Turning Risk into Resilience
In this episode, host Raghu Nandakumara sits down with Indy Dhami, Partner at KPMG UK, to explore the evolution from traditional InfoSec to cyber resilience. They discuss the strategic implementation of Zero Trust, the impact of regulatory pressures, and the challenges posed by AI. Indy emphasizes the critical role of foundational cybersecurity
Transcript
00:16 Raghu Nandakumara
Hi, everyone. Welcome back to another episode of The Segment: A Zero Trust Leadership Podcast. Today, it is a great pleasure to be joined by Indy Dhami, financial services cyber partner at KPMG UK, and someone who's had many years of experience in helping some of the largest financial services organizations build out their cyber strategy and practice. So, really excited to speak to him today and learn from his experiences. Indy, welcome to The Segment.
00:48 Indy Dhami
Thanks. Thanks for inviting me. It's a real pleasure and honor. I've been following Illumio’s story for many, many years. So yeah, keen to get involved and contribute some of my learnings.
01:01 Raghu Nandakumara
Well, we're definitely here to hear your story today, Indy. So with that, why don't you just start off by telling us your background in cyber, and the experiences that have got to where you are in your career today?
01:13 Indy Dhami
Yeah, sure. So, I've been working in the security industry now for coming up to 21 years in varying different roles. So, started off my career by managing an IT department for an architect's firm. And that involved everything from network management to running backups, to then you try to clear all these pesky viruses and malware that were sort of proliferating across the entire network. And now, this is early 2000s. So, you can imagine that, you know, security wasn't high on the agenda. But what's what really resonated with me was being able to manage these things. But then also, the fact that many organizations weren't prepared for the worst that would happen if they were to lose their network, their entire network; they had no contingency plans in place. So that really got me interested in security. I studied a little bit at university, some of the sort of the main principles of InfoSec, it was at the time, and then having moved on from that role, end up moving to Mercedes Benz in Milton Keynes, and probably a pivotal point in my career because I ended up working with a chap that was just very knowledgeable about everything that you can think of was security, business continuity, enterprise, risk management, physical security, everything. And that's where really it kick-started my career in the world of security.
We built an information security management system. It became the first in Mercedes Benz globally to be certified to ISO 27001, and we had a quality management system that was ISO 9000 certified. And it was brilliant, we were doing some really interesting work. And roughly around 2004, 2005, the parent company, Daimler, saw what we created, and they asked my team to go out and replicate what we've built in Germany. So, I spent two and a half years traveling in and out of Stuttgart and spending some time there. So, great experience on a global operating model transformation program, fundamentally, and there was an element of security in that. But this is a large-scale process transformation. All based on the great work that we did in the UK and my German friends, I always remind them that, you know, it is around then when the Germans asked the Brits to go out and teach them the processes. They hate me saying that.
03:34 Indy Dhami
So yeah, left Mercedes and moved on to Accenture. And spent a year in The Hague. This was a really interesting project, large scale, nation state breach of a prominent organization based over there. I won't say who it is because many people can probably guess. And our role was to help, trying to identify what this nation state was doing in the network. And oddly enough, it started with just looking at Excel CSV files to try and figure out, you're looking at the logs to see what was actually going on. Ultimately transitioned to a SIEM solution. And that allowed us to then start onboarding more log sources, breaking the platform a couple of times, because you just weren't prepared for the sheer size and scale of logs. But great experience. I moved from there to PwC and spent two years in Copenhagen, working with a large shipping conglomerate, big security transformation program that covered everything that you can think of from developing policies to really crisis simulation exercises, full end-to-end security transformation program, following that, and moved to running my own company. I set up my own business, fundamentally running a matrix type organization, whether it's providing consulting or pen testing services. A really great experience working with a couple of financial services organizations both in the UK and in Paris.
Following that, I moved to IBM. I spent four years there leading the FS transformation team, primarily involved in large-scale, managed security services, engagements, things like running end-to-end SOC, but then also running security assessments and consulting type work. Following that, I spent a year with a company called Historic Global, who were funded by the Singaporean government to go and invest in other cyber companies. So, a great experience there. And then I joined KPMG in January last year with the remit of picking up FS clients, mainly banking, but then my remit has grown a little bit further for running our cyber resilience capability, which then cuts across a number of different sectors.
05:49 Raghu Nandakumara
I mean, that I think we sort of... you deserve a podcast episode for every bit of those experiences, right?
05:55 Indy Dhami
Each one has its own interesting story, I probably could write a book of some of the things that I've seen that will make people roll their eyes and say, yes, I've experienced something similar.
06:06 Raghu Nandakumara
Well, I think season three of The Segment, Indy, is just going to be 12 episodes of you telling your story. That's awesome. And I'm trying to decide where we should start to sort of unpick things because I feel all of those have in some way really built towards sort of not just the role that you do today. But really, that focus where it's gone from you said right at the beginning, the focus was InfoSec. Right. And that's how it was content. And now, that's really shifted towards sort of cybersecurity. And now, the term cyber resilience. And I'm trying to, I'm connecting what you said right at the beginning, which was like you were there, right? You were doing sort of IT support in all its various flavors and trying to stop, let's say, a virus running through the network goes down; there's no contingency. And now, resiliency, not just cyber resiliency but operational resiliency, is all about how can I continue to function even when I have all of these unexpected things happening. At what point do you think that shift happened to say, we've got to really focus on resiliency; it's not just about sort of being able to go and fix the problem; it's being able to function while we fix the problem?
