Cyber Security Event 2026 Reflections (transcript)

The Leaders in Finance Podcast with Ricardo Ferreira (Field CISO EMEA, Fortinet), Marcel van Leent (Security Leader, ABN AMRO Clearing Bank), host Kees de Wit, Deepak Rambhadja (Sales Engineer, Rubrik), and Rudrani Djwalapersad (Partner, Cyber Security Financial Services, EY).

Voice-over: This is Leaders in Finance, a podcast where we find out more about the people behind a successful career. We speak with the leaders of today and tomorrow to discuss their motivations, their organizations and their personal lives. Why? Because the financial sector could use a little more honest conversation. Your host is Kees de Wit.

Kees: Welcome, listeners, to an extra episode of the Leaders in Finance podcast. My name is Kees de Wit, and we’re live from Kontakt der Kontinenten in Soesterberg, right after our fourth Leaders in Finance Cybersecurity Event. I’m joined here by four guests.

I will briefly introduce them. They all contributed to today’s program, and I would like to reflect with them on the event and discuss some of their key takeaways. But first, an introduction.

I’m joined by Rudrani Djwalapersad, Partner Cyber Security Financial Services at EY, Deepak Rambhadja, Sales Engineer at Rubrik, Ricardo Ferreira, Field CISO EMEA at Fortinet, and Marcel van Leent, Security Leader at ABN AMRO Clearing Bank. Welcome, everyone.

Before we dive into today’s event, I’m very curious to hear a bit more about each of you for our listeners as well. Ricardo, could you start by telling us a bit about yourself and the company you work for?

Ricardo: Sure. I’m Ricardo Ferreira, originally from Portugal, and I’ve been living in the UK for the past 13 years. I work for Fortinet, which is a leading cybersecurity company. Our mission is to protect data, people and devices. We’ve been publicly listed for the past 26 years.

We’ve also been exploring what AI can do for our customers and have been integrating it into our portfolio for the last five or six years. Thank you very much.

Kees: And you also contributed to today’s program, right? You presented a use case.

Ricardo: Yes. I presented a number of use cases based on the regulatory framework of the Monetary Authority of Singapore, called MindForge. That operational handbook—or however you want to describe it—is essentially a governance framework for AI.

What I wanted to highlight is that you can have a checklist, but that alone is not enough, because the devil is in the details. That’s the message I wanted to bring to the audience: some food for thought.

Kees: Thank you very much. I think we’ll come back to MindForge later, because it was a very interesting topic.

Marcel, could you tell us a bit more about yourself and the company you work for?

Marcel: Definitely. I’ve been the Security Leader at ABN AMRO Clearing Bank for the past three years. ABN AMRO Clearing Bank is part of the ABN AMRO Group.

We are an organization with banking licenses in multiple countries, but our core business is clearing and trading. We’re a top-three player in all the markets where we operate worldwide, and we have a truly global presence. That makes following common principles and building resilience across the organization much easier.

Kees: Yeah.

Marcel: Thank you very much.

Kees: I saw you were joined by two colleagues today, so you were well represented. And you also took part in the panel discussion together with Rudrani, right?

Marcel: Yes, that’s correct. It was a lot of fun. I think we shared some valuable insights with the audience and also received good feedback.

The topics we discussed—AI, geopolitics and risk—are areas where, as a community, we should collaborate more. Sharing is caring. We need to move forward together and prepare for the emerging threats coming our way.

Kees: We’ll definitely come back to those emerging threats later in the podcast, because they were a major theme throughout the day.

First, let’s complete the introductions. Deepak, could you introduce yourself to our listeners?

Deepak: Certainly. I’m Deepak Rambhadja, and I work at Rubrik as a Sales Engineer.

I’ve only been with the company for about a month, so it’s still quite new for me. Before that, I was on the other side—I was a CISO. I held that role for many years across different companies and sectors, including banking.

For example, I was the Information Security Officer for ABN AMRO Hypotheken. So, in that sense, I also come from within the same group. That’s a bit about me.

Kees: Thank you very much. And, just like Ricardo, you also presented a use case today, right?

Deepak: Yes, that’s right. I spoke about cyber resilience. I used a case study from one of our customers that was actually the victim of a ransomware attack.

Fortunately, they were using Rubrik, which meant they were able to withstand the attack and keep operational downtime to a minimum.

Kees: Thank you very much. Rudrani, you’re next. Could you tell us a bit more about yourself?

