The Monica Talks Cyber Show

That's Cyber in the FinTech World

Monica Verma Season 1 Episode 17

The goals of security isn’t confidentiality, integrity and availability but to understand, support and enable organization’s goals and mission. Business acumen, leadership and communication play a vital role in that. 

Security is not an IT problem but everyone’s responsibility. In this episode, we turn the tables and talk to a business leader on his role and involvement in security as well as expectation of and support for security leaders. Monica Verma talks with Christoffer Hernæs on digitalization, the business perspective of security and the FinTech world.

Looking to become an influential and effective security leader? Don't know where to start or how to go about it? Follow Monica Verma (LinkedIn) and Monica Talks Cyber (Youtube) for more content on cybersecurity, technology, leadership and innovation, and 10x your career. Subscribe to The 10x Circle newsletter at https://www.monicatalkscyber.com.

Intro  0:00  
You're tuning into the podcast series We Talk Cyber with Monica. Your platform for engaging discussions and expert opinions on all things cyber. For more information, check on MonicaTalksCyber.com. And let's hop right into today's episode. 

Monica Verma  0:17  
Hi, everyone. Welcome to today's episode of We Talk Cyber. This is your host Monica. Today we have a very interesting guest, someone who is not a stereotypical security professional, but a business professional. So welcome Christopher to the podcast show today. How're you doing?

Christoffer Hernæs  0:34  
Thank you Monica, doing just great.

Monica Verma  0:36  
Lovely to have you on the show today, Christopher. Would you like to say a few words about yourself to the audience and maybe a fun fact about yourself?

Christoffer Hernæs  0:43  
Yeah, of course, my name is Christoffer Hernæs. I was until recently, Chief Digital Officer of SBanken. Norway's leading digital bank. Been digital only since 2000. And now I'm after being on the C-level position for quite some time, I'm doing my own company to enjoy the freedom and answer only to myself. Basically, management consulting on everything strategy, digital, [and] commercialization. Fun fact, that's always a difficult question. I'm extremely interested in music. Used to play in a band. Had a dual life, being a banker in the day and rock star by night. But I had to just focus on being a banker by day and the dad when I come home as I get older. So, I've left that behind. But it's still a big part of me.

Monica Verma  1:35  
That's amazing. Lovely to have you over. So, since you mentioned it that you worked quite many years as Chief Digital Officer, what is Chief Digital Officer? What does the role entail?

Christoffer Hernæs  1:48  
I think if you ask 10 CDOs, you'll get 10 different answers, because that's one of the titles that's up to every organization to fill. Like a CFO, everybody knows what a CFO is, that's the same in almost every company. In my case, it was being in charge of business development and innovation, as well as everything within IT. That also included security, I had to meet myself in the door (eng: faced my own prejudices) a couple of times during those years.

Monica Verma  2:17  
Interesting because being a part of digitalization, and then also being responsible for security and cost, it obviously can be tricky. So what were some of the biggest challenges that you faced as the digital officer or just in general, working with digitalization over the years?

Christoffer Hernæs  2:37  
Well, having such a broad control span, one of the biggest challenges was how to manage my own time, because it was expected of me to have an equally weighted spending of time between the different parts of the organization. But when servers are down, or there was a security issue, of course, I would spend 100% of my time on fixing that breach or keeping the uptime at our required levels and innovation would get 0% of my time. So that is one challenge. But also in banking, there's always something new to do, keeping ahead of regulations, keeping ahead of compliance. That's why I really got into cybersecurity after working more on the business side of banking for many years before I got this role. Seeing that, having stable operations and state of the art, cyber security, that's the entry ticket to doing anything with it within this space basically. So I told this to everybody in the organization. This has to be a number one priority. When I'm comfortable that we are on top of this, then we can start [to] innovate. And then we can start challenging status quo. So there was really strict level. We need to be at this level before we really got to experiment and do all the fun, well we're talking security, I think it's fun, but fun for everybody. That stuff.

