Voice-over: This is Leaders in Finance, a podcast where we find out more about the people behind the successful career. We speak with the leaders of today and tomorrow to discuss their motivations, their organizations, and their personal lives. Why? Because the financial sector could use a little more honest conversation. We’d like to thank our partners for their ongoing support. They are Kayak, EY, Medirect, and Roland Berger. Your host is Jeroen Broekema.
Jeroen: Welcome, listeners, to an additional episode of the Leaders in Finance podcast. I’m super happy you’re listening. And today we’re recording live—quote unquote—when you hear this, it’s not live anymore, but it is live at the moment, from the cybersecurity event here in Soesterberg, at an event with a lot of speakers and panels. And I’m still very excited—you probably hear it in my voice—from all the things I’ve heard this morning. With me are three partners of this event, and I’d love to reflect with them on what we’ve heard over the last few hours, and, you know, whether they can share something they’ve learned, or liked, or would want to see differently next year. All those things we’ll probably speak about in this additional episode of Leaders in Finance. So, Rudrani Djwalapersad, Partner at EY—welcome to the podcast.
Rudrani: Thanks, Jeroen.
Jeroen: And Ricardo Ferreira at Fortinet, thanks a lot for joining.
Ricardo: Thank you for having me.
Jeroen: And last but not least, Filip Verloy at Rubrik—great that you’re joining as well.
Filip: Yeah.
Jeroen: And these were obviously way too short introductions of you guys, so I’d love you to share a few sentences on who you are, what your job is, and maybe also something about your relationship with cybersecurity in the financial services industry. So Rudrani, please, over to you.
Rudrani: Yes, for sure. So—Rudrani, I’m at EY, partner at EY. I lead our cyber practice, which is actually focused on serving the financial sector. So my main clients are financial institutions—banks, insurance companies, wealth and asset managers, pension funds—in the Netherlands, but also outside. Next to that, I’m globally responsible for our cyber resilience and risk services. So really thinking about what is happening in the market and how we can best serve our clients. I really enjoy it, because resilience—and how to make sure that organisations and society as a whole are resilient, in which the financial sector plays a pivotal role—is something I find meaningful. Being able to contribute to that really makes me feel of added value, and I’m able to help organisations. So that’s what I do a bit in my day-to-day job.
Jeroen: My assumption would be there’s a lot of work nowadays—is that wrong?
Rudrani: There is a lot of work, but also—I think, but then we’ll go into some other reflections—there are still a lot of people to convince, and we need to speed up the resilience agenda. So I think the momentum is there, but we still need to be able to move faster.
Jeroen: Great, thanks for the introduction. Ricardo, same question to you—a bit more about yourself and your role within Fortinet.
Ricardo: Sure. Ricardo Ferreira, Field CISO within Fortinet. What that means is that I get to work with CISOs in the financial industry, but also in other industries. It’s just that, due to my background and skill set, I’m normally more aligned with financial organisations—retail, commercial, private banking as well. What I do is act more as an advisor, but also internally within Fortinet as a leader regarding the go-to-market proposition—how we can position our portfolio. Because Fortinet, as a cybersecurity vendor, has an enormous portfolio—very, very broad. And sometimes we need to understand which part of the portfolio would benefit the customer more than others, depending on their maturity level. So that’s where I play within Fortinet.
Jeroen: And do you work globally, or are you…?
Ricardo: EMEA-wise.
Jeroen: EMEA-wise, okay. So, particular countries you’re spending most of your time on?
Ricardo: Europe, but also interesting stories from CISOs regarding Africa—South Africa—very different mindset. So EMEA, a bit of Middle East, but spending more time in Europe.
Jeroen: Okay, thank you. Great to have you on the show. And Filip, same question to you.
Filip: Yeah, so—Filip Verloy, I’m the Field CTO for RubrikX. RubrikX is sort of the corporate innovation lab, if you will, within Rubrik. So a lot of my time goes into looking at M&A targets from a technical due diligence perspective. But the other part of my job is also to sort of figure out go-to-market for our solutions for our customers. We focus a lot on cyber resilience—especially, of course, in financial institutions. Things like DORA and so on are extremely relevant these days. I think in the past, sometimes cybersecurity was sort of looked at as an insurance policy—like you’re paying a lot of money, but you’re not quite sure why you have it. And I think now, with all of these, let’s say, public issues that we’re seeing—especially in the UK over the last couple of weeks—I think it’s quite clear why we need to focus on resilience and recovery as well.
