. And Johan, you brought up technologies, which segues very nicely into the next question, actually, which is about the role that technology can play in bringing cybersecurity to the masses. So maybe if we stay with you, and you just talk us through, from what you're seeing, in terms of technology that can help on this, and whether it's something that might be out of reach, or people think it might be out of their reach.

Johan Gerber: If you look at some of the big themes in the world right now, be that around sustainability, I think cyber for me fits kind of in that same realm, in that I think corporations have an accountability to make sure that we design our technology with cyber included. Right? I do think that technology is the enabler of getting it out there. We will never completely solve the whole puzzle, but I do think if we all start with that security by design in the way we do things, I think we can move the needle quite a bit. If you look at just where technology is going, with 5G, with everything in the cloud, we do see a centralisation of a lot of tech, and that means an opportunity that the more we build into those foundational aspects where most of these things run and operate, the more we can at least cover a base, and then everybody else who uses that along the chain can add their pieces on it. So I think it's an accountability that each of us has to share in how we build. I think it's a place where we collectively as an industry have to come together, not just within our own geographies but across the world and across industries, whether it's the manufacturers of IoT devices, people making banking platforms, our financial system platforms, people creating user experiences where consumers can come in and have a beautiful experience. But in the end all of these are connected, and tomorrow a consumer gets in the car and they expect payments to happen as they pass through the local coffee shop, the gas station, all of that. In the end all of these things come together. So it comes back, for me, to: I think we have a big role to play to design it. Technology is a really, really big enabler, and intuitive education. So you're looking at a multi-layered strategy, ultimately, is what will work here, is the way we are looking at it.

Heather McKenzie: All right, okay. Lisa, from your point of view at Microsoft, what role do you think technology plays? Is it, like Johan says, one of many pieces that have to come together?

Lisa Lee: Well, I think automation is going to be a big piece of this. We focus a lot on automating a lot of the tasks and making that simpler. But I think there's potentially a market opportunity here for some companies to come along, whether they're small, local, regional or more broadly, in terms of managed services. I think there's some opportunity there that hasn't been exercised. I mean, those companies have existed, but I'm not sure that it's being broadly used the way that it could be. So for your really small business who needs this type of service, do they know where to go to get it? Do they have the ability to weigh the capabilities that a company has in terms of the service that can be provided? And I think, to some extent, companies, especially small businesses, are going to be looking for kind of the all-in: can you provide my technology support as well as my security support? And so I think there's a potential market opportunity. I think we'll start seeing companies moving into that space, because the need is there. Is it a well-known need yet? That may be debatable. I think there's still some work to do, but I think there's a potential market there.

Heather McKenzie: Right, okay, thank you. And Sharon, maybe you can share with us some of the technologies or the approach that Lloyds Bank is taking, and maybe some of your best practices that you feel you can share with us.