07:26 Indy Dhami
Yeah, I mean, there's a really interesting question because go back to that, that first experience I had, and I was actually just looking through some of my paperwork recently, and it actually used the term helping the organization become more resilient. And that's probably way before anyone was thinking about operational resilience or cyber resilience. And then on to the Mercedes example, you know, we were talking about all of these things when it comes to identity and access management when it comes to enterprise resilience about bringing converging all of these things together. Whether it's security, whether it's physical and environmental security, whether it's fraud. And unfortunately, it didn't come at that point, it's probably just appeared in the last, say, five to six years. And that could be due to a number of things. It could be an increased number of cyberattacks or outages. You know, if you think of some of the big UK-based incidents that we've seen, Buncefield came to mind. You know, there was a big explosion, or the eruption of the volcano in Iceland, wasn't it.
So those types of things were often never considered, and I remember running a crisis simulation exercise abroad. And they said to me, "Indy, this would never happen to us." And the scenario that I built was all around bird flu, fighter bird flu happening, right? So now we've got, we've got people more aware of these operational-type incidents being more prevalent, then you've got the cyberattacks increasing. So you know, that awareness has dramatically grown because if you think about just the news, right now, you see, you may see cyber once, twice, three times cyberattacks on the news now, and it's become more prevalent, and people are asking more challenging questions around it to the security leaders.
09:14 Raghu Nandakumara
So just as a bit of an aside, right, so you mentioned we see cyberattacks increasingly in the news. Right? And did you feel that when that news is being reported, it's largely more of the same? So as someone who's not as informed as you are, that the people that like watch the news, they say, "Oh, just another cyberattack." Whereas the actual consequences when you think about resilience, and the reason we're focused on resilience, we'll come on to things like DORA, is because the knock-on effect of, let's say, a high street bank being impacted is significant, right? Those things aren't being reported enough so that just the normal but just the general public, still don't have that aha moment about why cybersecurity is so important.
10:09 Indy Dhami
Yeah, it's a really good point. And, you know, I tried to peel back the layers of these challenging questions and why is that. And until it personally impacts a lot of people, you know, they're then generally oblivious to cybersecurity and why it's important. I remember having this conversation with it was at a family event, a family party, and I was speaking to a doctor. And you know, he sort of had the conversation here, "So what is it, what is it you do?" And I explained a bit about the type of work I do. And you can see this moment of panic, really crossing across his mind thinking, well, actually, we've got lots of sensitive data, we're quite exposed, I actually have no clue about how my practice manages all of this sensitive information that we have. And I have no clue whether we could recover. And funnily enough, about a year or so later, we saw the WannaCry incident, NotPetya all impacting the NHS. And I think that was, it was for a period of time, it was quite prevalent, people were really concerned about it. But then it goes away. Everything goes back to normal. And again, people maybe not have that much of an interest, as I said, until something impacts and they may be, you know, may have had their bank account compromised and money is transferred. So, it still seems to be one of these areas that is maybe deemed to be out, you know, it's people sitting in darkened rooms with hoodies on hacking away at things. But actually, there's a broad range of threat actors out there, be it from. Yes, you can go this stereotypical very smart kid sitting at home hacking away to highly organized, highly profitable business enterprises. To the point where, you know, we see some of these organizations being quite frustrated with the script kiddies, you know, damaging their reputation, because you know, they've got a reputation of being known for if they've attacked an organization with their ransomware.
They'd be known to, they'll give the decryption keys back if they're paying. Whereas other organizations may not be as, as ethical, right? Which is a crazy thing to think about. But that's this shadowy underworld that we see that many people are not really aware of that operates in the light of day.
12:23 Raghu Nandakumara
Yeah, absolutely. And I think that I think about the ethics of ransomware, or malicious actors, and some malicious actors are sort of are very proud of the ethics that they demonstrate. Whereas, whereas others, you just don't know this concept of, well, if you pay the ransom, we'll release your data. I've been concerned for me is, if they've got your data, right, God knows what they're going to do with it, whether you pay the ransom or not. So let's sort of come to your role today. Right. And when you're engaged by your customers, right. And this is a very broad question, what is typically the first question they ask you?
13:09 Indy Dhami
Typically, the first question they ask me, depending on a range of different scenarios, but you know, I can think of one that's prominent in my mind right now is, you know, we've, we believe we're out of our risk appetite, when it comes to cybersecurity, right? Can you help us get back into within tolerance? Now, often, the first question I ask is, so how do you define what your risk appetite is? And then, secondly, what are the data points that allow you to then gauge whether you're inside or outside of that level of tolerance? And a bit of a controversial statement, what I do see, though, is across many organizations, not just in FS, is that poor data leads to fundamentally flawed responses to that point around, are we inside or outside of our appetite. And there's a number of reasons for that. At least from a cyber perspective, it's usually coverage of controls, and log sources. You could have a SOC or a SIEM running and monitoring your estate. But what you read, what many of the senior folks don't realize, is actually you only have a small percentage coverage because you don't have access to certain technologies. Some of your critical applications have been developed so long ago, they may not be producing the logs that you need to give you that clear visibility, whether someone can enter your network and then laterally move across. So, risk management and the same applies from an operational resilience perspective. But if you don't understand your estate, you don't have the correct data to give you a clearer picture of everything that you have within your enterprise, and also your third and fourth parties. How can you then make those appropriate risk management decisions? It's fundamentally flawed.
