CISO roundtable on security priorities for 2023

Webinar  |  On-demand  |  57min

 

Secure Your Business: Top Strategies for IT Service Providers

Dive into the world of cloud security with our expert panel of Chief Information Security Officers (CISOs) in WithSecure's Roundtable Webinar. We've invited three leading CISOs from different industry backgrounds to join us and tackle the biggest security questions around.

Discover unique insights and perspectives on cyber security priorities for the year ahead from our esteemed guests who are on the frontlines of business and technology. Learn how public cloud infrastructure can be made secure, the importance of a zero-trust architecture, and the need for continuous vigilance in detection and response capabilities. From building a secure design organization to incident response planning, explore the different focus areas for the year ahead.

Engage with the discussion on the evolving threat landscape, and get a glance at the results from our market research on cyber security trends and priorities. Whether you're an IT service provider, a business owner, or a cyber-security enthusiast, this webinar is packed with valuable insights.

So, click play and start your journey towards a more secure business! 

Welcome to WithSecure's CISO Roundtable webinar. Today's topic is cyber security priorities in 2023. I'm Elisa Mustan and I will be your host for the day, and I am joined by three brilliant CISOs here who will be sharing their unique insights and perspective of the year ahead. So first we have our very own Christine Bejerasco, and then we have Teemu Ylhäisi, CISO for a Finnish bank, OP Financial Group, and then all the way from London we have Mo Ahddoud, a multi-industry expert and a consultant CISO. A warm welcome to you all.

Thank you. Thank you for having us. Thank you.

And thanks for joining to the other side of the screen as well. Please keep in mind that this is an interactive webinar, so feel free to post any questions and comments in the chat. We will have a Q&A session at the end and we'll try to answer as many questions as possible. This webinar is recorded and will be available on demand. So let's dive into the theme of the day. First, looking at things with a little bit of a broader lens, let's ask our CISOs in the studio what are their main focus areas for the year ahead. Can you go first?

Yeah, sure. If I briefly mention the topics first: cloud security, then zero trust, and then detection and response capability. So our business is moving toward public cloud, and the cyber security function needs to be able to walk hand in hand with the business to make sure that the cloud infrastructure is secure and controls across the board are in place. So that's one of our main themes. And secondly, I see zero trust as a significant next step in enterprise security. So moving away from the eggshell or the moat-and-castle type mentality to an always-verify zero trust architecture is a significant change, and it will help us in the future.

So that's really interesting.

Yeah, taking steps in that journey is crucial. And then thirdly, making sure that we're always vigilant and we have detection and response capabilities up to the bar to match future
threats and threat actors.

Do you see this as something of a longer term strategy, or only for the year to come?

I think, yeah, it's definitely longer term. So detection and response capability, this is ongoing, it never stops. Zero trust takes more than a year, definitely. And a cloud transformation doesn't stop at the Christmas time. Yeah, so definitely.

That's a really great perspective. What about you, Christine? What are your main focus areas for the year?

Yeah, there is one main focus area that I'm really experimenting as well with the organization, and this is in building a secure by design organization. And behind that are actually three pillars. So firstly, it's about shifting accountability left, because what we have observed in the past as well is that the CISO team or, like, the IT security team has become kind of like an overlay security of the organization. But especially with us, since we are a software organization, it would be good if those who are building things are actually accountable for securing them. So shifting accountability left first. Then secondly, built-in cyber security into the processes that we're having. And then finally, the cyber secure mindset, which is really quite long term. As my peers here probably already have known, it takes a long time to really change the mindset of the people, such that when they're dealing with suppliers, when they are working with externals, that the cyber security mindset actually kicks in, so that it doesn't come after the fact that we have already had these agreements that we realize, okay, apparently this is not secure enough, then we need to do something. So that is basically the core of the focus area that I'm having this year.

So security is at the very starting point of everything.

It is, and, well, it really starts with the mindsets of the people. And it's a lofty goal. You can come back to me in a few years to see how successful this is.

Yeah, well, it's good to be ambitious, and I think that
sounds like a really solid plan. Thank you. Then what about you, Mo? What are your main focus areas for the year?

Yeah, so, touching on a lot of what's already been said, for me the primary focus area is around incident response planning. So many of the organizations that I work with, I certainly feel for me one of the priorities should be around ensuring that they have a major incident response plan and that plan has been rehearsed with the execs. So typically what we've seen recently is, when a major incident does happen, people are unfamiliar with the decisions that need to be made, or are certainly unfamiliar with making decisions with small amounts of information that's constantly changing. So for me this year it's predominantly working on helping organizations understand and prepare their major incident response plans. And I think that ties into everything else that's been said by Teemu and Christine.

