The Segment: A Zero Trust Leadership Podcast

Turning Risk into Resilience with Indy Dhami, Partner at KPMG UK

Episode Summary

In this episode, host Raghu Nandakumara sits down with Indy Dhami, Partner at KPMG UK, to explore the evolution from traditional InfoSec to cyber resilience. They discuss the strategic implementation of Zero Trust, the impact of regulatory pressures, and the challenges posed by AI. Indy emphasizes the critical role of foundational cybersecurity practices in maintaining business continuity and driving innovation.


--------

"The way I see it with some of these regulations, it's changing the focus of very siloed-based approaches to addressing regulatory requirements, to as I term, it's turning compliance into a team sport. You need to have your Chief Information Security Officer at the table for DORA. However, you also need to have the person that's responsible for all of your human resources or the person that's responsible for your business operations or for your important business services. And the more mature organizations that I'm working with are approaching it in that way. They have all of those key stakeholders at the table. They've understood that there are certain roles to play for each of these functions and they're working together."

--------

Time Stamps 

(01:27) Indy's career journey

(07:40) The shift to cyber resilience

(10:18) Importance of cybersecurity awareness

(13:19) Ransomware ethics and initial client concerns

(17:10) Evolution of regulations in cybersecurity

(27:58) Understanding Zero Trust

(35:54) Adoption and implementation of Zero Trust strategy

(48:19) Harmonizing risk, security, and fraud

(50:55) Future challenges in cybersecurity

(53:05) Impact of AI and quantum computing on cybersecurity

(55:03) Indy's vision of the future

--------

Sponsor

Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs — with Illumio, the Zero Trust Segmentation company. 

Learn more at illumio.com.

--------

Links

Connect with Indy on LinkedIn

Episode Transcription


0:00:03.4 Raghu Nandakumara: Get your foundations right before you start trying to go and buy the new silver bullet shiny, whizzy technology. But if you can't get the foundations right, think about, you know, how you mitigate your risk. Get your risk management controls in place. And this fundamentally goes back to what cyber resilience is about and what operational resilience is about. Have those foundational elements in place that allow you to continue to operate.

0:00:27.9 Raghu Nandakumara: Hi everyone. Welcome back to an episode of The Segment: A Zero Trust Leadership podcast. Today, it is with great pleasure that I'm joined by Indy Dhami, Financial Services Cyber Partner at KPMG UK, and someone who's had many years of experience in helping some of the largest financial services organizations build out their cyber strategy and practice. So really excited to speak to him today and learn from his experiences. Indy, welcome to The Segment.

0:00:58.7 Indy Dhami: Thanks. Thanks for inviting me. It's a real pleasure and honor. I've been following Illumio's story for many, many years. So yeah, keen to get involved and contribute some of my learnings.

0:01:11.2 Raghu Nandakumara: Well, we're definitely here to hear your story today, Indy. So with that, why don't you just start off by telling us your background in cyber and kind of the experiences that have got you to where you are in your career today.

0:01:25.4 Indy Dhami: Yeah, sure. So I've been working in the security industry now for coming up to 21 years in varying different roles. So started off my career by managing an IT department for an architects' firm. And that involved everything from network management to running backups to then trying to clear all these pesky viruses and malware that were sort of proliferating across the entire network. And now this is in the early 2000s. So you can imagine that security wasn't high on the agenda, but what really resonated with me was being able to manage these things. But then also the fact that many organizations weren't prepared for the worst that would happen if they were to lose their entire network. They had no contingency plans in place. So that really got me interested in security. I studied a little bit at university, the main principles of InfoSec, as it was at the time. And then having moved on from that role, I ended up moving to Mercedes Benz in Milton Keynes. And it was probably a pivotal point in my career, because I ended up working with a chap that was just very knowledgeable about everything that you can think of, whether it's security, business continuity, enterprise risk management, physical security, everything.

0:02:41.0 Indy Dhami: And that's where really it kick-started my career in the world of security. We built an information security management system. It became the first in Mercedes Benz globally to be certified to ISO 27001. We had a quality management system that was ISO 9000 certified, and it was brilliant. We were doing some really interesting work. And roughly in around 2004, 2005, the parent company Daimler saw what we had created and they asked my team to go out and replicate what we'd built in Germany. So I spent two and a half years traveling in and out of Stuttgart and spending some time there. So great experience on a global operating model transformation program fundamentally, and there was an element of security in there, but this was a large-scale process transformation, all based on the great work that we did in the UK. And my German friends, I always remind them that it was around then when the Germans asked the Brits to go out and teach them about processes. They hate me saying that. So yeah, I left Mercedes and moved on to Accenture and spent a year in The Hague. This was a really interesting project.

0:03:54.1 Indy Dhami: Large-scale nation-state breach of a prominent organization based over there. I won't say who it is because many people could probably guess, and our role was to help try to identify what this nation-state was doing in their network. Oddly enough, it started with just looking at Excel CSV files to try and figure out, looking at the logs to see what was actually going on, ultimately transitioning to a SIEM solution. And that allowed us to then start onboarding more log sources, breaking the platform a couple of times because it just wasn't prepared for the sheer size and scale of logs. But great experience. I moved from there to PwC and spent two years in Copenhagen working with a large shipping conglomerate. Big security transformation program that covered everything that you can think of from developing policies to running crisis simulation exercises, full end-to-end security transformation program. And, following that, I moved to run my own company. Sorry, I set up my own business, fundamentally running a matrix-type organization, whether it's providing consulting or pen testing services. A really great experience working with a couple of financial services organizations both in the UK and in Paris.