14:53 Raghu Nandakumara
Yeah, absolutely. And just hearing you say that that last part of it right, sort of connects me to, like regulations like DORA that are that are sort of just coming into force and will be sort of truly active by, by next year by early next year where I mean, you're pretty much a word for word what you just said, right? You need to start with a really good understanding of how things in your environment interact, but also how you all have your suppliers, all of your upstream and downstream dependencies also interact with you at a systems level, right? This is not just a business process level, but at a systems level, so that you can then understand your exposure, and then put in place the right controls.
15:37 Indy Dhami
Yeah. I mean, and also, you mentioned DORA. There's many, right? And the one thing that I'm seeing is that it's almost where people are fatigued by the sheer amount of regulations, be it cyber or operational resilience, there's a lot of overlap. And you know, it's probably at a tipping point where, you know, some organizations are saying, funnily enough, we just saw it in the news today. One UK high street bank has actually made a statement that they're actually letting go a lot of their risk function because it's hindering their ability to innovate, right, which, for me, is a very strange, strange position. Bearing in mind what I've just said around here, the sheer number of threats, the vulnerability landscape is, is increasing on a daily basis, exponentially, right? Which is then having that knock-on effect to your systemic risks, and your contagion risks. So, it's a really interesting position we're in right now. Because whilst we're seeing more, more attacks, more organizations having outages, and we saw it a few weeks ago, if you recall, there was a high street retailer, and a handful of high street retailers having issues with some of their processing of payments. While it wasn't confirmed whether it was a cyberattack, it still highlights you know, there's a there's a systemic risk here, knock on contagion risk, that if a critical infrastructure provider that maybe provides services to a number of organizations, if they have an outage, the impact of that is, ultimately for some organizations, they don't have a contingency plan.
17:08 Raghu Nandakumara
Yeah, I couldn't buy my vegan sausage roll from Greggs a few weeks ago. It was a hard day, that day.
17:20 Indy Dhami
You have to go for the full fat one.
17:23 Raghu Nandakumara
So let's talk about, let's talk about regulation. And I think that the, that you're absolutely right, and I kind of was in the financial services industry for sort of before, before my current role, and that that constant challenge, the regulatory pressure, needing to be compliant, particularly when you work for a global organization needing to be compliant with all of your global regulators is a massive challenge. So, do you see the transformation or the evolution of regulations trying to become more unifying, so that they may be using slightly different words, but what they're asking is pretty much the same?
18:00 Indy Dhami
Yes, I totally agree. And I had this conversation a few weeks ago with a friend around the purpose of things like DORA, and I think the premise of it is correct, right? It's shifting the focus from merely just ensuring that, you know, you've got financial soundness, you've maintained an operational, resilient operational service. Despite those disruptions caused by an ICT issue, a cyberattack, whatever it is, it's been able to withstand and recover from, if not recover, or continue operations whilst you're, you're under significant stress from an outage or a cyberattack. And, you know, the way I see it in with some of these regulations, it's changing the focus of very siloed based approaches to addressing regulatory requirements to turning it into a, as I turn, is turning compliance into a team sport, you need to have your chief information security officer at the table for DORA. However, you also need to have the person that's responsible for all of the human resources, or the person that's responsible for your business operations, or you for your important business services. And the more mature organizations that I'm working in, that I'm working with are approaching it in that way. I have all of those key stakeholders at the table. They've understood that there are certain roles to play for each of these, these functions, and they're working together. So I mean, that's the biggest success of the scene. I mean, many organizations see DORA and other regulations as just one roll the eyes or another rotary activity that we need to adhere to that. I think, from a cultural perspective, it is having a much more positive impact. Well, come January next year, we'll see how correct that is. 
But at least in the work that we're doing right now with gap analysis, and remediation programs, you know, some of those key stakeholders are finally at the table and actually understanding and learning more about what their their peers are doing in your the security function or even from the cyber perspective, some of the CISOs learning more and engaging more with the ultimately their clients, their business stakeholders who they are providing the service for.
20:16 Raghu Nandakumara
I love the term that you just used there about how DORA is really is forcing, let's say, operational resilience, cyber resilience to become a team sport, because as security practitioners, right, going way back to I remember when I got my CISSP, right, like the theory said, security InfoSec, at that time must be a team sport, everyone needs to be engaged. But for too long within organizations, you've had the security function, and then you've got the, let's say, the application, the business development function. And I think you quoted that example of a high street bank saying that actually, we're sort of reducing our risk team because they're getting in the way of transformation. Right. So. So I think it's great that cybersecurity is now being seen as a team sport and the fact that regulation is enabling that, that's probably like, the first positive thing anyone's had to say about regulations, right? In terms of what it's enabling. So I guess that's a godsend.