That's really interesting. Great responses. I think you had quite different perspectives as well: there was incident response, cloud strategy, zero trust, and then, Christine, this whole security built into everything, including our mindsets. Any thoughts, what does this raise in you?

I wanted to comment on what Christine said earlier. So at OP, even though we're a financial institution, we're a huge technology company. The business runs on IT, and we've already had built-in cyber security as one of our ICT strategy cornerstones for a couple of years. And just an example on the topics you mentioned: I frequently speak at our induction. Whenever we get new employees on our technology side, I speak at the inductions, and I start with the statement to them and say that the cyber security function is not responsible for cyber security at OP. You are, the businesses are, and the risks are business risks. It needs to start from the business, and the built-in cyber security mentality needs to be in there. So I'm with you on that.
It's a good goal to have.

It's foundational.

Yeah, it's great to hear that you're on the same page, and especially on such a fundamental matter. So then, going into a little bit of a different perspective on this, what issues do you expect to see in 2023? So Mo, you first. What do you see as the main issues?

Yeah, it's interesting, because Christine just made the point of foundational, and sometimes we in the industry refer to these as getting the basics right. But, you know, we're kind of 10, 15 years down the road and the basics are actually proving to be really hard to do. So, you know, we still continue to see vulnerability management, asset management, application visibility, and this is all driven by the complexity of the business, right? So I completely agree with the CISOs just now saying that, you know, it's the business's responsibility, the business needs to drive parts or be involved in security. But fundamentally many of the businesses are, you know, diversifying, trying to break into new markets, and they need that agility and flexibility, and mapping across security controls with that can sometimes be difficult. So there always feels that there's a bit of a lag. So I think again, you know, for me, I know that there are new threats, which I'll probably leave Christine and Teemu to bring up, but I think just the foundational basics still are a challenge for many organizations.

So like the basic hygiene?

Yeah, yeah, that's correct.

What's your plan to solve this? Have you sorted that out yet?

I don't have a magic bullet. I think one of the approaches that works really well is ensuring that you can provide the visibility of the challenges that you have to the leadership team, to the executive team, and make sure that they're informed. Okay, so if they're informed and they're making informed decisions, that I think is a good position to be in. I think in many organizations either the challenge or the problem is
not articulated clearly, or there's an element of feeling that you should have complete coverage and confidence over that area, so presenting bad news can sometimes be difficult. So I think it's that, again, that maturity and understanding of your leadership team that, you know, you're never going to be in a perfect place, you're always going to be in a constant phase of maturing.

But I really like the point that you said, that kind of enabling the decision making. Also, there's often the talks about cyber security enabling operations and enabling business, but that was a really good point on the decision making side as well. So really interesting. Well then, Teemu, what are your concerns for this year?

I was thinking about, well, we'll probably talk about the threat landscape and all that later on, so I'll take a different approach. So much things going on: the business is developing new services, new applications, and a big organization has sort of lots of buzz. So it's critical that the CISO or the cyber security function stays focused on the most critical topics, so the focus is crystal clear and we don't get sort of overwhelmed by the huge mass of different topics that could be interesting. So making sure that focus is crystal clear and you're delivering on the promise, helping the business in the most optimal way.

So not getting bogged down by all the complexities.

Yeah, yeah. And it's not just this year, it's continuous, but still needs to be reminded every now and then.

How do you see then in the financial industry especially, like, what are the concerns?

If you think about the financial institution, obviously in Europe the interest rates and inflation are going up now, so that creates trouble for our customers, private and corporate customers. So that's one perspective. For a financial
institution, then, it's different: the interest rates are going up, the business is doing well, so it's sort of mixed.

Hmm, really good point. Well then, Christine, what keeps you up at night in 2023?

