New and emerging hedge fund technologies | AIMA CyberTech Forum 2022
In this session, speakers examine information security challenges facing investment managers, the impacts of new technologies, models for bolstering firms’ IT infrastructure, and the future landscape of cyber technology in the next decade.
Conor Flynn, Waystone Compliance Solutions
Nate Tombs, Man Group
James Delaney, AIMA
Hello everyone and welcome to the final session of today’s forum. I’m delighted to be joined by Nate Tombs, the Chief Information Security Officer at Man Group. And Conor Flynn, the Chief Information Security Officer at Waystone Group. Waystone Group is also one of the sponsors of today’s forum. We’ll be discussing how the investment management industry is tackling information security challenges, looking to invest in future IT infrastructure, new and emerging cyber technologies or strategies that the industry is utilizing, such as cloud and software solutions, and also the expectations of what’s going to shape the landscape in the coming decade. Before we get started, just a reminder that we invite you to submit questions in the questions tab located above the live stream window. I’ll now invite both Nate and Conor to join me on the screen. Perfect, and I’ll ask them each to introduce themselves and their firms to you. Starting with Conor perhaps.
About the Webinar Panellists
Good afternoon, James and everybody who has joined us today and to Nate. I’m looking forward to our conversation. As James has outlined, I’m the Chief Information Security Officer at Waystone. I’m there a year. But prior to that, I ran an information security consulting firm, you know, ISAS. So I’m looking at this conversation today from…well, possibly I have two hats on. One is the consulting that we currently and still provide to our clients from Waystone for the cybersecurity business, but also as a CISO in our sector and what has happened to it over the last year or two with pandemic. I think it has been everybody’s focus and what we’re looking at over the next couple of years. Thank you.
Thanks, Conor. And Nate.
Thanks, Conor. And thank you all for attending today. I’m looking forward to this conversation. My name is Nate Tombs. I’m the CISO at Man Group. My background is technical. So I initially started as a software developer, maybe going on 15 years ago, and slowly worked my way into security, security consulting, much like Conor. And then finally working my way to become a CISO. That means that I do have a slightly more technical and sometimes more tactical approach to security, for better or for worse. But I’m very much looking forward to this conversation and exploring some of the challenges that the asset management industry has in the security space.
Brilliant. Thanks so much, Nate. And I think everyone listening will agree we’ve got two industry. So what’s with us today, so delighted to have you both here and I can’t wait to get going into the conversation. So let’s jump in. We’ve heard today on a few of the panels from other speakers how, obviously, the COVID pandemic caused an increase in both the likelihood and impact of cyberattacks as firms had to react rapidly to significant operational challenges, I guess, Nate, starting with you,
How did you respond to COVID and all the implications on Man Group from an information security standpoint?
I think COVID accelerated an already existing shift towards remote working. These were very much conversations that were being had in the industry prior to COVID hitting, and a lot of the initiatives that were quintessential to securing a business in COVID times were emerging. What COVID really changed is the pace of change and the risk factorization. So think on the hardware side, of course, there was an acceleration of issuing work devices to work remotely, reinforcing the security of those devices through ensuring that their data is properly encrypted and properly stored. But the most important factor was obviously the human factor. I think a lot of individuals started changing their working patterns. Working remotely meant that they needed to ensure that their home working environment was secure and that they could access the corporate network efficiently. So I think, yeah, issuing hardware was the first phase, ensuring that remote access to our network into Man Group could be done securely was the second one. And obviously, the third one is training those individuals to ensure that they understand what the implications are of this new remote work reality.
Interesting. Conor, would you add anything here?
And what are some other sort of business challenges that you saw resulting from the exercise, I guess, of taking manual or office-based processes and having to digitalize them at speed like that?
I think the keyword you mentioned there was at speed. Everybody had to react in a very short space of time to deliver solutions to allow our employees to continue to service their customers in a safe way for them. This was a personal issue as well for people, and it was a very stressful time. The digitalization and how people could continue to work from home was a challenge. We are quite fortunate in Waystone that we had a very strong hybrid work ethic from a remote working perspective. And I’ve heard a couple of speakers today talk about the Amazon workspace and these digital virtual desktops that people use. And that allowed us to pivot very, very rapidly. And people had the same work experience, whether they were in the office or remote working as they had previously.
