–> This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on 25 May 2023
Jeroen: Thanks for taking the time. First of all, could you introduce yourself?
Rudrani: Yes, sure. My name is Rudrani Djwalapersad. I lead EY’s Cyber Security & Privacy team focused on the financial sector in the Netherlands. I have over 12 years’ experience in the cyber security field. I mainly work for fortune 500 clients and I am one of the EY’s EMEIA FSO cyber security competence leaders on strategy, risk, compliance, and resilience. I work closely with my clients to make their organisations more secure without losing sight of their business strategy and resilience.
Jeroen: And do you work a lot for financial institutions?
Rudrani: Yes. My main clients are indeed the financial institutions. So in the Dutch market these are the banks, the insurance companies, asset managers and pension funds. I also work with financial institutions outside the Netherlands, as part of our global financial services practice. The financial institutions are at the core of what I do.
Jeroen: Great. It’s probably hard to summarize, but what would you say is the most fun part or the most interesting part of your work and your role?
Rudrani: This answer might sound like a cliché, but our purpose is building a better working world and I think that by helping and focusing on cyber and privacy, we really contribute to building a secure world. Making an impact, trying to indirectly support our clients, financial institutions which are critical to society, helping them to be more secure. That to me is one of the most satisfying but also most impactful things that I can do as a professional.
Jeroen: Right, that makes sense. So cyber security is all about threats. What would you say are the biggest challenges or threats at the moment with regards to cyber security specifically from a financial institution perspective?
Rudrani: I think there are two things. There is indeed the threats angle. So those are the ransomware attacks, the supply chain attacks, so anything from an outside-in-perspective. That’s the outside world trying to break into the inside element. It is something that I see a lot of organizations focusing on, but I do believe they should focus more on the inside-out-perspective. How do you make sure, and design your security in such a way, that you are not putting holes or vulnerabilities in your environment to begin with? So you need to understand the threats, but you also need to ensure that in design, you are not creating vulnerabilities. I see a lot of organizations focus on the external world, on threats, and I personally believe much more effort should also be focused on the product, on the services that you deliver, to make sure that they are more secure and that you are not putting vulnerabilities in your ecosystem.
Jeroen: Could you give us an example of that inside-out threat or structure, issues that are causing cyber security risks?
Rudrani: Well for instance, I think that a lot of securities are built on instead of built in. What you would want is for cyber and privacy and data to be addressed from the start. So if you are building a new payment application or any kind of financial services product, you would need to make sure that once you put it out there, present it to your clients, but also implement it in your infrastructure, that already then the cyber data requirements have been taken care of. What we see sometimes is that cyber, privacy and data are not part of the initial design of products, so it might be looked at only when it goes live or maybe it is even accepted not to have it. So when it’s in production or live, you already begin with a vulnerability and then you need to repair it. So how do you make sure that this is already taken care of at the beginning of the design process?
Jeroen: Right, and not after the product is launched when you start seeing potential threats and then actually need to build it in. That’s obviously a lot harder to do, I guess.
Rudrani: It’s harder, it’s more expensive and it’s not the most efficient way. So this is not about policing; it’s really about, “How can you make it work?” I once heard someone use the metaphor of a Formula 1 car with brakes. The brakes are not there to make you go slower, they are actually making sure you can go faster without going off track. That’s the thing: you want all the engineers, everybody to be part of building that Formula 1 car and helping the driver to succeed. I think that’s also what you would like to see from a cyber point of view.
Jeroen: Yes, that’s a great comparison that speaks to the situation. If we take cyber security one level up, so not on a financial services level, but on a society at large level, are there particular challenges you are mostly concerned about?
Rudrani: It’s the interconnectedness. The European Union classified it as the digital decade. There are a lot of regulations and points of view coming around, and the digital environment is highly interconnected. For instance, with the NIS2 Directive, it’s about how the Netherlands can cooperate across different critical sectors, but also about cooperation within Europe. One of the main risks that I see is that once some critical infrastructures are hacked, it could also mean destruction for others. So key to society are the efforts around building overall operational resilience across sectors and countries. A lot of efforts are happening around this, and presumably more will come. But the overall cyber resilience across society needs to be achieved by working together across sectors, across countries.
Jeroen: Right. The whole situation with Ukraine and all the geopolitical turmoil around this, is that causing more cyber risks – for the Netherlands or broader?
Rudrani: The studies on the degree of this increase differ. But I think that in essence, which is what you see in Europe too, the situation just emphasized the importance of working together. The political landscape is changing. Like I mentioned, the infrastructures are connected, so the war in Ukraine definitely increased the risk. And it also emphasized the importance of cross-European collaboration. We have to become prepared for this kind of destruction.
Jeroen: Right. So technology is something you work a lot with, right? If we look at technology from two different angles, either as a solution to problems or as an additional risk, could you mention some examples or the most promising factors around the use of technology?
Rudrani: This is also a broader conversation we are having with some of the regulators. I think that we need technology like AI and different technologies to accelerate, to innovate, to deliver better products. On the one hand these are important, in order to have a competitive advantage and also to serve your clients well. But with technologies, as with everything that you do, there are risks too. Technology in itself is not always a solution – it also matters how you organize your process, people and governance around it. That brings us back to the trust by design: technology can really help you deliver better products, as long as you make sure that in design you ensure the different risks are being addressed – and not as an afterthought. I think that is the main thing. You should not stop using the technology, because it is essential. If you compare it to other regions, like in the US or Asia or the Middle-East, the adoption of technology is sometimes much faster than for instance in the Dutch market. So you should use it. Otherwise, why should your clients come to you? But you should do it in a trusted way and make sure that these kinds of risk elements are addressed by design.
Jeroen: You mentioned one important piece of technology, and a topic that is discussed a lot recently: AI and its use. To what extent could AI also be used by the dark side of the world that is trying to hack us, for example?
Rudrani: I think you need to fully recognize that AI is already being used by hackers. So any technology that you use as an organization, hackers have been using a lot already. You need to be aware of it and also understand the techniques they are using to hack your systems, so you can have detective controls adjusted towards it. Any technology is not only available to you, it’s also available to them. That will apply to quantum computers and it will help you deliver some other products, but it will also help them to hack you with much more computing power. So you need to acknowledge and understand the technology, be aware that your counterparts have it as well and they use it to attack you. So it’s also about understanding how they are used as part of their attack techniques.
Jeroen: Right. Last but not least, Rudrani, what would you give as tips to starters in the workforce, who want to work in the cyber security field or are attracted to it?
Rudrani: This is something I say to people that apply at us as well. I think the most important thing is that you need to like the topic. You don’t need to have a specific background on it per se, but you need to find it interesting, you need to want to learn more about it and you need to want to develop yourself in the field. The moment that you have an interest and a passion, there are different ways, different certificates, different kinds of things that you can develop, training on the job is one of them too. The most important thing is that you need to find it interesting, you need to like spending time and reading on it. But you don’t need to have a certain specific background. I think that is the beauty of it as well: I have people in my team from a crisis communication background, or like me, financial law, business administration. People that are engineers or hackers. So it’s very multidisciplinary.
Jeroen: Great answer and I’m sure you are exactly at the right place where you are, given your passion for the topic. Rudrani, thanks a lot for taking the time to talk to us and we’re very much looking forward to have you at the Leaders in Finance cyber security event. Thank you so much!
Rudrani: Thanks, Jeroen!
–> This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on 25 May 2023