In this episode, host Raghu Nandakumara sits down with Tristan Morgan, Managing Director Cyber Security at BT Group, and Mark Hendry, Digital Services Partner at Evelyn Partners to discuss DORA regulations and compliance in the financial services sector. They discuss the interplay between regulatory standards like NIS2 and DORA, the importance of proportionality and operational resilience, and the broader adoption of principles such as Zero Trust. Learn more on how to achieve DORA compliance: Illumio.com/dora
Learn strategies for DORA compliance in this ebook: https://www.illumio.com/resource-center/zero-trust-segmentation-dora
--------
"If you did a search on DORA and looked for the word segmented, ss in micro-segmentation, instantaneous severing of elements of the network in order to contain and what have you, it's in there. It's absolutely in there. So, you just need to know what you're looking for and you'll find it. And Zero Trust will evolve. It might evolve into a different name or a different set of characteristics that we seek to achieve, but DORA should last. And we might find terms like Zero Trust start to pop up in regulatory technical standards or implementing technical standards that accompany it, but it's absolutely in there because it's such a good way to protect our organizations from harm, the types of harm that we've talked about." - Mark
"If you were to build something completely separate and ask all businesses to comply with something that was different, not only would there be significant cost, I think actually you get much greater resistance. Whereas, these regulations like DORA actually build upon industry-recognized best practices that many businesses are already adopting to a degree, and it actually is sensible, but it also makes the barrier to compliance less." - Tristan
--------
Time Stamps
(04:22) Current cyber threat landscape
(11:02) Operational resilience and cyber resilience
(12:27) Compliance and regulatory standards
(15:22) A historical look at compliance
(25:58) The tipping point for the EU to prioritize operational resilience
(36:48) What differentiates DORA from other legislation?
(44:24) The role of Zero Trust within DORA
--------
Sponsor
Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs — with Illumio, the Zero Trust Segmentation company.
Learn more at illumio.com.
--------
Links
Connect with Tristan on LinkedIn
[00:00:00]
Raghu: Hi everyone. Welcome to another episode of The Segment. It gives me great pleasure to welcome Tristan Morgan, Managing Director Cybersecurity at BT Group, and Mark Hendry, Digital Services Partner at Evelyn Partners. Tris, Mark, welcome to The Segment.
Tris: Thanks, Raghu. Great to be
Mark: Thanks for having us.
Raghu: Well, the pleasure is all mine. And I get to converse with two people rather than the usual one. So it's double the fun, double the trouble, of talking about compliance, particularly as it applies to the financial services industry and what that means for cyber. A bit of background about both of you.
So Tris, why don't you tell us about yourself first?
Tris: Yeah, thanks, Raghu. It's great to be here and, you know, I have the pleasure of helping to protect all of BT Group's customers, particularly in the business domain. So I look at the products or services that we want to bring to market, how we serve them, and really, ultimately, in line with today, how we ensure that they stay safe, you know, can defend against as many breaches as possible, but also stay compliant.
So what I've had for a number of [00:01:00] years, and prior to that, a strong background working in the government sector, both UK and internationally.
Raghu: Awesome. Thanks, Tris. Mark.
Mark: Nice one. Thanks for having me. So yeah, Mark Hendry, I'm a digital services partner at Evelyn Partners, which is a UK and Ireland focused business advisory firm. I spent a lot of my time, before joining this firm, in a variety of companies: technology companies, big four consultants, and law firms. From about 2014 onwards, a lot of my practice was either lawyer instructed or working as part of a legal team as a technical and operational expert, interpreting regulatory requirements, getting aligned with, or even challenging, regulations and regulatory enforcement.
So that includes things like big digital regulatory change programs in the years of [00:02:00] the GDPR, and working with clients who had been impacted by data breaches or cybersecurity incidents and needed to investigate, remediate, and deal with regulatory scrutiny and enforcement. So it's a fun time to be alive in the world of digital regulations, and thanks for having us on this podcast to talk about them.
Raghu: Well, as I said, right, the pleasure is ours. So Tris, Mark, thank you very much. So actually, Mark, sort of the last bit of your intro, I think sort of sparks really, where I think we'll go with, the start of this conversation. and it's getting both of your perspectives on what you feel are the biggest threats that are, the biggest cyber threats that are out there.
That are impacting, I mean, sort of, are impacting just in general, but also specifically on the financial services sector. So Tris, your thoughts.
Tris: I mean the, the threats are numerous and I think the thing to remember about security is it's not one type of threat. It's many. And [00:03:00] even those many continue to evolve and change based upon such a wide range of factors. It could be, you know, economic challenges, geopolitical challenges. It could be other ideologies.
And for many of our customers, they're faced with this ever changing, you know, kind of onslaught from a variety of those. What we, what we've seen though extensively is, it used to be the case that a lot of the attacks were largely focused on larger multinational organizations, organizations with critical infrastructure, critical data, and increasingly, That isn't the case.