Some of the other challenges that it really threw up, and I think Nate touched on it there was the, how did you work securely in the environment you’re in, not just at the technical level. And we had people at varying levels of our workforce who might have been sharing homes, sharing houses, rented accommodation, they’re sitting at kitchen tables. There might be two or three people working for competing organizations. And as well as having to work on your electronic environment, you’re speaking, you’re talking to customers, you’re talking about deals, maybe, you’re talking about quite sensitive information. We had people with Alexa, Siri, these sorts of home automation technologies in place. People have to share, your documents might be left in the house. So there’s quite a significant challenge with regard to supporting staff working in a very new way. And it wasn’t just about the security of the technology, like remote working VPNs, virtual desktops, all of these types of things we had to help with.
Interesting. Thanks, Conor.
Were there some particular sort of lessons learned to some of those technology changes maybe from a governance or risk management perspective?
I think there were, and I would probably see it even more so in some of the clients that we do consulting work with, where they may have been more paper-based service and how they operated. And I think that they have certainly changed a lot of their processes. I think that there was a lot of automation that people started looking at during this period of time where things like processing of paper invoices and purchase orders and things that that automation assisted dramatically with that and facilitated the people working remotely. And I think some of the other speakers at times today talked about the lack of interaction. I think George Murphy was speaking about that help desk calls increased because somebody couldn’t just walk up to somebody else and ask them. That there is that lack of interaction that certainly would have been, I think, an issue from a security perspective as well because people didn’t have that ease of just dropping down to the cyber team or getting advice. Everything had to be raised as tickets and so that the reactiveness of support teams in the various corporate services groups within a company had to pivot during this time.
Brilliant. Thank you. So lots of updates to business continuity plans and disaster recovery plans can be expected over the coming months, I guess, as the lessons learned come forward. I guess, now switching more to perhaps the present and the current state of the security environment. Cyber threats and their associated harms represent obviously a complex and evolving challenge for the financial services sector. I sit on the UK FCA trade association cyber information group, and that brings together some of the financial sector trade association bodies, and they use that to sort of build on information sharing on cyber risks and resilience. And most recently, that group discussed how, in some form, there’s always a threat to look out for. But the best way to try and manage it is by keeping consistent communications with internal stakeholders in particular. So I think some of what you were saying, Conor, in your last comments sort of chimes there.
But, Nate, what are some of the security-related challenges that you’re grappling with now as a result of this sort of new working environment? And what should be top of mind for CISOs?
Well, I think those are two rather different questions. So the exercise we went through as an industry going through COVID is extending the corporate perimeter outside of just our offices. That process, as we discussed, had begun. But now, we need to ensure that the experience and security standards are consistent regardless of where you’re accessing our networks around the world. As we move towards a hybrid environment and settle into a more long-term state, that reality doesn’t fundamentally change. The users that are working remotely will continue to work remotely. I think the main change in this long-term hybrid approach is that now you have more mobility of employees both with commuting back and forth or geographically accessing your network from remote locations. But the measures that we put in place in COVID are still applicable now. I think, in 2020 and 2021, had you asked your average CISO, you would have heard that COVID-related security concerns were top of mind. And as we’ve started to tackle some of those in the past two years, I think you’ll find more traditional concerns resurfacing. So top of mind for me is making sure that incident response is automated as much as possible, and that we have kind of a full awareness of the security events going on in our infrastructure. So hybrid is an interesting long-term state but doesn’t fundamentally change the equation. And as such, I think we see some of the traditional concerns resurfacing once again.
That’s very interesting.
Conor, what are some of the sort of security risks that you see with this sort of hybrid environment? Is it similar to what Nate said, sort of same incidence of perhaps sort of heightened risk?
I think it’s very much aligned with what Nate has outlined. I think as well, in 2021, we were operating in reaction to an emergency situation. So I think a lot of people’s risk tolerances and appetites were slightly higher because they had to continue operating, they had to protect their staff, they had to slow down the rate of spread of the pandemic. And when we looked at the impact likelihood, the traditional risk analysis, there was a slightly higher tolerance to certain types of remote access and remote working to make sure that we survive at corporate and human levels. I think that what I would say is that some of the shift of that tolerance, the methods that were permitted during the period of the initial responses to the pandemic, will change. And that will impose, I think, a little bit more overhead at times on our staff when there is a perceived benefit for remote working, but we need to raise the bar a little bit more than they may have had from a security and authentication and authorization workplace, workspace commitment perspective. So I think there will be some of that give and take because this is a very rapid change in the relationship between the employer and the employee that is happening in a very short period of time. And I think there are also things like the safe workplace, your considerations, we’ve been told, there’s a very big investment made in many offices for ergonomic chairs and the correct height for screens and desks. And if you don’t have that at home, whose responsibility is it? So there’s a lot in the equation, not just the cyber side.
