-> This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on 25 May 2023
Transcript: Lokke Moerel
Jeroen: Lokke, thanks for taking the time to talk to Leaders in Finance in the run-up to the Leaders in Finance Cyber Security Event. First of all, could you please introduce yourself?
Lokke: My name is Lokke Moerel and I am a global expert on new technologies and cyber. I am professor of global technology & law at Tilburg University, a lawyer in the global data privacy & cyber security team of Morrison & Foerster and also a member of the Dutch Cyber Security Council.
Jeroen: That is a very strong and relevant background for this short interview, and for the event. Have you been a professor at Tilburg University for a long time?
Lokke: Since 2014.
Jeroen: So you have been involved for quite a while. Are you mainly teaching, or also publishing articles and doing research?
Lokke: I publish a lot, mostly on the impact of new technologies on society, like artificial intelligence, blockchain, etc. I just finished a lengthy piece on the impact on society of the metaverse. Relevant for cyber are my publications on the EU’s quest for digital sovereignty, due to the increasing cyber threats, the tech cold war and digital dependencies on a limited number of foreign tech companies.
Jeroen: It is probably hard to summarize, but if you could try, what is the most interesting thing about cyber security for you?
Lokke: To me, it is that cyber security is one of the most multidisciplinary topics you can imagine. There are the hardcore technical security aspects, there is the continuously changing threat environment, there are geo-political dimensions, there is the human factor, the emerging field of cyber risk management and incident preparedness and response. On top of that we now see cyber security law emerging as a standalone field of regulation rather than as part of other laws (like the GDPR, eIDAS, PSD2, etc.).
Jeroen: Can you explain why we suddenly see specific cyber security laws emerging?
Lokke: There are two reasons. We need to better defend our critical infrastructures and the essential services they provide. After the NIS directive was implemented, it became quickly clear that we needed to broaden the scope of the covered critical infrastructures by including more sectors of society (including the public sector), and also make sure that the obligations of the critical entities should be extended to ensuring the security of their supply chain.
The second reason is that due to the lack of cyber security requirements for software and digital services, we still have a system in which the risk of cyber security incidents is with the user of products or services, while these often have far less expertise than the providers. We need to ensure that products and services are secure in the first place, rather than being dependent on whether an individual clicks a phishing link or not, or on whether my 75-year-old mother installs the right anti-virus software. We need to shift the burden for cyber security away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us. And yeah, that includes the financial institutions. In both areas the EU has stepped up with a suite of new legislative measures.
Jeroen: So if I try to summarize why you find cyber security so interesting, is it the complexity, as there are a lot of stakeholders involved and the playing field is constantly renewed with new subtopics and legislation coming up?
Lokke: I could have given you that answer, Jeroen! The other answer is that I get bored quickly.
Jeroen: There you go, that’s indeed a good one as well. As you know, we are specifically focused on the financial services industry. What do you see as the biggest challenges for financial institutions?
Lokke: The established financial institutions need to innovate, and any form of innovation involves new digital technologies, which in turn bring new cyber threats. Traditionally the IT departments of these institutions are so focused on stability and security that it is a challenge – especially with so many legacy systems – to turn their current business models into new digital business models while making sure they live up to the security requirements. A second issue is that these institutions have more and more digital service suppliers, and are working in an ecosystem. DORA requires the financial institutions to have adequate cyber supply chain management. They basically need to control their ecosystem. Considering the shortage of talent we see at the moment, it is likely that the best professionals will go work for the financial institutions. But who is going to work for the rest of their ecosystems? In practice the DORA supply chain requirement will likely entail that the institutions will need to take responsibility to make sure that their whole ecosystem is meeting the minimum requirements, rather than just looking after themselves. This is a new role.
Jeroen: That is a great answer, very clear. If I were to pose this question again, but focusing on society at large instead of just the financial services industry, what do you think are the biggest threats or challenges for society at the moment? Let’s focus on the Netherlands for now.