Well, I can also discuss a little bit about the threat landscape later on, but, like, from the business perspective I'm a little bit in a fortunate state, because in a cyber security company that has products and services I can actually utilize what we have, yes, to figure out where the gaps are. So that's a fortunate situation. But sort of looking at it from a general perspective, for instance, as Teemu has mentioned, I mean, with this economic slowdown, caused by inflationary pressures, of course it becomes harder to sort of argue for more cyber security budgets, although it's very clear that the threats are out there and they are continuously happening. And with this belt tightening and pressures that could be happening with different CISOs of different organizations, then it becomes a question of how do you do cyber security on the cheap. And there are creative ways, as we all know. I mean, you can of course reduce attack surface, you can harden configurations, and then it becomes really a challenge, and sometimes maybe even a shouting match in the organizations: I want to retire this asset because it's very vulnerable, and others will be like, but the business still uses this. And internally that becomes like a pressure from one team versus another, so it doesn't also become like a budget fight. There are still things that can be argued, of course, because, I mean, the board of directors in many of these cases is responsible for the risk management of the organization, and some of these budgets can still go through. But of course, if it's about the business surviving versus approving certain budgets, then that will be a very hard decision too
cyber security in some of these areas, although at times it can be an existential threat as well.

Do you have any tips to overcome these challenges?

From my perspective, I think: prioritize. Teemu has also mentioned this with the focus. Prioritize your top three, and if you can even really just get your top one through, focus and argue for that and get that through, because not everything is going to get funded, not even half is probably going to get funded. But if that one thing could already make quite a bit of your priorities easier, or the pressure for securing the organization diminishes a little bit if this one thing gets solved, then focus on that, so that it can get through with the budgets.

Thanks, really great overview. Mo, do you have any thoughts on the resource and prioritization and budget securing?

Yeah, I think it's really interesting, and it certainly resonates, what's being said about this economic slowdown. One of the observations that I'll share: I've just been working with the procurement team recently, and they were saying that some of the security vendors had stopped, sorry, had reduced their contract terms to 12 months because of the interest rate changes that were happening. So there's a knock-on effect all through our industry, I think, of different things that are happening. I think, to Christine's point again, the challenges that we have is that often the security program can be two or three years long, and then within those two or three years you'll then find new threats that develop and evolve, or your business changes in the way that it works, and so you do need to in some cases invest in additional technologies to support that. So it can always be very challenging. I go back to my initial point: in terms of getting funding, it is to make a clear statement and explain clearly what the implications of those controls and
that investment is going to make, and move responsibility back to the leadership team as to whether they want to invest and apply those controls or not. And we try to make sure that those decisions are documented, so that should the repercussions of those happen later on, as a CISO you sometimes need to be somewhat defensive in order to articulate the decisions that were made and how you arrived at that decision or position. Does that make sense?

It does make sense, yeah.

I can at least comment on the budget situation, or the attention from the executive management or board of directors. At least in Europe, and especially in the Nordics, the cyber threat level is elevated due to the Russian aggression, and last year there's been more attention from the executive management teams and board of directors on cyber security topics than ever before in my career. So the attention is there. They're asking right questions, not because they sort of are obliged to ask them, but because they're, like, seriously concerned about cyber security and how it could impact the business in practice.

About the resource allocation, for example, do you feel it's easier now, or?

I can't speak for others, but based on the studies I've seen, at least many CISOs think or hope that the budgets would increase. So it's not necessarily going in the same way as the economic slowdown.

Well, to add to that, I think there's a very clear message as well, like for example in WithSecure, when we elevated the role of the CISO to the executive team, because we would like for this role to be part of the decision-making process, and to make sure that when we define the business goals of the organization, although it's a cyber security company, obviously, I mean, we sell cyber security products and services, but we bake in internal cyber security as well into that, because that also means that when we secure our
supply chain we are also securing our customers effectively with that as well. So it's a very strong message, definitely, of the necessity of cyber security nowadays.

Yeah, so you're also preventing any negative ripple effects that can be quite hard to...

Yeah, absolutely.

Well, you mentioned your cloud security strategy earlier, so how do you see this whole current political situation affecting it? Has it accelerated it, or?

Well, it's complicated. So we've seen, as a good example, in Ukraine they did a huge cloud transformation rapidly before the war started, and that has helped their businesses and the government a lot. But in my role, working as CISO for a Finnish financial institution, we have a long border with Russia, and basically the connections to Europe are sea cables, so that changes the situation quite a bit. So that's why from my perspective it's complicated. Yeah, cloud has huge opportunities, but it's not automatically secured, so this worked a bit on that side as well.

I'd like to take a step back and talk about the ever-evolving threat landscape, so that's a great trend. So Christine, you have just moved into this new role, and you were back in the day the head of tactical defense unit at WithSecure, and F-Secure at the time. So how does this natural progression, how has it been?

