The Progress Report

2023 state of IT risk: How companies are charting paths to cyber resilience

Episode Summary

More than 90% of respondents to Kyndryl’s 2023 State of IT Risk study say their organizations had IT systems or data compromised in the past two years. And 88% of the respondents feel their organization is well prepared to manage and recover from such events. Is the confidence justified, particularly given the growing diversity and frequency of IT risks? Listen as our experts discuss the risks that C-Suite executives face in preparing their organizations for the unplanned. Hear their point of view.

Featured experts:
Ricardo Morales, Chief Information Security Officer, Banorte
Kris Lovejoy, Global Practice Leader, Security & Resiliency, Kyndryl


Episode Transcription

Tom Rourke 00:02

Welcome to The Progress Report. My name is Tom Rourke. I'm the Global Leader for Kyndryl Vital. And today I'm delighted to be joined by Ricardo Morales, who is the Chief Information Security Officer for Banorte, and Kris Lovejoy, Global Practice Leader for Security and Resilience at Kyndryl. We live in a world where the range and nature of cybersecurity attacks and incidents is expanding all the time, increasingly in complex environments, facing new threats from new actors. My two guests today have a wide range of experience and an unrivaled perspective on how we can respond to this increasingly complex area of cybersecurity. So, Ricardo, I'm very interested in, you know, what's your view of the overall outlook in terms of the state of global IT risk today? Also, I suppose, as you think about that, how has that changed for you in recent years?

Ricardo Morales 01:01

Thanks. I think that there are some factors that we are seeing, from our perspective. One could be, we could talk about, the complexity. I think that in the cyber attacks of the last two years, for example, we are seeing this complexity. Let me give an example: many years ago, we were using a methodology. So we call this model the MITRE ATT&CK model. Alright, so if you see this model, to attack. The challenge here is that on the good side, we are using this model to have better controls, better defense. But the problem is, on the other side - the cyber attack side - they are also using the same methods. So this is why maybe it is one of the most relevant factors in the complexity. On the other hand, we are seeing the impacts: obviously, financial impacts and legal impacts. This is my first introduction about this: how we are seeing this change in the landscape of the cyber threats.

Tom Rourke 02:14

And, Kris, maybe if I could come to you: you obviously have a global perspective with the work that you do. How have you seen that landscape change? And in particular, there seems to be a real sense that the would-be bad actors in this space are becoming increasingly sophisticated, right? What does that mean for that landscape? And why is that happening today?

Kris Lovejoy 02:32

So first of all, you know, we just completed a fairly comprehensive study of our customer base on this question of cyber incidents and what is impacting them. And we're seeing some interesting changes and shifts. If you ask our clients, 71% of them have experienced, over the past year or so, some sort of cybersecurity-related event; of those, 88% have also had some form of non-cybersecurity event, right? So something along the lines of a network outage, a data center outage, IT hardware failure, etc. Now, if you look at, you know, what created the biggest impact over the past few years, what we saw was very common: it was usually an IT hardware failure, or a network failure, or some form of disruptive cyber attack like malware that really impacted the organizations. Moving forward, though, the trend that we're beginning to see is that there are a lot more impacts - significant business disruptions - that are being caused by human error. We hadn't seen that before. We always knew that human error was part and parcel of, you know, some of the reasons why our organizations were suffering disruptions. But we're beginning to circle human error as an issue, and really beginning to quantify the dollar-for-dollar impact that's having on our organizations. Most interesting is that we're hearing from our customers that the impact of malware and denial of service attacks, those kind of prototypical cybersecurity impacts, is actually going down. Now, it's not that they're not more expensive than a network outage. It's that the frequency of the other failures that are associated with misconfiguration, software, hardware failures due to human error, those are increasing in volume and eclipsing the impact of the malware events.

Tom Rourke 04:41

So Kris, is it fair to say that the takeaway from that is that actually we need to have much greater focus on, you know, our culture, our mindset, our internal processes, and not just this fear that our greatest danger sits outside - that our own dangers are our own errors, if you will?