Monica Verma  4:12  
So how did your role basically complemented and work with the CISO? Or what do you think are the complementary responsibilities between a digitalization officer and an information security officer?

Christoffer Hernæs  4:27  
Well, again, there are different setups there. Some choose to have the CISO within the IT organization. We have the CISO in the risk organization which acts as the counterpart for IT. More of a second line type of role. Being a conversation partner, not only for the security department also for me, that was extremely valuable. We had really good discussions and happy [that] somebody had being paranoid as their primary job. It was a good reminder that we need to be always vigilant and always looking out for how can we improve in the next phase of things. But also within the banking community, we collaborate a lot on cybersecurity. And that was also a valuable part, having open lines to the CISO of other banks, between the banks and sharing intelligence, sharing information, what's going on, which allowed us to stay ahead of what was coming in terms of security threats, and seeing that planned attacks were being set up in advance, that really allowed us to put up a perimeter beforehand, rather than sitting there and not knowing what happened afterwards.

Monica Verma  5:50  
So the point that you mentioned actually is quite interesting, because you said that you had this requirement, okay, that we should come to this level, at least when it comes to security, and that you're happy and satisfied with it before you really start like taking it up a notch and being innovative in that sense. How do you see these being positive or negative in the way different organizations do it? Is it important to start buying technology already in advance? Or is it first doing the basic stuff in the beginning, before you start thinking of, okay, let's procure more stuff and get a box that will help us build security?

Christoffer Hernæs  6:30  
Well, the short answer is that there's no silver bullet to it. And sometimes there's some new technology and new software that you can buy off the shelf, which can heighten your security. And that's basically weighing your risk appetite versus your cost appetite. It's always to pay your way out of that. Then there [are] managed services or your outsourced parts of your portfolio to a vendor. Then it's more of a governance type of issue, that you need to have good governance principles in place in order to do periodical control and having really good control of what your vendors are doing. And then there's the last part, that's probably the hardest part, that's the code that you write yourself. Having a strong sense of cybersecurity really ingrained and embedded in both the heads and also the hearts of your developers, I think that's crucial to really being secure. Having cybersecurity at the code level, gets you way longer than buying all sorts of perimeter type of defense systems, especially when a lot of our innovation were related to building an open platform, integrating with third parties, using APIs as tools for business developments. And as everybody know, when you open up API's, and you start connecting with the world around you, you increase the number of attack vectors, numerous times. So venturing into that playing field, you really need to know what you're doing in terms of cybersecurity, if you want to do the open platform type of play. And if you look at all the big scandals at the platform companies, like we know, many of them have been related to API vulnerabilities of some sort.

Monica Verma  8:29  
So what are some of the biggest security and privacy challenges that you've seen and encountered?

Christoffer Hernæs  8:37  
It's difficult pointing out one particular big challenge. I gotta say, a big shout out to my gold guys, my old colleagues, they were really staying ahead and really engaged in the field of cybersecurity, but acknowledging that this is an arms race every single day is an arms race and you will never be finished, when it comes to cybersecurity. I think that's the biggest key takeaway that I can look back on that you can never be happy. You have to be paranoid, you have to think like a crook. Even though you might seem like you're this kind of paranoid, strange guy. I've been saying this for a while and people react when I say like you have to think like a crook. You have to really acknowledge that there are bad people out there. And I've had some heated discussions at dinner parties over this, look everybody's good on the inside. Well, when you are responsible for IT in a bank, you can't afford to assume that people are good on the inside because the truth is, there will be somebody and it only takes one one person who is inherently bad to do malicious things to our infrastructure. So I think that kind of mindset without tipping it over. It's a fine balance and my role of having such a broad control span, everything from innovation to IT operations. It was all about balance. Balance was the key in everything that I did? Mm hmm.