21:24 Indy Dhami
But you have to you have to see these things as a positive. Right. Many organizations that I work with are starting to realize that, right, there's, there's things in what you do with when you look at some of these, these regulations, you realize that we do a lot of these things already. Right? It's just structured in different way. And there are some overlaps with some of the other regulations. As long as you're smart about how you approach it, you don't need to replicate and recreate something new to deliver on some of these key areas. And actually, where the gaps that are identified, highlight areas where they may need more investment. So, for example, with DORA you've got this whole information sharing piece, and that's a really hot topic at the moment, because it will how, how and when do you share information, if you are breached in different jurisdictions have different regulations. You know, if you have to report in the US the SEC have different requirements than they do here with the ICO. And you're managing that information securely and in a confident manner that you can actually provide the factual information is one of the big challenges that's come out of DORA. I mean, if we think about some of the other areas, the digital operational resilience testing element, right, which is a very, very broad statement, you know, that could include pen testing, it could be looking at your software and your code and ensuring that it's checked in and out and developers don't have incorrect access. And then it goes on to a number of different areas like, identity and access management, it talks about network security, it's very, very granular. But if you if you've been working in industry long enough, there's nothing groundbreaking in that it's just it's just a harmonization and focus that's been brought to light with some of the granular level of the text of regulatory texts standards that are that are in the in the regulation.
23:16 Raghu Nandakumara
Yeah, I agree. Absolutely. Right. And like you, I've spent a good few hours sort of very deep in the minutia of the of the regulations. And, and I agree that none of what the regulations are requiring organizations to do, and we've talked about DORA extensively, but to be honest, we could replace DORA with a number of the other regulations that have come out globally over the last couple of years, that they're, they're always rooted in the fact that assume the unexpected is going to happen, right? Whether that's like a, like, an environmental event, like a volcano erupting, or whether that's a cyberattack or in your environment? And what would you put in place to ensure that you have the best understanding of your environment, right, to be able to be resilient to that right to limit to contain the impact of it so that you can continue to be productive while you recover this, this small part of it right. And what I what I think is better now with these regulations, is that the overarching objective is far clearer. Right? There is a far there's far more clarity on why organizations should be doing this. Would you agree?
24:27 Indy Dhami
Yep. Yeah, totally agree. And, you know, we spent a lot of time on DORA. But if you take these two, for example, you know, there's huge overlaps focused on risk management, corporate accountability, reporting obligations, business continuity, and then a set of minimum measures, the things that they must have in place. And I looked at DORA and looked at NIS2 and then I went back to 2004, 2005 when I was at Mercedes, and we were implementing ISO 27001. And to be honest, there's nothing that different fundamentally, and it was, is a piece in the standard which talks about management responsibility, which again, ties in exactly closely with what NIS2 is saying around corporate accountability. It's about setting the tone from the top, having the appropriate leadership and governance mechanisms in place, having people trained, so they're aware of, you know, what to do when the worst happens. So, I mean, it's one, it's one of these things that we've been in industry long enough, they're just different permutations of standards and controls that have now come to the fore in quite scary for some organizations with these new potential risk of fines for not adhering to a number of regulations that are applied specifically to their industry. And I think many, many for many years, it's been brushed under the carpet. You know, as I said, there's organizations that I've worked with that said, Indy, this has never happened to us, you know, no one will be interested in the data that we hold until I start asking some more of the probing questions about, "Okay remind me what your business does, remind me who your clients are, and think about who potentially could benefit from accessing that information, and then using it for other purposes." So, you know, I mean, that's considering that it's not that long ago, and it's probably in the last ten years. However, that has changed.
And I have to say that a lot of the board and non-executive directors have become more savvy with regard to what is needed, difficult questions to ask CISOs. So, you know, it's taking a bit of a painful process to get there. But I think we're there now. But what it does highlight is that many organizations have simply under-invested in security over many, many years, and it can't be fixed in a, "Okay, let's do a remediation program and get me back into my within my risk appetite within six to nine months." Considering that there's been years and years of technology infrastructure that some of which in many organizations is out of support. So, Microsoft will not patch some of the servers that these organizations have. So, trying to find the remedial controls for some CISOs is almost an impossible challenge.
27:09 Raghu Nandakumara
Yeah, I agree. Right. And it's, but it's, I think it's great. I think what you touched on is the like execs and are far more or far better informed and are starting to ask the right questions, right. And I think that's that shift. If I connected, it's shifted from being compliance-focused to being sort of resilience and productivity-focused in many ways, right? And saying, saying to the CISO, what you're delivering to us is enabling us to be more productive, right? It's not. It's, I mean, compliance is important, but it really needs to ensure that we don't compromise productivity. So, I realized that this is a Zero Trust podcast, and we haven't mentioned Zero Trust. So, let's talk about that. Right? Fundamentally, everything that we're talking about revolves around having this focus of, of Zero Trust, and, and it appears in the regulations as well. So yeah, let's go down that route.
28:02 Raghu Nandakumara
Let's okay, let's go. So, let's start, right? So, we've had many, many others on this podcast and everyone sort of shares their interpretation of Zero Trust or an analogy that they use. So, Indy, the stage is yours. So, what's your Zero Trust analogy?