0:05:14.5 Indy Dhami: Following that, moved to IBM, spent four years there leading their FS transformation team. Predominantly involved in large-scale managed security services engagements, things like running an end-to-end SOC, but then also running security assessments and consulting-type work. Following that, I spent a year with a company called Istari Global, who were funded by the Singaporean government to go and invest in other cyber companies. So great experience there. And then I joined KPMG January last year with a remit of picking up FS clients, mainly banking. But then my remit has grown a little bit further to running our cyber resilience capability, which then cuts across a number of different sectors.

0:05:58.3 Raghu Nandakumara: I mean, I think we sort of deserve a podcast episode for every bit of those experiences, right? Because...

0:06:05.2 Indy Dhami: Each one has its own interesting story. I probably could write a book of some of the things that I've seen that would make people roll their eyes and say, "Yes, I've experienced something similar."

0:06:15.7 Raghu Nandakumara: Well, I think season three of the segment, Indy, is just going to be twelve episodes of you, right? Of you telling your story. That's awesome. And I'm trying to decide where we should start to sort of unpick things, because I feel all of those have, in some way, really built towards not just the role that you do today, but really that focus where it's gone from. You said right at the beginning, the focus was on InfoSec, and that's how it was conceptualized. And now that's really shifted towards cybersecurity, and now to the term cyber resilience. And I'm connecting what you said right at the beginning, which was like, you were there, you were doing sort of IT support in all its various flavors and trying to stop, let's say, a virus spreading through the network. The network goes down, there's no contingency, right? And now, resiliency, not just cyber resiliency but operational resiliency, is all about how can I continue to function even when I have all of these unexpected things happening? At what point do you think that shift happened to say, we've got to really focus on resiliency? It's not just about being able to go and fix the problem, it's being able to function while we fix the problem.

0:07:35.4 Indy Dhami: Yeah, it's a really interesting question, because go back to that first experience that I had, and I was actually just looking through some of my paperwork recently, and it actually used the term helping the organization become more resilient. And that's probably way before anyone was thinking about operational resilience or cyber resilience. And then onto the Mercedes example, we were talking about all of these things when it comes to identity and access management, when it comes to enterprise resilience, about bringing, converging all of these things together, whether it's security, whether it's physical, environmental security, whether it's fraud.

0:08:09.9 Indy Dhami: And unfortunately, it didn't come at that point. It's probably just appeared in the last five to six years. And that could be due to a number of things. It could be the increased number of cyberattacks or outages. If you think of some of the big, at least UK-based incidents that we've seen, Buncefield comes to mind. Big explosion, or the eruption of the volcano in... It was Iceland, wasn't it? So those types of things were often never considered. And I remember running a crisis simulation exercise for a board and they said to me, "Indy, this would never happen to us." And the scenario that I built was all around bird flu, prior to bird flu happening. So, now we've got people more aware of these operational-type incidents being more prevalent, then you've got the cyberattacks increasing. So that awareness has dramatically grown, because if you think about just the news now, you may see cyber once, twice, three times, cyberattacks on the news now. And it's become more prevalent and people are asking more challenging questions around it to the security leaders.

0:09:21.4 Raghu Nandakumara: So, just as a bit of an aside, right, so you mentioned we see cyber attacks increasingly in the news, right? But do you feel that when that news is being reported, it's largely more of the same? So, as someone who's not as informed as you are, the people that watch the news, they say, "Oh, just another cyberattack." Whereas the actual consequences, when you think about resilience, and the reason we're focused on resilience, and we'll come onto things like DORA, is because the knock-on effect of, let's say, a high street bank being impacted is significant, right? That those things aren't being reported enough, so that just the general public still don't have that "aha" moment about why cybersecurity is so important.

0:10:07.1 Indy Dhami: Yeah, it's a really good point. And I tried to peel back the layers of these challenging questions, and why is that? Until it personally impacts a lot of people, they generally are oblivious to cybersecurity. Why it's important. I remember having this conversation with. It was at a family event, family party, and I was speaking to a doctor, and we had the conversation. He said, "What is it you do?" And I explained a bit about the type of work I do, and you could see this moment of panic crossing his mind, thinking, "Well, actually, we've got a lot of sensitive data, we're quite exposed. I actually have no clue about how my practice manages all of this sensitive information that we have, and I have no clue whether we could recover." And funny enough, about a year or so later, we saw the WannaCry incident, NotPetya, all impacting the NHS. And I think that was. It was for a period of time, it was quite prevalent. People were really concerned about it. But then it goes away, everything goes back to normal. And again, people may not have that much of an interest, as I said, until something impacts them.

0:12:21.3 Indy Dhami: They may be, you know, may have had their bank account compromised, and money is transferred. So, it still seems to be one of these areas that is maybe deemed to be, "Oh, you know, it's people sitting in darkened rooms with hoodies on, hacking away at things." But actually, there's a broad range of threat actors out there, be it from, yes, you can go this stereotypical, very smart kid sitting at home hacking away, to highly organized, highly profitable business enterprises, to the point where we see some of these organizations being quite frustrated with the script kiddies damaging their reputation, because they've got a reputation of being known for. If they've attacked an organization with their ransomware, they'll be known to. They'll give the decryption keys back if they're paid, whereas other organizations may not be as ethical, which is a crazy thing to think about. But that's the shadowy underworld that we see, that many people are not really aware of, that operates in the light of day.