Jeroen: And just one follow-up question on the M&A—this means a business you want to buy for your own business?
Filip: Yeah, yeah. So a while ago, we added something called DSPM tooling—Data Security Posture Management tooling—to our solution set, which was based on an acquisition we did. And yeah, we’re looking at growing organically and inorganically. So lots of stuff to come, which I can’t really comment on because we are SEC-regulated as a public company—but a lot of interesting things to come.
Jeroen: Wonderful. Could you share with me what your role was today at this event?
Filip: Sure. So I was part of a CISO panel, together with ING and a colleague from OneSpan. We focused a little bit more on the human aspect, I guess, of cybersecurity and cyber resilience. I think one of the interesting things about an event like this is—if you think about cybersecurity as a whole—it’s about trust, right? And I think one way to build trust is to meet people face-to-face. So it’s always good to figure out: what’s the community looking for? Can we literally shake hands and look each other in the eye and build these relationships, whereby we can get to that next level of exchanging information and helping each other out when it comes to cyber and cyber resilience?
Jeroen: And when it comes to people—is it true, what I always hear—that it’s really hard to find talent, also for your own business?
Filip: Yeah. I mean, if you look at our company, it’s just about 11 years old now. We started out in Palo Alto—that’s where the majority of our development still is. But if you look at the company now, we have development in Sweden, we have development in India. We have to go after the talent where it sits, right? So talent is definitely out there. But yeah, you have to look at it from a global lens, I think.
Jeroen: Right. Rudrani, could you tell me what the panel you led was about—who was in it, etc.?
Rudrani: Yeah. So one of the first panels I led was the CISO panel. I had the opportunity to have a conversation with three CISOs—Arjan Minten – CISO & Head of Security and Quality Office, PGGM, Martijn de Laat – Group Information Security Officer, Achmea, and Floor van Eijk – CISO, NN Group—which I really liked, because we’d had board members before, and then this was really about understanding more of the CISO perspective on topics like geopolitical tension, the current threat landscape, but also the broader operational resilience theme and how they’re handling that. So I really enjoyed hosting that panel.
Jeroen: Was there a particular takeaway for you, or some messages you recall right away?
Rudrani: The main takeaway—and I think this was really nice to see—is that CISOs, traditionally a few years ago, were mostly engaged in technical conversations. It was really interesting to see how they are now so intertwined within the broader organisation. They’re engaged in understanding what does and does not work for the business in order to prepare their response and recovery. They’re talking to the non-usual teams within the organisation, and working more closely with the board. And I personally think that’s a very good development.
Jeroen: Ricardo, what was your role today? We saw you on stage—very energetic. I enjoyed it.
Ricardo: Thank you. I was part of a panel, also moderating, with Rob and Sam—Rob Havermans – Head of CISO Technology & Engineering, ABN AMRO,
Jeroen: Correct.
Ricardo: —and Sam van Rooij – CISO, IG&H. We discussed some topics regarding the evolution of resilience, briefly touching on the evolution leading up to DORA these days. Then we also briefly touched on interconnectedness—because, as you know, systemic risk is a concern. The European Stability Board also suggests that financial organisations are very intertwined and connected. So there needs to be resilience supporting that. And finally, we ended with emerging threats—such as China, AI, and so on.
Jeroen: That’s quite a lot in 20 minutes.
Ricardo: I know.
Jeroen: I don’t know how you did it, but—
Ricardo: I know. But the main topic was the evolution of resilience. I chose those three subtopics just to get a flavour from the participants. And I think, if I had to summarise, the last keywords were very interesting—which were “organisation” and “risk management.”
Jeroen: And that’s because you asked them to use just one word, right?
Ricardo: Exactly.
Jeroen: Organization and—
Ricardo: There was more than one word, but—risk management.
Jeroen: Risk management. Yeah. So why were they—why were they so telling, in your point of view?