Sharon Barber: Yeah, sure. I think there are two parts to this, really. I think there's how do we educate colleagues and customers with technology, and then how do we use technology to help colleagues and customers sort of transparently, if we think about it in that way. In the first bit, if we think about using innovative technology, I mentioned what you can do for training etc., and there's some great technologies that you can use for that. Ever since we've moved into the Covid era, using Zoom and Teams is now an everyday thing. We live on Zoom and Teams now, whereas we didn't a year ago. We used it, but not in the same way, and I think that's definitely technology we can use to educate significant numbers of people all at once, and safely. So that's a good way that we can use technology. And also we can use technology to help customers by building checks into our banking applications to remind customers about fraud before they make payments, etc., because that's quite
important to try and combat the scans that are going on in that way and then from a technology how it helps us i started to touch on it earlier but if we think about phishing um whilst we educate our colleagues and we educate customers don't click on the link if you don't know what it is and how safe it is if you can't be sure people still do click on the link and it only takes one person to click on a link to to make it ineffective all of the controls you put in place and so there are some really good new technologies out there that um do isolation technology um that you can use that actually you can put in place people can click if they need to and actually all it does is it doesn't deliver the content down it just delivers a picture and that actually protects you from fishing in that way and so i think that's innovative technology that you can use and we're definitely implementing that right now across our estate just so we can help our colleagues um in the fishing area because i think that is a while it's not the only way to be compromised is significantly uh the most uh chosen way to try to compromise people so i think there's lots there and then i think um as we move forward into clouds we're talking about cloud previously how we design and implement cloud is critical and the new technologies allow you to write policy as code and to do that you can then mandate your controls rather than have to check them you know afterwards and i think that's a way forward so i think we'll be doing um that a lot more i think um efficiently there's a lot more automation to come through as lisa touched on and i think that's the area that we need to sort of um adapt and embrace uh in the future okay and and uh william from from deutsche bank's point of view yeah so it's interesting everything that we've heard from johan from lisa and sharon is is very familiar to us right and if i think about the opportunities that we get from new technologies and particularly the move toward 
public cloud that absolutely introduces new security and resilience capabilities we need to be transparent with ourselves it also introduces new risks and challenges but clearly the benefits from a security and a resilience perspective outweigh that especially well managed i think from an overall technical technical innovation perspective the theme of automation and orchestration will continue to increase the sheer volume of information that we're receiving the sheer volume of events that we're responding to means that we need to be much more efficient and much more automated in terms of how we manage that and we've been absolutely implementing um you know incremental technology platforms that allows us to process that much more data to understand at a deeper level what's going on within and outside of our network i think another important part of that is increasing through technology our ability to anticipate when something is going to happen so moving away from just doing straightforward analysis to understanding not just within our own environment but on the outside what are the threats how are they materializing and what is the next thing that we need to be worrying about and then finally um you know i think some of the advances that we're seeing in authentication as well and starting to move away from passwords which are a really really clunky old-fashioned way of logging on to things both in a personal life and in a professional life the quicker that we can kind of move to an environment where we're less dependent upon those those complex multi-string passwords will absolutely help bring cyber security not just to our organizations but clearly to the masses as well okay okay well sadly i see that we we are actually running out of time it's been such an interesting conversation haven't really noticed um but i did say we were going to go back to this uh this question of trust zero trust which lisa raised so maybe if we could have each of you sort of maybe a 
quick uh a quick sort of proceed how you how you see that idea of trust you know where where trust fits in cyber security and and maybe we'll begin with you johan yeah look this is this is this is something that in itself can probably take us 45 minutes just to talk through for trust um you know on the one hand we're asking our consumers uh jump into the car of a stranger that you've never met or go and stay in a house that you've never been to or seen and at the other end please don't click on this link and at the same time we have with a pandemic a whole new set of consumers who have been trying to avoid the online space like the plague now don't have a choice because i can't get my groceries delivered unless i can do it do this so it's a really big big big balance which i think comes back to a lot of what we discussed throughout the whole process here i think there's an accountability on us as as as banking financial institutions as tech firms to make sure that we put trust as in embedded into the tech that we do so we can foster that with the consumers that they can trust our brands they can trust what we do i think that's going to be critically i know we're running out of time so i'm not going to label that too much but that's where it has to start for us we cannot trust that the consumers will all figure this out so i'll i'll leave this one there but i think it's a really really complex question thank you for that right so so finally if we wrap up um i think i thought it would be really good to ask everyone what what your ideal cyber security culture is because we've we've talked about cyber security culture during the um during the discussion so um i think it'd be great to get everyone's views on what um what your ideal cyber security culture would be and maybe we'll start with uh william thanks thanks heather when i think about culture and we think about culture within deutsche bank we look at it in a couple of dimensions the first is the values right do 