0:12:21.8 Raghu Nandakumara: Yeah, absolutely. And I think that that thing about the ethics of ransomware or malicious actors, and some malicious actors are very proud of the ethics that they demonstrate, whereas others just don't know this concept of, well, if you pay the ransom, we'll release your data. The concern for me is if they've got your data, God knows what they're gonna do with it, whether you pay the ransom or not. So, let's sort of come to your role today. And when you're engaged by your customers, and I know this may be a very broad question, what is typically the first question they ask you?

0:13:02.8 Indy Dhami: Typically, the first question they ask me depends on a range of different scenarios. But I can think of one that's. That's prominent in my mind right now, is, "We believe we're out of our risk appetite when it comes to cybersecurity. Can you help us get back within tolerance?" Now often the first question I ask is, "So, how do you define what your risk appetite is?" And then, secondly, "What are the data points that allow you to then gauge whether you're inside or outside of that level of tolerance?" And, a bit of a controversial statement, what I do see, though, is across many organizations, not just in FS, is that poor data leads to fundamentally flawed responses to that point around, are we inside or outside of our appetite? And there's a number of reasons for that, at least from the cyber perspective. It's usually coverage of controls and log sources. You could have a SOC or a SIEM running and monitoring your estate. But what many of the senior folk don't realize is actually, you only have a small percentage coverage because you don't have access to certain technologies. Some of your critical applications have been developed so long ago, they may not be producing the logs that you need to give you that clear visibility whether someone could enter your network and naturally move across. So, risk management. And the same applies from an operational resilience perspective.

0:14:28.7 Indy Dhami: But if you don't understand your estate, if you don't have the correct data to give you a clear picture of everything that you have within your enterprise, and also your third and fourth parties, how can you then make those appropriate risk management decisions? It's fundamentally flawed.

0:14:45.3 Raghu Nandakumara: Yeah, absolutely. And just hearing you say that last part of it sort of connects me to regulations like DORA that are just coming into force and will be truly active by early next year, where, I mean, pretty much word for word what you just said. You need to start with a really good understanding of how things in your environment interact, but also how all of your suppliers, all of your upstream and downstream dependencies, also interact with you at a systems level. This is not just at a business process level, but at a systems level, so that you can then understand your exposure and then put in place the right controls.

0:15:28.0 Indy Dhami: Yeah, I mean, and also you mentioned DORA, there's many. Right. And the one thing that I am seeing is that it's almost where people are fatigued by the sheer amount of, you know, regulations, be it cyber, operational resilience, there's a lot of overlap, and it's probably at a tipping point where some organizations are saying, funny enough, we just saw it in the news today, one UK high street bank has actually made a statement that they're actually letting go a lot of their risk function because it's hindering their ability to innovate, which for me is a very strange position. Bearing in mind what I've just said around the sheer number of threats, the vulnerability landscape is increasing on a daily basis exponentially, which is then having that knock-on effect to your systemic risks and your contagion risks. So, yeah, it's a really interesting position we're in right now, because whilst we're seeing more attacks, more organizations having outages, and we saw it a few weeks ago, if you recall, there was a high street retailer, a handful of high street retailers, having issues with some of their processing of payments. Whilst it wasn't confirmed whether it was a cyberattack.

0:16:40.1 Indy Dhami: It still highlights, there's a systemic risk here, knock-on contagion risk, that if a critical infrastructure provider that maybe provides services to a number of organizations, if they have an outage, the impact of that is ultimately, for some organizations, they don't have a contingency plan.

0:17:00.4 Raghu Nandakumara: Yeah, I couldn't buy my vegan sausage roll from Greggs a few weeks ago. It was a hard day that day.

0:17:07.0 Indy Dhami: You'd have to go for the full-fat one then.

[laughter]

0:17:10.5 Raghu Nandakumara: So let's talk about regulation. And I think that you're absolutely right. And I kind of was in the financial services industry before my current role. And that constant challenge, the regulatory pressure, needing to be compliant, particularly when you work for a global organization, needing to be compliant with all of your global regulators, is a massive challenge. So, do you see the transformation or the evolution of regulations trying to become more unifying, so that they may be using slightly different words, but what they're asking is pretty much the same?

0:17:47.9 Indy Dhami: Yes, I totally agree. And I had this conversation a few weeks ago with a friend around the purpose of things like DORA. And I think the premise of it is correct. It's shifting the focus from merely just ensuring that you've got financial soundness, to maintaining a resilient operational service despite those disruptions caused by an ICT issue, a cyberattack, whatever it is. It's being able to withstand and recover, if not recover, or continue operations whilst you're under significant stress from an outage or a cyberattack. And the way I see it, with some of these regulations, it's changing the focus from very siloed-based approaches to addressing regulatory requirements, to turning it into. As I term it, it's turning compliance into a team sport. You need to have your Chief Information Security Officer at the table for DORA; however, you also need to have the person that's responsible for all of your human resources, or the person that's responsible for your business operations or for your important business services. And the more mature organizations that I'm working in and that I'm working with are approaching it in that way. They have all of those key stakeholders at the table.

0:19:10.0 Indy Dhami: They've understood that there are certain roles to play for each of these functions, and they're working together. So, that's the biggest success I've seen. Many organizations see DORA and other regulations as just roll the eyes, another regulatory activity that we need to adhere to. But I think from a cultural perspective, it's having a much more positive impact. Well, come January next year, we'll see how correct that is. But at least in the work that we're doing right now with gap analyses and remediation programs, some of those key stakeholders are finally at the table and actually understanding and learning more about what their peers are doing in the security function or even from the cyber perspective, some of the CISOs learning more and engaging more with ultimately their clients, their business stakeholders, who they are providing the service for.