Natural progression, I don't know about that. But the threat landscape, to be honest, there's so many cyber threats out there that the top three threats that are interesting per CISO are probably different depending on what type of industry they're in. There are of course a little bit more generic ones. For instance, the first one that I have on top of my mind is data and secrets breaches, because even today, what's the latest one? You open your cyber security news feed, ta-da, I saw something related to MailChimp and, like, related to
marketing, and last holiday season we saw something with LastPass, there was KLM's and Air France's Flying Blue. So every single time, these data breaches, which are holding data that may be belonging to our employees, like personally identifiable information, personal data and even company data, don't really stay in our premises anymore. I mean, Teemu alluded to cloudification. It's beyond that. It's a lot of these different software services, that software has gotten out from our devices all into the world that belongs to someone else, and we are in bed with the suppliers, and we are just as secure as how they secure the data that we send them. So that is relevant in my mind: how well have we evaluated our suppliers in the past, how do we do vendor management and involve cyber security into that annually, and how many vendors are we at the moment already dealing with? Perhaps that is the one on top of my mind. Secondly, the supply chain attacks, typically with these open source libraries, because we are a software organization and we're delivering cyber security products to our customers, but of course we utilize a lot of these different open source libraries, because as engineers we don't rebuild these things, there's a lot of really good libraries already out there. But how do we make sure that our CI/CD pipelines have all of the right tools, all of our developers are utilizing it, reacting on time to whatever the findings are, fixing them, and just having that continuously as part of their process? And then the third one, maybe something that broke a little bit the internet during last holidays: ChatGPT and all of this. The hot topic, exciting, and some of this, we released a white paper last week, like creative prompt engineering, that you can continuously create very compelling phishing threats that anybody can utilize, or even create code, like polymorphic code for malware, etc. So very interesting to see how that
will evolve and how much more threats are going to be delivered.

Really interesting, and it's kind of impacting both the quantity and the quality of the attacks.

So absolutely.

Yeah, ChatGPT, great tool, but also has its threats.

Yeah, well, it depends how people use it, and of course there are people who are going to use it for malicious purposes.

But besides this, what do you think that CISOs should be looking at when considering the threat landscape, especially now in the year ahead?

From my perspective, CISOs really need to look in-house on what are the things that they believe is top priority for the business to secure, and then reflect that afterwards on what is the threat model on that, because with that threat model comes the threats in the threat landscape that is relevant. I mean, there's a lot of talk, of course, of the problems with ransomware, etc., but for instance a lot of these ransomware problems nowadays are related to endpoint devices. But if this is, for instance, an organization that maybe doesn't have endpoint devices, maybe they are using Chromebooks, for instance, and ransomware can't even run on it, so maybe that's not a threat that's relevant to them. So for CISOs it's probably very common that you look first at what you really need to secure, and then you look at what are the threats that are actually impacting your assets.

What are your thoughts on that, Teemu?

On that topic, I see ransomware as a significant sort of attack method, but I don't think the right reaction is to be scared of ransomware and then be paralyzed. So do something about it, and it's not necessarily buying anti-ransomware solutions, but the thing that I already mentioned before, like zero trust, building defendable architecture, or micro segmentation, and that type of architectural positive changes could significantly improve your resilience against different types of attacks.

So yeah, so taking different measures
and multiple different controls, a layered approach.

Definitely, yeah.

What are your thoughts, Mo? How do you see the threat landscape lining up to the priorities discussed earlier?

Yeah, I'm always conscious when I come on something like this, and Christine has got years of experience and knows this subject much better than I do, so I keep it at a high level. So what we do know and what we have seen over the last 10 years, and this continues to happen, is this accelerated proliferation of advanced, whether it's advanced malware or advanced ransomware or whether it's advanced nation-state tooling, and that acceleration between it becoming publicly available on the dark web and being used by, how do we describe it, kind of less skilled actors. So that idea of that capability for low skilled actors to be able to pick up much more advanced capability, to edit the code and redistribute that, is something that we see continues to accelerate. And I think that ChatGPT that Christine related to is again continuing to be that acceleration that we're always fighting to be ahead of. I think one of the things that helps me with emerging threats is really to utilize the security network that you have and your security partners. So, you know, too many security teams don't have the skill set and the resources to be around these. So I'd encourage people really to lean into their security partner and get them to help, you know, help me help you. So help me understand what's happening out in the industry, because you know better around the techniques that are being used. Give me the confidence and assurance that what you're developing is keeping up to date with these emerging threats, and help us understand and be prepared in a better position. So I think, you know, sometimes we can appear to be lone horses driving through the night,
but actually, like I said, I think collaboration with security partners can be really, really beneficial in this approach.