Kris Lovejoy 04:59

Exactly right. A lot of what we have to focus on nowadays is really on the inside. And yes, the outside, the external attackers - I'm not suggesting in any way, shape or form that they're not more dangerous, and that they're not attempting to get into our organizations. What I am highlighting is that it is human error that often opens the door and exposes our organizations to these more significant disruptions.

Tom Rourke 05:25

So Ricardo, if I come back to you: I think you did mention in some of our earlier discussions before this conversation the importance of kind of mindset and culture in Banorte, and in terms of getting people to kind of settle in and take these things - not being in a panic mode - but being in a very considered approach to this. Maybe you could tell us a little more about, you know, the approach that you take within Banorte and how that affects your ability to think about those kinds of challenges that might come from inside the organization.

Ricardo Morales 05:54

Yeah, the internal culture for us is very important. Why? Because we need to create some culture, in terms of principles, etc. Let me give you more information. For example, we are involved in creating a program that we call anti-stress problem, for example. You are working with a person - not with functions - right? So if you don't create these kinds of principles or good tools internally, it's complicated to carry out too many tasks around all the organization. Some examples of internal control, like skip-level one-to-ones, for example. So we need to talk to any people of the staff about the requirements, about how the division is, practically - for all the staff, it is not necessary to have one-to-ones with only the direct reports, right? Those are some examples. Too many tests that we are making around this internal code; for example, we set 16 security principles. So each week we enforce one of these 16 principles. For example, let me cite an example about the risk. When we are making changes in the infrastructure, imagine we are making maybe three hundred changes in one week in the security infrastructure. So obviously, in some cases, you are seeing some problems related to human errors or not; sometimes, maybe 95% of the problems are related to processes. So sometimes one staff member skips one process, or chooses to have more proactive productivity. In some cases, we commit an error, but the issue is, again, it's a culture that you need to talk with these guys about, and talk about the responsibility and the possible impacts that we could create to the infrastructure of the organization. So this is part of the internal culture of the company. So also, we are pushing, for example, the use of personal agendas, because sometimes the people say, "Alright, I have too many works, too many tasks," etc. But sometimes maybe the problem is the internal organization of each individual. So that's why we are pushing to manage the personal agendas, for example.

Tom Rourke 08:35

Ricardo, that sounds really interesting. It makes the problem sound even more complex, I suspect, but to kind of link it back to what you said, Kris: how does leadership develop confidence that the organization is sufficiently resilient and sufficiently attentive to the risks? Recognizing that when you put the organization under undue pressure, that's when mistakes get made, the need for very clear communication? What are some of the strategies, Kris, you're seeing as you work with our partners and customers globally, dealing with that very real challenge about how you protect the organization while the organization itself is very busy?

Kris Lovejoy 09:13

So first of all, let me talk about cyber resilience for a second. We at Kyndryl believe that the field of security has been almost too narrow, and that, recognizing the source of harm and the impact on organizations, we need to take a wider view, a view of operational or cyber resilience. And we need to think about our ability to anticipate risk, to understand what could potentially impact our businesses, and then we have to be able to recover from any and all cyber-related events. That's what, again, we call cyber resilience. Now, when we talk about that, it is important that we break the silos between business and IT. And to break the silo between business and IT - first of all - you have to establish the tone at the top. The culture really can't be established unless you have the board and the C-suite engaged in these conversations. In addition to having the board and the C-suite engaged, it is critically important that the organization has articulated the mission of the organization - what are the business critical services that we care about, that we need to protect, that we need to monitor, that we need to have some sort of recovery capability in and around. And I think that cyber resilience, at least from our approach, gives us the opportunity to really help the business work with the chief security officers and the other stakeholders in making those digital business services resilient.

