mnemonic security podcast

Security Assurance

November 23, 2020, mnemonic

Are we secure enough? Are we exposed? What are our key cyber risks?

Our podcast guest this week is a veteran in the IT space in the financial sector, and has extensive experience communicating security posture to stakeholders. Erik Blomberg, CISO in the Swedish Handelsbanken, chats with Robby about what management really is wondering about, and how to communicate the value your security team is delivering to the organization. 

He also shares how he’s worked to translate tech terms into actual business value, and how the CISO role has changed in recent years.

Technical level: 1/5

Host: Robby Peralta

Producer: Paul Jæger

https://www.mnemonic.no/podcast 

mnemonic:

From our headquarters in Oslo, Norway, and on behalf of our host Robby Peralta. Welcome to the mnemonic security podcast.

Robby Peralta:

We've been investing in cybersecurity for a few years now, would you say our organization is secure? Have we been breached? When were we breached? We have a board meeting next week. Can you talk about cybersecurity in a way that they understand this time? Do you have enough money to do what you need to do? Is all this really worth the investment? After all these years management has understood the value of IT, it is absolutely necessary these days to keep our business in the market. But if that's the case, why don't they understand that security is absolutely necessary to keep our IT in the business? Maybe we could pick up a few pointers from a veteran in the IT space, who just so happens to be the chief information security officer for one of the largest financial institutions in Europe. Erik Blomberg, welcome to the podcast.

Erik Blomberg:

Thank you very much Robby, great to be here.

Robby Peralta:

Great honor having you here in this virtual studio of ours. We are here today to talk about security assurance, not security insurance, but assurance, which in my mind is you sitting there in a boardroom assuring your colleagues that we are secure enough. So have you been in that situation before?

Erik Blomberg:

Well, I mean, we'll probably get into this later, but I'm actually trying not to get into the boardroom. Because if you're there, you have a problem.

Robby Peralta:

Yeah, cool. So said another way, we're here to reflect on how you communicate your security posture to regulatory bodies, internal control functions, and basically anybody else out there that is worried about security in your organization. And I also would like to ask you how you sleep at night after such conversations. But how about we start out with an introduction to yourself, you know, what you've been working with the past years.

Erik Blomberg:

Yeah, I'm actually sort of an old timer, I took my computer science degree back in the 80s. And started off as a developer, architect and came into sort of the management positions. And I've been in IT then about 25 years until I got the opportunity to sort of, in a way, switch a little bit to security. But I've been in the position of CISO for Handelsbanken now for close to five years.

Robby Peralta:

So how has your position and your dialogue with members of your management changed over the years as security has grown more important?

Erik Blomberg:

I think when I joined five years ago, it was, I would say, very much security centric, we were the team sort of protecting the bank. And we were the go-to team in a crisis. And we were the go-to team for sort of our governance around security. But the last four years, I think given the threat escalation, given the digitalization and also media attention in sort of mainstream media, the expectation is different. So my role as a CISO has changed from being sort of the techie security guy sitting in a corner fixing security into needing to speak to executives about the risks. What's the cyber risk? I need to have some kind of threat intelligence perspective. What's out there? What should we sort of be afraid of now? Turning into sort of becoming business enablers, since security is such an important component in our digital journey, not least in the financial sector. So it's changed quite a lot. So sometimes I feel like you move all over the company, everywhere from meeting customers discussing the security aspects of the business, to talking to technicians, maybe not myself, but my team. So we are all over the place.

Robby Peralta:

All over the place, yeah. You and the rest of your colleagues in the security world. That's a common phenomenon. In your dealings with management, like with your CFO, your CIO, maybe even your CEO, what sort of questions are they asking you? Is the CFO asking you about your return on investment on security investments? What are some of the questions you're receiving from those different parties?

Erik Blomberg:

I mean, I report to the CIO, so I'm part of the group IT, so from that perspective, obviously, I'm responsible for security in the group IT, so we have a very close dialogue around what's the key for us. When it comes to the CFO and bank management, I think we fall back a lot on risks. That's sort of the natural language for a bank, we have traditional market risk, credit risk. So I think that's the key area where we now and then need to explain where we are in different areas, and what's sort of exposing us from a risk perspective. And as you can understand, it's one thing maybe to calculate credit risk or market risk, but cyber risk is still quite immature when it comes to really calculating your risk posture. I know a lot of companies are probably well ahead of us in that, but we try to put together things and again focus on the key scenarios, but to actually calculate risk, that's still a journey, at least for us, to get there. I think risk is the key area that we communicate to upper management.