They're still absolutely targeted, but small, medium business now are really being affected by this. And so, when you look at it from a threat point of view, it's everywhere now, affecting businesses of all sizes, all shapes. And I think that represents some of the change, you know, that we, we have seen.
Raghu: Yeah, absolutely. Right. And I think that the, the, the data absolutely shows [00:04:00] that sort of the widening of the impact from just what, what Inventor Commons perceived to be the most valuable targets to now something that is, that is impacting sort of. Organizations of, of every size in every sector, like Mark, what are your, what are your perspectives to sort of carry on from what Tris was saying?
Mark: Yeah, I think, take the historic point. Big company, lots of assets, big target, rich pickings. Smaller companies being targeted. Why? Many reasons, but the payback on cyber crime is very well understood in criminal communities. Relatively low risk, it's not going into a bank with a shotgun.
and, and the rewards are huge. Also take the digital supply chain. So actually, these smaller companies are potentially being targeted because they're linked with the, Big companies. so you can target them, and then you can, you can move laterally across networks into connected organizations, and [00:05:00] have sort of knock on and multiple impacts.
So that's all about kind of, The way that the world has changed and digitized over time, interconnectedness, we, we talked a couple of years ago about the year of the supply chain attack. Now that, that hasn't stopped, and, and sort of the, the year of ransomware. Not stopped, just evolved, just changed, lower barriers to entry for criminal organizations and criminal actors, passing down their methods, tools, ransomware as a service, playbooks available, criminal organization, customer service outfits popping up.
It's, it's very interesting and, yeah, threat modalities change often. I, I suppose. threat actor motivations largely stay static and it depends on who you are whether they're a nation state or an organized crime outfit or some lower level crime group or or a have a goer. they're all [00:06:00] after something, and the ways that they can get at it just change and evolve over time.
So the way that we need to defend, defend as one, changes over time too.
Tris: And if you don't mind, I'll just jump in there. You think of many of these companies, you think of many of these organizations that are trying to do harm to businesses, you know, they're actually run like businesses because they are businesses. So when we look at technology adoption and digital transformation, they're looking at the technologies to understand how can they be exploited, how can we use them to do net bad.
And so, you have two similar but very different business models.
Raghu: Absolutely. Right. So there is definitely that, that sort of the business model of like profitability and I guess the economics of ransomware and, and, and ransomware as a business or, or cyber attacks as a business. And you both sort of touched on various things about sort of motivation, about it very much not being just the year of ransomware, I'd say the years of ransomware, right?
in [00:07:00] plural, and really it's sort of the modality of attacks and,while the tactics themselves, the high level tactics don't really change from attack to attack, from attacker to attacker, some of their techniques and procedures, do evolve. But let, let's sort of like unpack those bit by bit and let's look at motivation.
And one of the things, and looking at sort of the, sort of various sort of like reports over the last couple of years, one thing that is sort of coming Some of the shift towards more attacks that are focused on compromising availability, productivity, beyond just the sort of the extortion, approach, right, the profitability approach.
like how are you, how are you seeing that? And are you seeing this as an increasing concern amongst organizations about how do we ensure that we continue to be productive? Cause we know that that attack is around the corner.
Tris: right. So this, the resiliency term is what you're talking about is, I'd say, ever [00:08:00] present and front of mind. Because even when there is a breach underway, It's not a question, I think, of the business not being able to operate, it's, well, how can we continue to operate even if there are things that are ongoing within our enterprise?
And so, if you look at the digital connected world, most businesses of all different sizes intersect on very few points, right, in the new hyperscaler SaaS model that we have. And so, The focus on IT resiliency in case there's a non cyber related outage and indeed a cyber related outage is now paramount because you make a valid point there, which is it isn't all about ransomware and being demand payment to have your data released to you again or be well.
Actually, it's an awful lot more about, well, if you can take a website down so you can't sell any new orders or you can prevent, you know, all of your 50, 000 employees coming in and doing anything that itself also costs a huge amount of money to that business.[00:09:00]
Raghu: And yeah, and, and I think tied to that, right, I was looking at sort of one of the more recent data breach reports that spoke about how, when you look at the, the average cost of a, of a data breach, About 33%, a third of it is attributed to,lost business, right? And that, that percentage as an overall total cost is increasing, which previously that the significant sort of impact was either like paying the ransom or, recovery.
Right. But that impact off to the business itself, productivity is just, is going up day by day. So Mark, like in your sort of conversations with your, with your customers, right. What is the nature of that conversation when it comes to operational resilience and cyber resilience?
Mark: Depends on who you're talking to, and. What matters to them and what sector they're in. and so often it's a case of telling a story. So for instance, one of the ransomware incidents that I worked on a while ago, it was a while ago, but it's a big story. Pretty, pretty good story. they suffered [00:10:00] a massive ransomware, you know, prolific ransomware attack that basically stopped them from operating and they were, they were losing, millions per day.
