Hi, everyone. I'm Mirela Ciobanu, Lead Editor with The Paypers, a global financial publication. And we are live at cyberevolution with Andrzej Kawalec, Head of Cybersecurity for Vodafone Business.
Hi
Andrzej, Yeah, hi. Nice to meet you. And I'm curious to learn more about your professional background.
Yeah.
And, yeah, you once said that security is the enabling layer for innovation. Maybe to connect these two ideas.
So as you said. So I'm responsible for security for Vodafone Business, which now, we look after 6 or 7 million different businesses around the world. And they face a vast array of threats. But I think, you know, what I've learned over the years running large security organizations, as CTO, HP, working with NATO and other people, is that security really isn't an environment to say no in. Security lets you go faster, it lets you use technology in a better way. I often describe it as the brakes on a car, and nobody would say, well, the brakes don't let you go faster. But actually, if you ask any racing driver, what's the most important part of the car? It’s the brakes! They let you slow down. They allow you to drive faster because, you know, you can stop if you need to, or you can navigate the road. So I always say, security is like the brakes on a car. They let you go faster and then they can stop you when you need to. And I think if you think of it that way, not only does it protect you, but it enables you to use the digital world in really cool ways. I think if we hold on to that, then security isn’t the Department of “No”, it's the Department of “Go faster!”
Since you mentioned go faster. So Vodafone has lots of customers, users, and some of them, most, many of them are SMEs. I am curious, if I were the CISO of a, yeah, a smaller merchant or payment service provider, how can I make my car, yeah, go faster? And how can I make sure that they have the right brakes, taking into account the fact that there are many things that I should be concerned about? So first, what should I be concerned about? And then how to pull those brakes?
Yeah. That is a great question. And I think, and we talked to a lot of our customers, we have over 1.6 million people who, you know, who consume our security services every day. But what we've noticed is, you said if I was the CISO for a small organization. Small organizations don't have CISOs. They don't have chief information security officers. They don't have a security team. At best, they're a group of people trying to do their very best, you know, in retail or manufacturing or services, but they don't have an IT team and they don't really understand the same big challenges that are facing everybody. Governments, banks, Vodafone, we're facing a dynamic and relentless threat, an adversary that's trying to steal our secrets, our data and our money. We face technology that's moving faster than we can really keep up with. We'll talk about AI, I am sure. But what does that mean? Small organizations don't know. And we're also facing regulation that is complex, sometimes aggressive, and often different by country, by region, by state. So if you're a small business, you look at that picture and you're not a security expert, you're really, really bewildered about, as you said, which brakes to buy, which, you know, which controls to put in place. And small customers just need help. So we looked across Europe and there's, I think, 24 million small businesses across the European Union. That's nearly as the vast majority of all businesses in the EU, 85 million employees and two thirds. So two out of every three of those organizations do not have a plan for security.
And then what's the plan? How can we help them?
Well, I think it starts. So it starts with, as you would at home. You know, if I said to you, what are the most important things in your house? And you talk about, well, it's, you know, sensitive objects. It's passing me my passport. Maybe it's money. Of course. My family, my loved ones, my pets. And I think you have to go through that process with your business. What are the most important assets you have and how do you protect them? How do you use them but lock them up when you're not using them? How do you protect your employees? When you think about each person in your organization, their identity, their devices, their email, how did you train them and let them understand where to go in the event of a cyber fire? When you think about it through the lens of the most important things I have, the most important people I have. And then particularly, what would I do if there was an emergency? Who would I call? Who would, you know, who would be my cyber fire brigade? If you can answer those questions, you've made a massive step forward.
So now you've portrayed a bit of the strategy, the points to take back home. But now I'm thinking strictly of technology and technological solutions, or what those solutions might be: AI, digital identity, both, more.