What do you think about this, Christine, as a CISO of a cyber security company?

Well, of course collaboration with partners really helps, and like I said, I'm sort of in a fortunate space. The nice thing about this really is that cyber security organizations like ours are quite open to sharing this information, and sharing the information really just helps us all. I mean, if we look at the digital world and how interconnected it is, we can't really say that we secure our organization in this space and we'll be okay. I mean, how many suppliers are we connected to? The moment they are not secure, that sort of impacts us. And even as a cyber security organization we have suppliers as well, that give us our CRM systems, our HR systems, etc., so we need to also make sure that we are actually sharing information together with them, because helping them secure themselves also secures us. So I do echo what Mo is saying here: talk to your cyber security partners, because they are actually quite open as well to sharing this information, and I take that from experience with this organization.

Yeah, the value of knowledge only increases when shared.

Absolutely.

That was really enlightening, great insights, everybody. So let's now move on to the second part of our agenda, the pulse research. So last year we conducted a market research about cyber security trends and priorities, and we asked more than 3,000 IT professionals what they think. Let's have a quick look at the snapshot of the research and watch a short video now.

Okay, before discussing the security priorities with our studio guests, let's ask our audience: what do you think? On your screens you can now see a poll coming up. Please share your thoughts on the top security priority for
the year. We will get back to the results shortly. And this is now what the respondents of the market research said. So it's quite an even race when you look at the top five there. At the first we have preventing data breaches at 34 percent, then ensuring protection against malware and ransomware as a very strong second place. What do you think about these? Any thoughts?

I already talked about ransomware a little bit. Preventing data breaches, it's sort of not clear what you would do to prevent data breaches. It's a goal, obviously, but I echo what Christine said already: so talk to your partners, and not just talk to the partners, but to your supply chain as well. Understand your sort of footprint and exposure. It's not just the infrastructure or businesses that are at arm's length, but it's your whole supply chain, and then the breaches could happen from that sort of realm as well. So secure the extended enterprise as well.

He actually makes a really good point on the data breaches, because preventing a data breach is a result of how well you have holistically secured the organization. It's not like ransomware, that you need to deploy some certain type of protections, or for example zero trust architecture would help, because, I mean, every different device, you don't really trust it by default. The data breach is all about plugging in the individual gaps, and sort of in the end, because you have managed to elevate the security posture of the organization, then you become less prone to that.

Yeah, it's a little bit more on that level. Let's frame it a little bit differently. Christine, do you think that something is missing now from this top five list?

Well, one thing related at least to my lofty goal this year is elevating the security thinking of the people, really getting trainings in place and getting everyone to think security, to think
about securing their areas. So quite a bit of this, except for the data breaches in itself, is about securing different points or the different areas in the organization. For instance, when you're talking about business email compromise, I mean, that's on top of the email technologies, or Office 365 for example. Office 365 and Salesforce, obviously they are collaboration tools. But it can be more than just the devices, it can be more than just these email technologies as well. For example, there are organizations that could have operational technologies. There could be a little more of that as well, but I guess this is just the top five, so there's probably more.

Yeah, okay. So then, we were for example mentioning cloud strategy quite heavily, so your thoughts on that missing from the top five?

I don't mind. Not all the companies have the same priorities, and some of these are more focused, like Christine said, some a little bit more broader. But I like the fact that you brought up the people aspect, in contrast to the technology focused discussion. So I fully agree on that topic, that people are a crucial part of the security chain or the overall protection of a company. So people have a crucial role. It comes down to the skills, knowledge, motivation, and that they do the right things, and lots of work can be done in there, and it's possible to achieve good results.

Yeah. On the list, from a cyber security firm's perspective?

Well, the cloud-based collaboration applications at least would stand out. That helps a little bit with this distribution of data away from the estate that the organization is responsible for, towards another organization's estate. So we have quite a lot of SaaS applications, and by we I don't just mean WithSecure as an organization, but other organizations as well, because every time, I mean, because of the agility of business that we
would like to do nowadays, whenever we want to use something we usually don't really get to install that in our estate anymore. We go out there, we take a SaaS provider, and then we utilize that for the organization. So I think that would be very valuable: how do you secure yourself, like, these SaaS applications, the interaction that you have with them, the data that you send towards them? How do you make sure that there's data integrity, for instance, there's no malicious threats that are being utilized?