Tom Rourke 10:51

I'm struck, Kris, as you were talking, by the differences across industries in approaches to things like - I had the opportunity in a previous life to visit a number of large chemical plants, and you go to visit oil rigs, chemical plants, people in those industries, and a safety culture is really, really, really deeply embedded. There is no meeting that doesn't begin with a safety moment. You don't skip three steps in the stairwell and not use the handrail, because there's a camera and someone's gonna call you up on that. It's really deep rooted in the entire culture of everything that they do. And Ricardo, how do you maintain that conversation with the rest of the business to make sure that they see that they also have a role to play? That it isn't just something they can, if you like, internally outsource to you as the CISO, so that everybody has a sense that they have a responsibility to work with you. What are some of the strategies you might advise to your peer CISOs for ensuring you have that dialogue with the business?

Ricardo Morales 11:48

Yes, for example, we have, let me say, two dimensions. My first dimension is when I am reporting to the CIO of the company, the IT general director: we have a weekly conference for two hours each week. So in this conference very critical people are participating. For example, the executive director of system development is participating in this session, also the executive director from IT infrastructure, CTOs, etc. So we are talking with my boss about the cybersecurity in conjunction with the main peers - imagine, two hours each week. So what is happening, obviously, we sometimes use, to be honest, we are some weeks using this session to escalate: "We have some problems, please help us with this IT support for cybersecurity." Also, I recognize that we have a very strong PMO; it's amazing how the project office is pushing us every day. So this is not a complaint. For me, this is an advantage, to have a very strong vigilance in all these cybersecurity programs. So we have a very strong PMO. And another factor maybe is our performance. As you know, we are executing cybersecurity programs. And, if you see the history of our security programs, there was a very high performance. So that's why we are building some kind of trust with some senior executives in the bank. And also, we are publishing each month our cybersecurity indicator. This indicator is, you could measure your cybersecurity from zero to 100, for example. We are always, each month, publishing these indicators. So the main actors, the main people, know what is happening with the indicators. My summary is communication: you need to put on the table a very good communication process about what is happening.

Tom Rourke 14:25

If I might take a slightly different direction, Kris, for a moment. I'm aware in other parts of the IT landscape where, you know, we've changed these stakeholders. So if we take the example of the workplace: historically we would have dealt with CIOs around workplace solutions. Increasingly, we're now dealing with HR functions, because they're using workplace IT as a way of changing work styles and behaviors and so on. Is there an analogous process in regard to resilience and security, where there are other roles within the executive leadership who need to take a greater interest in being part of driving resilience within an organization? Or is it still very heavily centered in the IT function?

Kris Lovejoy 15:07

In some organizations, there are new models that are emerging, but outside of banking it tends to be that the security officer wears a cape and is known as sort of the superhero in the story. And all requirements for security are sort of invested in this particular person. If something fails, you kind of look at that individual, as "oh, gee, what happened there?" In the banking institutions, it's a bit more mature in the approach that many of the tier one financial institutions are taking, where the chief security officer is becoming more of a, what we call, second line in the three lines of defense model. They are the organization that's responsible for sort of looking at the risk landscape, identifying the risks, identifying the controls - not implementing/operating those controls, but really monitoring the controls to make sure they're effective - and then working with the various business organizations to mitigate the risks that are sort of percolating up. And then having IT act as first line; they become the organization that implements/executes the controls, along with their peers in places like HR and finance, etc., who all participate in this kind of ecosystem of actors. I do think, though, there is another level of maturity that we're beginning to see in some of the more forward-leaning institutions. What these organizations are doing is actually retooling their business impact analysis process as part of the BCP, or the business continuity programs.
Now, what happens in the BIA process, which is typically run by a very strong project management office, is that the key business services are clearly identified; the mission of those services and the importance of those services within a business context are identified; all of the assets that participate in that business service, whether that be data, people or technology, are mapped within that context; the protections that are required are mapped within that context; obligations for practicing or disruptions are mapped within that context. That is the way in which organizations are binding IT plus security, plus disaster recovery, plus business continuity, plus the executive teams all together, so that they can achieve overall operational resilience within the context of these mission critical services.