28:22 Indy Dhami
We spoke about this a few weeks ago, and it was off the back of conversations that I have with friends and colleagues, those that are working out on the NEOM project in Saudi Arabia. And that to me jumped out to me is that, you know, if you were to build a new city, if you had the opportunity to build the city from scratch, but how would you go about building in trust, privacy, and applying almost that Zero Trust analogy into building the city? And it got me thinking really is, you know, if you think about UK, it's very traditional, traditionally built country over many, many years. But if you had that opportunity, what would you do? And if you'd focus, probably more on the US-type model, and I spent time at Mercedes, which is in Milton Keynes. So, the slight, slightly use that model there with the grid system, but you take city blocks as almost sort of workload segments. And in our imaginative city, you know, each block would represent a different workload segment. Now, these could be you know, these blocks will be housing specifications. It can be services, it can be workloads, but just as the city blocks have those residential and commercial industrial areas, our city blocks would have different purposes. It could be web servers, can be databases, it could be your payment gateways. And then for that, then you'd also have streets, you'd have your, you have rules of the road as well, right? So, the streets are connecting those blocks, like a network path. Then you've got your traffic, which is your data packets. They're flowing between the blocks as well. So then you think about actually we'd need microsegmentation of Zero Trust to set up specific rules for each street. Some streets may only allow specific types of vehicles, data, while others are closed off entirely.
And then you probably have security checkpoints, at the entrance of each of these blocks, you know, there's a security checkpoint, think of it as a, as a gatekeeper, before allowing anyone through, or that data packet through, now they need to be verified, they need to have that identity checked and the purpose of why they're traveling through that, that particular zone, and then only authorized traffic is allowed. Then what I thought about was actually, you could have these Zero Trust lanes. So within the city, you've got special lanes, that, you know, they're super secure, every set of traffic lights they'd need explicit permission to proceed through. But then you'd also need something around isolation and containment if fire breaks out in one particular block, that could be a cyberattack, you know, do you have a way of segmenting that can ensure that it doesn't spread across to your other block. And then those other blocks remain unaffected. And you manage that, that fire, that breach within that particular domain?
And then, for your city, you'd also have to customize signage, right, then each block would have its own security policies. These could then like dictate who's coming in, who's going, how they communicate. For example, you know, you have your database block, and the sign may say, only authorized database queries allowed, right? So this is, the way I see it, you have to be dynamic as well. So dynamic as a city evolves and the planners are adjusting their streets, their checkpoints, and then your microsegmentation would allow you to adapt to changes in the workloads, the applications, you've got new cloud, new cloud controls coming in. So, in summary, if you were to build a city and apply that Zero Trust analogy, that's the way I think I would go about it. Now, I'm not a city planner, can't claim to be. But you know, maybe that's, it's an interesting analogy. It just came to my mind. Not so long ago.
32:11 Raghu Nandakumara
I'm just imagining SimCity, the Zero Trust edition, right, based on the back of what you've just said, and I think we should just get everyone who's in sort of cyber resilience, cybersecurity, InfoSec to play it, and we should have a leaderboard and see who can design the best Zero Trust protected city. What do you think?
32:31 Indy Dhami
Yeah, it's a great, great game. I used to play that. And also Theme Park, if you remember Theme Park, and it just makes you think differently. And I think that, as a security professional, I think we've all, you know. I've seen many times where leaders go in front of the board, and they start talking in technical language. And it's almost clinging on to some of the C-suite. So how do we make it easier to understand? How do we make it resonate with them and apply it to what they're concerned about? One of the key things that I always do when I speak to the execs is: tell me what drives you? What is it that motivates you? What keeps you busy? And what keeps you focused on your role? Because the security team's responsibility is to enable you, to make sure that we're not the policing function. We don't just say, "No, sorry, you can't do that." We think of this like we're the smart people that know about security, technically. Right? So, how do we help enable the business? And how do we communicate to them in a language that resonates with them? And I think that's still one of the big challenges that I see, is that boards are still being presented with vulnerability scan reports, or, you know, here's a view of technical controls. And many of them simply, they care, but they don't need to care. They need to know what the business outcome is. You know, how is this supporting us going and building a new data center in a different location? Or how does this allow us to build a new application for mobile devices so that we can provide new services to our customers?
34:04 Raghu Nandakumara
Yeah, I completely agree. Right? I think it's so important as security professionals, and actually, now that I work at a vendor, as security vendors, to be able to connect, really, like, what we do, right, with why it's important, to ultimately, like, the goal that we're trying to drive. And in an organization, that's, okay, what is the business objective? And then how does what our program does connect to the business objective? And do you think that, like, organizations that are adopting a Zero Trust strategy, that they're able to tell a better story about how that strategy is aligning to the business objectives, or is that still there?
34:52 Indy Dhami
I think there's probably two types of individual: those that can tell the story well and articulate it in a language that the board can understand, leadership understand, the business gets. And those that are still focused on technology controls. Now, I'm seeing more; luckily, I'm more on the left side, articulating what Zero Trust is. And it's all about setting that scene. If you frame it in the correct way and make it resonate with those leaders, I think you can be very successful in delivering that Zero Trust approach.
35:26 Raghu Nandakumara
So what do you say, like, in terms of the adoption of a Zero Trust strategy? Right? Are you seeing more and more organizations really have that as a top-level initiative that is being tracked, let's say, at the CISO level? Or is it something that is just bleeding into every part of the CISO program and not necessarily being called out explicitly?
35:49 Indy Dhami
It's probably a combination of both, really. In some organizations, it fundamentally forms part of not just their cyber strategy, but it's permeated into operational resilience, right? Because it's been positioned in such a compelling way. It's a no-brainer. And then there's the other side of it: by osmosis, or just by pure chance, it's happening in a number of these transformation programs; it's being raised at an early stage of design. And organizations are managing it that way. So it's probably not at that stage where everyone understands it and it's implemented for the right reasons.