So everybody is taking their responsibilities?

In a sense they are, but additionally, on top of that, you still have the capability to protect yourself, just in case.

That was excellent. What about you, Mo? You have such a wide view into different industries. Is there something that stands out from this list to you?

Yeah, I've got a slightly different perspective. I'd like to just rephrase the first piece, because I think this concept of preventing data breaches is possibly unrealistic. What we're looking to do is reduce the risk of data breaches and be prepared for when we have a breach, and then what we're looking at is the other four items that are underneath it, they all contribute to that outcome that we want to achieve. And we often have made this cultural change over the last few years to educating the execs, saying, you know, it is likely, with the best will in the world, that you're going to have incidents, right? You're going to have minor ones, and, you know, you're less likely to have the major ones. But this isn't all about technology, this is also about culture, and often we see good people doing bad things, not necessarily bad people doing bad things. So in all of the major incidents that we've seen, when you go into the core of what happened, it was a third-party
supplier and that third-party supplier didn't have relevant checks on them, or that third-party supplier didn't disclose the vulnerability that they had, and, you know, it's a whole chain of events where everyone meant well, but it just wasn't enough. So again, I think we just need to be honest and probably prepared to say that, with the best will in the world, we can reduce everything, but things are still going to go wrong and we need to be prepared to respond to them.

And maybe like understanding the risks?

Yeah, and I think we can try and understand all of the risks, but invariably, as karma works, right, it'll be the one that you haven't thought of that presents itself. So that's why, again, we need to be prepared for the fact that something's going to happen, and we may not have prepared for where it comes from, but we are prepared around what our response is, and we're experienced in making decisions when we've got very few snippets of information.

Okay, so now we can see the actual poll results from the audience. Let's see how much they differ from the results of the market research. Quite similar: data breaches at the top again. No, not... no, sorry, the devices. Yeah, devices and services and software; data breaches at the second. Any thoughts on this, Christine?

Well, the services front, yes, I do agree. I was just talking about the SaaS applications and the sprawl that we are seeing; they are quite concerning. I mean, data breach, as Mo mentioned, and Teemu and I mentioned as well earlier, I mean, it's a really big thing and it's a good goal to have. But more than just prevention, what Mo is actually mentioning about, like, incident response, like what is your response plan when this happens, which should include actually your containment plan. So not trying to control everything, but rather... I wouldn't say that, because of course, like, prevention is still better than cure. I mean, you still need to continuously elevate your security
posture, right?

Indeed.

That's like, having a very good response plan is no excuse for that, from my perspective. And I believe, like, I don't know, many if not all CISOs who would agree with me. But you do need to have a response plan, incident response plan, when the thing, you know, when something really bad happened. How do you sleep at night?

Exactly. It would be actually really funny having a CISO that says that we don't need a good protection because our reaction capability is such a toughness.

Oh God, yeah. I haven't seen one.

Yeah, but I fully agree with Mo on the reaction capability. If you don't know what you're gonna do when the incident comes, yeah, then you're screwed. And if you haven't planned it, if you haven't exercised it, then you probably end up improvising on the moment.

Yeah. Maybe kind of circling back to the whole holistic thinking here: as we can see, the ensuring security of cloud-based collaboration applications like Office 365 and Salesforce, it's quite low here. What thoughts on this?

Yeah, maybe if we would line up all the software as a service solutions based on their security maturity, I don't think Office 365 would be on the lower half. So I think Microsoft is probably doing a pretty good job in interviewing that. So I would be more worried about your, like, HR applications or finance applications or whatnot, so more like custom applications and that type of services.

So yeah, I guess with the Office 365, for example talking about Outlook, I mean, the software may be secure, but what flows inside it, I guess that's a different story.

Yeah, okay, great perspective. Seems that there are some similarities but some differences between our audience and then the general population of the research. So let's now then move on to the questions of our audience. So Q&A, what do we have here? We have: is ChatGPT a threat or a possibility? Christine, you were
mentioning ChatGPT earlier. How do you see that?