They were a fast moving consumer goods organization, so they couldn't move goods in and out their warehouse, couldn't print labels, couldn't tell, gig economy workers, when to come to work and where to come to work, couldn't pay suppliers, couldn't pay staff, lots of, lots of sort of day to day impact stuff.
And they're, they're losing millions off the top line, but absolutely, philosophically opposed to paying a criminal actor to recover their systems and their data. And so, if I'm talking to an organization that produces something that has factory lines and has people, coming in and out on a, sort of, a given basis, A gig basis, zero hour contract workers.
That's a good story to tell and sharpen their minds to what the type of impact, could look and feel like and how they're going to decision make when they're faced with a crisis like that. Whereas, a, financial [00:11:00] services organization, very different in terms of how it operates and how it, generates top line revenue, and therefore how they're likely to need to decision make, how they're even going to coordinate themselves in a communications outage, how they plan for those things.
and then how they make those philosophical choices as well as the practical operational and technical choices. And of course. Different industries have different regulatory compliance, obligations, burdens, oversight, supervision. And so if you're in financial services, if you're talking about the overall cost of a disruptive ransomware attack or other sort of digitally oriented outage, then the likelihood is that a fair chunk of that cost is going to come from a monetary penalty notice from your supervisor, your supervisory authority, whereas if you are You know, for now, a food producing [00:12:00] organization, you're not really expecting,a big fine for failures to keep your systems resilient.
You might get one if it's a personal data breach as well, but that's a slightly different matter. It's the nature of the supervision and the enforcement, can vary drastically based on your sector. but that. That can really drastically change your outlook for overall costs of that type of disruption.
Raghu: Yeah, absolutely. you're sort of going towards an area that we want to explore in this about sort of how compliance and sort of regulated industries or how compliance and highly regulated industries sort of Drives better standards. And in this case, better security and better resilience.
So kind of with that in mind, right. what do you see as the shift? Cause I've kind of seen personal experience in sort of previous careers is like the sort of checklists from a compliance perspective, where it was very much around, okay. Go through, go through this list, check that you do all of these [00:13:00] things and then provide essentially provide your evidence.
Right. But it often lacked context as to the impact of those controls. So they're rather static rather than actually showing a meaningful improvement in security posture. Like, what is your perspective on that? Because coming onto DORA in a second, there's some interesting changes that sort of DORA is driving with that respect, but like, what's your perspective on sort of a historical look back at compliance and the effectiveness of those requirements?
Tris: I think in many organizations, compliance was often seen as something which was, challenging, but also question marks around the why. And I think you make a valid point where often it was sometimes done as a tick box exercise. And if you look at some of, you know, if you then look forward at some of the recent developments, like we have the cyber assessment framework developed by the UK NCSC, you know, it's not a tick box.
It's really about a rating on a scale. And so what you can do on an organizational basis is say, For some businesses, these things matter more than other things, and so you can dial up and [00:14:00] dial down the areas that you need to be compliant and also understand to what degree do you need to be compliant to get it to scale, and I think that's really important, because a good example would be operational playbooks in the event of a breach.
Well, what kind of scenarios are you trying to simulate? How far would you look for a breach to pervade throughout a business? It's all these sort of things which you need to have a judgment call on the degree in which you actually need to have those in place based upon risk to you, customers, um, and a wider supply chain.
Raghu: Yeah, absolutely. Right. I think that that comes back to the question of, of, of proportionality, right. What is relevant to you based on sort of what is important to your, to your business. So I think Mark, like what's your, what's your perspective on it in terms of what you've been doing given sort of your background, what you've done with customers and how that's changed over time.
Mark: I suppose, well, look, the regulatory environment in the digital [00:15:00] space, let's call it that, digital and data space, has changed and is changing massively. so, In my years of practice, I used to advise clients on the Data Protection Act, 1998, as it, as it was, and then we had the GDPR UK Data Protection Act, bloody, bloody, blah, right?
And, and also the way that we've practiced that, the way that, customers, companies have needed help with that have changed over time, I think, Maybe that's a bit about my own standing as a practitioner. and maybe that's a bit about the sophistication of the digital ecosystem, the world, and I suppose the compliance of the regulatory or the standards environment in which we all live now.
So for instance, back in the day, I used to go around call centers and sort of data warehouses and made sure that the controls were present or absent and operating to a certain extent. And [00:16:00] I do kind of agreed upon procedures, audits, and what have you. I'm sure some of that stuff still goes on, but if you look at the text of the standards, so, you know, NIST Cybersecurity Framework or Cyber Assessment Framework from NCSC, as Tris just said, or, actually into NIS2 and DORA. So NIS2 is a good example. It says something like, taking into account the state of the art. That's not static at all. It changes all the time. And so there's a heavy amount of interpretation.