0:20:03.7 Raghu Nandakumara: I love the term that you just used there about how DORA is forcing, let's say, operational resilience, cyber resilience to become a team sport, because as security practitioners, right? Going way back to, I remember when I got my CIS, the theory said security, InfoSec at that time, must be a team sport. Everyone needs to be engaged, but for too long within organizations, you've had the security function and then you've got the, let's say, the application, the business development function. And I think you quoted that example of a high street bank saying that actually we're sort of reducing our risk team because they're getting in the way of transformation. So I think it's great that cybersecurity is now being seen as a team sport, and the fact that regulation is enabling that, that's probably like the first positive thing anyone has had to say about regulations, in terms of what it's enabling. So I guess that's a godsend.

0:20:03.8 Indy Dhami: Well, you have to see these things as a positive. And many organizations that I work with are starting to realize that there's things in. And what you do when you look at some of these regulations is you realize that we do a lot of these things already. It's just structured in a different way. There are some overlaps with some of the other regulations. As long as you're smart about how you approach it, you don't need to replicate and recreate something new to deliver on some of these key areas, and actually the gaps that are identified highlight the areas where they may need more investment. So, for example, with DORA, you've got this whole information sharing piece, and that's a really hot topic at the moment, because how and when do you share information if you are breached, and different jurisdictions have different regulations. If you have to report in the US, the SEC have different requirements than they do here with the ICO, and managing that information securely and in a confident manner, so that you can actually provide the factual information, is one of the big challenges that's come out of DORA. I mean, if we think about some of the other areas, the digital operational resilience testing element, which is a very, very broad statement, that could include pen testing.

0:22:20.6 Indy Dhami: It could be looking at your software and your code and ensuring that it's checked in and out and developers don't have incorrect access. So then it goes onto a number of different areas. Identity and access management. It talks about network security. It's very, very granular. But if you've been working in the industry long enough, there's nothing groundbreaking in there. It's just the harmonization and focus that's being brought to light with some of the granular level of the text, the regulatory text standards that are in the regulation.

0:22:54.6 Raghu Nandakumara: Yeah, I agree. Absolutely right. And like you, I've spent a good few hours buried deep in the minutiae of the regulations. And I agree that none of what the regulations are requiring organizations to do, and we've talked about DORA extensively, but to be honest, we could replace DORA with a number of the other regulations that have come out globally over the last couple of years. They're always rooted in the fact that assume the unexpected is going to happen, whether that's an environmental event, like a volcano erupting, or whether that's a cyberattack, or any event. And what would you put in place to ensure that you have the best understanding of your environment, to be able to be resilient to that, to contain the impact of it, so that you can continue to be productive while you recover this small part of it? What I think is better now with these regulations is that the overarching objective is far clearer. There's far more clarity on why organizations should be doing this. Would you agree?

0:23:58.5 Indy Dhami: Yeah, I totally agree. And I know we spent a lot of time on DORA, but if you take NIS 2, for example, there's huge overlaps. It's focused on risk management, corporate accountability, reporting obligations, business continuity, and then a set of minimum measures, the things that they must have in place. And I looked at DORA, I looked at NIS 2, and then I went back to 2004, 2005 when I was at Mercedes, and we were implementing ISO 27001. And to be honest, there's nothing that different fundamentally. There was a piece in the standard which talks about management responsibility, which, again, ties exactly closely with what NIS is saying around corporate accountability. It's about setting the tone from the top, having the appropriate leadership and governance mechanisms in place, having people trained so they're aware of what to do when the worst happens. So it's one of these things that, if we've been in the industry long enough, they're just different permeations of standards and controls that have now come to the fore, making it quite scary for some organizations with the potential risk of fines for not adhering to a number of regulations that apply specifically to their industry.

0:25:14.4 Indy Dhami: And I think for many years it's been brushed under the carpet. As I said, there's organizations that I've worked with that said, "Indy, this has never happened to us. No one would be interested in the data that we hold." Until I start asking some more of the probing questions about, "Okay, remind me what your business does, remind me who your clients are, and think about who potentially could benefit from accessing that information and then using it for other purposes." So, you know, considering, that's not that long ago, and that's probably in the last ten years. However, that has changed though. And I have to say that a lot of the board and non-executive directors have become more savvy with regards to what is needed and the difficult questions to ask CISOs. So, it's taken a bit of a painful process to get there, but I think we're there now. But what it does highlight is that many organizations have simply under-invested in security over many, many years, and it can't be fixed in a "Okay, let's do a remediation program and get me back within my risk appetite within six to nine months," considering that there's been years and years of technology infrastructure that, some of which in many organizations, is out of support.

0:26:29.0 Indy Dhami: So Microsoft will not patch some of the servers that these organizations have. So, trying to find the remedial controls for some CISOs is almost an impossible challenge.

0:26:40.7 Raghu Nandakumara: I agree, but I think it's great. I think what you touched on is, execs are now far better informed and are starting to ask the right questions. And I think that shift, if I connect it, is a shift from being compliance-focused to being resilience- and productivity-focused in many ways. Right? And saying to the CISO, what you're delivering to us is enabling us to be more productive. It's not, I mean, compliance is important, but really we need to ensure that we don't compromise productivity. So I realize that this is a Zero Trust podcast and we haven't mentioned Zero Trust, so let's talk about that.

0:27:21.3 Indy Dhami: Fundamentally, everything that we're talking about revolves around having this focus of Zero Trust, and it appears in the regulations as well. So yeah, let's go down that route.