It's a great question. So I think it comes down to, again, what do we use the most, genuinely. So identity, super important. Understanding the digital identity, how you authenticate, your passwords, your permissions, really important. The things we use, the devices, the laptops, the phones that we all carry all day, every day, that we use to connect, and the, you know, the applications. So really, controls around those. So endpoint detection, identity, as well as, you know, application and access services. Those are really, really key. I think, so, a focus around the employee, a focus on secure connection. So can you really work securely from anywhere? As we learned through the pandemic, and to work for extended periods of time and collaborate with people around the world in different homes, in different cities, in different countries, can you work securely from anywhere and connect to anything that you need to? And then I think the third sort of discrete solution is being able to monitor and detect and respond. So those MDR, those managed security services where somebody like, you know, Vodafone or any partner can really help you and tell you when you're being attacked and what you should do. We’re all trained, I think from an early age, you know, in the event of a fire, right, an alarm will sound and you should exit the building and you'll be met by somebody. You should use the stairs, not the lift. You should, you know, take one important thing, not wait. Most cyber emergencies don't have those rules. People don't understand where to go, what to do. So, for example, if you're being, you know, the subject of a cyber attack, should you use your email or not? Should you turn your computer on or not? At that point, you need advice, need somebody that you can speak to who can advise you and say, that's great, we've got it from here. Go and have a cup of tea. You'll be okay. And I think everybody needs that peace of mind.
So really focus on the employee, the individual, the controls around identity and device and application, connect securely from anywhere to anything. And we, you know, there's lots of ways of doing that. And then really have somebody there who's got your back. Right. So when the emergency does happen, you know, you've got somebody you can speak to, somebody who can help and advise you.
And if I were to, yeah, work with somebody that would help me through all of this process, would it be challenging for me to implement all these systems? So what should I do? Should I change my employees' mindset, how to integrate all this within my business?
I think that's such a really brilliant question or discussion because you picked on two things. One is, is this hard to integrate?
Yeah.
Yes. It's hard for trained IT and security professionals. Big organizations have on average 90 different security controls that they try to integrate.
So I've seen this event. Yeah, yeah. The boxes and course. Yeah.
But smaller organizations have on average 17. You ask most small organizations, could you name the 17 security controls you have, you've already bought, and they wouldn't know. So yes, they need to be integrated. I mean, we take a very simple approach that says, yeah, these things need to work together, and they need to give you a single traffic light view of your organization's risk. Right. Are you A, B, or C? Are you good or bad? How does that work? But the second point you raise, I think, is as important. And that's the people.
The people. Yeah. Changing behavior.
Changing behaviors or actually helping people become more literate around security, help them understand what the things are. We often in security, we describe people as the weakest link. We say things like, there's no patch for people. Well, actually, we should turn that on its head, right? People are your first line of defense, and helping them understand the risks and recognize threats. We asked about 3000 people in the UK very recently if they felt prepared to respond to an AI phishing attack. 95% of them said no, 95.
So we need to help people. Yeah. Almost everybody. I mean, would you feel comfortable responding to an AI phishing attack?
The rest were the CISOs.
Yeah, yeah
And big corporations. Yeah.
So we really have to keep investing in our people, helping them understand the risks and know what to do when they get that email or that phishing attack that looks real, but they're not sure. We have to ask people to really question things, but know what to do when that happens. So training and awareness and that human risk is as important as the technology and the security risk.
And since we mentioned technology, security, we're here at the, yeah, cyberevolution. What are some trends or ideas that you take back home from the event?
I think there's a couple of observations. One is, as you said, security is so complicated, so many different aspects of it. And as an industry, we need to really simplify security for businesses of all sizes. I think it's something we can do better at. So my first observation is we make things deliberately complicated. Secondly, when we start to think about the promise of, let's take AI, there’s huge advantages from a defensive perspective, but there's also huge advantages for the attackers. And I think that's what makes security so dynamic. Every time we...
This interplay...
Exactly. Every time we create a new piece of defensive technology or control or process.
We need to improve our brakes.
We need, we need to keep improving our brakes. As our cars get faster. We need to improve our brakes so that they never stand still. And there is room, and there are room for experts in this. But we need to really make sure we understand how to deliver these things at scale.
Yeah, great. Thank you, Andrzej. And, yeah, we look forward to our next interview. Next edition. Hopefully we'll film it in the car. A little bit. Amazing. Thank you.