Monica Verma  10:20  
And what you said here is probably very critical. Because when you talk about insider threat, it's not easy to talk about it, because you're now basically insinuating that maybe some of the employees don't have the right motive. And threat actors can obviously, both external internal, can have wrong motivation. But the key really, as you say, is correct. How do you talk about it? Or come across as that now you're just pointing fingers at everybody. That's not really the case. But just having in the back of the head that he has that could happen. Are there some examples? How have you dealt with this kind of like insider threat topic in general?

Christoffer Hernæs  11:04  
Well, it's awareness. It's extremely important. And yes, the CISO did a tremendous job of doing internal learning efforts. All this, all the time. Whether it was phishing attacks, or downloading something you shouldn't do, because at a lot of times, the weakest link is always the human factor is always the human error, which is the weakest link, you can buy, like I said, you can buy all sorts of threat protection and try to secure yourself in some kind of way. You can take away the internet for everybody inside the company and just exclude yourself from the outside world. But if somebody brought a USB stick to the stationary computer in the office, then it doesn't help. So really, having a well educated workforce is the best you can do in terms of staying secure. I think also having a culture that is ready for that it's impossible to be 100% secure, and believing that you're able to shut down every single vulnerability. There will always be something there. And you need to be prepared to have the fastest possible response time to close that gap when it is discovered.

Monica Verma  12:29  
So you talked a bit about the API, right. You mentioned that okay, but if you look at  one of the biggest things that have, or attacks that have happened, a lot of the cases in a lot of times API, weak API [or] open API's are the reasons for it. And we talked a bit about FinTech. So let's let's jump over to FinTech. What were some of the challenges that you have seen in terms of this open banking and going towards open banking, in terms of both security and privacy?

Christoffer Hernæs  13:00  
Well, now, you really, now we are in my home turf here. Because open banking, the starting narrative for open banking was that the bank should be platforms, they can be an app store for a lot of fintechs. And consumer can choose which fintechs they wanted to use, and they will lie on top of the banking infrastructure. I quickly realized that this is a scenario that's close to impossible to really implement. How should you have the ability to oversee, governed like, not only 10 to five different small fintechs that should have access to your infrastructure on behalf of the customer, when you as a bank are, you are responsible. At the end of the day, the bank is responsible for the risk or both the IT risk but also the the balance risk, the risk of KYC the bank, the risk of anti-money laundering. So the amount of governance, compliance and legal work required to really uphold that mission, for me, it was not sustainable. So I I basically abandoned that scenario many years ago. That's why in our open banking efforts, we consumed data from third parties because then we had control. But when we had data exchange, we did it together with other financial institutions, people or who are living under the same requirements as we did. In that case, when we had our legal agreements for data exchange, our counterpart, were under the same laws that we did. We did a lot in open banking. I'm really proud of everything we did. But we had, like I said, we had very limited box. There was no thinking out of the box. But we challenged what was possible to do within the box that were, of course, secure compliant. Because at the end of the day, what you want from a bank, you want a cool bank? Or do you want a secure bank? So I know which one I would choose, but maybe I'm old and conservative, but I rather have somebody who takes care of my money and takes care of my data than somebody who's cool and a bit sloppy on the end.

Monica Verma  15:32  
No, I agree, I think, I would, I'd obviously want both secure and cool, if that's possible. But if you have to choose then security, obviously. When you talk about money, and you're talking about millions and millions of dollars in transactions, security is definitely important. I mean, I did one of these talks where I talked about the mobiles and how we have evolved with the rotary phones that we had, like, decades ago, to the mobile that we have today, where we, our whole health, banking apps, every critical data, every critical application is on this device. If I lose this device today, I think I'm gonna lose literally a very important part of my world. And the reason we do that, and we have evolved from having majority of our aspects into a small device, is because we kind of have that implicit trust. And if we start realizing that the trust is completely broken, one would think 100 times before somebody would put money in there. So yes, definitely a secure bank would would have to trump over a cool bank.