0:27:31.0 Raghu Nandakumara: Let's start. Right, so we've had many others on this podcast, and everyone sort of shares their interpretation of Zero Trust, or an analogy that they use. So, Indy, the stage is yours.

0:27:44.8 Indy Dhami: So, yeah, I mean, we spoke about this a few weeks ago, and it was off the back of conversations that I had with friends and colleagues, those that are working out on the NEOM project in Saudi Arabia. And what jumped out to me is that, you know, if you were to build a new city, if you had the opportunity to build a city from scratch, how would you go about building in trust, privacy, and applying almost that Zero Trust analogy into building a city? And it got me thinking, really, if you think about the UK, it's a very traditionally built country over many, many years. But if you had that opportunity, what would you do? And if you focus probably more on the US-type model, and I spent time at Mercedes, which is in Milton Keynes, they slightly use that model there with the grid system. But you take city blocks as almost workload segments. In our imaginative city, each block would represent a different workload segment. Now, these blocks could be housing specifications, it could be services, it could be workloads. But just as city blocks have those residential and commercial industrial areas, our city block would have different purposes.

0:29:03.5 Indy Dhami: It could be web servers, it could be databases, it could be your payment gateways. And then for that, then you'd also have streets, you'd have your rules of the road as well. Right? So these streets are connecting those blocks like a network path. And then you've got your traffic, which is your data packets, they're flowing between the blocks as well. So then you think about, actually, we'd need micro-segmentation or Zero Trust to set up specific rules for each street. Some streets may only allow specific types of vehicles (data), while others are closed off entirely. And then you'd probably have security checkpoints at the entrance of each of these blocks; there's a security checkpoint. Think of it as a gatekeeper. Before allowing anyone through, all that data packet through, they need to be verified, need to have their identity checked, and the purpose of why they're traveling through that particular zone. And then only authorized traffic is allowed. Then what I thought about was, actually, you could have these Zero Trust lanes. So within the city, you've got special lanes that are super secure. At every set of traffic lights, they'd need explicit permission to proceed through.

0:30:17.3 Indy Dhami: But then you'd also need something around isolation and containment. If a fire breaks out in one particular block, that could be a cyber attack. Do you have a way of segmenting that to ensure that it doesn't spread across to your other blocks? And then those other blocks remain unaffected and you manage that fire, that breach, within that particular domain. And then for your city, you'd also have customized signage, so that each block would have its own security. These could then dictate who's coming in, who's going out, how they communicate. For example, you have your database block and the sign may say "only authorized database queries allowed." So this is, the way I see it, you have to be dynamic as well. So dynamic as the city evolves, the planners are adjusting their streets and checkpoints, and then your micro-segmentation would allow you to adapt to changes in the workloads, the applications, you've got new cloud and controls coming in. So in summary, if you could build a city and apply that Zero Trust analogy, that's the way I think I would go about it. No, yeah, I'm not a city planner. Can't claim to be. But maybe it's an interesting analogy. It just came to my mind not so long ago. I'm just making...

0:31:38.2 Raghu Nandakumara: I'm just imagining SimCity, the Zero Trust edition, based on the back of what you've just said. And I think we should just get everyone who's in sort of cyber resilience, cybersecurity, InfoSec to play it, and we should have a leaderboard and see who can design the best Zero Trust protected city. What do you think? 

0:31:57.5 Indy Dhami: Yeah, it's a great game. I used to play that and also Theme Park, if you remember Theme Park. And it just makes you think differently. And I think that's... As security professionals, I think we've all, and I've seen it many times, where leaders go in front of the board and they start talking in a technical language, and it's almost Klingon to some of the C-suite. So how do we make it easier to understand? How do we make it resonate with them, make it apply to what they're concerned about? One of the key things that I always do when I speak to the execs is: tell me what drives you? What is it that motivates you, what keeps you busy, and what keeps you focused on your role? Because the security team's responsibility is to enable you, to make sure that we're not the policing function. We don't just say, "No, sorry, you can't do that." We think of this, we're the smart people that know about security, technically, right? So how do we help enable the business? And how do we communicate to them in a language that resonates with them? And I think that's still one of the big challenges that I see, is that boards are still being presented with vulnerability scan reports, or here's a view of technical controls.

0:33:09.3 Indy Dhami: Many of them simply, they care, but they don't need to care. They need to know what is the business outcome? How is this supporting us going and building a new data center in a different location? Or how does this allow us to build a new application for mobile devices that we can provide new services to our customers? 

0:33:30.2 Raghu Nandakumara: I completely agree. I think it's so important as security professionals, and actually now that I work at a vendor, as security vendors, to be able to really connect what we do with why it's important, to ultimately, like, the goal that we're trying to drive. And in an organization, that's okay, what is the business objective? And then how does what our program does, how does that connect to their business objective? And do you think that the Zero Trust strategy and organizations that are adopting a Zero Trust strategy, that they're able to tell a better story about how that strategy is aligning to the business objectives, or is there still a gap? 

0:34:13.8 Indy Dhami: I think there's probably two types of individuals, those that can tell the story well and articulate it in a language that the board can understand and leadership understand and the business gets, and those that are still focused on technology controls. Now I'm seeing more, luckily, I'm more on the left side, articulating what is Zero Trust. And it's all about setting that scene. If you frame it in the correct way and make it resonate to those leaders, I think you can be very successful in delivering that Zero Trust approach.