Lokke: I think there are two fundamental issues. The first is the increasing cyber workforce gap. According to the World Economic Forum Future of Jobs 2023 report, cybersecurity is among the top strategic skills for the workforce. Yet, there is a global shortage of 3.4 million cyber professionals. In Europe, we managed to grow the cyber security workforce by 12% last year, but at the same time the workforce gap has grown more than twice as much as the workforce itself. This number is only expected to grow as the impact of emerging technologies is felt across organizations. To illustrate, while the rise of Generative AI (GenAI) has its benefits, it also heightens cyber threats such as phishing and identity fraud, which add to the workload of overstretched cyber teams.
Due to the workforce shortage, retaining cyber talent proves difficult. Pressure and burnout are frequently listed as reasons why cybersecurity professionals leave their jobs. So we need to scale up cyber education drastically, but how do we do that if all experts are fully employed already? By now I think no single actor alone can find the solution. It requires collaboration across the public and private sectors. Educating students is not sufficient; we need to re-train and upskill the current workforce with professional training. This really requires a national education delta plan, where all stakeholders chip in.
The second fundamental issue we see is that the cyber resilience gap in society is growing as well. Like with the workforce, we grow in resilience, but the bad guys get better as well. The large financial institutions may well keep up, but the resilience gap is growing for all smaller companies in their ecosystems. The workforce gap and resilience gap are obviously related. If you lack the required professionals, how can you narrow the resilience gap?
Jeroen: Right, that makes total sense. Are there any parts of technology that you are particularly concerned about, or that you consider to be promising on the defending side of cyber security?
Lokke: AI is a real gamechanger. The first law of technology is that it is not good, not bad, but also not neutral. With AI, bad actors can detect and exploit vulnerabilities automatically and on a large scale. However, AI can also make it possible to automatically detect and restore vulnerabilities in software. We will, therefore, have to innovate to be able to keep ahead of the criminals. We see the same with GenAI. You can use GenAI to correct errors in source code, to monitor whether anything is wrong. But I have also seen GenAI applications generating the perfect phishing e-mails; I can now get one in my daughter’s writing style – it is amazing, the tone of voice is exactly right. So these technologies can be good and bad, but in any event we need to innovate and try to stay ahead.
For a long time, everybody has been talking about the fact that we need an innovation hub for cyber, with a campus and everything. And then there are others advocating that we need a hub for AI. But I think those should be joined together. They need to talk to each other.
Jeroen: If you were to advise a person who is starting in the field of cyber security, whether in tech or in legal – it is a broad question, feel free to take it in any direction – what kinds of tips would you have for them?
Lokke: I think this is the perfect time to start a career in cyber security. Studies show that only 47% of them had an IT background. So they come from all fields, totally unrelated to cyber security. And that is possible because the field is so multi-disciplinary; nobody is an expert in all aspects. Also, cyber security experts need to learn about other fields like global incident response management and the legal security incident notification requirements. My point is: they all need to learn. In Tilburg, we are currently starting the first multi-disciplinary professional learning course. The experts in the different fields come together to teach each other, so that they all get to a higher level and can then act as teachers themselves. And that is what we need. It is not just one single discipline anymore. To come back to your question, they say GenAI is going to replace your job. Not in cyber, I tell you.
Jeroen: Great! Last question: you will be a keynote speaker at the Leaders in Finance Cyber Security Event. Is there something in particular that you want to highlight?
Lokke: Financial institutions are now all studying the letter of DORA and trying to decide where to adjust their practices to comply. If I see the amount of cyber security legislation in the works all over the world, in each and every country, I think you need to take a more global approach. You can choose to just look at the detail of the law, but what you really need to do is think: “How am I going to implement a global security risk management program so I have a defense wherever I am?”, rather than a black letter approach. You need to implement DORA in spirit. Don’t resist it, embrace it. Because this is the future. It is very much as it was with GDPR. First everybody resisted GDPR. Then they embraced it and used it as the global basis. They were then able to comply with any new laws that kept (and are still) popping up.
Jeroen: Great. Well, I am sure you will tell us this again on the 25th of May. For now, Lokke, thank you so much for your time. I am very much looking forward to having you at the event.