I think we’ve probably ironed out a lot of the cyber issues in terms of the access methods. I think what is a safe workplace is going to be an interesting part of the future with regard to voice communications, paper storage, clean desk policies, and adaptation of our acceptable usage policy or your written information security policies and how they apply now to a hybrid environment and particularly in the context of the proposed SEC rules that are coming that are going to reflect even more specifically, what is in our written information security policies, but they have to flex with and be updated based on this hybrid.
Thanks, Conor. Yeah, that’s really helpful to hear. I think the other, I suppose, big topic that is keeping CISOs awake at night is nation-state cyber activities. And, obviously, the heightened risks following Russia’s invasion of Ukraine. We’ve all read the headlines about the sort of cyber threat particularly that’s happening perhaps more in Eastern Europe at the moment, but is likely to come over should things continue as they are.
I suppose to both of you, what can firms be doing to ensure they are best prepared for these types of attacks that might be coming around sort of malware or others?
Nate, maybe you’ll want to go first.
Certainly. Yeah, certainly. That’s an interesting question. And I think Conor’s earlier statement about risk assessment is an important one. External threats to corporations should be responded to in a standard manner. I mean, the methods to secure yourself against a nation-state don’t differ dramatically from the methods to secure yourself against the cyber hacktivist group or organized crime. In fact, if you look at the NCSC’s guidance, you’ll find a number of steps that firms should already be doing: patching their systems, getting regular PenTests, ensuring that their employees are adequately trained, rehearsing their incident response processes. These are all steps that firms are already doing. What dramatically alters is the likelihood and the impact of such events. And so, as a result, I think it’s important for people to be practicing for what would happen in a case where such an event were to materialize. Did that answer your question, James?
Yep, very much. Thanks, Nate. Conor, would you add anything there?
No, I think Nate summarized it very clearly there. I think that the…this is not new. It’s a key thing for us. I mean, very specifically with the Ukraine and the unfortunate situation we see unfolding with the invasion there. If we go back a number of years, one of the biggest ransomware outbreaks we saw was NotPetya, which was also a nation-state action against the Ukraine and against some of the revenue function there within it. And it had an unintended consequence of spreading globally and causing devastation for a large number of firms as a ransomware attack. But that was a piece of nation-state activity from a cyber perspective. And funnily, I know it’s something we’re gonna touch later on, but not for me. Ironically, because it was a nation-state activity, it was considered by some insurers under cyber policies to be an act of war and has been used as an exit clause. So this is not new. It is a patching. It’s exactly as Nate has outlined. It’s about our readiness and our preparedness for what are quite traditional attacks that we’ve seen. It’s exposed vulnerabilities, it’s software updates, it’s business continuity, in the event that something does happen, what’s your response plan? How do you get past it? So yes, it’s about being more prepared using the tools that we have had in the past. But we have seen this before, and we have something to look at in terms of how we manage our responses.
Thanks, Conor. Yeah, that’s interesting. I think we’re gonna touch upon sort of vendor and third-party risk as well, which is another area that might be of concern. I suppose switching now to looking at sort of emerging or new technologies and strategies that are being used by some CISOs and technology teams. Conor, why don’t we start with you here.
What types of resources are you seeing that firms are using to help structure their approach to addressing sort of cyber risks?
I think one of the ones that has come up a couple of times again, today, and some of the other speakers have been very interesting. And I know Nate and I have spoken about this, it’s the whole area of intelligence and hedges in the artificial intelligence buzzword, but it’s the machine learning and the automated assessment of the massive volume of telemetry signal log data that we are getting from sensors and technologies that we have spent a lot of money deploying. And, unfortunately, with the information security in the cyber world, the way it is, there’s so many new technologies and endpoint defenses and controls that the volume of data that they create is overwhelming. And if you don’t have a security operations center that is properly staffed with the right kind of analysis technologies in place to look at the information flowing, I think that’s going to be a huge challenge. But I also think, and again, it’s something Nate touched on is, that the penetration testing, it’s the assessment, it’s testing your systems, testing your perimeters, not just taking the vendors’ word for it, that they have deployed properly. And separating the organization that’s doing your operations, your configuration management and having somebody else doing the testing of it because then you get proper validation. So I think there are a couple of areas that I would see where there’s more resource focus and development that CISOs will get comfort from.