0:34:46.9 Raghu Nandakumara: In terms of the adoption of a Zero Trust strategy, right, are you seeing more and more organizations really have that as a top-level initiative that is being tracked, let's say, at the CISO level, or is it something that is just bleeding into every part of the CISO program and not necessarily being called out explicitly? 

0:35:07.2 Indy Dhami: It's probably a combination of both, really. In some organizations, it fundamentally forms part of their, not just their cyber strategy, but it's permeated into operational resilience because it's been positioned in such a compelling way, it's a no-brainer. And then there's the other one, the other side of it. By osmosis, by pure chance. It's happening in a number of these transformation programs. It's been raised at an early stage of design and organizations are managing it that way. So we're probably not at that stage where everyone understands it's implemented for the right reasons.

0:35:45.6 Raghu Nandakumara: What sort of goes into when you go into your clients and you're helping them establish a Zero Trust strategy? What is typically sort of the path that takes? 

0:35:56.8 Indy Dhami: Typically, the way I approach it, is always start with what is it you're trying to do as a business? And many, many years ago I was taught this and I still don't see many professionals doing it. Pick up your business strategy, pick up the annual report, understand what the business is trying to do, and then overlay. Here's how security, or here's how Zero Trust can support us on these four strategic pillars. And if you can describe that in a way that's simple enough, it's always the best starting point because then you can start going into, okay, so these are the technology controls that we need to deliver on each of these points. And it's about breaking it down in a consumable manner.

0:36:44.3 Raghu Nandakumara: What we hear is that Zero Trust is still... that it's been over-marketed. And I agree. I think that to some extent it is over-marketed. But is there a real acknowledgment now generally amongst the practitioner community that as a strategy it absolutely is robust and you need to get on the train and think about how you're going to implement it? 

0:37:14.8 Indy Dhami: Yeah, unfortunately, it's like many other buzzwords, probably over-marketed. And for many organizations claiming to provide Zero Trust capabilities, they don't. They may do in certain guises, but it's unfortunately turned into one of those buzzwords. So again, if you have someone that can articulate it, you know, it's really focused around: you verify explicitly. Well then, always authenticate and authorize based on the available information you have. Focus on least-privilege access. But then there's another one, another term which is probably not used that much, is a principle of least functionality as well. So yes, you have least privilege, but then also, if you do have people with specific access rights, you want to limit the amount of functionality they may be able to have with their particular credentials. And also I think that assumed state of compromise has started to land with many organizations, because they're starting to see, and unfortunately, the more we pursue and focus on trying to identify our estate, the more you realize the problem that you have at hand, which is a double-edged sword.

0:38:35.0 Raghu Nandakumara: That is a great quote, right? The more you go and discover your estate, the more you realize the problem that you have at hand. And I think that's also fairly scary because it just indicates how little we actually understand about our estate. And I think that's the realization that many organizations come to and they start this, is that I actually don't know what I've got going on. So how do you get over that hump? 

0:39:04.1 Indy Dhami: I mean, that's probably sometimes a challenge, why many people try to avoid knowing. I've had some CISOs saying to me, "I'd rather not lift up that paving slab because of all the creepy crawlies that will come running out, and it will then land on my desk to try and remediate." And this one client of mine said, "I joined the organization two years ago, but I can't be responsible for the previous 20 years of underinvestment, poor technology design."

0:39:35.0 Indy Dhami: So, as I said, a double-edged sword. But by going about it in the right way, by focusing on, okay, let's understand what we have, let's go out there and start discovering our enterprise estate. And it is a sprawling bowl of spaghetti. Now, let's be honest, it's not an easy task to identify all your technology components, in the old ITIL days, maybe still ITIL days, your CIs, your configuration items. Do you understand, and do you have, a documented map and inventory of every single configuration item you have in your estate? Most organizations will probably say no, but then how much of that do you really need to know to ensure that you're resilient? Maybe 80, 90%? You could get away with a variance, but unfortunately, many organizations probably are not even at that 80% visibility of their entire estate, especially when you have, maybe more so with those organizations that are born primarily in the cloud.

0:40:30.1 Indy Dhami: It's probably simpler for them, but it's not a done deal, because then they have their third parties and their fourth parties, and some of the regulations are going to such a granular level of detail of expectations of you having visibility of what your connecting parties and service providers have in connectivity to your estate. That is, again, something that's a little bit new for many organizations to absorb, and then to have the capacity to go out and have that conversation with critical suppliers.

0:41:01.9 Raghu Nandakumara: I'd say that cloud gives you the tools to make it easier, but if you're not following best practice, you're potentially creating an even bigger problem simply because of the ability to so quickly spin up all kinds of types of resource, which at least has a gating function in your data center, which is you want a new server in the data center. That'll be six weeks, right? 

0:41:28.2 Indy Dhami: But interestingly, if you think about some of the large breaches that we've seen over the last few years, there have been a handful of them that have been in the cloud because of access rights to a privileged user that have been left orphaned, and those have then been accessed by a threat actor and used to move across the organization. And interestingly, I'm seeing, I'm not sure if you've seen this, there are conversations that some organizations are having around: is it cheaper for me to not be in the cloud anymore, because the costs are spiraling and, in particular, some of the new regulations are having an impact on the costs for the cloud providers, because the cloud providers are now also under the spotlight for regulation.

0:42:15.6 Indy Dhami: And the question is, who's going to be responsible and who's taking the cost, who's absorbing that cost? And it's more than likely won't be the cloud providers. That'll be a knock-on effect to their customers. And is it cheaper then to remain in the cloud or build our own data centers again, which is a really strange position to be in because we're going back to how we were many years ago. And maybe it depends on the size and the scale of the organization, but for a small to medium-sized enterprise, it may not be as cost-efficient as it was told to us many, many years ago.