And why does it say that? Because the state of the art for, protect, detect, and respond has to change as the state of the art for attack and harm causation changes as well. And these regulations need to stand the test of 20, 30 years. And they need to evolve through supporting guidance, but it points out, you know, NIS2, which has a [00:17:00] relationship with DORA, NIS2, In its definitions, it has a definition for standard, what we mean by standard, if, if this regulation refers to standard, it's referring to international standards, it's referring to European standards, it's referring to technical standards, and so, They immediately signpost you to the other places that move faster than the regulations themselves do.
And therefore, the way we advise clients, the way that clients have to consider these things and act, it all changes. Very, very frequently.
Raghu: Yeah, I, I think that he expressed that sort of, sort of beautifully. And it's kind of like, Tris, like, cause sort of keeping, keeping that in mind, right, it feels like what we're seeing now is, and I kind of, you mentioned this too, but let me introduce Dora in here that, It talks about how it's leveraged ISO 27001, right, as an inspiration on which to build because [00:18:00] there is so much in there that is already kind of relevant rather than trying to reinvent the wheel.
So I think, I think sort of tying in what Mark was saying is that a closer alignment between regulations and sort of security frameworks and standards that organizations are adopting anyway, to avoid sort of duplication of effort. Is that, is that consistent with what you're observing?
Tris: Oh, a hundred percent. And actually this is This is, you know, this is really helping business. You think of some of these big global standards like ISO, which many businesses adopt across a number of domains. If you were to build something completely separate and ask all businesses to comply with something that was different, not only would there be significant cost, I think actually you get much greater resistance, whereas these regulations like DORA that actually build upon industry recognized best practice that many businesses are already adopting to a degree.
And it actually is sensible, but it also makes the barrier to compliance less. I [00:19:00] mean, there's still lots of things to do to get there, but actually it makes it less, but it also means that there are greater communities. Available for companies to speak to, to help understand what they need to do and the areas also to not worry about. see for a number of sectors whilst there is challenges in doing this. Also, degrees of satisfaction that this is something which has been used universally. And businesses are not having to comply with different local legislations in different countries because many businesses that we serve and you will serve work across country boundaries.
Raghu: Absolutely. And actually I, that, that's an interesting point to just, just talk about a bit more because NIS2, in its nature, puts like with the EU defining this too as a directive and then essentially asking member countries to adopt that into the relevant local regulations, but compared to that with, in the case of DORA, the EU have said, actually, [00:20:00] we're going to take responsibility for getting this applied across the board and we will be, or the European supervising authorities.
Why that sort of difference in approach between NIS2, which is broader and covers more industries, and DORA kind of becoming a regulation EU wide, right? Why that difference in approach?
Tris: I would say it recognizes and takes it a level up and actually looks at it as the European economy. And so recognizing the impact that can happen, not just at an individual country level, but at a broader, wider geographical level, unless you look at some of these fundamental issues around resiliency, cybersecurity, because without that, if you have different interpretations of it, then you haven't got harmonization and you're not moving all in the same direction.
There's also another thing, of course, in security, very much looking at, it's a team sport. You've got to share information. between organizations to be better together. And I think again, when [00:21:00] you look at these continent wide and, you know, European wide regulations, they're important because that's one of the cornerstones of them.
Raghu: And yeah, I think that's an important point, right? And I think also the financial services industry, both in the EU and globally, is far more interconnected across borders than any of the other, like critical, critical industries that sort of NIS2 covers. So, Mark, what's your, what are your thoughts?
Mark: Yeah, I completely agree with what you've said. I think there's a bit about heritage, right? NIS2 is the second one. It comes from NIS. We had, and have UK NIS, which, you know, for those who don't know, the original NIS, Network Information Systems, whatever it is, regulation 2018, was really focused on operators of essential services.
So that's critical national infrastructure, utilities, transport, things like that, as well as what they called RDSPs, relevant digital service [00:22:00] providers. and that was all transposed into national law. It was around the same time as the GDPR. GDPR got all the attention and actually subsequently pretty much all of the enforcement and supervision.
and. NIS2 is the second bite of the cherry, because it recognizes that, a wider scope of industries, should be considered to be critical or important on a national and international economic and social basis, societal basis, but they're not coordinated, really. You know, there's, there's no coordination between, I don't know, the French Postal Service and the UK's, I don't know, hydrogen infrastructure economy.
So it'd be really difficult to, create something that is fit for all of those in scope industries for NIS2 and harmonious. whereas, like you've said, the European financial services economy and society and supervisory regime has been coordinated [00:23:00] for quite a long time. And that's why, DORA, a sort of a harmonized and sort of blanket, act stands a much better chance.
So, you know, the time, time will be the proof, but it stands a much better chance of achieving what it. Needs to achieve what the principles that have been set out to be achieved. using that harmonized instrument,
Tris: So with that all being said, right, and I think we're familiar with sort of the nature of, sort of ICT risk, risk management regulations in the financial services industry, historically, like, what was the, what would you say was the trigger? Or the tipping point for the EU to reframe a lot of this in the form of, and really make operational resiliency the prime objective, what was the tipping point? Mark?