Ricardo: I think—so for me personally, I can tell a story, and this “organization” word also validates my hypothesis. Which is—if you look at Fortinet, right, we sell a large portfolio. And if we look at how our portfolio is positioned in the Middle East, we sell much more on the response and recovery side. Why is that important for this discussion? Because I think—and if you also look at the evolution of risk and resilience—you see that advanced economies are more risk-averse than emerging economies. And that’s why I see that reflected in our portfolio as well: more post-breach focus. So for me, “organization” also shows that we, as advanced economies, are still more focused on detection and protection. And like I said, part of our portfolio sells much more on the response and recovery side in the Middle East. My hypothesis—and my opinion—is that they don’t have as many regulations, and they are more risk-embracing because they haven’t had to follow so many rules for so long. It’s a more risk-embracing environment. And I think DORA is actually forcing financial institutions in advanced economies to be more risk-embracing as well.
Jeroen: That was good. Okay, that’s interesting. Do you guys agree with the hypothesis, or do you say, like—well, Ricardo, it’s a nice one, but I don’t fully agree—if you’re also operating globally?
Filip: I mean, in general, I do feel like this drive toward more balance between prevention and recovery is something that’s happening. And yes, there are definitely regional differences. Like, for example, we’re extremely busy in Nigeria at the moment. And—to your point—there’s an opportunity for them to sort of leapfrog, because there’s a lot of historical stuff that they don’t really have to care about anymore, right? And they can immediately jump to a solid conclusion like: can we focus on cyber from a cyber resilience perspective—while, of course, still having prevention and the baseline tooling that you need. But they’ve seen what’s happening in the rest of the economy, in the rest of the world. So they do have this ability to, you know, leapfrog us a little bit, to that extent.
Ricardo: I think we also saw that—for example, in South Africa—the privacy laws, they picked and cherry-picked from GDPR, from the California law, and they actually did something which, in my opinion, is quite substantial. And it’s up there, in terms of standards. For me, I think it’s called POPIA or something like that. So it’s quite nice.
Rudrani: Yeah, so I agree. But that’s also why you have the topic of resilience—and people call it a buzzword—but the definition behind it, to summarise, is traditional business continuity management linked to risk management. And it goes broader than cyber. If you just look at what we’ve been used to in Europe—we were used to the norm and the establishment set by the world around us, on all levels. Not only technology, but also geopolitically, and all the things around it. It requires a mindset change, right? To embrace the idea that tomorrow is not the same as today. And that’s something the entire ecosystem needs to adapt to. And one part of that, of course, is the cyber part.
Jeroen: So, aside from your panels, we also had quite a number of other speakers, right? We had a short video message from someone at the European Parliament, we had someone from the board of KPN, and the CTO of Rabobank—just to name a few other items on the programme. Was there something that stood out to you? I’m looking at all of you, so whoever wants to go first—something that really resonated with you, or a point someone made?
Filip: One surprising thing for me—and it’s not one of the ones you mentioned—was the session with the AIVD, when it came up that the Netherlands has an APT capability.
Jeroen: So that’s the Dutch secret service—yes.
Filip: Yeah, exactly. That was really interesting to hear. That the Netherlands also has offensive capabilities, which I think makes a lot of sense—of course, with the mindset of defending what needs to be defended in the Netherlands. Not for monetary purposes, like some other APTs, but still, it was really eye-opening.
Jeroen: Yeah, I agree with you. I hope it’s not for offensive purposes. Well, it’s offensive anyway, but hopefully just aimed at criminal activity. Could you elaborate a bit? What are they actually doing with that capability?
Filip: Yeah, I think the idea is—if I put myself in their mindset—it’s about defending intellectual property. One of the examples they gave was that, if you look at the technologies Russia is targeting, seven of the top ones are very much Dutch, like agriculture and related sectors. That’s always been the case—Dutch tech is ahead of the curve. So there’s a lot of IP to protect. And if you can take that IP and reuse it, either from a Russian or Chinese perspective, that becomes a really interesting idea economically.
Jeroen: In some way, that validates your hypothesis—right? Protection. To your point—and I know this is audio-only, but I’m pointing at Ricardo right now.
Ricardo: Yeah, but for me, sometimes the game is also political. Let me elaborate on that. For example, like you said, I think the Dutch were quite ahead of the game when it comes to information sharing. We had TMNL—Transaction Monitoring Netherlands—a few years ago, even before DORA.
Jeroen: As the cooperation between banks doesn’t exist anymore for AML, yes, just keep going. Exactly.
