Yeah, what is the new role of the ciso and to support me in, in, in discussing this topic, I have three excellent experts and leaders with me on stage. I start from, from, from the north, or should I say right hand side? Right is Mark Hoffman from C Chief Security Officer from Nordea. You started in technology, then you had a history in consultancy, then you had the, we had the pleasure to work together in a bank. Then you switched to to, to to Swift as, as a Caesar there. And finally, you are now ending up in, in Nordea as the chief security officer. So thanks for joining us, Steve. I forget anything important. Obviously not. No. So then let's start, let's, let's continue with, with going west. So I have Andre from Vodafone. You are, that's actually an interesting title. I need to look it up or you can help me here.
You are the, where is it? Cybersecurity, head of cybersecurity portfolio of, of waterfront business. Perhaps you help, help me later to understand what that is. But I know you also have a technology background. You have had multiple roles in also marketing as a strategist and innovation, et cetera. So you somehow, somehow know the multifaceted aspects of cyber security, I guess. Yeah. And finally I'm very pleased to welcome Ralph. Ralph actually is a little bit an outlier because he's not a ciso, he's a cio, which is obviously, CISO is reporting to me. Yes, the CISO is report and I know that, that, that cybersecurity is very close to your heart. And he just told me that he has been reelected in the, what is this cyber security sharing alliance right. In Germany. And this also underlines that cybersecurity is very, very close to your heart. So thank thank you all for joining. Mark, I, I'd like to start with you. A Caesar today has to be obviously a leader, but he also is a team motivator. You also have to be a psychologist. You have to be a very good communicator, right? You have to be a strategist, you have to understand business, you have to be a risk manager, sometimes you have to be a lawyer and so on. Did I forget anything important? And what do you think stands out of that long list of capabilities?
I think ard, you're absolutely right, right? So the list of requirements for CSO is super long and it's getting longer. And I think this gets us already to the core of the vision where, what is the refinement for the CSO in the future. Actually, we look at a few years back actually, the C was an an IT introvert sitting somewhere in IT and working with isolated topics like funding a firewall Yeah. And configuring the virus can and so on. And I think the key requirement today is you need to be good at leadership. Yeah. Managing the tenants, having the right people for your team. Motivating them. Yeah. I found out after the covid situation, it's so difficult. You have to, to keep people from leaving and taking other opportunities with my startup companies in Miami and so on, you know, So I would say that this is long talking the board language, understanding the technical details,
What
Setting easier, I would say
Anything outstanding. So what do you think is most important? Can you say that? Or is everything equally important or does it change over time or from, from time to time?
I, I would, I would say if I think about what it's the most important thing is the, the ability to learn and to adapt to what happens. So even you look at the Ukraine situation, for example, this already really find a little bit my role because my bot has a totally different level of interest into cyber security. So I need to even more talk to the board and talk to more to my peers Yeah. About intelligence and what is best practice and what can we do. Collaboration is one aspect. I think the people component is your key.
That's actually a nice bridge to, to the question I would like to give you. So obviously as a CSO or cso, you have to be an excellent stakeholder manager. You have to talk to the board, to your team, to external parties, even to the police, et cetera. With whom do you spend most of your time?
It's a, it's a, it's a great question. And I think Mark, you picked on the fundamental challenge we have, which is that translation from what was an operational role, technology focused operational role where we talked about controls, we don't control anything anymore. And that translation to being much more of a, a lobbyist and influencer, you know, we aspire to take risk based decisions, but actually most of the time it's a, it's a budget based decision that we, we, we trade off. But you know, I spend a third of my time leading the technology and operational teams and we had a thousand people together only a few weeks ago. And they're the people on the front line delivering security controls for our, you know, for, for our, our employees. And the 10 million organizations that we look after about a third of the time is really thinking about how we take the big pieces of technology evolution that we need to make and the risk controls and aspects of that. And about the third, you know, the third, third really is around actually liaising with government, understanding research, the evolving political, economic, you know, and risk based landscape that we face. Because if we just face into a, you know, a day to day, minute by minute operational view will always be behind. So actually engaging with government and, and, you know, and peers and industry is a, is a huge part of, of what I do day to day.