people understand the importance of security and do we feel it inherently in our dna in our processes and the way we interact with clients and the way we manage our businesses the second aspect of it is the behaviors right what are the things that we do individually are we smart in terms of choosing whether to print something are we locking our pcs when we get up from our desks during normal times when we're in the office right those are the things that we do individually even without thinking about it if not even if no one is watching right and the third aspect are the rituals what are the things that we do and we're together that help promote security culture one of the ways that we can do that is by talking about current threats when we start a meeting or other things that we do when we're together so if we think about culture in terms of values behaviors and rituals these are some of the tools that we can use to help drive culture security culture across the organization okay and sharon what do you think a good culture is well however i think i think the ideal culture is when everyone understands owns and takes action on their cyber security risks across the business so that's perfect right if everyone we can get everyone to do that that's a journey and that's how do we you know get everyone to understand what they need to do and work with that over time now a couple of ways that we've approached this at lloyd's is to look at it both from an organization perspective and then also um a culture education perspective so if we think about organizations how do you get the business to own um and be accountable for cyber for everything they do and a number of organizations and businesses would have put in um roles like visos of business information security officers we call ours divisional resilience and security officers and so they're accountable within their division so accountability is just not on the central team it's with the business divisions themselves so 
firstly there's an organizational way that you can help towards that and that's around accountability and then secondly we think about uh culture so we measure culture actually we created a culture scorecard for all of the businesses and we thought about how do we do that and that's not perfect by any way um but what it does is it it sets out it measures what they do on a day-to-day basis on some of the things that that bill mentioned around have they got their user access correct have they done their recertifications um are they doing all of the right activities that they should be doing are there any policy violations that they shouldn't be doing um and we measure all of those things actually we set them targets as well around how to improve those and we put them on their divisional balance scorecard so it's a group responsibility and it's a group focus and i think that's some of the ways you can do to actually move the culture because you make them accountable for it so there's a few ways um not perfect um but definitely some ways to think about and lisa how about you so i think about two things when i think about culture um when i think about the classification of data because i think especially in financial services that's been an exercise and it's been a journey to sharon's point and it but i think it's a great example of how culture becomes part of the tooling and part of our response we have the capability now to classify an email to classify a document classify a database or a spreadsheet and you know we have the tooling to make that simpler we have the tooling to make it automated and so forth but we still have people trying to go around it we're not thinking about it when they need to so the tooling can help automate that but we still have to work on that culture of um you know this is why it matters you know this is when you should use it this is when um it's needed and when and why it's important and why it's valued so to me that's a great example of 
how we're not quite there yet on culture because um you know we shouldn't have to remind each other uh oh by the way you should have you know classified this email as confidential um so you know that's an example and then the other thing that i like to think about is the the message that we're giving our children but that we should also be giving ourselves because i love talking to kids in schools about being cyber aware and using cyber security and the big message for them is this is part of our national protection this is part of our national infrastructure protection and you have a role in that you are part of our cyber army so to speak and everything you do matters and every time you don't do something there can be consequences and i think that message plays in our companies as well so it's not just a message for children it's a message for all of us that we're all part of that national protection effort and gohan yeah i think there's a really great point here i think it's a multi-layered approach right but it starts with getting the basics right and owning it i think everybody has to own it which means you know all the things we talked about earlier on education make sure people understand this thing has to be there but ultimately everybody has to own it end to end if i write a piece of code if i am the one that's starting a track on an email irrespective of what it is down to the lowest level you have to own it and then understand you know interestingly enough if you think about what solarwinds has done in terms of damaging trust around can i trust the third party uh code that i'm getting from a well trusted system that we had forever if i'm a coder how the code passes through my chain you know from i'm the developer it can be handed off to somebody who tested everybody has to think through so that ownership is really really important but being enabled by technology i think things like ai is going to help us tremendously in doing this and especially weaving 
through the complexity of cyber security yeah i would say multi-layer starting with owning it getting the basics right if we get those two things right i think we can make a big dent uh we're not there yet for sure but i think that that's where at least where i think we would love to start okay okay great great thank you all i want to thank everybody very much for for making themselves available for the discussion and really um having such interesting um points to bring up and and i hope it's uh i hope it's been very useful to everyone who's watching and um bad luck uh william you didn't get an agriculture reference in fact lisa did so next time next time lucky so um uh once again thank you everyone and thank you for watching thank you
Info
Channel: SibosTV
Keywords: Technology, CyberSecurity
Id: daUmF8e6h9A
Length: 48min 30sec (2910 seconds)
Published: Mon Mar 29 2021