I mean, absolutely both. I have to shamefully admit that during the holidays I may have, like, tinkered with ChatGPT a little too much while I was spending vacations. But I do have to admit that it's really the next step when it comes to how easy it is for normal people to interact with the GPT technology, essentially. So as a former CTO, of course I'm very excited with such technologies. But from this perspective, it doesn't mean that there are risks that we don't advance forward as humanity, because this has been what we have always done through time. But it's really a question of how... take a step back, I mean, let's take a look at the risks and let's try to see how we can mitigate it. I mean, OpenAI, who's behind ChatGPT, has been trying to put, like, these different measures in place while people are discussing with ChatGPT, so that, for example, I mean, you don't include hate, racism, like all of this different things, and even supposedly creation of malware. But people are creative and they will ask creative questions, and it's really an open question, like how do we ensure that there is check and balance when it comes to this creative question, because people are going to probe and probe and probe until they're going to find their answers and then build very convincing phishing emails or very interesting malware.

That was really interesting. So no clear conclusion?

Well, my conclusion is, like, we shouldn't be scared of new technology. I mean, this is how we have advanced. But let's temper that always, that whenever we build these things for the future, like the more digital we are becoming, if we don't put these checks and balances in place, the more dangerous this digital world actually also becomes. It's not an excuse to stop technology, but it's a risk management as well.

That's a really good angle. Any thoughts on the ChatGPT?

Just to check on what Christine said: any technology could be used for bad, but it
can still be used for good, and I'm an optimist. It's huge, huge opportunities, and like you said, the balanced approach would not be to stop technological evolution or development because it could be used for something bad. So we need to stay on top of the game and make sure that the good wins.

Yeah. So threat and a possibility, can I draw that?

Definitely.

Excellent. Then there is a second question: "I worry about cloud services. The move to the cloud has been fast and I'm not sure it's the best solution. Big players like Microsoft and Google are pushing hard towards the cloud. It has its pros and cons. The main disadvantage is that these companies tend to be from one economic region, in addition, eggs in one basket." How would you address these concerns? Mo, what do you think?

Yeah, I have to confess I've been a cloud evangelist for a long time, and the simple question to ask if you're concerned is: could you do this any better in-house? Do you have the manpower and the resources to be able to do this in-house? I think that, you know, for many of those cloud providers security is fundamental, and I have spoken with many of their teams in terms of constantly wanting to be ahead of the curve, to such an extent that, I think, there are very few nation states that would be able to provide the resources that they have. Having said that, I think that there is a lot of inbuilt security capability that is not always utilized by organizations, either because of the lack of understanding or lack of skill set to be able to utilize that. So I do accept the concerns that were raised, but I do think that the positives outweigh the risks that you have for the resources being in one region.

Hmm, I think that was a really comprehensive answer. Do you, Teemu and Christine, have anything to add? Cloud worries?

Just one thing to add maybe is that cloud, if you're moving to, whether it's Amazon or Microsoft or
Google, it's not secured by default. So you still need to build security in the cloud sort of estate, and need to be sure that the controls are in place. So still work to be done.

Well, I guess just sort of like to wrap up what the gentlemen said: I mean, you have a new estate, or you have an extension to your estate, which is the cloud. It's sort of like in a different environment, but misconfigurations, for instance, they are abounding in the cloud, and that's one of the biggest challenges that we have seen. So it's a little less about the actual, like, malware being deployed, although we have seen some of those as well. There are data breaches because of the misconfigurations that are happening. So it just takes a little bit different learning as well with the technical people that are in charge of it. But I think that, that...

2023, how do you answer that question? Complexity... What are the most vulnerable industries?

I think it's really tricky. There are industries that are more attacked than the others, and the finance industry is very much exposed to that, primarily because, I mean, a lot of the attacks are motivated by money. But does it mean that the financial industry is the most vulnerable? I don't think so, because they have also been the ones that have been elevating their cyber security posture and really investing quite a lot on them as well, and they are also doing a lot of regulatory compliance. So I think, like, for that question I would sort of like flip it a little bit: that there are industries that may be more attacked than the others, like for instance the finance industry, which includes the cryptocurrency, like, industry as well, where for example last year there have been a lot of, like, breaches when it comes to cryptocurrency being stolen, like from quite a few of these different exchanges that are there. And of course there are, like, industries that are
handling critical infrastructure of a certain country are also, like, heavily, sort of like, challenged, especially with the geopolitical environment that we are having nowadays. And it's different, like, one organization is different from another when it comes to, like, how well they are protected versus the others. But it's hard to say that, for example, this industry is more vulnerable than this one, because there will always be, like, varying level of security posture from one organization versus another within that industry. So it's really nuanced.

It is, it is quite. Mo, you have a view into different industries. Can you add anything?