Christoffer Hernæs  16:39  
Yeah, because that's the basic business model, it's trust. So I've been thinking a lot about what is the business model of banking, when I'm working with innovation. To the core of it, banking is built on trust, and trust is the core business model of banking. So everything that could challenge that level of trust, is something that you should be really, really careful of doing. And I think that's one of the key challenges that we need to overcome in terms of really making engaging and relevant and personal banking user experiences is to put aside the age old myth that you have to be secure on the one hand and usable, on the other hand. You can havea great user experience and still be secure. And it's slowly going away. But it's, still a bit, it's there still.

Monica Verma  17:38  
So talking about FinTech, because you mentioned obviously, that you decided to go in a different way when it comes to the model and consume data and but exchanged it with the counterparties that were also in the finance sector and the banks, how do you see, have IT giants like Apple and Google evolved in the FinTech world.

Christoffer Hernæs  18:01  
Good thing about no longer working at a bank, but working in banking in Norway, is that you can see these things coming from way ahead. There's no doubt that both Apple, Amazon, Google, Facebook, they want to get in on the action, especially on the payment side. They have vastly different motivations of doing so. But if you look at recently, just the recent developments now in the second half of 2020, Apple buying Mobeewave getting into the merchant side requirements of payments. It's a game changer. We might not have seen the implications of it by the end of this year. But they will be able to have a really strong grasp of mobile payments, if that is to really take off. And if we see how contactless payments have really, really skyrocketed in this year of everything being turned upside down, they have some good opportunities out there. And just imagine if Apple, they will never open the NFC chip on the iPhone for security reasons, of course, for one. And another reason is that when they keep it closed, they have monopoly on payments on the iPhone. So today, they take 30% of all revenue on the App Store. If they get the same monopoly on payments on the iPhone, I know which percentage they take today. I cannot say it because it's an NDA. It's small. I can say it's small, but it could increase if they got a monopoly situation. I'm not sure what Google's motivation is but they're partnered with a lot of US banks to offer checking and balance accounts. So, they are doing stuff in collaboration with the banks. They are constantly attempting to get in on the financial services playing field. What I find, perhaps the most scary for them, especially the big global banks is that they have failed so many times, but they keep trying. I started following Google's venture into banking and financial services around seven or eight years ago, and they're still trying, failing again, selling again. But then they never give up. The same with Facebook, they have been trying to get payments into the messaging platform for a while, hasn't really taken off yet. But they keep pivoting and they don't give up. Of course, Facebook lives off people's data. Everybody knows that. You are the product at Facebook. They live of it. They basically manipulate you as a person, what you will like, before you know it yourself. And having payment data, the gold standard of personal data is, of course extremely valuable for a company like Facebook.

Monica Verma  21:11  
Yeah, right. And so, as you said that they've obviously been trying and they don't give up. Bank's have also been trying. Where do you see how the collaboration do you think would go ahead and go forward in the years to come in this financial services, payment, FinTech landscape between banks and IT giants like Apple, Google? Will we see more collaboration? Will we see more competition? Where do you see it going in the future?

