
Interviews With CISOs
Tessian Spotlight: Thomas Tschersich, Senior Vice President, Internal Security and Cyber Defense at Telekom Group
Tuesday, March 26th, 2019
Thomas is the Senior Vice President of Internal Security and Cyber Defense at Telekom Group with over 20 years of cybersecurity experience. His wide-ranging role involves managing all aspects of security for Telekom Group, from personal and physical security to cybersecurity.

What are the greatest challenges you have overcome since you became SVP for Internal Security & Cyber Defense?

The biggest challenge has been to drive a new mindset into the security teams. At most companies, security teams operate in such a way that they hinder rather than empower others. For example, setting policies in place but leaving the responsibility of security ultimately to the commercial and operational teams. Then, when something goes wrong, they blame others rather than their own practices. This is not how it should be and needs to change. The best way of doing this is having security work directly with the other teams to find a solution where everyone is involved in shaping it. However, this initiative should come from the security teams as they carry responsibility for this.

How should senior cybersecurity executives ideally work with the board?

In most organizations, you typically see CISOs reporting to CIOs. The problem with this is that you are always relying on the priorities of the CIO to accommodate your information security concerns. When the CISO is mostly driven by the agenda of the IT team (i.e. the CIO), then the likelihood of failure increases because the priorities of the CIO and CISO are ultimately different. For example, a CIO might want to cut down costs but a CISO will realize this could increase your security risk. To create an effective cybersecurity strategy, you need to be an independent advisor or be on the same level as the CIO or CTO and ideally report directly to the board. This allows you to align the security strategy more independently and adapt to the needs of the company. You need a direct relationship with the board to ensure security is a priority.

What needs to change about how most organizations are handling their information security strategy?

When a cybersecurity team is not acting as a barrier to other teams but is instead working together, the business will see an increase in efficiency. It is crucial for cybersecurity to become a business enabler rather than just a pure cost factor. This is what modern organizations have to understand to become successful. Other than that, keeping your infrastructure up-to-date is key. Many of the most successful cyber attacks happen partially because of a missing software update.

Do you have any advice for new CISOs to help set them up for success?

First of all, listen to the business and understand how it works. Then you can set up security measures that will really help the business achieve their goals and keep practices safe rather than just providing commercial teams with a security target and writing out policies. This is the most essential aspect to understand: with just a policy you are protecting nobody. Also, make sure to network with your peers and talk about breaches openly so no industry ever falls victim to the same threat twice. From time to time, you might be the first victim but other times you won’t be a victim at all because someone told you about the threat beforehand.

What role do you think human error plays in data breaches?

I would say most data breaches come from disruptive security measures. If I only implement procedures that are a burden to people and their productivity then they will obviously try to find a way around them. For example, if a policy required people to change their password once a week you would almost certainly have more people writing their passwords down and so the risks actually increase. Security executives need to focus on security measures that support rather than burden the user. This consequently reduces the number of threats as people are not motivated to find a way around measures anymore.
Tessian Spotlight: Pierre-Yves Geffe, Chief Information Officer for Swedbank Luxembourg
Thursday, March 21st, 2019
Pierre-Yves has been the Chief Information Officer for Swedbank Luxembourg for over a decade. Originally hired to restructure the bank’s IT operations, he overhauled the IT teams into a highly agile workforce and successfully led numerous IT implementations and migrations. Before joining Swedbank, Pierre-Yves worked in IT at both the Luxembourg Stock Exchange and IBM.

What are the greatest challenges you have overcome since you became CIO?

The greatest challenge is hiring and attracting the best employees. My strategy from the beginning was to automate as many processes as possible so that I could hire the best people. Steve Jobs once said “It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.” I couldn’t agree more with this and that is how we try to attract people here. We are committed to automating processes and staying on the edge of innovation. Slowly, the bank has started to change and become much more flexible and efficient. It was a difficult process but I think we have managed to do it.