Rudrani: Yes. I’m Rudrani Djwalapersad. I’m a Partner at EY, where I lead our Technology Consulting practice. My personal specialty is cyber resilience, and I’m also globally responsible for EY’s Cyber Resilience & Strategy solutions.

Kees: Thank you very much. Since we’re already talking, perhaps we can dive straight into the panel discussion. Before we reflect on the day as a whole, I’d like to ask about the Cyber Panel, which you moderated.

Could you reflect a bit on that discussion and the main conclusions?

Rudrani: I always enjoy moderating these panels and having discussions with organizations about what we’ve heard throughout the morning, but also about how financial institutions are dealing with today’s threats. But, Marcel, as you also mentioned, it’s not only about threats—it’s also about the opportunities that come with them.

I think it’s extremely valuable for the other financial institutions in the room to learn from one another. One of the recurring messages—not only from Jack, but also in the conclusions shared by Marcia and Tom-Martijn—was that sharing is caring.

Marcel: Yes, exactly.

Rudrani: It’s about openly discussing how you’re dealing with everything that’s coming your way.

Ricardo, you spoke about AI governance. Deepak shared a real-life cyber incident and the importance of backups. These are all topics that are already on the roadmaps of many organizations. Especially the more mature organizations often have multi-year programs in place.

But then reality hits, and suddenly you need to reprioritize and accelerate. Hearing how organizations such as ABN AMRO Clearing Bank and ING are approaching these challenges provides valuable insights into what is actually happening in practice.

So I really enjoyed that conversation.

Marcel: Great to hear. And if I may add something: I think the closing presentation from the Ukrainian bank really showed why preparation is so important.

We need to use scenarios to plan for resilience. You have to think the unthinkable. Being resilient is about much more than having backups or a secure network. It’s also about people—having enough people, having knowledgeable people, training them well, and making sure the organization can continue to function, even during a crisis.

Kees: I completely agree. It’s also about people. Mark Barwinski opened the day with exactly that message: having trust in your team and purpose-driven people creates resilient organizations.

It was very fitting that Natalia Savchuk from PrivatBank closed the day by showing how real these threats are. When I spoke with her, she mentioned they had experienced 1.6 million cyberattacks since the start of the war. I imagine that number is even higher by now.

You mentioned roadmaps, and I’d like to use that as a bridge to MindForge. Ricardo, could you tell us a bit more about MindForge and what you discussed during your use case?

Ricardo: Certainly. As you know, AI is one of the biggest topics within the CISO community at the moment. It features prominently on almost every roadmap.

Whenever I speak with CISOs across EMEA, one of the most pressing questions is how they can adopt AI in a secure and controlled manner. That’s also why we’re seeing such a rise in shadow AI: people are using AI tools outside of controlled environments, which creates major headaches for organizations.

MindForge is a consortium of leading banks. I deliberately brought it up today because there wasn’t a Dutch bank involved, and I wanted to make that point. If you look at the participants, you’ll see major international banks, hyperscalers and consultancy firms. It’s a broad industry initiative that combines expertise from the financial sector and beyond.

The use cases I presented illustrated that, as I said earlier, the devil is in the details. It’s no longer enough to approach AI governance as a traditional compliance exercise where you simply work your way through a checklist and tick every box.

That approach doesn’t work anymore, and I think we all know that. I showed several examples that challenge even what I currently consider to be the state of the art in AI governance. Even the best frameworks still contain nuances that need to be addressed—not only through technology, but, perhaps even more importantly, through people.

That was the message I wanted to bring. You can complete every item on the checklist, but that still doesn’t mean your organization is truly secure when it comes to AI governance.

Kees: Thank you very much. I also really liked your final slide, which distinguished between AI for security and security for AI. It works both ways, doesn’t it?

Ricardo: Exactly. What I was trying to say—and I think it’s important for people to realize—is that we’re operating in a very asymmetrical battlefield. The bad actors don’t care. They’ll use whatever means they have at their disposal.

AI is already being used extensively. It’s well established that cybercriminals use AI to craft more convincing phishing messages, develop malware, build offensive capabilities and scale their attacks.

Meanwhile, the good guys—the blue teams—are often still asking themselves: Can we use this? Should we use this? I think we need to break that mindset and start using the technology for defence as well.

Kees: Thank you very much for that addition.

Marcel, looking back on today as a whole, what stood out to you? Do you have any key takeaways or moments that really resonated with you?

Marcel: Yes, I really enjoyed today. First of all, thank you for organizing it. It’s a great opportunity to meet peers from across the industry.