Thanks for that, Conor. Nate, I guess, to what extent is it sort of a technology issue where technology has all the answers? And similar to what Conor was talking about,
How are you seeing sort of automation and machine learning tools having an impact on cybersecurity policies?
I mean, I’d be hard-pressed not to agree with Conor based on the fact that we’ve had previous conversations about this and are very much aligned on this. So taking a step back to what COVID did and what COVID accelerated. The traditional model of security is you have your zone of trust, which is inside your network, and you’ve got your perimeter around which you build layers of defenses. There is no more zone of trust in the modern day in cybersecurity, not only because we grant access to people remotely, but also because of cloud resources and all that. So, as a result, we’ve had to deploy a much larger amount of security tools to monitor the estate from within rather than doing the traditional model of just monitoring the outside. So we now, security teams in 2022, have a huge volume of data coming in and that data needs to be parsed, organized, prioritized, and responded to in traceable, efficient, and optimized manners, right? And the only way to do that is to start automating some of that parsing, some of that response, and some of that escalation. So to do that, you really can’t get around looking at some form. And again, the term is very much overused in the security industry, but some form of machine learning and AI, or at least some form of programmatic triage of that data. So I think that’s an area I find very, very interesting. And you’ll have to forgive me, I got so excited talking about this that I forgot the second part of your question. Could you ask it again, James?
No, I suppose just sort of to what extent is it a technology issue where technology has all the answers? And I think that brings me into my next question,
Which is what about the people and human factor of security vigilance and how important is that?
It’s tremendously important. I mean, we shouldn’t get tunnel-visioned and focused only on the technology. What the technology is telling us is, “Here is human behaviour, here is what someone within your company has done, here’s what’s running on one of their computers, here’s what someone’s trying to do to your external firewall,” for instance. So all of these measures, as sophisticated as they are, will always only be as strong as the weakest employee. And so, security awareness and training is tremendously important because users are now interacting with corporate resources in novel ways and doing so from an untrusted environment. So of course, I mean, security awareness and training is tremendously important. And it goes well beyond just the traditional phishing exercise on a cadence, right?
Conor, would you add anything on that aspect?
I might actually ask Nate to go back to something that he mentioned the last time we spoke about this, about the internal SOC team and the external SOC team and your business team, because I think that was really good. You might expand maybe a little bit on that for me. I thought it was really useful.
Yes, certainly. So the way we’re thinking about SOC, and Conor and I were talking about this last time, but you basically have a number of security events that are boilerplate events, things like someone installing a piece of software on their machine that’s loaded with ransomware binary or something like that. All of these boilerplate events, whether it happens at your local coffee shop or it happens at a government office, will look the same, the signatures of the software are the same, the response and containment are the same. And so for all of these kind of boilerplate events, I think it makes less and less sense for organizations to insource the security operations center to respond to that, the SOC. So having analysts analyzing this data and responding to it in real-time makes a lot less sense to do in-house than outsourcing it because the outsource model will have visibility into a plurality of companies and will be specialized in this, right? The problem with an outsourced SOC model is that they don’t understand your business, your business requirements, and specific security requirements. So they’re very good at responding to boilerplate security alerts. And so what we’ve been talking about is kind of a two SOC model where you outsource all of those boilerplate security activities, those activities which are, again, same across all companies, and then you create a secondary SOC internally specifically to deal with your business use cases and your business-related logic.
I think that was a really good piece to talk about, to follow up from what you’re talking about, James, it’s the people who understand your business better than you yourself. So you need to understand, first of all, be alerted. I need specialists in the outsourced SOC who are honing their skills continuously, who are watching the global spread of events, that are looking at all the different plethora of technologies and they are getting the first line of defense and the alerting and the messaging and triaging it and say, “Okay, here’s something for you guys.” Our business SOC, if you wanna call it that, has to then see, well, what does that mean for me? Is this a shut everything down message? Or is it, okay, we need to just isolate and contain this particular…and know what it means to our business and the time of the month or the time of the year or what is critical in terms of our current processing as well because, again, it comes back to risk analysis. What is the impact of completing the process that we’re doing that is critical to our business or to our customers? So there is that in-house assessment that needs to be done.