Yeah. Thank you. All right. Coming to you, I think as a CIO, I would assume your main store stakeholders obviously are, are the business, your business peers and normally they are mainly interested in getting the latest technologies or to save cost time with, with this technology. And in the past, security was often an afterthought or a side product or something like that. Has this changed in your view?
I would say it's changed totally because it's understood in the business more and more sometime by by learning or sometimes by evidence yet that you cannot only run it. Yeah. First it was understand the new business, you cannot run without it. But nowadays it's understood. You cannot run your business without security. Yeah. You cannot do and say, I, I'm doing it and not doing it in a secure way. And you will see it when you are in a line of fire that this is then the case. So this fundamental understanding is there, but now is the topic what to do. And I see the question for the next generation. First of all, I would say why is security so a hot topic? Because one fundamental changes also in it, normally you have time in security, have no time, It's real time. Yeah. And this is a change in thin thinking.
Yeah. In planning and all the other stuff in business that they have to learn. Security is real time and you cannot act in planning and budgeting and all, all this stuff in cybersecurity and this fundamental change, I would say this is one of the goals for the next change of CSU to explain what this means and what how to act. And therefore I would say what you have to have in the future as a C is the follow following attitude. Because the, the gap PT in what you know and what is possible in cybersecurity is writing in every second. So how to close the gap. The only challenge is to have a network to competent people. So a network for the CSO to with competent people, whether it's stakeholders, shareholders, partners, or nerds. This is I would say the key.
Yeah. But that, that actually brings me to the next question. So in the past, and probably you are good examples for that, three of you, the CSO used to come mainly from, has a better technology background, right? So you all worked in technology, probably even as developers, etcetera. Now when I'm now hearing CSO has to be a good communicator and psychologist, et cetera. Do you see the chance also to, to, to become a CSO without the techno? Well obviously you have to have technology, but coming from a different discipline in the first place, what
I would say have a look to the stock market and you will see that the most value companies are security and IT companies.
Yeah.
And then businesses coming. Yeah. I would say there is a fundamental change and also the business has to learn a lot. But the technology, what you say is totally right. You have to understand your business, but the business will not run without your security. So there is a switch. It's not a nice add on technology. Yeah. You have, first of all, you have to be very deep in technology, in understanding and then develop your business. Yeah. But this is change.
All right, Mark, when you, now you mentioned that you, you, you talk to the board a lot. When you now talk to them, how well do they understand security today? And has this changed, let's say, let's say if you look back two, three years or four or five years. So has this changed or, or is this still the same situation?
I, I absolutely see a changes on how the board has addressed in details, Right? And has an understanding for the topic, the change in the past few years. I think a few years back we came mainly with them with super high level. This is the, the critical risk. And then was the question, what are the main bullets and main actions to get this down too high or even to moderate and so on and so forth. And today they are far more interested in details. Give an example, one of the critical risks we see is data leakage, for example. And we rolled our data leakage endpoint protection like you usually do with it. And then we have an issue with some countries. So for example, in Finland, it's not allowed to scan outgoing emails. And their piece appears to be no valid solution for that. So there is no, you cannot make the, to signed an agreement on that.
That's not sufficient, right? So we really cannot scan uploads to the web or even emails to the outside. And the bot is now super very much interested in all the details. They want to understand this. Somebody from the board was speaking up and says, I have a, a link to the pharmacy or for Microsoft, can I help you on, on this topic? So I think the, the competence on the board level is increasing and the level of detail they would like to discuss is increasing as well. I saw another push during the Ukraine situation. During the Ukraine situation. The board was really cooling us. What are the technical measures you consider now? And what are you implementing? How are the different scenarios looking? And that was the difficult question. When is good, good enough? And I think this is zu difficult to answer and find that evidence to the board and all. It comes back to what, what RA just said at the end, collaboration is key here. So what we did is we reached out to all the CS of the other banks in the Nordics and said, What are you guys doing? Actually we reached out to the security firms, to law enforcements, to governments to find out what is something like a best practice list. Do I need satellite phones? Yeah. To prepare for potential outage of critical infrastructure and things like that actually. And that gave, and they had confidence to the board that we have.
