The Resilience Factor Podcast

S1 E6 Building resilience in Financial Services with George Briford

Season 1 Episode 6

George Briford, Director of Financial Insights at IDC, joins the Resilience Factor podcast to explore how financial services are adapting to a rapidly shifting risk and regulatory landscape. He discusses the impact of frameworks like DORA and NIS2, the push to modernize legacy systems, and the growing need for agile, cross-functional collaboration. George also highlights why effective CISOs must bridge the gap between technical expertise and board-level communication to drive true resilience.

Speaker 1:

Hello and welcome to the Resilience Factor podcast from Zscaler. I'm your host, Jenny Radcliffe. Cyber resilience is fast emerging as the driving force behind survival and success in a world of unprecedented digital transformation. Through trend-based discussions with cybersecurity experts and pioneers, real-life case studies and practical advice, the Resilience Factor offers the tools and strategies needed to build business and personal resilience in all areas of cybersecurity and networking. You'll get to hear from a range of industry-leading professionals and experts at the very top of their game. Join us as we build a vital resource to drive organisational resilience within a fast-moving security landscape.

Speaker 1:

This week, we are joined by George Briford, director at IDC. With a career that spans over two decades, including stints at companies such as PwC, Capgemini and Accenture, George has held his current role at IDC since March 2021. As the Director for Financial Insights in EMEA and Central Asia, George works at the coalface of the ever-evolving financial services industry. So who better to provide insight into the recent regulatory twists and turns, the importance of business continuity and, of course, how FS businesses can be more resilient? George, welcome to the podcast.

Speaker 2:

Hello Jenny. Thanks very much for the invitation.

Speaker 1:

First question for you: can you talk to me a bit about how the financial services landscape has evolved from a resilience perspective over the last few years?

Speaker 2:

I would go back in time a few years, back to the Lehman Brothers crisis. In its aftermath, all the focus was on capital adequacy, asset pricing, balance sheet management and operational risk and resilience. It was not really a topic, actually. The big shift came really in connection with COVID-19, when suddenly mainly banks found themselves with a non-accessible branch network, which spurred their digitization efforts in all aspects. Branch networks had to access their systems from home, with all their connected cybersecurity and, of course, fraud risks. Also, several banks and, we should not forget, insurance companies were in the process of, or had finished, a number of migrations to the cloud in connection with their legacy modernization, and this really triggered a major discussion about cybersecurity, not only from a work-from-home perspective, but also from a cloud perspective.

Speaker 1:

Can you tell me, George, about the IDC financial services survey that you did last autumn?

Speaker 2:

So the first question we asked the financial entities: what are your top business priorities? And guess what, no surprise that compliance, regulation and risk management was the leader, where 46% of entities say yes, this is my absolute top priority. Financial crime and cybersecurity, that's the runner-up, but 44% agree. There's basically no difference. And then we have operational efficiency as the third top business priority, which 38% agree with. So it's very much oriented on resiliency, regulatory requirements and resiliency.

Speaker 1:

How do you see it continuing to evolve? There's an awful lot of legislation. There's a lot of guidance out there. What more can they do? How can that keep evolving?

Speaker 2:

I think it's not only me. There's going to be a lot more harmonized global regulations and standards, and why? Well, it's simply because the costs are so high for the financial entities and there's a high level of complexity, and you have to think that, you know, really, the regulation starts to be a burden instead of a protection of the customer or the overall financial system. So it's this international coordination. The international bodies have to work to harmonize standards, to reduce fragmentation, and this includes simplified reporting. How do we report? Why is one country so, let's say, abruptly different from another country? However, this being said, sorry to spoil the joy, there will be continued increased regulatory scrutiny in the case of financial crime and consumer protection. That's for sure.

Speaker 1:

So, George, what impact does all this have on a financial organisation's ability to sort of prepare for the unknown and show business continuity? Sounds like an awful lot of paperwork, an awful lot of red tape. How does it actually impact the ability of organizations to prepare?

Speaker 2:

I think there are, in essence, two approaches. There's one a little bit more taxative, more prescriptive approach, that of DORA, the Digital Operation Resiliency Act, in the European Union, and then you have the more principles-based approach, which is the approach of the UK, and then you have everything in between across the world. It would be wrong to say that one approach is better than the other, as they both have pluses and minuses, and we should rather look at this problem through the lens of the clients and the regulators, but not always. Cloud-native, microservices-based solutions, managing containers, integration through API cores, etc. So what we see, and we see going on right now, is a lot of legacy replacements.