Mark: I talk about this as probably the, biggest, resilience intervention in financial services since [00:24:00] after the 2008 crash. after the 2008 crash, it was about financial resiliency, cash in the system. A lot has changed since 2008. And we talked about it earlier about how interconnected. The economy is, and all of its players, and how much society relies on digital infrastructure to an extent that, I think has been seen coming but has potentially, been a little bit surprising in just how domino the effects can be when some kind of an outage happens.
I think there's a huge amount of apprehension and nervousness across Europe about what happens if that nth degree player, that nobody really perceives because they're buried layers deep in the digital supply chain. No one's really done due diligence on them, but we all rely on them. We just don't know it yet.
And so you see that come out in things like, the identification. objectives in DORA, where you need [00:25:00] to really map out your supply chain in a, in a thorough and deep fashion, see who's connected to who, and who's connected to them and who they all rely upon. And there was a really good example recently whereby, in the midst of all these DORA, processes and programs to identify the supply chain and to determine as a financial services entity, subject to DORA, Who we consider to be a critical or an important ICT provider, there was an ICT provider that will be in with a lot of these financial services institutions that didn't suffer a cyber attack, but had its widgets and its dongles plugged in and deployed across lots of servers and lots of laptops and Something that they did caused a big disruptive operational outage.
And that was not to do with a cyber attack. And that's why this has elements of ICT risk management, which you and I would see as cyber objectives, cyber mandates, cyber requirements, [00:26:00] but it's bigger than that, it's digital operational resilience, because that wasn't a cyber attack. And yet it had a similar impact to a disruptive ransomware attack for a short amount of time.
And that's why this has come about. It's about intervening on the basis of how the world works now.
Raghu: Yeah, absolutely. I want to come back to some of the things that you said. Tris, anything to add?
Tris: I think they could see it coming as well, right? And if you just, if you just look at the, and Mark related to it, the highly, not only interconnected, but the just in time economy that we have in critical sectors, you start to realize how at any moment, at any given point in that, how it's not just a small localization that can have much greater ramifications.
And so, I think there's a great deal of foresight that has gone into, into planning for this, but also, and for the companies I work with, also ask from organisations for greater guidance and [00:27:00] standardisation on some of these things so that certain businesses or sectors don't have to bear all of the cost of it.
Raghu: There's a few things in there. Let's think about the impact, because both of you have mentioned that, and I can think of a recent example, which was cyber attack related, which is the ICBC ransomware attack at the tail end of 2023, which then impacted, as they're a key component of U.S. securities, the U.S. securities market, right? And then there was a knock on effect to be able to sort of clear trades, et cetera, amongst all of their counterparties. And that's a great example of what, like DORA and the controls it's bringing in, is literally looking to sort of reduce the impact of. But the third party thing I think is really interesting.
and the first question I'll pose to both of you is how do you identify a critical third party service provider versus a non critical third [00:28:00] party service provider, because that, that kind of, that, that chain, that, that it's turtles all the way down, because you could keep digging and say, well, that's critical to my process and that one is, and that one is, I mean, everything is critical.
So how do you differentiate?
Mark: I mean, there's a point in that, isn't there, which is, it's a matter of interpretation. And a matter therefore of depth and thoroughness. And there's a risk balance there to be had between, is the proportionality principle, all of these regulations contain a proportionality principle, which is say something to do with, you know, bearing in mind the risk to X, Y, and Z.
And so in GDPR is about the risk of harm to natural persons, you and me, if our data gets, you know, wrong. Whacked or stolen and that's about if it's medical data and somebody that we don't want to gets hold of it, or if it's financial data, what's the risk of harm? And so you put in place proportionate safeguards to deal with that.
and then [00:29:00] when it comes to supply chain mapping, if you like, what's critical and important? Well, just point out now, not a lawyer. But look into what the definitions are and interpret those for your organization. And there are, there are really two, I was giving some advice about this the other day.
There are really two ways to, to consider this, at least in the client scenario that I was dealing with, which is that, they're critical and important. If they suffer an outage or disappear, and that stops you from being able to complete the things that are important in the financial services sector and economy.
And it's things like completing transactions or placing trades or whatever else it might be, you know, people getting cash out of machines. Second part of it, which is about what's important to you. So that's, what's important to the economy and the people in it and the other players that act. And then there's, actually, is it critical or important to you?
[00:30:00] And that's more about, can you operate and can you fulfill the obligations that you hold to yourself, your people, and others who rely upon your, expect you to do a thing. So for instance, in this conversation with a client, it was, Ah, what about our risk management? We use X, Y, or Z cloud portal or platform to fulfill that and it's applied by X, Y, and Z.
So are they critical or important? Well, actually, if they go down for more than a week at a particular point in time, you fail to fulfill your regulatory obligation. So yeah, they're one of the two. They're critical or important. You decide. We can, we can work through that, but that's how I go about this.