Yeah.
Good best practice, let's say in place.
Yeah. But what's your, what's your, let's say prediction will at some point the chief security officer or CS o be a member of the board even?
I cannot answer that question. I would be a member of the board. I think there is a, on the oversight component of the board, there is a key component on security already now. Yeah. And we see this and the board is already trying to get the competence on the board. I think that's the key point. And it's an observation I make across all larger organizations. They have a direct reporting line or direct link to the board. So they, so like, like I do it, for example, I'm on a monthly basis, I'm talking to the board and they even ask me to, to come more often. So next week we have a 90 minutes deep dive on, on security just for, for security topics on the board, for example.
Interesting. We,
We see, I'd say, I'm, I'm nodding cause we see the same, the same motion, right? The boards have become so much more technology savvy and their interest in security has moved beyond abstract risk and, and, and, and compliance to actually the decision making behind what happens. And we have the same very, very frequent, very, very direct conversation with, with our you, with the entire board. It does defer geographically. But one of the things I think everybody is, has recognized is that traditionally we've liked to, you know, enable controls, check off risks, reduce and mitigate those risks. Think about how our compliance and our privacy is managed. And actually that's becoming increasingly uncontrolled. And the uncertainty that you describe is critical. And I think getting more comfortable with that uncertainty, I think, you know, it is right? If, if I look at how, you know, the role of technology is, you know, you described Ralph as changed.
We now have a chief digital officers whose responsibility is about growing revenue and impact. I can see a transition from the internal IT security role to being a, you know, sitting on a board, being a chief trust officer. And that is not just about protecting the organization, but enabling it. And a lot of questions that we, we in increasingly think about even in the middle of an attack is what's the impact on our stakeholders and shareholders? What's impact on citizens? How are we managing communication? What is the trust that we have in, you know, we hold in place for our customers? And how is that trust seen and felt by markets and, and governments? Yeah. And I, I wonder whether, you know, you could see it, I could see alongside chief digital officer, I could, I could see a chief trust officer whose remit is so much broader, to your point earlier on than just the operational, you know, management of security solutions, enablement of endpoint protection and fielding of that constant drumbeat of, you know, operational attacks and responses that takes it potentially a step beyond the real time, but the real time will never go away.
And I, and there's a, the other, the engineer in me says nobody in security shouldn't understand the technical aspects and of security itself, even at a principle level. Yeah. Yeah. I think
Another, another, Can I add? Sure, of course. I would say our world is built, i, I would say on money. Yeah. Therefore the CFO is in the board, no discussion. Profound education and he's on the board and on the other side I see this world is built also on free child. It therefore it'll come, it will come. You have to have in the board someone who is very savvy in it, Andes and representing the board and has a profound the kind. But it will not be a nerd. Yeah. A only a touch guy. This is has to be another quality. But on the other side, this world is built on money and technology and therefore I see no way out. Yeah.
And I think another, another good, Oh, sorry,
I think I need to correct myself. I think when you mean board, you talk about board, you mean the management board actually right? In the knows we talk about the board. It's the supervisory board. Okay. So other things, so other things I just mentioned with that the board is entrusted and the details of security means the supervisory board, Right? The management board is anyways. Right. And going back to your question can well be that the C will sit on that level, but it's more important that they have access to the level. And on the supervisory board, I need to mention, I see chances and risk chances. On the one hand we get enablement on the really big things and we've seen insecurity. We have things which are structural changes to the bank. Really big projects, taking the whole bank with us, identity access, network segmentation, all these things. But the risk is they're getting more operational. So when they're consuming our time, a majority of my time is talking to people who have limited understanding on the topic, but have a say on it. Okay. So that this is one of the capabilities I think we need to be able to, to handle going forward. Yeah.