Tom Rourke 17:41

And obviously, in the context of banking, being a very heavily regulated industry, there is an imperative for that sort of thinking. Ricardo, with your approach, though, it might be too easy to assume that actually, well, because everybody gets it, because everybody's got an obligation as a regulator, you have an easy job in getting to make sure that everybody pays attention and collaborates with you. Is that true? Or are there any particular insights you might share with other CISOs, not necessarily in banking, but obviously, that being your field, the key ones?

Ricardo Morales 18:15

In general terms, I think, I have been involved in the financial industry for 10 years now. Before, I was in the telco industry. So I moved from the telco industry to the financial industry, but this move was like the NFL, because this is very complicated. Let me say a very simplistic scenario: when you see threats or impacts in demand, always they are related to money. It is always very easy in the industry: when there is one cyber attack, it is very easy for the cyber criminals to monetize the attack. Alright, so it's different if you attack inside Facebook or maybe different companies; you'll get maybe information, leaked information, but you need to process this information to monetize the attack, right? But the problem in the bank is it's very easy for the cyber attackers to get these results. You need, as a CISO, to raise the bar above the regulation, because it is not enough to have the bar near to the regulation. Because of this complexity, you need to raise the bar well above the regulations. This is maybe one of the philosophies here in the bank - in cybersecurity.

Tom Rourke 19:39

Kris, maybe as we kind of draw to a close, and as you think about this conversation and the organizations and the leaders who may be paying attention to this podcast: what are the kind of key pieces of advice you might offer for those seeking to secure the collaboration and confidence of their senior leadership colleagues in pursuit of greater decisions within an organization?

Kris Lovejoy 20:01

I often have these conversations with customers where they'll ask me to give, at a board level, to wax on the overall security resiliency of their business services. When I get into the boardroom from time to time, I'll say, "You know what? You could spend all your money securing this thing. But you're never gonna get to the goal." You know, I think it may sound trite, but it is important in today's atmosphere for the - particularly my CISO peers - to think about their obligation as not just being an advocate for better security, but an advocate for modernization within their environment. So I do think that this prioritization of critical business processes, modernization of those business critical processes, ensuring that you've got the right controls and the right skills to manage the controls around those business processes - that's what we need to do. But buying more tools to support our old stuff is not going to be the answer to this problem long term.

Tom Rourke 21:06

So maybe if I could give the last word to you, Ricardo, in terms of the context of Banorte and that kind of thinking: making really important decisions about the tools, the applications, the core systems, where that need for greater simplicity to support security - has that become part of the philosophy? Or is there a way to go?

Ricardo Morales 21:27

Yeah, with this complexity, we need to change our mind in many sides. Alright. So let me say that traditionally, when somebody asked me, "Ricardo, what is the strategy?" my answer was, "We have objectives, annual objectives. Our objectives always are aligned to pain issues; we need to create a vision, to set a new vision for the future." So today, we are working to set this vision in different fields. And one kind of field is the traditional domains of cyber security, for example: what about the access control in the future? What is our vision in access control? What is our vision in incident response, etc., etc.? But on the other hand, what would be our role in terms of the future of identity management in the organization, talking about customers, talking about internal users? So maybe we need to change the philosophy, set a new technology to monitor a different attack, so that's why I am mentioning that we need to set this vision to be more aligned to this complexity.

Tom Rourke 22:50

As we draw to a close, what's very clear is that as the complexity increases, the need for that clarity of vision becomes even more important, and the need for continual communication right across the organization is also super important, because, as we opened, the human factor is really at the heart of an increasing amount of the risks and issues we face. Can I thank you both for a super engaging conversation, as always. Kris, Ricardo, thank you so much.

Ricardo Morales 23:17

Thank you very much.

Kris Lovejoy 23:18

Thank you. Bye.

Tom Rourke 23:23

Thank you for listening to The Progress Report. And as they always said, if you liked the restaurant, do tell your friends; the equivalent in our podcast is like, share, subscribe, and look forward to the next one. Take care, guys.