Speaker 1:

So are you saying that one of the big drives is to get rid of legacy systems, that that's a practical way to help them prepare, because surely that's a difficult cultural and financial ask?

Speaker 2:

Yes, it's about technology. What sort of architecture do we want to have? How does that, let's say, potential target or to-be architecture fit our business? If you want to change from A to B, how do we go about this? Are we going to go for some sort of gradual transition? Are we going to go for a big bang? What sort of technology? When we decide for progressive modernization, how do we want to deal with it? Because, let's be frank, this is not a cheap exercise, to replace a legacy solution.

Speaker 1:

No, sort of. What I'm hearing is that really it's not cheap and it's not easy, but the amount of legislation that's in place, the variety of legislation depending on geography, et cetera, means that most businesses are probably going to have to take that kind of audit of what they've got and make those difficult decisions at some point. You're saying start with what you've got, check out those legacy systems and really make sure that they're serving you going forward, because things are changing. It's something that we can't do anything about. Is that kind of what you're saying? It's going to happen anyway. You have to comply anyway. So the best thing to do is really take that, you know, take that audit to try and get as ready as you can.

Speaker 2:

I mean absolutely. I mean, you know, I've just spoken to a bank. The CTO said, well, we have done an audit, yeah, and we don't fear an immediate risk that the regulator will come and tell us to stop operations because you're too much of a risk, which of course includes cybersecurity risks, etc. So he or she said, hmm, we're going to run until we almost hit the wall. We have a contingency plan, right, and then we do a big bang. Oh, okay. Again, it's a cost.

Speaker 2:

And meanwhile we have to somehow, coming back to your previous question, figure out how to do the change management thing. Do we want to do, you know, a really progressive start, small and scale up? Or do we want to have a big bang? But for the time being, we're running because we don't have a regulatory risk, we're not fearing losing our license tomorrow. This being said, the technical debt grows, and this also means that cybersecurity, I mean our, let's say, antagonists, they don't sleep. So I mean, you run with a legacy system and you have to be extremely careful and you have to be very, you know, alert. Where are the existing risks, how do they evolve, and what potential new cybersecurity risks are actually opening up or being introduced? And that, of course, includes fraud.

Speaker 1:

I'm so interested in your take on that particular aspect, George, just personally, because you've obviously sort of gone through these exercises, these consultations with lots of businesses. Do you find that they understand that point, that the antagonists, you know, these malicious actors, do they understand that they don't care about this and they're going to go for you anyway? I ask because when I've worked with businesses, there's a sense of injustice, like, well, we have to do these regulations. It's almost as if they believe that everyone is going to comply or try and comply, but you and I know that the people attacking those businesses are not going to try and comply. Do people resent, I suppose, having to do these deep dives into their tech, into their debt, their technical debt, and into "we have to comply with all this", when our adversaries, the criminals, don't have to do it? What sort of conversation do you have around that?

Speaker 2:

Obviously, regulation is a burden, but, on the other hand, where do we get our revenues from? It is our clients. Without our clients, we would be really nothing. So it's always a cost-benefit of understanding. Yes, we have to not only protect ourselves, but we have to protect our clients. In the electronic banking, it doesn't matter whether it's mobile, whether it's laptop-based or whatever, where are the loopholes? I mean, do the clients use it in the proper way? What are the problems, what are the risks there? So it all comes down to really understanding. If the clients do not feel safe, and if we do not feel safe, well, we don't have a license anymore.

Speaker 1:

Exactly. I think this is such an interesting way of framing it, and what you just said then as well, about, well, you know, where's the revenue come from? It's come from the clients. It's a cost saving, just like sort of getting insurance before you drive a car or, you know, looking after your diet so that you're healthier in the future. I think that agility aspect is something that I remember from years ago, looking at in businesses, the idea of taking time out of a process. I think that the key to it is getting people to invest now so that it's quicker in the future. All right, let's move on a little bit to the landscape. The regulatory landscape evolves very rapidly, and I'm wondering, from your point of view, how much pressure sits with the CISO versus the chief information officer, the CTO. You know, because you've touched on it already, how much pressure is with the CISO and those roles to ensure that compliance? I mean, are they under pressure to ensure compliance, or are they under pressure from everything else that they're taking care of? Do they feel that this is part of their job now, a big part of their job?

Speaker 2:

The question is who owns the cyber risk? Who is accountable? So it is actually the board of directors, the owners or the owner representatives. Well, they are accountable for it.

Speaker 1:

They're the ones on TV when it goes wrong, right? Yes, yeah.