36:26 Raghu Nandakumara
And what goes into it when you go to your clients, and you're helping them establish a Zero Trust strategy, right? What is typically the path that that takes?
36:43 Indy Dhami
Typically, the way I approach it is always start with: what is it you're trying to do as a business? Right. And many, many years ago, I was taught this, and I still don't see many professionals doing it: pick up your business strategy, pick up the annual report, understand what the business is trying to do, and then overlay: here's how security, and here's how Zero Trust, can support us on these four strategic pillars. And if you can describe that in a way that's simple enough, it's always the best starting point, because then you can start going into, okay, so these are the technology controls that we need to deliver on each of these points. And it's about breaking it down in a consumable manner.
37:29 Raghu Nandakumara
And do you think, I mean, what we hear, right, is that Zero Trust has been over-marketed? And I agree, right? I think that, to some extent, it is over-marketed. But is there a real acknowledgement now, generally amongst the practitioner community, that as a strategy it absolutely is robust, and you need to get on the train, right, and think about how you're going to implement it?
38:03 Indy Dhami
Unfortunately, it's like many other buzzwords, probably over-marketed, and for many organizations claiming to provide Zero Trust capabilities, they don't. They may do in certain guises. But, you know, it's unfortunately turned into one of those buzzwords. So again, if you have someone that can articulate it, you know, it's really focused around: you verify explicitly, so then always authenticate and authorize based on the available information you have; focus on least-privilege access. But then there's another term, which is probably not used that much, the principle of least functionality, as well. So yes, you have least privilege. But then also, if you do have, you know, people with specific access rights, you want to limit the amount of functionality they may be able to have with their particular credentials. And also, I think that assumed state of compromise has started to land with many organizations, because they're starting to see, and unfortunately, the more we pursue and focus on trying to identify our estate, the more you realize the problem that you have at hand, which is a double-edged sword.
39:24 Raghu Nandakumara
That's a great quote, right? The more you go and discover your estate, the more you realize the problem that you have, that you haven't had. And I think that's also fairly scary, because it just indicates how little we actually understand about our estate. Right. And I think that's the realization that many organizations come to when they start this: that I actually don't know what I've got going on, right? So how do you get over that hump?
40:00 Indy Dhami
I mean, it's probably sometimes a challenging moment; many people try to avoid knowing. You know, I've had some CISOs saying to me, "I'd rather not lift up that paving slab, because of all the creepy crawlies that will come running out. And it will then land on my desk to try and remediate it." And one client of mine said, "I joined the organization two years ago, but I can't be responsible for the previous 20 years of underinvestment, poor technology design." So, as I said, it's a double-edged sword, but by going about it in the right way, by focusing on, okay, let's understand what we have, let's go out there and start discovering our enterprise estate. And it is a sprawling bowl of spaghetti. Now, let's be honest, it's not an easy task to identify all your technology components, you know, and in the old ITIL days, maybe still ITIL days, your CIs, your configuration items. Do you understand, and do you have a documented map and inventory of, every single configuration item you have in your estate? Most organizations will probably say no.
But then how much of that do you really need to know, right, to ensure that you're resilient? Maybe 80-90%; you could get away with, you know, a variance. But unfortunately, many organizations probably are not even at that 80% visibility of their entire estate, especially when you have, maybe more so with those organizations that are born primarily in the cloud, it's probably simpler for them. But it's not a done deal, because then they have their third parties and then fourth parties. And some of the regulations are going to such a granular level of detail of expectations of you having visibility of what your connecting parties and service providers have in connectivity to your estate. That is, again, something that's a little bit new for many organizations to absorb, and then have the capacity to go out and have that conversation with critical suppliers.
41:57 Raghu Nandakumara
I'd say that cloud gives you the tools to make it easier. But if you're not following the best practice, you're potentially creating an even bigger problem, just simply because of the ability to so quickly spin up all kinds of types of resource, right, which at least has a gating function in your data center, which is, "Ah, you want a new server in the data center? That'll be six weeks."
42:23 Indy Dhami
But interestingly, you know, if you think about some of the large breaches that we've seen over the last few years, there have been a handful of them that have been in the cloud because of access rights to a privileged user that had been left orphaned. And then those are then being accessed by a threat actor and used to move across the organization. And interestingly, I'm seeing, I'm not sure if you've seen this, there are conversations that some organizations are having around: is it cheaper for me to not be in the cloud anymore, because the costs are spiraling? And in particular, some of the new regulations are having an impact on the cost to the cloud providers, because the cloud providers are now also under the spotlight for regulation. And the question is, who's going to be responsible? And who's taking the cost, who's absorbing that cost? And it more than likely won't be the cloud providers; there will be a knock-on effect to their customers. And is it cheaper then to remain in the cloud or build their own data centers again? Which is a really strange position to be in, because we're going back to how we were many years ago. And maybe it depends on the size and the scale of the organization. But for a small to medium-sized enterprise, it may not be as cost-efficient as we were told many, many years ago.
43:45 Raghu Nandakumara
Yeah, I've definitely come across a lot of those studies, and it all kind of boils down to that in order to achieve the benefits of the cloud economics that are marketed, you kind of have to be very specific in the types of application you run there, how you design them, so that you're benefiting from all of that, like, on-demand nature of it to truly optimize.