I think another good example that the role of the CSO is expanding and also is arriving in the domain of the businesses. Our challenges we have in the, in the supply chain, right? So we, in the past the CSO was primarily concerned with securing the own IT infrastructure. Now the CSOs also ask to look into the products, businesses, purchasing. What, what's your view on that? Right? Is this, is this increasing this problem?
Yeah, Heavily, heavily twofold. First of all, you have to be as a c a people manager because everything is in the attack space. People attack you. It's not technology which attacks you. They use technology and, but they are people behind and people have the caveat, they are very creative. Yeah. And they are not doing the same things in the same way. So people management is the most important topic of each and every si. This is hard because normally the SISO is coming from techie and normally only looking to their screen. But on the other side, they have to find a way to manage people. This is the one now your third party management, the tricky thing with this third party or on premise or when you're using your own software in the cloud, you are able to get the data and then you can charge in real time what's going on. When you have third party, you cannot charge in real time. So you have now to find a way to cooperate and say to the provider, you, you not only, I cannot only trust you by contract, I can only trust you by data and the right data in real time. And I would say this is a topic, it's not solved at the moment. Cause to look in the data of a provider is a very Yeah. But also here, I would say it'll come no way out.
Yeah. And I agree with you. This is an unsolved problem, which we were probably discuss going forward a lot more.
Right. And we are, as a financial industry, are heavily regulated. And the regulator says you have to monitor your SaaS provider, good luck to monitor on SaaS provider. Then you can ask what data you can give and how can we judge what you are doing. It's not, it's really tough.
Yeah. Yes. CISOs are also used to discuss and, and, and touch latest technologies. Yeah. And they all have a favor for latest technologies. On the other hand, we all know that security is very much dependent on what we now call cyber hygiene. Right? This is, I think, something similar like motivating your kit to, to keep their room clean, right? So, so how do you do that in your organization
That that that tension between like doing the basics brilliantly and trusting every person in the organization. You talked about you're motivating people actually, it's not just motivating my team, right. Who are, you know, are passionate about admission to, you know, to, to protect our organization and our customers. Right. And they need, and they are techy and you know, we've, we've embarked in a big program recently, which is about actually what is, what's quantum going to do. Not just to our crypto standards, but to the opportunities that we face. And we're taking, you know, a couple of years run up at it to build and drive the levels of, we just got a quantum literacy across the organization so we can even have that conversation. Right. That talks to the inner engineer in techie in all of us. Yeah.
But
Actually the hygiene is isn't about the security team. The hygiene's about every single employee in every single partner in our business. And you know, I've always said, right, our employees and our partners will do the wrong things for the right reasons. And, and that's the critical thing. So it's, it's, when you talk about communication, it's about motivation and it's about understanding the, you know, why and how people are doing things. Huge advantage has been through covid and the movement to a, you know, a much more open and yet more controlled hybrid working model. Right? It's been a real starting gun for a complete shift in how, how we deliver, how we deliver those controls and how we enable people. But making, making that cyber hygiene, those base brilliant basics personal to people. That's how you motivate your children. You either carrot or sticks, sweet, sweet, sweet or you know, or, or, or some punitive action. Right? And, and then you make it personal
To, That reminds me of discussion Mark we had yesterday. So your CEO, you said mentioned your Danish ceo mentioned to you, Mark, you need to be more German. What did he mean by that
Actually was his attitude To be be tougher to the organization. Yeah. Find somebody who was breaching the policy and then hang them up, so to speak. Yeah. Not literally. And, and make this public then and one or the others. That was the idea. I mean the thing is really awareness things as the human component. We all know this, this is the weakest thing. Yeah. On the other hand, whatever you do, they nevertheless make a mistake. Again. So we know this from, from fishing campaigns and we always do this at the beginning, we've had a click rate of 25% after running fishing campaign, after fishing campaign and nano lessons and training and awareness. We've brought the declared down to five to 7%, but somebody is still clicking whatever you do. And I've been attacked by a spare fishing attack the other day and I was clicking as well.