Robby Peralta:

Hey, if you figure that out, you have to come back on the podcast and let everybody know, because I think everybody's struggling with how to quantify that risk. One other question that's related to that though. I had another podcast guest on and he said something that reminds me of what you're saying right now, he said that the most powerful committee in a company these days is the risk and audit committee. And I'm not sure if it's called that in your organization. But would you agree with that statement?

Erik Blomberg:

I think we have three lines of defense. The first line, second line is compliance, risk, and third line is audit. I think all of us have our responsibilities and need to view things from our end. And I try to be, I mean, risk is definitely, I would say, a very strong committee or function, because that's where we sort of put together the key risks. And compliance is also extremely important, since we are so regulated. So now we get the on-site visits with regulators where we need to explain how we work with security. So I think all three levels need to, in a way, work quite a lot together. So we are very transparent and discuss things openly. So we try to not have any secrets. So we have a very transparent dialogue in these three lines of defense. And then all of us have our own perspectives, how we summarize the situation. For my organization, with all due respect to risk and compliance, I want to protect our company, to minimize the chance that we have an incident that escalates to a really serious crisis situation, that's sort of the bottom line for what my team should be here for. And if we succeed with that, I can see that then we have control of the risks. And we can also have a good dialogue when it comes to the regulators. It's a little bit scary if we turn too much into a compliance-driven security department, because the threat actors, they don't care about regulations, they try to find ways into your company. And that's the day-to-day challenge. So we'll have different, I think, all three levels need to have a transparent dialogue. And we're, yeah, we're quite close in a way, even though we have our separation of duties, obviously, but we have to do this together.

Robby Peralta:

Different approaches, but the same goal. So you wrote an article recently, which was titled "The key to achieving security goals", where the main thing that I got out of it was basically that we as security professionals need to leave our security jargon at home and start communicating in business terms. And it sounds like that's exactly what you've done. You know, you've taken the five top risks, and everything you communicate to your, you know, colleagues and management is directly related to the business, and that, therefore, you're enabling security to be like a business enabler. Do you have any advice that our listeners can copy from that process you had to go through to achieve that?

Erik Blomberg:

Yeah, I mean, it's one thing to say that you want to be a business enabler and another thing to deliver on that. I mean, I'm on a journey, and I think the whole security industry, we need to sort of take a step out from sort of the technical jargon and be very interested in how the company is working, if you're not that already. Understand what the CEO is saying. Be sort of curious in how security can really, not only protect, but how could we really sort of be part of the success of the company. So I think one thing is to really be focused on meeting the business, listening to the CEO, and really try to map your security objectives into the business perspective. And we're trying to sort of work with different types of values. I mean, we've used trust quite a lot, it's important that our customers, and also staff, feel a lot of trust in our services. And I think the COVID-19 pandemic situation has also shown that it's also about caring for staff and customers. If we can have strong digital channels, they don't need to come to a branch office to do something, they can actually stay at home. So I think that has also highlighted the importance to really provide secure, stable and available environments to our customers and staff. I think we also see it in the brand, developing the brand, that you won't have a strong brand in the digital world without it. It's very hard to sort of put the finger on what the brand is, how much the value is, but I think talking about the value of your brand is also very important. So that sort of is the starting point, as I see it, that's my recommendation, that the first step in the journey to become a business enabler is what kind of values can you deliver to the organization.
And I think the next step is awareness, to create awareness around cybersecurity in your organization. Here we are also trying to, we said we want to leave, I mean, we have a lot of rules, security rules and instructions, and they need to be easy to understand. So it should be easy to do the right thing. So awareness is also something that we are addressing. Also, it has to be targeted to different audiences. So you can't have the same message for everyone in your company, you need to have different messages for technicians or developers or people in staffing, branches. Values, awareness, and then actually how do you integrate, our strategy is to integrate security, for instance, when we develop our services. So security becomes a natural component in delivering our projects.

Robby Peralta:

Sounds like you've done a great job over the past years to get all that in place.