I want to go back to something that you said, right? You're talking about the amount of data, the amount of information that you need in order to be able to make progress. Right. And organizations struggle. And often, they typically don't necessarily even have, like, an 80% understanding of what they have in their estate. So, like, how much information is enough to start making progress, right? Because I think that's the barrier to Zero Trust adoption. One of the barriers is that I don't think I have all the right data points. And so I'm going to wait. So what's your response?
45:00 Indy Dhami
Yeah, I mean, it's a great, great point you've raised, because, in many cases now, it's the point where it's okay not to have all the data, right? We can take some informed decisions, right? We can use the data points that we have and, you know, in the past I've built a dashboard for an executive leadership team to say, we're answering these four questions that you've set us, you know: how secure are we, you know, what are we looking at, what are our biggest areas of focus? And the dashboard was fundamentally built on how much confidence we have in the data points that we have: a red, amber, green status. We can answer this one question that you have, because I have all of the data points and have all the logs that allow me to confidently answer this question of how secure we are. However, on some of the other points that you may have, you may have all the points of interest; we're only answering it to a 50% level because it's an amber status; we only have partially the information to be able to respond to that. And that's where things like cyber risk quantification are actually really coming in right now. We're seeing many of our clients coming and asking this: so, how do we apply cyber risk quantification if we don't have all the data points? Because surely this is an exercise where we need everything to be able to truly quantify it. And that's not the right approach. It's: take what we have, use our existing knowledge, use some subjective judgment as well, to a certain point. But, you know, moving to that risk quantification model, which is fundamentally built on what the finance industry has been using for years, right, when it comes to how they make some of the predictions of how the market will move, you know, and applying that logic, which then allows you to speak the business language in the finance world, but applying it to cyber, has had a real big impact at the moment.
46:47 Raghu Nandakumara
Yeah, and I think, absolutely right, because you need to have a way of being able to make progress with so many unknowns, right, and often unknowns that you have no control over. Right, and otherwise, it's usually just going to stagnate, and perfection is sort of the enemy of progress.
So, just looking forward, right? Actually, before we look forward, I want to come back again to that news item that you mentioned about a financial services organization essentially reducing their cyber risk function. Sorry if I misquoted it; it's just their risk function, right? The focus, like, reducing their risk function because it was hampering their ability to transform, right, and innovate. And surely, the approach that organizations should be taking is bringing those functions closer together, so that innovation can happen in a secure way, right, secure by design, and all that. So that, for the things that you're building, security is involved early, so that when they're built, you know that they're secure. You're not going asking for approval later. I mean, what are your thoughts on that? Is that the approach that's being taken? Because surely that's against what we're sort of preaching as best practice.
48:26 Indy Dhami
It is. And I think there's an opportunity to harmonize. And this is something that I've been preaching about for many years. And actually, one of the whitepapers I wrote years ago was, "Now's the time to converge risk, security and fraud," right, from the financial services perspective. And unfortunately, those functions, I still see maybe risk and security coming together more often. But fraud is still a siloed capability. Which, you know, doesn't make a lot of sense, because the things that you'd monitor for would overlap with the things that cybersecurity teams are monitoring. But they've gone and invested in significant tooling. And that's probably part of the problem, is that siloed approach has caused a significant amount of spending on a number of tools. You know, one client said to me, "If you think of all of the tools in the cybersecurity market, I've probably got one of each." Right? Yeah, the budget is that sizable. But are they really getting the most value out of it? They're not optimizing. There are some organizations that I worked with that had close to 20 different SIEM tools across the globe, because an organization in Germany had gone off and procured one, built their own operations, and someone in the US had done the same thing. And that's probably still the state that we're in. And then, you know, business leaders are looking at the cost of it; it's fundamentally quite expensive. So, the answer was, let's cut some of this risk team. You know, it will reduce some of the costs and it'll allow us to innovate, but then it exposes them to a number of other areas that they probably haven't considered yet, or maybe they have, because some organizations are prepared for it, have contingency set aside for a breach or a GDPR fine. And sometimes it's a business decision that will accept that the worst will happen to us, and we'll have to deal with it as and when it happens, if it ever happens.
Because I've had this said to me before, but you know, "All this cyber stuff is, it's a bit of an insurance policy really, isn't it? Because it might not happen to us. We don't get our money out of our investment."
50:31 Raghu Nandakumara
But it helps you make money, safe in the knowledge that you're, you're protected to the best efforts possible.
50:40 Indy Dhami
Sometimes that's not enough.
50:45 Raghu Nandakumara
Sometimes that's not enough. So okay, so let's look into the future. The fortune teller looks into his crystal ball, right? What do you see as the challenges, from a cyber perspective, that are going to be facing the financial services industry over the next few years?
51:00 Indy Dhami
So for me, you probably won't be surprised, I'd say the use of AI, both from a detective and control perspective, but also the threat actors who are using a number of different AI tools, machine learning, to fundamentally automate some of their attacks, which lowers the cost of entry for them. Because some of these, as I mentioned, some of these highly organized threat actors, they have people putting in manual effort. That reduces their cost but also increases the attack surface, so they can continuously attack while they sleep. So, AI being one, and the emergence of quantum computing, which will have a knock-on effect on everything, because it can then defeat all of the encryption measures and things that you have in place. So, for me, that's probably not just for FS. That's for every sector.