Yeah, I think from my perspective it's possibly where the organization currently is at, so where we see levels of risk rising. So for example, if the organization's going through a significant digital transformation, as many organizations are, then capturing all the risks as you go through that transition. Also organizations that are going through acquisitions and mergers are also times, because I think, you know, I think Teemu and Christine will agree, in the past where we've seen incidents happen is because a company was acquired and it was part of the network, but it never really had due diligence covered over it. So it can be a smaller company that has a lower security profile. So I think it's more around, you know, organizations that are going through rapid change, for example massive acceleration, bringing on new staff, building new processes, onboarding new suppliers, and that's kind of what raises the risk level. So it's more around organizationally where they are at, their business at that stage of growth, rather than I see any specific industry.

Seems like you are on the same page. Any comments from the finance?

I can't point a finger on any specific industry, but I think it could differ from a company to another, and I see the biggest risk in companies that are not conscious about
their security posture. So if they don't know, if they haven't thought about it, then it's probably not in good shape. So then that's a company-specific issue.

So no most vulnerable industries identified in this discussion yet. Okay, so here goes then the last question that we will be answering: how do you see the role of cyber insurance as a possible driver of improved cyber security posture for companies that may not be cyber native? Who wants to go first?

I will. You know, the finance guy in the room. That's a tough one. So having a cyber insurance is about risk transfer, and you first need to understand what the risk is, then sell it to the market, and then insurance companies are willing to take the risk on your behalf. And that type of mitigation is not available for everybody. So if you're not in a decent shape, nobody's going to insure you. And it also cannot be your sort of a first approach, so you need to have basics in place, like a comprehensive security program, and then insurance could be, like, an additional layer of risk management on top of that, what you've already done.

Yeah, so valid option but requires a sound foundation.

Yeah.

Christine, do you have anything to add?

Well, let's put it this way: like, in the past few years the number of questions in the questionnaire of the cyber, sort of like, when you renew your annual cyber insurance, they have increased and increased, and they have become more specific. So this cyber insurance, I mean, Teemu knows this, so they have really become more and more conscious in ensuring that the cyber security posture of this organization is actually insurable, and if it doesn't look like it, then either they don't insure you or it would make an impact on the premiums that you're going to be paying. So, as Teemu mentioned, it's definitely not just about transferring your risk. You'd really need to do the work to elevate your security posture
before you can even get into the stage that they are willing to take on the risk for you.

Thank you, thanks a lot. Yeah, if we didn't touch your questions, then we will be creating this follow-up article and try to cover everything there. And we've had such a fantastic discussion today, so huge thanks to our CISOs here in the studio and Mo in London. Thank you. If you wish to learn more about the research, then please download the full report. Thank you, until we meet again.

About Speakers

Christine Bejerasco

CISO, WithSecure

Christine Bejerasco has been steeped in cybersecurity for the past 19 years. She started her career when network worms were prevalent and has seen the threat landscape evolve alongside advancing technology, as well as changes in regulations and user behavior. 

She has worked in various capacities – from analyzing threats and building protection capabilities to leading teams that have effectively delivered them. Before becoming CISO, Christine was WithSecure’s Chief Technology Officer. In this role, she was responsible for investigating the intersection between threats, technologies, and user behavior, to build more future-proof cybersecurity solutions. Today, as CISO, she is applying her experience in cybersecurity to ensure the organization is more resilient and better prepared to deal with cyber-attacks.

Teemu Ylhäisi

SVP & CISO, OP Financial Group

Teemu Ylhäisi is an experienced cyber security leader with a background in the telecom, manufacturing, and financial industries.

Teemu works as SVP, CISO and leads OP Financial Group’s Cyber security function. Teemu’s passion is to ensure that security functions are helping the business in optimal ways in true partnership mode. His management principles are built around trust, transparency and result driven strategy execution. Teemu was given the award of the CISO of the Year in Finland in 2022.

Mo Ahddouadi

CEO, Chameleon Cyber Consultants

Mo is a highly experienced Cyber Security expert. He has a proven track record of delivering complex security programs for large international organizations with strong technical and business transformation skills. 

His depth and variety of experience across public and private sectors give him a unique insight into all angles of cyber security. He is the CEO of Chameleon Cyber Consultants, which specialises in advising organizations at executive level on their cyber security strategies. He is also a Managing Partner for Cambridge Management Consultants, leading the global Digital Security practice. He is an active member of the security industry and is regularly invited to speak at events. Mo lives on the south coast of the UK, where he is a keen golfer and enjoys spending time with his family.

Elisa Mustonen

Host & Product Marketing Manager, WithSecure