So they found out I was speaking on a Financial Times summit and then they sent me a link, thank me again for my participation and sent me a link with the material and I clicked on it. Right. So classic actually. Yeah. So that means if you put enough effort into a spare fishing, and we've seen this in the Ukraine situation, then they click. But nevertheless, it's the, the most efficient way actually to, to, to do this first line of, of defense and educate the people with the training. But we need to have different means, different ways to do that. I mean I, I'm doing 10, 20, 30 different computer based trainings a year. So we put all security stuff into a 30 minutes or 45 minutes training. There's not very effective five year. So we talk about nano lessons and bit more perhaps gamification. Yeah. So letting them having achievements here. If you participate in a vet based training with a Porwal room scenario, whatever game thing. And then you convince something at the end or you get to score. Yeah. That you get a prong shield, server shield, gold shield and this then published on the intro. That's nice. People like
That.
Yeah. And cyber hygiene I would say is a capability and a capability you have trained permanently. You cannot trust that you trained it one time and then it's done. For example, last year, December is coming I guess also this year, but I had can remember last year, look Forche, we had in the December three times an emergency patch. And emergency patch means patch your environment in 48 hours. Yeah. And I have 63 local CIOs and this capability to patch or is your systems or also the user, their iPhones or their Android or the to patch and permanently. This is tough and hopefully this December it'll not coming explored. And Microsoft said, be aware zero day exploits exploitable very, very fast when they occur. So you have to patch also very fast and to patch 100%. And this is a tricky Absolutely. And I have all the discussion, this was very nice with the CIOs and said the last emergency patch Yeah. 48 hours create, create success. 85% within 48 hours, but 85 Yeah. There are 15% missing. Yeah. So what I want to say, cyber hygiene is a capability and you have to train it permanently.
Yeah. Let's come to the, to the final round. I I want you all to complete the following sentence and I'll start with you Mark. In three years from now, the core competency of CSO is
In three years.
Yes.
We made, we made a joke this morning. Yeah. We said I'm so busy with the legacy and cleaning up the mess from the past that I have no time to think about the future. I think the, there are many things, but I think a key capability will be having the capacity actually to deal with the legacy from the past. Yeah. Or 3000 thousand applications to live in the, in the present. Right. To do operational things to get the pitching done and make sure the organization is having the IG in place and nevertheless having the capacity to, to work on the strategic things which matter in the future. Yeah. And to be open minded, to have the right talents, to think around the corner and think what comes in the future and to prepare today for what is to come. The key things I'm doing today have nothing to do. And I would've been impressed at how the, the, the Queen party represent today would've thought about that actually I work today on things which pay off in three, four years time. Right. So next legislation and, and this is super difficult to get this for the board, that there's no low hang of fruit network segmentation. Still trust such a
Topic. Okay. Andre also the core confidence in three years, perhaps a little bit shorter than Mark,
Apologies
In three years I think CISOs will be mainstream. They will sit and have much greater influence across the organization. To your point, from a business perspective, from a resilience perspective and a day to day life perspective. Right. Security is and is becoming a much more fundamental topic that we can all talk about. So I think, you know, CSOs have, have and will become increasingly mainstream in their role and their influence.
Yeah.
Point I would say curiosity and humility. And when you have time, be very mindful what's going on.
Thank you very much. As always, it was a pleasure talking to you. I hope you enjoyed it all. We could have gone for, for a couple of more minutes, but I'm sure we will have the opportunity for the rest of the day to talk to each other. Thank you.