Erik Blomberg:

Well, I mean, it's, again, a combination of putting goals and actually, I would say we are in a transformation. I think a lot of us in the financial industry, for instance with cloud, we've been quite conservative, a lot of us, at least here in the Nordics. Since we are quite regulated, we have been quite cautious about cloud, but now it's sort of the way we are taught. Yeah, the IT vendors are also, in a way, pushing us more to the cloud. So that has to be a natural part in our overall architecture. That's one component that is adding on, and then obviously now when we have more agile development, and we want to increase the speed, that's also where we need to make that process as smooth as possible as well.

Robby Peralta:

So I have maybe a personal question, but I'll ask it anyway. So the role of a CISO, I hear it a lot, it's like the role of the CISO is changing. Maybe in the past a CISO would have a lot of technical competency, they would know maybe how to, you know, configure the firewall themselves in some cases, right. But now it sounds like the most important thing for a CISO is to be really close, you know, to the business and speak their language and be able to translate the security needs into the business needs of the company, right? So have you noticed that sort of a transformation needed yourself over the years?

Erik Blomberg:

I mean, I've been, in a way, I would say lucky, because I came in, and I've just been in the security industry for five years, but I've been in the bank for many years. And for me, I've been working in IT, sort of as an internal account manager, where I've been working very close to our business, delivering IT solutions, when I came into security and took on the role of CISO. So it was quite natural for me to continue with that on one hand, so I was quite used to trying to translate tech terms into what the business values are. And also, since I came in, as I didn't know anything about security, more or less, I asked all these stupid questions to my very, very skilled team. And if they could explain to me what all these tech security terms were, and I could understand it, I could just pass it on. So I think, in a way, it might be good to have someone like me who is not that knowledgeable about security. I have probably met very few CISOs that have the exact position as myself. So the role is very different. Some need to have a CISO with a very strong security knowledge and depth, because that's what's expected in that company. But maybe in larger companies, where you need to talk more to the business, maybe more to the upper management, then you need different types of skills and experiences. So I think that's a little bit different. But for me, I asked all the stupid questions, they had a lot of patience with me explaining what all these things were about. And then I had the background of working with trying to explain what IT was. And that has also been quite challenging over the years. But now, IT is more or less core business. That's your core in the financial sector, definitely, but in a lot of other sectors too. So it has become sort of your engine in the company. So now IT is a natural component.
And the next step, I think, is that security is also becoming a natural component.

Robby Peralta:

Digitalize or die, as they say, exactly, yeah. Yeah, and I really see how your background in IT, as like you said, the internal account manager, in my mind the function of IT is literally to enable the business to do its job, right. And I think security can and should sort of adopt that mindset. Yeah, we're here to enable this to happen, but I guess security is enabling IT.

Erik Blomberg:

Exactly. Yeah. Yeah, of course. Definitely.

Robby Peralta:

Um, so what's on your, you know, agenda? What are the things that you're gonna focus on in the years to come? What's gonna be your toughest challenge to come?

Erik Blomberg:

We are moving into a hybrid cloud. We are different types of companies. We are a bank, a traditional bank, in a way, we have a lot of legacy IT, and now we are creating a hybrid infrastructure to be able to deliver even better data services. I think we have a very strong position today that we need to keep. But it's the digitalization in the financial sector, and also the new types of economic possibilities in the digital world, is great. So we have a great position, and we need to sustain that. But, I mean, the world is changing as well. The geopolitical landscape is different now compared to a couple of years ago when it comes to, well, sort of, maybe not threats, but I mean the discussions around more nation focus, you want to have your data in your country, or at least in the EU. Discussions between the US, Russia, China have a big play. So that's what's so interesting with this work, that all these things might have an impact on sort of the threat landscape, and again, being one of the key players or key sectors in a country. I think we all need to work here, try to work more closely, the private sector and the governments in the country. And here I would say both Denmark and Norway are, I would say, ahead of Sweden when it comes to sort of coordinating cybersecurity in your country. I think here there needs to be more initiatives in Sweden, because it might be very hard for an individual, private actor to cope with all these complex threats and so on. So maybe you need to work more closely in the sector and cross-sector to discuss how can we sort of protect, yeah, Sweden or the Nordics. I think the actors are becoming very advanced, it doesn't have to be nation states, it could be very advanced organizations. And they are, of course, developing their skills as quickly as we do. So I think that's what we try to achieve here, in a way, to have more cross-sector or government and private sector cooperation.