Speaker 2:

Absolutely, but the CISO or CTO or CIO actually should own, or must own, the answers. So how do we deal with it? So it's very much a question of communication and, yes, sometimes I have the feeling that the CISO or the CISO team or security team, same child, many names, is a little bit too operative and they need to pick up the skills to be able to talk at the board level. I mean, I don't again have any data points, but security is talked about in banks, insurance, I mean financial entities, for sure, at the board level, sometimes not at that great depth. But the point is, if the CISO comes up to the board, he has to be, or she has to be, you know, able to communicate risks, remediation, proposing KPIs in a very, let's say, tangible, easy-to-understand and operational way. So, and getting allies to understand this, the CISO needs to be able to get, quote unquote, buddies with the business people.

Speaker 1:

See, I think this is such a good point that you're making, George, and it's something that comes up a lot, because there's part of me that thinks that if you've got a CISO, you know, one child, different names, that's a great phrase. If you have that person, they may be brilliant at their job, but they may not have those business communication skills that they need. And I've started to come around lately to thinking that maybe we need two. You kind of need the person.

Speaker 1:

If you've got a person there who's not as comfortable and doesn't communicate as well, I sometimes think the buddy system that you've just said, the allies, maybe need someone to sort of help, you know, one to present and translate into business language, rather than focus on the technical, and maybe that number two role is the person that's very technical, because I think to find someone who's really good at both is quite difficult sometimes, and then they get the blame for not communicating well at the board level in a crisis or in any other situation. So I think it's a big ask sometimes, although I don't disagree. It's important, I agree with you. But I just, I can understand why businesses get frustrated, but I understand why people in that role get frustrated as well. They're not hired for that, and I don't know what the answer is. What are your thoughts around that role and growing the role, because maybe we're asking too much?

Speaker 2:

Yes and no. I don't believe in superhumans. Somebody has to understand the technology at a very detailed level and come with solutions. Somebody else has to be able to understand this and communicate with the rest of the financial entity. And that's where I think an agile way of working actually comes into play, where the various types of categories of people, if I can say it this way, they come together and they basically get to know each other. They start to understand the requirements. The techie person, to put it in plain English, starts to speak, perhaps after a while, in a less techie language. And the business people, they start to understand the technology aspects, the compliance aspects.

Speaker 1:

This is a sort of a quick question: how long can a system be down for, and what sort of punishment do companies face?

Speaker 2:

So if you're in a shopping mall and you have your five or six children with you and they want to go shopping. 30 seconds, 45 seconds. You can't pay because some silly, let's say, device in a server has gone down. What do you do? You won't be happy, no, and the regulator won't be happy.

Speaker 2:

So it's not only a question of whether it's two seconds or two minutes or two hours, it's a question of how severe the incident is. It's a very tricky question and, yes, the regulators, they have their little, let's say, quote unquote Excel sheets with okay, if it takes more than a second, this or that. But at the very end there is no, let's say, formal rule book on, if you're between one and two seconds, you're going to get one pound or whatever, one euro, in fines, et cetera. So it's a question of combination: how severe it is. And, you know, does it actually belong to a critical business service? And let's come back again to the protection of the customer. If the customer is protected and can carry on its business, well then the institution providing the critical service is more resilient. So it's again a combination of how long, but also how severe.

Speaker 1:

Some of the effects of these things are intangible, right? They're difficult to measure. Do the commissions and the regulators, do they have scales or ways of measuring that intangible aspect? I'm thinking of things like if, you know, a medical system went down and someone missed an operation or something like that, like we had with, you know, some of the problems we had with the NHS going down a few years ago. Can you measure the intangible effects of a system being down, and are they punished for those?

Speaker 2:

It boils down to what sort of impact the client faces. Let's assume there's something wrong with your payment system, yeah, and a client cannot pay, so he or she cannot pay, or the legal entity cannot pay, so there are penalties. Because of this, many things can be, and should be, monetized and quantified.

Speaker 1:

I'm going to ask you this in a really tabloid way, but what's the biggest fine, like, what's the biggest punishment a company could get for something like this?

Speaker 2:

I think the worst thing, which can have many worse things: you can go to jail on a personal level. That's pretty bad. And the institute, the financial entity, can be, well, will lose its license.

Speaker 1:

End of story, end of business. And would that be across Europe, or could that be a global thing? Could you lose a global license? I'm just thinking of the different jurisdictions.

Speaker 2:

Okay, I should watch my mouth here. I haven't got a legal degree.