But I think as well, the human firewall, the awareness training, empowering our people to not make a mistake and to identify when something looks suspicious, and not just click through it because they’re so busy, because they know that that customer, even though it’s a fake is usually demanding for time and pressure, and not reacting to the pressures, that the good social engineering skills are being brought to bear. And we have to remember, we have to be right all the time. The bad guys only have to be right once. And that’s our real challenge in using and getting our staff and our teams all up to a position where they can help be part of the solution and not the problem.
Thanks, Conor. That’s really interesting. I think you touched upon sort of a bit on outsourcing. And I just wanted to delve a bit deeper into that topic. So I guess, Conor, just sticking with you for a minute,
What are all the different models being used for sort of investing in firms future IT infrastructure? And what impact is the increasing role of outsourcing having on our industry, the asset management industry?
I think it’s shifted a lot during the pandemic because of the move. In a lot of cases, people pivoted very rapidly from on-premises systems, which were traditionally a CapEx model where we had the investment in tin and data centers and computer rooms. And people then started looking at the OpEx model of SaaS and the software as a service or the platform as a service solution. So I think we saw quite a big shift when are people coming to the end, and it was coming anyway I think, as Nate referred to in some of the other conversations we’re having with regard to the period, the changes that were happening. I think the outsourcing, what it’s allowed outsourcers to do is be more specialized. And instead of having a managed services provider saying, “Well, I’ll do your security operations, I’ll do your incident response, I’ll do all of these things, as well as managing your Google Workspace or your Microsoft 365 and all these other things.” I say actually, I want somebody who is a security operations center who does nothing else except this function and has the right skills, the right team, say, their skills are honed and tested on a regular basis. So I think that’s what we’re going to see as a little more specialization with regard to the outsourcing and less of the generalization for some of these things to ensure that we’re getting the maximum value.
Very interesting. Thanks for that, Conor. Nate, continuing to look at some of the vendor landscape,
How have you seen that develop? And are you seeing the right sort of solutions coming to market, or are there still many gaps to be filled?
Well, the vendor market in the security space right now I think can only be described as crowded. There’s been a tremendous amount of investment in the space. And as a result, you have a lot of emerging players. I think you’d be hard-pressed to find a CISO that doesn’t at least have a couple dozen people knocking on their door to sell them some variety of the same thing. The challenge is, there is no real way to test and benchmark these controls that they’re selling. It’s very difficult to do. So you have a lot of new companies coming to market with new solutions but the sales pitch is always the same, which is, “This is an AI-driven solution that will help you automate X part of your business and reduce response time by Y.” But without an objective way to evaluate that, I think it’s gonna be difficult to know which of those players are gonna be around in the long term.
So in theory, the right solutions are being brought to market but these solutions remain untested. And it’s important to know that in order to test the solution, you may have an event that requires that control that only occurs once every three years. So for those three years while that event is not occurring, a functional control and one that does not work will look exactly the same to you. So there’s a great amount of investment in the field. I’m glad to see it. I think we’ll see which vendors survive in the long-term.
Yeah, in my opening remarks I mentioned I think the FCA came out with a report last year, there are almost 2,000 cybersecurity firms operating in the UK and in London now. I think last year, the sort of revenues are around 10 billion, which was almost a 15% increase from the year before. So as you say, the market is crowded, maybe there’ll be some consolidation over the coming years, but it’s definitely a growing market. I just wanted to touch, before we move on to the next section, just a bit around cyber insurance. Conor, I know you mentioned that in some comments earlier.
What’s your sort of view on how the cyber insurance market is developing?
Thanks. I think the market grew very rapidly over the last couple of years. I think a lot of the pressure to have it has come from customers who are looking to suppliers and saying that, “To qualify through our due diligence process and others, you must have a cyber policy in place, it must have this value, and it must cover these items.” So whether or not it was a value to the organization who was responding, they had to have it. We have seen the underwriters now beginning to tighten up. I think that their actuaries have been looking at the premiums and the settlements over the last couple of years. And they’re beginning to refine their models. And there are more and more exclusions. And the premium cost has gone up. So I think there’s a lot of navel-gazing going on with regard to the value of cyber insurance. And I think a lot of people are putting it in place because they must from a qualification process, not from a business survival perspective.
Interesting. Nate, I’m not sure if you have anything to add there.