Christoffer Hernæs  21:40  
I think that all depends on a couple of factors. I think there will be no definitive and global answer for it. Consumer behavior is vastly different between Nordic banking customers, European customers and US banking customers. And then there's Asia. But that's a whole different discussion. So we don't have that much time today. And one of the reasons is trust in the banks. Every time every now and then there's a survey done, what kind of institutions do you trust? In Norway, at least, banks come out on top every single time. And social media companies on the bottom end of it. Banks are more trusting than the government in Norway. I don't remember the exact rankings in the US market, but it's different. Banks are down the list, significantly. And they never recuperated like we talked about earlier. The trust that we're taking away, in the wake of the financial crisis, the big banks got bailed out. And the consumers were stuck with the bill. And that's basically what was the spark that ignited the whole FinTech movement was to we don't want this. But that was never the case in Norway. So that's, that's separate, because at the end of the day, it is the consumers who make the choice, who they want to trust with their money. But perhaps if you look a bit more in the future, it could be possible to divide between who keeps your money and who you trust in managing your daily finances. That's a different story. Because that requires a level of sophistication in really designing great user experiences. That's way beyond what any bank has ever done before. There's so much more to do. It's still closer to the good old paper base account statement that I got in the mail once a month, than what I would have. I would have a personal trainer for a wallet, or self driving bank, somebody who just took the decisions for me and made me a financially responsible person without me having to really do as much myself today. I do a lot of stuff myself. I've been working now in banking for seven years. So I can say I know this stuff. But for the general consumer there's a lot of insecurity. There's a lot of questions related to everyday finances, how much should I save for pensions? How much should I save for my next home? How much should I save for my children? There's so many questions, and it's so difficult to find what suits you. So whoever manages to really hit the target of delivering that segment of one user experience that makes personal finance relevant for me as an individual would come out on top. If that is a bank, a FinTech, Google, Apple, I don't know. I know that Apple, over time has proven that they are bit ahead of banks when it comes to deciding beautiful user experiences. So I think that's one of the factors that should be taken into account going forward also.

Monica Verma  25:15  
Yeah, I think I totally agree with you on that one, because I just was talking with one of the colleagues a couple of days ago, on having like a financial advisor on my mobile through the help of a bank in a more seamless way. I mean, I've been in finance sector now 14 years. And I think I would still have, I don't think I can do everything myself either. So yea that would that user experience really will be the key, I see that as well. And talking about user experience and usability because you touched on the topic, usability versus security. So you, from an IT [and] from a digitalization perspective, want to obviously make sure security is in place. Plus, it's usable, that one doesn't need to trade off between these two things that one can actually, from a consumer perspective, have both security, can put trust in and still have a good user experience. Keeping that in mind, what would be your top asks or requests from a CISO? So that it enables you and security enables you still to provide usability and user experience to your consumers?

Christoffer Hernæs  26:25  
That's a difficult question. But I think really staying ahead on how is fraud developing right now? How are the most sophisticated fraudsters operating? Something that is based on tricking humans into doing something that they are not supposed to do, like we have the Olga frauds in the Norwegian market, people calling up and saying that they're from Microsoft, and they need to get their accounts and so forth. And then they get into the bank. So stay ahead of the modus operandi of fraudsters. I think that's one of the areas that I really needed to know, way ahead before the large new functionality. How could you use this for malicious intent? If that matches with what we see is being is becoming a common fraud technique, we need to rethink our UX.

Monica Verma  27:27  
Correct, correct. Yeah, it makes total sense. Thank you so much. What would be your key takeaway or key message to CISOs and risk officers on one hand, and to business leaders, on the other hand,

Christoffer Hernæs  27:42  
Well, to the CISOs and the risk officers, the ones I've talked to, I've been really impressed. So basically, stay, stay vigilant and expect the worst like they always do. And encourage [that] everybody thinks like crooks, when they design new solutions. Like I said, how could anybody exploit this for malicious purposes? And for business leaders, as myself, before I got into being in charge of IT as well, it's really, really, really take into yourself that IT security that's not IT's problem. This is everybody's concern. You cannot outsource cybersecurity to either a CISO or a CTO or anybody who knows how to spell IT. This is the concern of everybody in the top management everybody at the board level. Everybody in the middle of management as well. 

Monica Verma  28:42  
Very well said. Thank you Christoffer so much for coming on the podcast show today. It was really lovely having you.

Christoffer Hernæs  28:48  
Thank you.

Monica Verma  28:49  
So that was today's episode of We Talk Cyber. I'm your host Monica. I'll be back with more amazing guests [and] fantastic conversations. So keep tuning in. Until then, take care and stay safe. 

Outro  29:01  
Thanks for tuning in to We Talk Cyber with Monica. Do not forget to subscribe to We Talk Cyber in your favorite podcast app and YouTube channel MonicaTalksCyber. Take care and continue tuning in.