0:42:49.3 Raghu Nandakumara: Yeah, I've definitely come across a lot of those studies, and it all kind of boils down to, in order to achieve the benefits of the cloud economics that are marketed, you kind of have to be very specific in sort of the types of application you run there, how you design them, so that you're benefiting from all of that sort of, like, on-demand nature of it to truly optimize for cost. I want to go back to something that you said. You were talking about, like, the amount of data, the amount of information that you need in order to be able to make progress, right? And organizations struggle, and often they typically don't necessarily even have, like, an 80% understanding of what they have in their estate. So how much information is enough to start making progress, right? Because I think that's the barrier to Zero Trust adoption. One of the barriers is, "I don't think I have all the right data points. And so I'm going to wait." So what's your response? 

0:43:55.9 Indy Dhami: Yeah, I mean, it's a great, great point you've raised, because in many cases now it's at the point where it's okay not to have all the data. We can take some informed decisions, right. We can use the data points that we have. And, in the past, I built a dashboard for an executive leadership team to say, we're answering these four questions that you've set us. How secure are we? What are our biggest areas of focus? And the dashboard was fundamentally built on how much confidence we have in the data points that we have. Red, amber, green status. We can answer this one question that you have, because I have all of the data points and have all the logs that allow me to confidently answer this question of how secure we are. However, on some of the other points that you may have, or the points of interest, we're only answering it to a 50% level because it's an amber status. We only have partial information to be able to respond to that. And that's where things like cyber risk quantification are actually really coming in. Right now, we're seeing many of our clients coming and asking us, "So how do we apply cyber risk quantification if we don't have all the data points? Because surely this is an exercise where we need everything to be able to truly quantify," and that's not the right approach.

0:45:15.8 Indy Dhami: It's take what we have, use our existing knowledge, use some subjective judgment as well, to a certain point. But moving to that risk quantification model, which is fundamentally built on what the finance industry has been using for years when it comes to how they make some of the predictions of how the market will move, and applying that logic, which then allows you to speak that business language in the finance world, but applying it to cyber, has a real big impact at the moment.

0:45:48.9 Raghu Nandakumara: Absolutely. Because you need to have a way of being able to make progress with so many unknowns, and often unknowns that you have no control over. Otherwise, you're literally just going to stagnate and perfection is the enemy of progress.

0:46:06.1 Indy Dhami: Exactly.

0:46:07.6 Raghu Nandakumara: So I want to come back again to that news item that you mentioned about an organization, a financial services organization, essentially reducing their cyber risk force. And sorry if I misquoted it, but...

0:46:22.0 Indy Dhami: Just their risk function.

0:46:23.7 Raghu Nandakumara: Just their risk function. The focus, like reducing their risk function in order to. Because it was hampering their ability to transform.

0:46:31.5 Indy Dhami: And innovate.

0:46:34.3 Raghu Nandakumara: And innovate. But surely the approach that organizations should be taking is bringing those functions closer together so that the innovation can happen in a secure way, secure by design and all that. So that in the things that you're building, security is involved early, so that when they're built, you know that they're secure. It's not... You're not going asking for approval later. I mean, what are your thoughts on that, the decision that's been taken? Because surely that's against what we're sort of preaching as best practice.

0:47:07.8 Indy Dhami: It is, and I think there's an opportunity to harmonize. And this is something that I've been preaching about for many years. And actually, one of the white papers I wrote years ago was actually: now's the time to converge risk, security, and fraud from a financial services perspective. Unfortunately, with those functions I still see maybe risk and security coming together more often. But fraud is still a siloed capability, which doesn't make a lot of sense, because the things that you'd monitor for would overlap with the things that cybersecurity teams are monitoring. But they've gone and invested in significant tooling. And that's probably part of the problem, is that that siloed-based approach has caused a significant amount of spending on a number of tools. One client said to me, "Indy, if you think of all of the tools in the cybersecurity market, I've probably got one of each." Their budget is that sizeable, but are they really getting the most value out of it? They're not optimizing. Some organizations that I worked with had close to 20 different SIEM tools across the globe, because an organization in Germany had gone off and procured one, built their own operations, and someone in the US had done the same thing.

0:48:19.7 Indy Dhami: And that's probably still the state that we're in, which then, when business leaders are looking at the cost of it, it's fundamentally quite expensive. So the answer was, let's cut some of this risk team. It will reduce some of the cost, and it will allow us to innovate. But then it exposes them to a number of other areas that they probably haven't considered yet, or maybe they have, because some organizations are prepared for, have contingencies set aside for, a breach or a GDPR fine. And sometimes it's a business decision that, "Look, we'll accept that the worst will happen to us, and we'll have to deal with it as and when. When it happens, if it ever happens." Because I've had this said to me before, but, you know, all this cyber stuff is, it's a bit of an insurance policy, really, isn't it? Because it might not happen to us, and we don't get our money back for all that investment.

0:49:11.6 Raghu Nandakumara: But it helps you make money safe in the knowledge that you are protected with the best efforts possible.

0:49:19.4 Indy Dhami: Sometimes that's not enough.

0:49:21.5 Raghu Nandakumara: Sometimes that's not enough. Okay, let's look into the future. Indy Dhami looks into his crystal ball, what do you see as the challenges from a cyber perspective that are going to be facing the financial services industry over the next few years? 