Speaker 1:

Me either, but I'm interested. Lock him up.

Speaker 2:

That's a tricky question really. But you know, if you are a global group and you have operations in many countries and you lose a license in another peripheral country, you lose a lot of business, you lose a lot of revenues. I mean, it doesn't really matter if it's fees and commissions or net interest income. I don't want to name any names here. But a global group may have huge difficulties in country A, will lose its license to conduct business or will be subject to huge fines and has to close down or sell its business in that country. That will change the overall business model of an institution. We've seen that European entities or banking entities faced huge fines in the US. We have also European entities having problems in Europe, in the European Union, and that has completely, you know, caused a huge metamorphosis over the entire group. I know one bank which used to be global and it has just shrunk to be a significant but still only, let's say, smaller regional group these days.

Speaker 1:

Given what you've said, and we've spoken about the way that the industry evolves and the tech evolves, financial institutions, are they early adopters of solutions to ensure that they are secure, or do you think it's better when they are mature? They have to wait to mature to be effective in their security efforts? So do they adopt early in their life, early in the solution's life, or is it the more mature companies that kind of do better in their efforts at security?

Speaker 2:

I was at a round table where we had a couple of bankers and we had retail people. The bankers were quite surprised that the retailers were not so regulated, if at all, and vice versa. Retailers, or again, I'm not an expert on retail, but they can kick out a minimum viable product or service in an instant and you can try it, actually physically try the service, on the clients. But would you, as a bank client, would you like to be a guinea pig? Would you like to get a little bit less of an interest? Or suddenly some fees popping up without really knowing what it's for, how it happened that you were charged the fee? So basically, I mean, they're regulated and banks cannot take this sort of risk. So it's not okay, shoot, we're gonna have a whole slew of services, we're gonna try them out and if they die, okay, nothing severe will happen. That's not the way a bank or insurance company can work, or an asset manager can work.

Speaker 2:

So there has to be a certain level of conservatism. It's not a question of spitting out, excuse my French, of being very quick to the market but then, you know, biting into the sour apple and taking the repercussions. Oh, we didn't think through the workflow. And again, if you have an architecture where everything is connected with everything and it's difficult and it's very cumbersome to test how things are connected, how services are connected, you can't test just one microservice and be happy. You have to do it thoroughly because otherwise, again, at the very end, the client will be suffering, the client will complain.

Speaker 1:

But, George, do you know what? This is interesting to me, because I completely get what you're saying. But speaking of agility and the ability to change direction, in my experience as a customer of banks, a lot of what they put in is cumbersome to customers, both corporate and individuals. I feel like once it's in, they don't innovate, they don't change, they don't take feedback. You know. So what I'm talking about is the security in place for customers.

Speaker 1:

That is so bad because it's cumbersome, it's complicated, the customer doesn't, you know, and the answer when you say, well, this isn't letting me do this, or I'm trying, they'll say to me, oh, hashtag security. And you know, to try and say, yeah, but you're not, that doesn't make you secure. It makes the customer, and the corporate customer as well, of people I've worked with as a consultant, really want to shortcut everything, because you want to get around all these kind of, it feels like a barrier in banks more than any other company that I've worked with or am indeed a customer of. You know, because of all this conservatism that, I can understand your point, they need. Does that make them slower and therefore, in a way, less resilient?

Speaker 2:

Why do you have to ask these tricky questions? This one is a really tricky one. I don't think there is necessarily an antagonism built in, let's say, between speed or speed to market, or efficiency or customer experience, and security. I'm thinking of the process of onboarding, actually. I mean, there are many onboarding and associated security aspects. You want to change your bank or you want to set up a new account or whatever. You want to buy a new product at a bank where you're not known, so you have to go through the so-called onboarding process. You take advantage of a bank ID, but usually a bank ID in any country is quite safe, so the solution is a bank ID and then it goes boom and you get a new product.

Speaker 1:

I think Iceland were a pioneer in that, weren't they? Iceland did that early on.

Speaker 2:

Sweden. Sweden is another country at the forefront. I think the Czech Republic is doing extremely well as well. So that solution combines the security and speed of getting things done. Let's say then you have an onboarding where you have to take a picture of yourself. You have to take a selfie, you have to take a, okay, liveliness test several times. You have to take a photo of your national ID card or passport, and you may provide, I don't know, a picture of your bill or something.