Ricardo: And for me, it was just surprising. I was at an event with regulators, and I asked, why aren’t the Dutch in charge of this? They already have the know-how and could lead it. Surprise, surprise, two months ago I saw that the centre is going to be in Frankfurt. So sometimes decisions are made at the political level. I’m not saying that’s good or bad. It just is what it is.
Jeroen: Anything to add, Rudrani?
Rudrani: No, just on your earlier question about takeaways from the sessions. What I really liked about today’s event is that we had a broader ecosystem present. We started with politicians, then board members, CISOs, the AIVD, and then ended with a criminal. Former, I mean. At least that’s the claim.
Jeroen: Former.
Rudrani: Good correction. One of the key takeaways and messages was about collaboration. You have to do this together. You need to understand all those different perspectives, because everyone has a piece of this chain. And if you don’t know what the others are doing, you can still act, but not as effectively. So for me, it was great to hear all those different views.
Jeroen: Yes, that’s a good point. What I didn’t really understand, and obviously I’m not in this space, is that almost everyone said we need to cooperate better. So why isn’t that happening? I’m sure it’s something you could talk about for hours, but what are the key reasons that cooperation still isn’t working well between, say, the private sector and the government?
Rudrani: I think people do have the willingness to cooperate, but the mechanisms still need to be created. And then people look at each other and say, who’s going to take the lead? You heard some examples today. During COVID, one person stepped up and took charge. And I think that’s the shift we need to make. In a crisis, someone always stands up, but we should prepare ahead of time. Governments have quite an important role to play here. And you see that with initiatives like DORA and others. They’re trying to set up forums and mechanisms. But to be honest, it should move faster.
So the willingness is there. That’s a really good start. People want to collaborate. But then the question is: how? And how do you do it in a structured way? One of the things Chantal Vergouw – Chief Business Market & Member of the Board of Management, KPN, mentioned, the CISO community—
Jeroen: She’s on the board at KPN.
Rudrani: Yes. So the trusted circle. There are a number of companies in that, but if you extend it to include everyone, it stops working. So the structures need to be in place. And I think that’s where the Netherlands, and Europe more broadly, is trying to help.
Jeroen: What I find fascinating is that apparently we need a crisis, right? My words, but it seems that’s what makes things work better. Because that’s what you’re saying, right? COVID showed that things were possible, apparently. But if you look at everything today, almost everyone said we are pretty much in a cyber crisis. The number of attacks is enormous, and the consequences are enormous. Everyone said the same thing—banks could go down easily, or at least relatively easily. Again, I’m paraphrasing. But apparently, it doesn’t feel like a crisis right now. It’s not a question, but who wants to comment?
Filip: I think it’s always the same. For us as humans, it’s the same with health. We all know we need to eat healthy, work out, avoid stress. But once you have a health scare, that’s when you start eating healthy and working out. And probably six months later, you’ve already forgotten and you’re back at McDonald’s or wherever. I’m not sure if I can name a brand here, but—
Jeroen: Totally fine. Burger King, whatever.
Filip: Yes, exactly. And I think to some extent it’s the same here. Even if it happens to your neighbor—say you’re a bank and it happens to a competitor in the same country—your first thought might be, yes, but it won’t happen to us, because we have XYZ in place. So unless it actually happens to you, that’s the real trigger to take action.
But I agree completely. We should look realistically at what’s happening in the world right now and take lessons from it. We need to be much more focused on this. Even from a technology perspective, for example, exchanging indicators of compromise to fight against zero days. We can already use those technologies today. And I know a lot of customers who are doing this, even though they are competing with each other. But it needs to happen at a higher level, to your point.
Jeroen: And Ricardo, did you agree with the statements that banks could relatively easily go down for a few days? Could you see that happening? Because that question was posed at some point. Not everyone agreed, but—
Ricardo: Let me explain. If we look at the energy value chain, think about what happened in Portugal and Spain. If there’s no electricity for a while and the generators run out, then what happens with the main infrastructure? Were you there, by the way?
Filip: No.
Jeroen: Okay.
Ricardo: Still, I tried to call friends and family in the first few hours. I couldn’t get through. After that, just silence. It was scary. But this ties directly to what Filip was saying. I’m not a believer that there needs to be a crisis. I believe in nudging. I believe that policy should be in place. In my opinion, what happened in Portugal and Spain involved experts explaining that there was a huge investment in renewables, which is fine. But you should still spend some money and invest in maintaining the existing grid. When that didn’t happen, we all saw the result.