Raghu: So Tris, just, just sort of to, to counter this, but I think the proportionality part of, of these regulations and, and DORA in particular, I think makes them highly dynamic, highly flexible, very customizable to every organization, but does that not also prove a challenge when it comes to sort of [00:31:00] like identifying, like determining, okay, this is what we're going to do. But then also to, to be able to prove that, that you've made the right choices. Does that, does that not provide a challenge, which then means that organizations sort of typically default to doing as much as possible? How do you decide and how do you prove that you've made the right decisions?
Tris: So I think you make a valid point there, which is we, you actually need to evidence your decision-making and getting to a position around that. Your point around proportionality is key, right? So how is it you've got to a decision, and evidence that, and, and, you know, to Mark's point, actually seeking, you know, counsel as well, I would suggest, in terms of how you've got there.
Um, because obviously what you don't want to do is to make an assumption and then that to be proved invalid down, down the line. It's also worth noting that any decisions that you make today need regular review to understand actually, are they too strict? Are they not strict enough in terms of what we've implemented?
But I'd just like to come back a second ago and say that this [00:32:00] isn't a question, this isn't a question around your binary, you know, one or zero actually. This is around a, a key scale, and when you look at those critical parties that you need, it's also important to think about the stack ranking of different platforms, systems, and functions.
And something that I often talk to customers about is they often think, well, you know, if we couldn't write a purchase order, would that really matter? Well, you say, well, actually, if you needed that to get in some incident response specialists, it would be a problem. And so there's a number of things you've got to work through in quite a detailed way as part of your simulation and thinking when determining to what level and to what degree you want to be compliant.
Raghu: That's a really great sort of point, right? It's like, what is that smaller set of key business processes that you need to ensure are kept running in order to stay in business, in operation? Is that, because kind of, I feel that that underpins [00:33:00] everything else.
So is that where the conversation usually starts? Is that, what is, what is that minimum set for you as a company?
Tris: Yeah. I always advocate you start with a customer and say, actually, if I'm a customer, what is it that I, you know, what are the services that I would need to be able to continue to be served? And there'll be tough decisions there around, you know, the minimal things that would be, Mark mentioned, about getting cash or being able to transfer money.
These are some of the things that are fundamentally important to inner and financial services. And then working that back through an organization. The risk of doing it the other way around is that you actually look at what platforms, systems, et cetera, do you need to maintain, but then lose sight of that one, one important thing, which actually means you can get to a customer.
And so I'd advocate looking at it from front to back.
Raghu: Absolutely. Right. Cause when you start there, once you've got that list, you can then talk about, okay, well, what are the threats these things face, right? What are they at risk of? And then move on from there about how you, how you sort of [00:34:00] identify where your control gaps are to then determining what additional controls you need to put in place to alleviate that, right. And, and, and sort of continue testing that and improving that.
Tris: And as you go through there, you'll identify loads of gaps in controls, and it's important to say, well, which ones are we going to prioritize? Which are the most important ones, rather than just building a list of 700 things you've got to do? It's about knowing which ones are going to make the biggest impact to make sure that the company can stay up and running and serving their customers.
Raghu: Yeah. And so, and Mark, I think, I think just following on from that, that sort of that business-informed approach, that sort of ties to the proportionality that then maps to essentially what are the threats that you and your processes face, that then drives how you test. I think that's a key part of, of DORA, which I feel differentiates it from other regulations that we've had in the risk management space for financial services in the past.
Like, is that how you see it?
Mark: Yeah, I think so. I completely agree, Tris, with what you're [00:35:00] saying. What are the things that if they get knocked, people are going to notice, either because it's inconvenient or painful, and if it's not, sort of, people say you're a business-to-consumer financial services organization or a business-to-business, but you know, it's going to, it's going to draw regulatory scrutiny most quickly.
What are those things, and work backwards from there. What are they interconnected to? What do they rely upon? And the clue is in the name: business impact analysis. We've been doing this for donkey's years. And just because we're, we've got a sharp stick behind us, forcing us in the form of DORA to do it now.
We've always kind of had that in financial services anyway. Other industries are facing the sharp stick for the first time, but we're really talking mainly about DORA here. There's another point here, which is that, yeah, we are on the pathway to DORA enforcement, and we don't know what that looks like just yet, but we do know that financial services [00:36:00] supervisory authorities are typically better equipped, you know, well-trained people, okay resources, you know, they'll probably disagree. If you had a regulator or someone that works for a supervisor on the line now, they might disagree, but, but compared to others, then, then they're ahead of the pack and more active, because it matters so much. But we're what, four months out from DORA now?
And so what if you're not on track? What are you going to prioritize? What are you going to go more deeply or lighter touch on? And to the point about accountability earlier, if something does go wrong, how are you going to storytell about why that was an appropriate set of decisions and actions to take based on the information that you had available to you at the time you took them?