Building on Ricardo’s point about AI, I thought that was an excellent discussion. Financial institutions are generally very risk-averse, and as a result, adopting new technologies often takes a very long time. In the end, that doesn’t help the organization, and it certainly doesn’t help the security teams.

Even automation—which is really one step before AI—is still a topic of discussion. But if you look at the example from Ukraine, that should actually be our main focus: automate as much as possible, move people out of the loop and place them on top of the loop instead of keeping them in it.

Humans simply take more time, and they’re not scalable. If the number of attacks increases significantly, you’ll quickly run into problems if you continue to rely primarily on manual processes and human intervention.

I also thought the speakers today were excellent. I really enjoyed Mark’s presentation, as well as Bernold’s. Hans didn’t agree with everything, which actually made it even more interesting. I loved the moment when Marcia put them both on stage and said, “Let’s settle the discussion here.” I thought that was a great move.

And during the panel with Rudrani, Tom-Martijn and Jack, we shared a lot of common views, but we also deliberately looked at the same topics from different perspectives. I think that gave the audience a good understanding of where organizations stand today.

Kees: Thank you very much.

Rudrani, I know you have to leave—and that’s on us because the event ran about 15 to 20 minutes longer than planned—so let me ask you one final question.

EY has been a partner of this Cybersecurity Event for quite some time now, and hopefully you’ll be back again next year. If we’re standing here again a year from now, what do you hope will be different compared to today?

Rudrani: That’s actually the same question I asked the panel members at the end of our discussion.

It’s always difficult to look 12 months ahead, especially in a field like cybersecurity where something new happens every single day. But what I really hope is that the story security teams tell the business and the board becomes much more proactive.

Many of the issues we’re facing today have been known for years. The real challenge isn’t awareness—it’s creating urgency, increasing speed, setting the right priorities, and securing the right people and the necessary funding.

Take the discussion around sovereignty. We’ve been talking about that for the past 10 to 15 years. Yet somehow our willingness to act still isn’t where it needs to be.

Within this audience, we’re preaching to the converted. The people in this room already believe in the importance of cybersecurity. The challenge is reaching a much broader audience.

Next year, I would love to see more people from the business side attending—not just cybersecurity, risk and compliance professionals, but also board members and people responsible for developing new products or implementing AI.

Those are the stakeholders we need to engage, because cybersecurity is not just a security topic. It’s a business topic.

If we can bring those people into the conversation, we’ll shift the narrative from simply managing risks towards embracing opportunities. I think that would make for a fantastic program next year.

Kees: That’s good to hear. And with that, you’re free to go.

Rudrani: Thank you. Thank you.

Kees: We’ll speak again soon. Thank you, Rudrani.

Deepak, let me ask you something. Marcel mentioned that organizations are generally quite risk-averse. Based on your previous experience and now your work at Rubrik, could you tell us a bit more about how you see that in practice?

Deepak: Certainly. Personally, I always like to take a risk-based approach.

If you think about cybersecurity, the question is: why do we invest in security? Because organizations face risks. And how do you solve cybersecurity challenges? You start by identifying those risks, mapping them, determining which ones have the highest priority, and then addressing them accordingly.

I think more organizations should work that way. It’s a very logical approach, especially when dealing with cybersecurity.

And yes, what you’re saying is true. In my experience, many organizations are very risk-averse. You can see that today with AI. Many companies hesitate to take the next step because they’re concerned about the potential risks.

I understand that hesitation. At the same time, there is already a great deal that organizations can do to use AI securely.

For me, secure AI starts with strong data governance. That’s the foundation. You need to make sure that the right people have access to the right data. Once that’s in place, AI can also deliver much better results.

Kees: Thank you very much.

Marcel: To build on what Rudrani said, I also think it would be valuable to have a broader audience. We shouldn’t look at security as a standalone risk. We should look at it from an integrated risk perspective.

You always need to balance security, resilience and operations, together with the associated costs and the value they bring. That’s where we, from a security and information risk perspective, really need to make a change. We need to demonstrate the value we bring to the table instead of only talking about costs.

Otherwise, you’ll never be taken seriously.

Kees: Yes, I think that’s a great addition.

Ricardo: Remember, Kees, I also mentioned that we should broaden the audience by including CROs, CISOs, CFOs and CDOs—Chief Data Officers—to create a more cohesive view of why cybersecurity is so important.

Otherwise, you’ll only get one perspective. I’m not saying that’s a bad thing, but involving a broader range of stakeholders from across the business gives you much richer insights.