It’s the same with policies. We should be acting proactively from a policy perspective, nudging people in the right direction. I don’t believe in waiting for a crisis to drive behaviour change.
Jeroen: Oh, definitely. I think nobody believes in initiating a crisis, but sometimes, you know, they say never waste a good crisis. Sometimes it helps things move faster, right?
Ricardo: Yes, but are you really affecting behaviour, or is it just that we as humans are quite adaptable? It might be that we forget again down the line.
Jeroen: Yes, that’s what Filip said. Like six months after a health scare, you’re back to eating the wrong things again. So true. Makes sense. I’m moving toward the end of this short and sweet episode. Maybe one or two final rounds. Is there anything you’d like to add—something you learned today, something you found interesting, or someone you met who stood out? Anything that comes to mind to share with the audience?
Rudrani: I really enjoyed connecting and hearing different perspectives. In your day-to-day work, you tend to speak with the people you already know. I think the presentation from AIVD and the former criminal, not current, helped update your views. Especially at the end, during lunch, you can talk about these topics in a different context. I really enjoyed the connecting part of the event.
Jeroen: And you mentioned Alex Wood – Former Fraudster, Motivational Speaker & Government / Banking Advisor. Was there something you learned from that? Apart from the fact that it was an extraordinary story, exciting and all that, but was there something useful in it?
Rudrani: Definitely. The way he explained how they operate. To be honest, a lot of it we already know and that’s how we implement, but when he explains it, it sounds so simple in some cases. That’s how the criminal mind works. Telling the story in that way really helps raise awareness. It’s not that complicated. You need the skills, yes, but it’s not impossible. People fall into these traps every day.
Ricardo: I can go. Crime does not pay. That’s my short version. I think overall, just to echo what Rudrani said, having a broad mix of stakeholders—from the board, the chair, the CISO, C-level executives, and people working on the ground—gives you a unique perspective. It allows for real conversations across the organisation. Why is that important? Because when we’re trying to affect change, I believe in a dual approach. If you only look top-down or bottom-up, it doesn’t work. You need both together. Having all those stakeholders in the room and being able to speak with them was what made this event really valuable.
Filip: Yes, I’d like to echo that too. We talked a lot about DORA and cyber resilience. One of the benefits that came up today is how DORA provides an open invitation to engage with senior leadership, to have those conversations with the board. There’s a shift in responsibility happening now, and I found it really interesting to hear that we’re all starting to think in the same way about it.
And one additional thought on that, which I read recently from the CISO at Amazon. The way he thinks about it really fits well with DORA and regulation. He says, you have to turn the question around. If you were the board member, what question would you ask your CISO team? And how afraid would you be to answer that question? That’s the question you should be asking. And that’s how you build a cyber program.
Jeroen: Wonderful. Before I thank you for joining, is there any last comment you want to make? Something we should take into account? Maybe a topic we should definitely include next year, or anything else. Any final thoughts before we wrap up?
Rudrani: No, I think I’m just looking forward to next year. It was a really nice and packed agenda, but I’d love to see even more opportunities to connect with one another. I think that would be really valuable.
Jeroen: It’s hard to fit everything into such a short programme, but I agree. I totally agree with you.
Filip: Yes, I definitely echo that. I think the most important part is the ability to connect and step outside your own echo chamber—to hear other thoughts, to learn what people are working on, struggling with, and what their experiences are. That’s probably the most valuable part.
Ricardo: All good. What Rudrani and Filip said reflects what I believe as well. A bit more downtime to connect and talk with the other stakeholders would be great. But overall, it was very good.
Jeroen: I feel a bit bad that I took the last moment you had to speak with your peers and used it for the podcast. So sorry for that. But thank you so much for taking this valuable time to speak to me and to share your insights here at the Leaders in Finance Cybersecurity Event. I hope to see you again next year. And to our listeners, I hope this episode made you excited about the event and that you’ll join us next year too.
Again, Rudrani Djwalapersad, partner at EY, Ricardo Ferreira at Fortinet, and Filip Verloy at Rubrik—thank you so much for taking the time to speak with us.
Voice-over: You’ve been listening to Leaders in Finance. We hope you’ve enjoyed the episode and would love to hear from you. What’s on your mind? Who would you like to hear next? Let us know in a review, an email, or get in touch via our social channels. We’d greatly appreciate it.