0:49:39.7 Indy Dhami: So for me, you probably won't be surprised, I'd say, the use of AI, both from a detective and control perspective, but also the threat actors who are using a number of different AI tools, machine learning, to fundamentally automate some of their attacks, which lowers the cost of entry for them. Because some of these, as I mentioned, some of these highly organized threat actors, they have people working manual effort; that reduces their cost, but also increases the attack surface that they can continuously attack while they sleep. So AI being one, and the emergence of quantum computing, which will have a knock-on effect on everything, because it can then defeat all of the encryption measures and things that you have in place. So for me, that's probably not just for FS, that's for every sector.

0:50:40.2 Raghu Nandakumara: Yeah. And I think we hear that both the effects of AI and then the sort of the potential that quantum computing offers, particularly about sort of how it potentially makes current crypto algorithms essentially not useless, but very vulnerable to being broken in measurable time. But in terms of the AI, of course, highly topical, no surprise that you went there. In terms of the real use of AI by attackers, we obviously hear, let's say, they could create deepfakes, they could create brilliant phishing emails that you and I would be susceptible to. Forget my dad clicking on everything that he receives. But what about the threat of, let's say, like, ransomware that is in your organization that has got access to sort of a GenAI in order to adapt in real time? Do you see that? Like, we've seen examples of that from research, but how real do you think that's going to be? 

0:51:45.7 Indy Dhami: I think it will be real. I've been thinking about AI for several years now. I wrote a blog post about, is it opening Pandora's jar rather than box? Because technically it was a jar. And I think we're at that stage where actually one of my good friends and colleagues, he said the use of AI, his view was that it's like inviting a vampire into your home, and it's too late, they're in. So it's one for the threat actors, potentially. It's your own internal use of AI. How can you trust it? Is it delivering on the outcomes you're expecting it to? Can it be tampered with? Does the model then create something that was completely unexpected, which then has a knock-on effect on a number of your other business components? That erosion of trust is a big concern to many organizations, and you touched on the deepfake element, and we're seeing some very, very sophisticated deepfakes that, as you said, security professionals would be easily fooled by.

0:52:56.0 Indy Dhami: So it's a very worrying era that we're living in right now, because it's how do you really trust? And how can you then verify whether the person that you're speaking to on the other end of this podcast, for example, is the person you're expecting it to be? 

0:53:12.6 Raghu Nandakumara: Exactly. I mean, I may not be Raghu at all, right? Just the deepfake version, speaking to a deepfake version of Indy. So as we wrap up, you're obviously very focused on a highly regulated industry, financial services, amongst the most regulated, if not the most regulated globally. What excites you, but then also what scares you about sort of the near future? 

0:53:40.5 Indy Dhami: So what excites me is actually it's people, the people that I work with and the clients that I work with. And you're doing some really interesting things. There's a lot of innovation happening. The world has changed a lot, if you go back to how we were engaging with everything on a day-to-day basis. Technology is around us everywhere for really smart purposes, really interesting use cases, some health benefits, too. So the ingenuity and innovation of man, it's great. I love reading about new technology, also reading about some of the technologies that allow us to see further and further into space. It blows my mind when they discover some of these planets, that the sheer size of them, you can't fathom. But what scares me is that sometimes I still see organizations doing the same thing over and over again and expecting a different result. And that, for me, is the definition of insanity.

0:54:35.2 Raghu Nandakumara: Yeah, totally. I mean, I completely agree. And this is where I think that actually, when we think about how we protect our future, it's not about having to do new things necessarily. It's really about being firm in how we do so many of the basics that have underpinned cyber for so long, right? And I think that, to me, as a practitioner, is the bit that I always get concerned about whenever I see the next new technology. I think, that's great, but there are so many things that we still just need to fix, and just need to fix.

0:55:10.7 Indy Dhami: The foundational elements. And I'll go back to the point that I made around my time at Mercedes. We built this quality management system that had all of the processes; security was embedded. I still have some of my colleagues who no longer work there, we've moved on. They'd say to me, "Indy, what we were doing there at that time was so far ahead of us, we still don't see that now." Sometimes you go into organizations: show me your documented processes, and you have a whole bunch of different systems. It's probably out of date. The policy has not been updated in many, many years. I think it's get your foundations right before you start trying to go and buy the new silver bullet, shiny, whizzy technology. But if you can't get the foundations right, think about how you mitigate your risk. Get your risk management controls in place. And this fundamentally goes back to what cyber resilience is about and what operational resilience is about. Have those foundational elements in place that allow you to continue to operate. If you're under attack, if you lost your office space, for whatever reason, you can still operate as a business.

0:56:14.4 Indy Dhami: Because it goes back to the whole point is, what is the core purpose of any business? And if we can support them in our journey as security leaders, then fantastic. And that's what motivates me.

0:56:28.4 Raghu Nandakumara: Yeah, absolutely. Get your foundations right to allow you to continue to operate and continue to innovate.

0:56:36.6 Indy Dhami: Exactly.

0:56:38.4 Raghu Nandakumara: Indy, it's been a real pleasure speaking to you. I think we've covered so many...

0:56:42.9 Indy Dhami: We could go on for probably a couple of more hours.

0:56:45.1 Raghu Nandakumara: We could go on for a few more, like I said, right? I think we could give you a season three, all twelve episodes, just for you, right? And unpick Mercedes, unpick the type of KPMG, Accenture, et cetera. But thank you so much.

0:56:58.7 Indy Dhami: Thank you. Great talking to you.

0:57:02.1 Raghu Nandakumara: Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.