James, you know, I always have things to add. Yeah, the stats from March are that in Q4 of 2021 alone, the premiums for cyber liability insurance essentially doubled in the space of a quarter, right? So a lot of people talked about the increase in premiums. I think it’s important to understand just how dramatic those increases are. And Conor touched on it earlier, there are a lot of cases in which those cyber liability insurance policies don’t pay out. As a result, I think from a market perspective, we’re seeing two main shifts, at least two that I’m aware of. The first one is, rather than taking your entire security program and your entire organization and say, “Let’s insure this,” where there’s a lot of unknowns, and it can be difficult to quantify risks, insurers are becoming much more interested in insuring specific scenarios rather than the entirety of the organization. And the second one is some of the more established vendors are now tying insurance to their product saying, “If you fill these criteria, if you keep our systems deployed on all your machines and up to date and X, Y, and Z, then in the event of a breach, we will pay out X amount of money.” So this risk transference is going from company to insurer, to company to third party. And unless there’s a dramatic reversal in the trends in these policy prices, I think we’re gonna see a continuation of those shifts.
Interesting trends. Thanks for adding those points, Nate. Appreciate that. I wanted to switch now to looking a bit around I suppose stakeholders, we call it. We heard earlier from our panel of investor and due diligence experts who were talking about greater scrutiny of governance practices and discussing sort of current and future expectations as investors looking at managers around their cybersecurity maturity and management. Nate,
How have you seen sort of investor expectations change in recent times on cyber?
That’s an interesting question. I think investor expectations typically take the form of a DDQ process, a deep dive process into security. What we’re starting to see happen. So traditionally, a DDQ would have been a kind of a spreadsheet of questions that would be answered, and it’s a questionnaire not an audit. So the depth of the answers is not always tested. So what we’re starting to see is in the DDQ space, you have vendors emerging that go beyond just this questionnaire-based approach and offer a kind of an overall risk to a third party that you want to operate with. They do things like doing passive penetration testing against them to see if there’s any vulnerabilities on their external perimeter. And that will impact the risk factor. They look at whether or not the organization has been breached over the past 12 months and that’ll impact the risk factor. So I think the DDQ process is definitely an area that’s evolving rather rapidly. And in the future, I expect that we’ll have a much more all-encompassing view of the security of a firm rather than just focusing on this questionnaire-based approach.
It’s an interesting evolution. And, Conor, looking at sort of board oversight and senior management awareness, I suppose, around cybersecurity and IT risk,
Are you seeing sort of business leaders allying their strategies, or aligning even their strategies with cyber risk and resilience initiatives?
Yeah, I think that there has been a fairly significant increase in the level of awareness of board members. I think, in different jurisdictions, the perceived liability of the non-executive directors and what their responsibilities are with regard to their commitments to the board is something that’s increased very significantly. And a lot of these, I know, non-executive directors would sit on multiple different boards, where something has happened on one that may have been a breach, and they’re suddenly asking questions in all the other ones that they’re a part of, and through a lot of the membership forums that these directors participate in, and discussions like today, there’s an increased level of awareness happening all the time. There’s a lot of focus that we’ve had over the last couple of months on the SEC rules and the proposed changes there. And there are some other SEC rules that were happening that are interesting. This is actually the 20th anniversary of SOX. And following on from that, there was the requirement for your disclosures to guide board composition and, I suppose, the financial capabilities and qualifications of board members. And I think we’re beginning to see noise in the same area from the SEC with regard to board structures with regard to cyber. And I think that’s an interesting focus that’s now going to come to boards with regard to the stakeholders, and we’re seeing it out through different layers of management. I think, myself and Nate here are both CISOs. And the C letter being put in front of information security at a number of organizations who are doing that, it speaks volumes. The number of CISOs has increased dramatically. So that is another focus as well. But again, I think it’s stakeholders, whether they’re investors or customers, that are all looking for evidence of awareness from a cyber perspective of organizations.
Yeah, very interesting how things have changed in recent times. There was something you mentioned there, and it triggered a question I wanted to ask about sort of group-level dynamics, and when a firm may have offices in different jurisdictions around the world, how they need to perhaps tailor or adapt the cyber policies for each jurisdiction, and what some of the challenges might be there. I’m not sure who would like to take that one.
Go ahead, Conor. Go ahead.