What are the specific tactics you use to engage the board?

Chief Information Officers sometimes have difficulty getting complex ideas across to the rest of the board. The board is made up of mainly commercial, financial and legal executives so I find that the best way to express my ideas is through analogies. It is more effective to break down technical aspects into fundamental analogies as this helps them understand the IT perspective much better. This also helps us justify spending on IT initiatives, showing how they will help the business.

What are the most important security indicators that banks should care about?

I pay most attention to human resources because keeping talent is a factor that almost every other IT goal depends on. A company, especially a bank, needs to make sure that employees are happy to work there because the nature of the job cannot allow for mistakes to happen. Unhappy employees are much more likely to make a mistake which could lead to something like a data breach. Because of this, I have no problem allowing them to focus on any personal issues first so that when they come into work they are as happy and effective as possible. The cost of employee mistakes will be much higher than the cost of letting them focus on any personal challenges first.

What needs to change about how most organizations are handling their IT?

Most organizations do not think about how happy their employees are. They don’t understand that if you take good care of your employees, then they will take good care of the organization, especially in IT and cybersecurity. Happy employees are much more likely to behave in a compliant and secure manner.

What are the greatest information security threats to the banking industry?

A lack of employee education when it comes to cybersecurity risks is a very big threat. Lots of employees tend to get phishing emails and many click on the links included in the email without knowing the risks involved. One way of tackling this could be to be very close to the users and remain up-to-date with how users are treating these threats. However, this can only take you so far. Luckily, we have been able to escape any major risks for now but it is an ongoing process.

Do you have any advice for new CIOs to help set them up for success?

You have to get out of the office. Meet with your peers and industry experts, go to workshops and networking events. You should also read blogs and articles constantly to remain on top of the newest technologies, solutions and threats. Ultimately, if you are curious and flexible in your approach to solving a problem in IT then you have the right tools to get started.
Tessian Spotlight: Johan Kestens, former Chief Information Officer at ING Belgium and Luxembourg
Tuesday, March 12th, 2019
As the former Chief Information Officer for ING Belgium and Luxembourg, Johan was, until September 2018, responsible for the complete IT stack and was part of the Executive Committee. An engineer by training, Johan worked with a number of organizations before joining ING, including McKinsey, SWIFT, SAP and A.T. Kearney.

What are the greatest challenges you overcame while you were CIO at ING?

There were several challenges. Firstly, we increased collaboration between the Belgian and Dutch IT operations to create a single IT organization and adopted the same agile way of working. We also brought IT professionals much closer to other teams in the business and removed as many coordination barriers as possible, which made the IT team more efficient and cost-effective. Another challenge was gaining more control of the IT change portfolio. There is always more demand than there is capacity so we changed it from a demand-driven organization to a capacity-driven one. This helped get many more things done and we had some very positive results in areas such as big data. The final challenge was creating better risk awareness and control in the business and enhancing the level of discipline in the organization.

What needs to change about how most organizations are handling their IT strategy?

I noticed that in many companies there is sometimes a distance between the business and IT people. This might be because of the different business jargon, personalities and delivery goals but this divide needs to disappear. Many parts of the economy are being disrupted through digital businesses and IT is increasingly becoming the main driver of business. The IT strategy for many is starting to become the strategy. For this to work effectively, you need to bring non-technical teams and IT teams closer. Improving communication and understanding between teams will help them work together most effectively.

How should CIOs ideally work with the rest of the board?

If you look at most company boards, I would say a lot of them are likely struggling to understand what is going on in IT. Many of them know that their digital business is becoming more important but it is like watching a soccer game; it is different when you are sitting in the stadium than when you are playing on the field. I have also sensed a mixture of fear and distrust regarding IT because some people feel that they do not have the expertise to really assess it. Most boards are made up of professionals with a commercial or finance background. An area where this is especially clear is cybersecurity: it is very frightening for board members to ultimately carry responsibility but not understand all techniques used to attack their business. Constantly reading about the newest data breaches in the news will likely do little to assure them. CIOs should do their best to address all of these concerns.