Robby Peralta:

Hmm. Well, you're at least sort of lucky there with the financial sector. I'm under the impression, at least, that with the Nordic Financial CERT, the banks are actually one of the best, if not the best, sector for sharing information with each other. Is that the case?

Erik Blomberg:

Yes, yes. Yeah, I would say we have a tradition of working a lot together in Sweden, and also across the Nordics in the financial sector. And also in Sweden, we have examples where we have gone together and created the electronic identification solution that has been very successful. So I think we are small countries, and we have a tradition that we need to work together to create good solutions. I think that's true. Yeah, a tradition that is really strong. And we should continue with that.

Robby Peralta:

You know, you mentioned earlier, you don't want to be in the boardroom, because you're getting yelled at at that point. What sort of questions do you receive, you know, from your fellow members in the management team around your security posture? You mentioned risks and stuff, how do you, what are they wondering about?

Erik Blomberg:

I would say, first of all, you don't get that much airtime. Well, it's two perspectives. One is education. I've been there sort of educating the board in cybersecurity, what is it all about? So we had a few of those sessions. But when we talk about, I mean, the simple question is, are we exposed? What's the risk? That's basically the key question, and how can they sort of support us in changing that. So we try to have sort of an overview of the status of the key cyber risks, and talk through that. So we have four or five major risks that are sort of tracked on a regular basis. And then of course, we are a highly regulated industry, the financial sector, and now it's becoming, yeah, regulation directly targeting or toward cybersecurity. So previously it was more around operational risk, and that's still there. But now cybersecurity, or security, is sort of a specific area that the regulators are asking not only questions about if we have the governance in place, they're also asking about the sort of quality of our security controls, sort of going deeper and deeper into the stack, so to speak.

Robby Peralta:

As a follow-up question to that, you say you don't have that much time in those meetings, you don't have much airtime in those meetings. How do you communicate the status of all the projects you have going on, all the things you're doing, in such a small amount of time? Do you have to, you know, just put like a green, yellow, red on the PowerPoint slide just to know where things are?

Erik Blomberg:

Yeah, we try to, sort of, again, we have five cybersecurity incident scenarios, which we call our main risks, and, no surprises, for instance ransomware is sort of one scenario that could escalate to a quite serious situation for the bank. So we try to pinpoint the top five incidents that can escalate to us losing money, data leakage, outage of IT systems or blackmailing. So we try to sort of assess or explain what the business impact of this consequence is. And then for each scenario, we sort of assess, yeah, as I said, more green, yellow or red, when it comes to assessing our risk portfolio and also the external threat landscape. So I mean, looking at the last few months, I would say ransomware is the thing at the moment when it comes to a really serious threat to a company. So then we sort of assess our positioning there and what we need to do, and that's where we sort of link our initiatives, if we need to strengthen something to mitigate, or maybe not mitigate, but at least reduce the risk of becoming a target of these attacks. So we try to focus our work on having, yeah, one slide with the main risks, and then talk through them and explain why we need to do things related to these key scenarios. That's sort of trying to keep it as simple as possible.

Robby Peralta:

And I'm assuming those five pillars, those five areas of risk that you've highlighted, pretty much everything cyber related can fall into those five then, in your world.

Erik Blomberg:

Yes. Yeah, yeah. Yes. I mean, as a bank, for instance, here you are, you're a bank which is sort of important in the country. We are sort of a critical function in society, and then also very advanced actors, APTs, could be a threat to you. So, at least I would say, I know the Nordic area rather well, and we all have sort of the same. We can't only look at sort of criminals, we need to sort of be prepared for the most advanced attacks since we are one of the key sectors keeping society up and running in the Nordics. We are a very digitalized economy. So having large problems with digital services will have an impact on, yeah, people in our countries. So that's why, when it comes to what we need to be prepared for, that's actually the most advanced actors. So the bar is quite high. Yeah.

Robby Peralta:

Well, Mr. Blomberg, I know you're a very busy man, and you have lots of things to do. So I will thank you very much for your time. And I will start saving my questions for next time I get to have you on the podcast.

Erik Blomberg:

Thank you very much. It was great to be on this, an honor. Okay, thank you.

Robby Peralta:

Well, that's all for today, folks. Thanks for tuning in to the mnemonic security podcast. If you have any concepts or ideas that you would like us to discuss on future episodes, please feel free to send us a mail to podcast@mnemonic.nl Thank you for listening, and we'll see you next time.