Waystone Compliance Solutions’ Cyber & Data Protection Services
Okay. Within Waystone, I suppose we fit that bill. We have offices in major jurisdictions and customers that operate under many different regulators. And there is, I suppose, a huge pressure and responsibility upon us to make sure that we have teams internally that can interpret the regulations that exist in those jurisdictions properly, and make sure that we match them to the information security and the cyber requirements with regard to the delivery of our services, and whether it’s the notification periods that differ from one jurisdiction to another for breach notifications, whether it’s the structure of a written information security policy. And one thing I find that we’re doing more and more is spending time with our compliance and legal colleagues in the interpretation of what are quite difficult reading documents at times, to pull out the salient points that then have to be reflected in our cyber approach. So I think it’s a collaborative process between the CISO office, the chief compliance, the chief risk and chief legal in terms of interpretation of regulation and the requirements.
Couldn’t have said it better myself. Yeah. And you see a lot of overlap between some of the emerging standards and government requirements. So while there remains a divergence on points like reporting periods and speed of reporting, I mean, there is kind of regulatory convergence for at least most western countries.
Thanks, Nate. We’ve got a few minutes left. So I wanted to just finish with a bit of future gazing, I guess, or crystal ball gazing, whatever we call it. And I suppose the first being sort of, what are your expectations of what’s going to shape the cyber technology landscape in the coming decade? We may have already touched upon some of the points in the conversation. But is there anything in particular or any areas in particular that you see are going to be particularly prominent? Conor, perhaps starting with you.
What is Going to Shape the Cyber Technology Landscape in the Coming Decade?
Thanks. I think something we’ve touched on a number of times, and it has been a theme throughout today, has been the changing work environment for people, this hybrid, and making sure that our employees have a safe, a flexible, and easy enough to operate work environment with all the controls. From a CISO perspective, we want control, control, control, but it has to be operable in a way that is efficient for users as well. So I think that the continued shift to a more controlled and structured hybrid environment is going to be a key thing. That’s certainly one that’s going to be big on my agenda and ours. And I think the continued shift to SaaS and the global cloud providers, and making sure that the due diligence that we would have done on an on-prem or customized platform, that we’re able to make sure that we get the same confidence and assurance through due diligence with them. It’s not easy, but I think it’s something that we’re gonna spend more time on as we pivot towards them.
Thanks, Conor. Nate, what would your view be on this sort of the future of cyber tech?
I definitely agree with Conor. And touching on something he said earlier, with the evolution of the vendor landscape, we now have a number of specialized vendors that we have access to that do very niche things. As a result, I think, increasingly, security is becoming a matter of implementing change at scale in an organization and adequate governance and kind of departing from first-line response and technical incident management. Obviously, there’s room for both of those. But that’s kind of a high-level trend that I see over the coming years. And obviously, continued importance of automation for incident response, event management, alert triage all the things we talked about before.
James: Brilliant. Thank you very much. I appreciate it. We only have a minute left. And I suppose it’s just a final question. If there was one thing or area that a firm should be doing from an IT perspective for the sort of post-pandemic future, which is hopefully just around the corner, what would that be? What would that one thing be that firms in our sector should be doing?
Training, making sure you’ve got the right people in what Nate referred to as our kind of business SOC or internal SOC that are responding properly for our business to deal with alerts and automated notifications. We’ve got systems, but the first thing is training, I think, making sure that our people are empowered, and that they can deal with a situation that’s put in front of them as best they can.
And, Nate, the final word with you on this one.
Nate: I mean, it’s difficult for me to say what the top one is since Conor already outlined it. I can talk to the second one, which is basic hygiene. Make sure your systems are patched. It’s the very foundation of security programs. It’s probably the most boring answer you’ll find but it’s the backbone of any security program to ensure that you minimize your attack surface. And so do the basics, do them really well and then move on from there.
Brilliant. Well, thank you so much, Conor and Nate, for sharing your expertise and insights with everyone today. So it was a really fascinating conversation. And you highlighted so many of the areas that will be on the minds, I know, of the businesses and our members in the alternative investment management sector. So thank you very much for that. And with that, it now falls to me to wrap up today’s event. I’d like to say thank you to all our fantastic speakers today for sharing with us their invaluable insights, which I hope have been useful for you all. We’re so pleased that we’re able to hear directly today from investment managers, chief technology officers, chief information security officers, the SEC chief at cyber unit, as well as senior cybersecurity experts at leading technology vendors. And I hope you’re all able to take away some useful insights and they provoke some thoughts about cybersecurity and programming within your own firms. If you would like to get involved in AIMA’s work on cyber and operational resilience, for example, by joining one of our peer groups, then please do get in touch with me. Otherwise, thank you again for joining us today. And goodbye for now.