52:01 Raghu Nandakumara
Yeah, and for those who watch the video and are wondering what I was doing, my daughter unplugged my charger, so I had to go and plug it in before I got cut off. So yeah, and I think we hear that, I mean, both the effects of AI, and then the potential that quantum computing offers, particularly about how it potentially makes current crypto algorithms essentially, not useless, but very vulnerable, right, to being broken in measurable time. But in terms of the AI, of course, highly topical, no surprise that you went there. In terms of the real use of AI by attackers, right, we obviously hear, let's say, okay, they could create deepfakes, they could create brilliant phishing emails that you and I would be susceptible to, right, forget my dad clicking on everything he receives. But what about the threat of, let's say, like, ransomware that is in your organization that has got access to gen AI in order to adapt in real time? Do you see that? Like, we've seen examples of that from research, but how real do you think that's going to be?
53:22 Indy Dhami
I think it will be real. You know, I've been thinking about AI for several years now and wrote a blog post about, you know, is it opening a Pandora's jar, rather than box? Because technically, it was a jar. And I think we're at that stage where, you know, actually one of my good friends and colleagues, he said, you know, the use of AI? His view was that it's like inviting a vampire into your home. And then it's too late, they're in. So it's potentially one for your threat actors. It's your own internal use of AI. How can you trust it? Is it delivering on the outcomes you're expecting it to do? Can it be tampered with? Right? Does the model then create something that was completely unexpected, which then has a knock-on effect on a number of your other business components? So that erosion of trust is a big concern to many organizations, and you touched on the deepfake element, and we're seeing some very, very sophisticated deepfakes that, as you said, security professionals will be easily fooled by.
So it's a very worrying era that we're living in right now. Because, you know, how do you really trust, and how can you then verify, whether the person that you're speaking to, on the other end of this podcast, for example, is the person you're expecting it to be?
54:54 Raghu Nandakumara
Exactly, I mean, I may not be Raghu at all, right? Just a deepfake version. I'm speaking to a deepfake version of Indy. So, as we wrap up. You're obviously very focused on a highly regulated industry, right, financial services, amongst the most regulated, if not the most regulated, globally. What excites you, but then also what scares you, about the near future?
55:21 Indy Dhami
So what excites me is, actually, it's people. The people that I work with, and the clients that I work with, and they do some really interesting things; there's a lot of innovation happening. Like, the world has changed a lot. If you go back to how we're engaging with everything on a day-to-day basis, the technology is around us everywhere, for really smart purposes, really interesting use cases, some health benefits, too. So, you know, the ingenuity and innovation of man, you know, it's great. I love reading about new technology, and also love reading about some of the technologies that allow us to see further and further into space. It blows my mind when they discover some of these planets; the sheer size of them you can't fathom. But what scares me is that sometimes I still see organizations doing the same thing over and over again and expecting a different result. And that, for me, is the definition of insanity.
56:18 Raghu Nandakumara
Yeah, totally. I mean, I completely agree. And this is where I think that, actually, when we think about how we protect our future, it's not about having to do new things necessarily. It's really about being firm in how we do so many of the basics that have underpinned, say, like, cyber for so long, right? And I think that, to me, as a practitioner, is the bit that I always get concerned about. Whenever I see the next new technology, I think that's great. But there are so many things that we still just need to fix.
56:57 Indy Dhami
The foundations, the foundational elements, you know, and I'll go back to that point that I made around my time at Mercedes. We built this quality management system that had all of the processes; security was embedded. I still have some of my colleagues that no longer work there, we've moved on, and they tell me, "Indy, what we were doing there at that time was so far ahead, you know, we still don't see that now." Sometimes you go into organizations: show me your documented processes. And you have, you know, a whole bunch of different systems that are probably out of date; the policy has not been updated in many, many years. And I think it's: get your foundations right before you start trying to go and buy the new silver bullet, shiny, whizzy technology. Right. But if you can't get the foundations right, think about how you mitigate your risk and get your risk management controls in place. And this fundamentally goes back to what cyber resilience is about and what operational resilience is about. Have those foundational elements in place that allow you to continue to operate if you're under attack, if you've lost your office space for whatever reason; you can still operate as a business, because it goes back to the whole point: what is the core purpose of any business? Right. And if we can support them in their journey as a security leader, then fantastic, and that's what motivates me.
58:15 Raghu Nandakumara
Yeah, absolutely right. Get your foundations right, to allow you to continue to operate and continue to innovate.
58:25 Indy Dhami
Exactly.
58:29 Raghu Nandakumara
Oh, Indy, it's been a real pleasure speaking to you. I think we've covered so much that we could quite easily go on for probably a couple more hours. Like I said, right? I think we could give you a season three of 12 episodes just for you, right, and unpick Mercedes, unpick your time at KPMG, Accenture, etc. But thank you so much.
To our listeners, check the show notes for a link to Illumio's DORA compliance resources, where you'll find everything you need to know about this significant ordinance. Zero Trust security helps achieve compliance with DORA, which impacts all banking, financial services, and insurance entities that operate within the EU. Stay tuned for an upcoming episode dedicated to exploring the EU's DORA regulation in detail.