That all plays a factor when investigations happen and enforcement is being calculated and decided upon. And it doesn't mean that enforcement isn't going to happen, but those [00:37:00] mitigating circumstances, if you could tell a good story about them and prove that they were fine and wise decisions to make, or at least not negligent, you know, you're standing yourself into, into good stead.
And so if you are behind on your DORA program right now, think about what we've said, what's going to hurt most, what you're going to prioritize, what you're going to get over the line and what you're going to kick into next year a little bit, on a risk balanced basis.
Tris: You're exactly right when you think that financial services companies are often very used to the regulation, but you know, you think of the scope of DORA, as you mentioned earlier, including ICT companies, and for many of those, this is the first time that actually they have been subject to this type of regulation.
And therefore not only is there the overhead of trying to become compliant, there's also the cost. And some of these can be relatively small businesses. And so it's quite onerous for them to not only embark upon the journey, but actually the cost of becoming compliant.
Mark: You're absolutely right, it's the extension of scope of these [00:38:00] things to non-regulated businesses, so non-regulated businesses falling into scope of DORA because they are a critical or an important ICT supplier to the European financial services economy. And actually, there's something quite interesting in DORA, there's a mechanism in DORA, and I'm quite interested to see how it plays out, whereby, what's called the register of assets, where financial services entities have to fill in these spreadsheets that say, these are our critical, important, information system, ICT and third-party assets. And those need to be disclosed to the supervisory authorities upon request and at a certain frequency, to a certain extent. And then after that, providers will be designated as critical and important by the supervisory authorities. Now, I can foresee a situation where, you know, there's a coordination mechanism or cooperation mechanism whereby all of those asset registers go into a great big data lake and all of a sudden, for the first [00:39:00] time in history, at the European, sort of, commission level, they've got a brilliant, layers and layers and layers deep, of how all of these interconnections and intersections are operating.
That's for me, if I can achieve that from DORA, it's hugely powerful as to sort of how we maintain resilience and, and kind of almost forget for a second what it's going to take to get there. Just getting that insight is the work of decades and we might be on the cusp of it, which is, it's kind of cool in a geeky way.
Raghu: Yeah, absolutely. I think just, I think I sort of have two reactions to that. The first reaction is, is your reaction about that's amazing to completely understand the entire set of interdependencies between, sort of, the banking and financial services industry, the technology service providers, and how these are all interlinked and all the depths to which that goes.
But then also working for a, for a technology [00:40:00] vendor, my fear is, is that, right, how do I know whether I'm on that list? Whether, if I'm not on that list, am I critical? Am I not critical? And how sort of do you differentiate between one of our customers saying, oh, they're a critical technology provider, and another customer, not us, not having us on that list, right?
How does that then play into my obligations? Cause that, that's the bit that I feel is, you know, is unclear still.
Mark: So my firm is, well, just won FinTech Advisor of the Year. So you can imagine we, we work with a lot of the sort of businesses that either fall on the Fin end of that spectrum and they're regulated because they're basically a digital bank or something like that. And if they're operating in the EU markets or supervised by European regulators, guess what?
They're in scope. But if they're on the tech end of that, because they're a tech, no, they're basically a technology provider and their clients are financial services entities, you just need to look at where those financial services customers are [00:41:00] operating and what they do for them. And, if you think you're important enough to them, that if you went down they'd stop being able to do some stuff, then it's a logic exercise you're in.
If you are a, you know, a broader technology company that has clients in retail, pharmaceutical, manufacturing, and financial services, just do the same exercise. Who are your financial services customers? You know who they are because you're billing them. And think about, you know, what you mean to them.
And what happens if you fall over one day, and, and plan for that. And again, logic exercise, but to Tris's point, if you're not sure, get counsel.
Raghu: Yep. Tris, thoughts?
Tris: I think this, I think that's when we pick up on the last point, right, about seeking counsel, right? So, you know, nobody can do this alone, right? And there's lots of third parties that can help with kind of, you talk about proportionality in terms of where and where to go first, and, you know, what other [00:42:00] sectors have done, and, you know, help to make that judgment position so that people can become compliant,
comply to the right level without the wrong degree of burden, um, and particularly companies which don't naturally come from, you know, this sort of more regulated sphere, you know, and Mark talked about the technology companies who have branched out into financial services. I think some of these are the ones where I think it's most important to work with other people.
Raghu: So we're getting close to time and this is a Zero Trust podcast and we haven't mentioned the term Zero Trust once. So I feel that I, I'm obliged to do so now. So Tris, starting with you first, right? So DORA talks a lot about what it's aiming to do and it's, it's aiming to, improve the resiliency of the financial services industry in the EU.
So that it's able to, even while under, in the midst of a cyber attack, able to continue and be productive. And there's a lot of sort of technical requirements around, sort of, reducing sort of the scope of access and so on. But it, it doesn't mention the term Zero Trust [00:43:00] once, and very intentionally.