Deepak: I agree. A Chief Data Officer will naturally have a different perspective than, for example, a CISO.

Marcel: Exactly. It’s always about making trade-offs. Doing business means taking risks. If you don’t want to take any risks, you should stop doing business. And I don’t think financial institutions want to do that.

Kees: No, exactly. I think that’s a great suggestion for next year. It’s important to have broad representation.

Today was really about the core of cybersecurity. We welcomed more than 100 attendees from over 50 organizations. We had speakers from ENISA, the European Banking Federation, ING, ABN AMRO Clearing Bank, NN Group and PrivatBank in Ukraine, among others. The event was also strengthened by the support of our partners, Fortinet and Rubrik, who are here at the table as well.

Perhaps next year it’s time to take the next step and bring in an even broader audience, so we can better understand the barriers we’re facing.

One word that really stayed with me today—especially after Natalia Savchuk’s presentation from PrivatBank—is catalyst. We need something that ignites action.

Some of the key themes I noted today were that we shouldn’t be risk-averse, we should embrace innovation, it’s about people, about trust, and about having the mindset to act.

I think we’ve reached consensus on those points today. Next year, I’d like us to go one step further and focus on how to turn those ideas into action.

Ricardo: In the end, cybersecurity is a board-level topic.

It should also cut across every business unit. I think that’s already the case in more mature organizations, but for organizations that are still developing, it needs to become even more embedded.

Marcel: And expect the unexpected. We really need to start thinking in scenarios—what if scenarios—and have those discussions with the board from a business perspective.

Deepak: Absolutely. Tabletop exercises, cybersecurity workshops—those kinds of activities really help boards understand the risks and what could happen.

Looking ahead to next year, and building on the idea of bringing together people with different backgrounds, I also hope we see more collaboration within organizations themselves.

From my experience, many large organizations still operate in silos. Risk teams focus on risk, data teams focus on data, and so on. I think they would benefit enormously from collaborating more and sharing the challenges they encounter.

Especially in larger organizations, I still see a lot of siloed thinking.

Kees: I’ve heard that several times today as well.

I think it’s time to wrap up. Perhaps a difficult final question: I’d like each of you to summarize today’s event in just one word. It could also be a word that describes the current state of cybersecurity.

Deepak, you look ready to answer. What’s your word?

Deepak: Inspiring.

Because of the presentations. There were many different talks covering a wide range of topics, and I’ve taken away a lot from them.

So my word is: inspiring.

Kees: Inspiring. Check.

Marcel?

Marcel: Be prepared.

I think that’s ultimately what resilience is about. But resilience is much more than IT. It’s about processes, people—it’s about everything.

So: be prepared.

Kees: Inspiring. Be prepared.

Ricardo?

Ricardo: Partnerships.

We also discussed the importance of public-private partnerships today. Marcel talked about the importance of technology and people, and I think partnerships should bring everything together: the ecosystem, the people and the technology.

So my word is: partnerships.

Marcel: I don’t want to steal your thunder, Kees, but what’s your word of the day?

Kees: Mine would be surprised.

To be completely honest, cybersecurity isn’t my area of expertise. Of course, we organize these events, and when it’s about AI that’s something I use every day.

But today I realized that cybersecurity is part of my life much more than I had previously thought, even if I don’t always notice it directly.

I was pleasantly surprised by how much is already happening in this field. At the same time, I’m encouraged by the fact that we all seem to agree that there are still important steps we can take together.

So my word is: surprised.

Thank you for asking me that question—it doesn’t happen very often!

I’d like to thank Ricardo and Deepak from our partners Fortinet and Rubrik, and Marcel, thank you as well for joining us today.

And to our listeners: thank you for listening. The date for the 2027 Leaders in Finance Cybersecurity Event will be announced soon.

Of course, we haven’t been able to discuss everything that happened today—you really had to be there.

Thank you for listening, and hopefully we’ll see you at our next event: the AI Event in June.

Deepak: Thanks for having us.

Voice-over: You’ve been listening to Leaders in Finance. We hope you’ve enjoyed the episode and would love to hear from you.

What’s on your mind? Who would you like to hear next? Let us know in a review, send us an email, or get in touch via our social channels. We’d greatly appreciate it.

Finally, we’d like to thank our partners for their ongoing support: EY, Mogelijk Real Estate Finance, Doen’r and Lepaya.

Don’t forget to check out everything else we do at leadersinfinance.nl.

Thank you for listening.

We’d love to keep you informed on the next iterations of this event. Please enter your details below, and we’ll keep you posted!