Speaker 1:

I was gonna say, and a paper bill to your address, which none of us get anymore, and that's like, they're like, oh no, we can't take a screenshot, we can't take a PDF. I'm like, oh God, we don't get them posted to the door anymore. You know, obviously, everything we're talking about, it's a very kind of moving environment. It's a movable feast. Everything's changing. From all your experience and knowledge, what can the financial institutions do just to prepare for this going forward, to prepare for this unknown landscape? And are there a couple of things that you, you sort of, would want to tell anyone: this is what you need to do to prepare for the unknown?

Speaker 2:

Let's forget about technology for a while, but I think it's a little bit like at school. So it's a combination of grit, practice, you know, practice makes perfect, there's a reason for that saying, and creativity. And actually one way of practicing how you can prepare for the, I think you say, unknown is to have unprepared mock exams, which can serve as a key component in preparing for regulatory reviews.

Speaker 1:

Yeah, like tabletop exercises, scenario planning.

Speaker 2:

Coming back to one of the pillars of DORA, the Digital Operational Resiliency Act, was testing and penetration testing. You have to do a lot of planning. Somebody has to do the plan and somebody would be the victim of the plan, so somebody will be exposed to a mock exam or something else. How do you react? There's a threat going on in the network, dear account manager. How do you deal with this? Now you receive this type of funky email. What do you do with it?

Speaker 1:

And also how the organization responds to what you do with it. Whether it's right or wrong, right? It's whether they take lessons from that. Make sure the person's comfortable, use it as an example of a good or bad kind of reaction to it. Nobody gets the blame. We try and make sure that we're all prepared, right?

Speaker 2:

Quite honestly, it's not a question that everybody should be a cybersecurity expert. It's a question of creating awareness, and that sort of awareness, I mean banks and insurance companies, they should have it in the genes, built-in risk management awareness. Hmm, why did I get this sort of email requesting this, either internally or from an external entity or whatever person? So this sort of, you have to be on your alert 25 hours a day.

Speaker 1:

I couldn't agree more, George. Listen, it's been an absolute pleasure to talk to you about this, but I have one more question to ask you, and I know you don't believe in superhumans, because you've told me that you don't. So the question is: what would you, George, consider your resilience superpower to be?

Speaker 2:

Again, I don't think I have one hour to dwell on this, but: think the unthinkable. If something, it's not a question of if, because it will, but what can happen? Then the other, let's say, level is: what is it you don't want to happen? Because that sort of is a weak point. You don't want that to happen because you're not fully prepared for it. So deal with it. And that's what I'm trying to do.

Speaker 1:

Well, I think you're clearly on the side of the angels for this one, George, and you're doing your best. I mean, I say that same advice to people who ask me about careers. I sometimes say, well, if you don't know what you want to do, just think what you don't want to do and then maybe move away from that. George, it's been such a pleasure talking to you. Thank you so much for being such a great guest on the Resilience Factor podcast.

Speaker 2:

My pleasure.

Speaker 1:

So let's reflect on that conversation with George Briford. George had some cautionary advice for organizations running on legacy systems hoping to manage costs.

Speaker 2:

The technical debt grows, and this also means that cybersecurity I mean our, let's say antagonists they don't sleep. You run with a legacy system and you have to be extremely careful and you have to be very alert. Where are the existing risks, how do they evolve, and what potential new cyber security risks are actually opening up or being introduced? And that, of course, includes fraud.

Speaker 1:

He also gave a definitive answer to the question: who's accountable for cyber risk in organisations?

Speaker 2:

So it is actually the board of directors. They own the risk.

Speaker 1:

But CISOs aren't being let off that easily.

Speaker 2:

But the CISO actually should own, or must own, the answers. Yes, sometimes I have the feeling that the CISO is a little bit too operative and they need to pick up the skills to be able to talk at the board level. He has to be able to communicate in a very tangible, easy to understand and operational way and getting allies to understand this.

Speaker 1:

George also tells us how to prepare for the cybersecurity equivalent of unknown unknowns.

Speaker 2:

Let's forget about technology for a while. Actually, one way of actually practicing how you can prepare for the I think you say unknown is to have unprepared mock exams, which can serve as a key component in preparing for regulatory reviews. Somebody has to do the plan and somebody will be the victim of the plan. How do you react? You have to be on your alert 25 hours a day.

Speaker 1:

The Resilience Factor podcast is brought to you by Zscaler, a leading cloud-based cybersecurity platform revolutionizing the way businesses protect themselves from cyber threats. By transitioning from traditional appliance-based systems to a cloud-delivered model and the implementation of zero-trust principles, Zscaler provides businesses with optimal protection from cyber threats.