Like what's your perspective on, like, the relevance of Zero Trust to DORA and also why it was intentionally left
Tris: Um, if I cover your second point, sort of, first on why it's left out, so Zero Trust is obviously a wider security term, which brings together a grouping of capabilities to fundamentally drive the security position of all businesses up. And so we need to be mindful actually that Zero Trust might change as a terminology in the future, but the principles that under, underpin it, and that's one of the reasons why it wasn't named, actually stay fundamentally important.
And I look at them really in four ways. It's about identifying threats, you know, mapping out what are those critical and non-critical and those sort of third-party dependencies. How you can then, with Zero Trust, help to protect and prevent attacks and where you need to put the right monitoring, the right control in there.[00:44:00]
But also recognizing that there are more advanced things that you need to do for the things that you're not sure that are attacks. And this is where more advanced security like SIEM technologies are really paramount to help do that more advanced threat hunting, particularly talking about nation state type activities.
And then, you know, the other key part of Zero Trust is looking at how you respond to and recover from those attacks. Bear in mind that most businesses want to be able to continue to some capacity. And so Zero Trust is a nice grouping of a number of these, but fundamentally, you know, that's why it is important.
And of course, for some businesses, it might be that you want to amplify up or down, you know, one of the four things I've just spoken about because they're most relevant to what you do. You know, but overarching, when you look at the principle of Zero Trust, it's about the concept of least privilege. So you want to give your workforce, your customers, the least possible privileges to do what they need to do, and then take that away when they don't need to, rather than the days of giving people admin access forever [00:45:00] whilst they're an employee.
You know, that's not what we want to do. What Zero Trust needs to do is to fundamentally make it harder for people to get in. But if people do get into an organization to be able to detect, respond, and recover from that in a really timely fashion.
Raghu: Yeah, absolutely. And limit how far they can get in within, within the organization. Should they get in, how far they can move around? Yeah, absolutely. Fantastically put, right. It's, it's a set of essentially principles that apply not just to DORA, but also much beyond that.
And DORA, I guess, sort of benefits from some of those principles dialed up or down as required. Mark, any thoughts?
Mark: Yep, it's, it's in there. Zero Trust is in there. It's, it's a standard to which we aspire and work today. The terminology might evolve over time, and that's why the term probably isn't in there, to Tris's point. But elements of Zero Trust are in there. If you did a search on DORA and looked for the word segmented, as in micro-segmentation, instantaneous severing of elements of the [00:46:00] network in order to contain and, and what have you.
It's in there. It's absolutely in there. So you just need to know what you're looking for and you'll find it. And Zero Trust will evolve. It might evolve into a different name or a different set of characteristics that we seek to achieve. But DORA should last, and we might find terms like Zero Trust start to pop up in regulatory technical standards or implementing technical standards that accompany it, but it's absolutely in there because it's such a good way to protect our organizations from harm, the types of harm that we've talked about.
Raghu: And believe me, as a segmentation vendor, I have very much Googled, I sort of searched those documents for every single term and all their synonyms and found all of them. So, I think we're close to time. Tris, I'm going to come with, come to you first, right? So as we wrap up, sort of, how, how would you like sort of listeners to really think about, not just about DORA, but about security risk compliance today and how it's going to evolve in the future?
Tris: [00:47:00] So one thing we take away from, from, from this is that we know that just as we're, as a sector, going to be increasing the use of digital technology, we also know that the adversaries are going to be using that to try and ever increasingly target and try and get gains from, from it all. And therefore, when you look at it, security becomes, for everybody,
the pivotal and the most important thing within those organizations to make sure they can be better able to spot and defend against that and ultimately better serve their customers. And I think this is where regulation and DORA also comes in to help provide that guidance, the standardization, and ultimately the collaboration that is needed to do that, not just this year, not next year, but, you know, for the next five to 10 years to come.
Raghu: So better collaboration and better standards, right? So that we improve security collectively.
Tris: Yeah. Better collaboration, better standards. I think that's the key to success.
Raghu: Awesome. Mark. [00:48:00]
Mark: Yeah, I agree with Tris. This is evergreen. It's, it's come in. It's not here yet, but it will be soon. And it's evergreen. So, let's get to a good place and let's keep building from that. And try not to get dragged kicking and screaming into the place that it's trying to take you. Try to think about the, the benefits, right?
It's about value protection. It's about stability, resilience. Think about resilience. Yeah, that's, that's the message. Think about resilience. Try not to think too much about compliance, but do it in a compliant way that makes sense for your business. Interpret correctly, have a good story to tell and, and do what's proportionate and right for you, and you'll be in pretty good standing.
Raghu: Well, I think that's very wise and informative words from, from both of you to, to wrap that up. So Tris, Mark, thank you so much for your, for your time today. It's been great speaking to you both, and I appreciate all the wisdom. Cheers guys.
Mark: Thanks. Thanks for having us.
Tris: Thanks for getting good. See you.