What are the greatest information security issues to the banking industry and how would you address these?

The biggest security incidents often happen from within, so integrity of staff must be a prerequisite. At the larger organizations, security becomes much more of a numbers game. Even with very good employee screening procedures, data breaches will likely happen either by accident or through malicious employee intent. Another important issue is adopting the right mindset when dealing with information security. I think about it in a similar way to healthcare: a new variant of flu comes out every winter and the medical industry is quite fast to respond to this but it never goes away completely. You have to adopt a framework where you understand you are never going to be completely immune as cyberattacks are always evolving. Even if you have never had a data breach before, you can never be completely sure that an employee will never fall prey to a spear phishing email. The best you can do is remain vigilant and constantly stay abreast of the newest developments. This is why I am a big fan of collaboration between industry participants or even governments. Cybercrime is like a virus; it tends to go from country to country, so by working together, you can be aware of it ahead of its arrival. All parties benefit when they collaborate together against a problem like cybercrime.

What do you read/listen to to stay on top of advancements in IT?

Gartner reports are a very good source of information as they cover different trends well. I also follow a few networks such as CIONET to understand what is going on in the industry right now. Finally, small CIO events like dinners or breakfasts with only 10-12 participants are amazing for knowledge sharing. The size of the audience allows everyone to participate and every once in a while you get a nugget of gold. Keeping in mind that what might be very esoteric today could become very important tomorrow is key.
Tessian Spotlight: Michael Mrak, Head of Department Compliance & Information Security at Casinos Austria
Monday, March 4th, 2019
Michael has been with Casinos Austria for 26 years. He started in the IT department and eventually took over the role of Data Privacy Officer in 2001. Responsible for the overall information security strategy and working closely with the CEO, Michael establishes policies relating to compliance and anti-money laundering. As well as overseeing all the activities related to the development, implementation, maintenance and adherence to the organization’s privacy policies, he is also the link between his organization and the Austrian Ministry of Finance.

What are the greatest challenges you have overcome at Casinos Austria as Head of Department Compliance and Information Security?

Dealing with the number of regulations is definitely number one. It is a developing field for lawmakers and this makes the laws less stringent than they should be. Additionally, this means that we sometimes have to deal with laws that are in conflict with each other, such as money-laundering and data privacy. Another issue that I face, which is probably the case for many compliance officers, is keeping the awareness of compliant behavior high. It is a constantly ongoing process that requires continuous education about the rules that must be followed and we deal with this by running educational campaigns. While there are many ways to approach user education, I find running in-person educational sessions to be much more effective than the rest (e.g. e-learning).

What are the greatest information security issues in the gaming industry and how should these be addressed?

Different gaming markets tend to have different issues but one overall issue I found is, surprisingly, not technical but social, namely dealing with social engineering tactics. This is actually quite a problem because advanced spear phishing attacks that use social engineering methods are very difficult to recognize and therefore challenging to prevent. This is usually dealt with by keeping awareness high but, as mentioned before, that requires constant communication. Because it is such an issue, this will be my main focus for 2019.

How should compliance and information security executives ideally work with the board to address information security issues?

In an ideal situation, the most important aspect is to get support from the top as I cannot execute my plan if I do not have the support of the board. Additionally, constant communication within the organization is key, so having weekly meetings with the board and other departments to discuss strategic issues is ideal.

How are most organizations in the gaming industry handling information security and what do you think should change?

Surprisingly, a lot of our competitors in the gaming industry do not have a high level of information security. This seems to be especially common with some of the younger organizations that might be prioritizing high growth over security practices. Casinos Austria has been operating since the 60s so we have very well established compliance procedures. It is not the case that these younger organizations do not care about information security but rather that they usually address this in an unstructured way without many processes. It is extremely important to have a clearly defined information security strategy and that usually means having processes in place.