This is going to be a kick-starter. Please welcome John Hammonds.
Good morning, everyone.
Come on, stay here. Okay. Give me a minute. Give me a minute. Oh yeah. So what are you responsible for now at KPMG?
So I'm a partner with KPMG. I'm responsible for the cybersecurity practice in the Netherlands, I'm also part of the global management board on cybersecurity, and I'm currently dealing with many engagements with boards. I must admit, that's a new hobby of mine.
Okay. So you're a friend of the board, so to say. Are you a friend?
Hopefully, hopefully, yeah.
Hopefully you're a friend there.
What's the most important question they're asking you?
Can you help me decide where I should invest? That's, I think, the most important question.
Okay. Will you give us some answers?
Absolutely. Yeah. Hopefully I will give you a couple of pointers, and let's see what we can do. Okay.
Very good. Thank you.
Good.
Good morning, everyone. Good morning. It's always difficult if York is asking you, can you do the session at 8:30? I think this is my sixth, seventh or eighth, and this was called the espresso of the espresso session. And that means that every time people are just wandering in, because of course everyone is still having a headache from yesterday evening, having beer, or still having a hangover from the Bayern game. They lost three-zero, I must admit.
Yeah, that was not very good. Good. What I will do in 20 minutes, because I normally take a lot more, is explain to you a little bit what we are currently doing with boards. I must admit, in the past, five to ten years ago, normally I was only speaking with IT directors on cybersecurity, on IT security. And now, checking my diary, basically I have meetings with CFOs, CXOs, CEOs, but also with supervisory board members. And I will say that's really fascinating.
And that's also a bit scary, because that was of course a level at which I thought I would never be talking to those kinds of people. And of course the type of questions you're getting there are so different from the type of questions we got in the past from IT directors or CISOs. So I'll just start with a couple of very simple opening statements.
And of course I'm going to ask you if you would agree or not. So: cybersecurity is here to stay. Who disagrees? Good.
So everyone agrees. That's very good. So the other thing is, of course, that what we are currently seeing is a very big increase and a change in our threat landscape. I will come back to that one. I notice I've already been almost 24 years in the IT security industry. So when I started somewhere in '94 with IT security, I never thought that what's currently happening could happen.
So I'm always saying to my board members, I just feel like a young boy, like a little James Bond now, because if we talk about state-sponsored crime and organized crime, that's really something we saw in the past in the nice movies, the James Bond movies. The second one: there's an increased market for cybersecurity and cybercrime tools and stolen information. Who would disagree with it, or who would agree and would like to comment on it? How big is this industry?
That's also a question I'm getting from board members.
So one of the questions they are asking: John, how big is that? This is a multi-billion-dollar business, cybersecurity, but also the dealing in all kinds of stolen information, IP or credit cards, or dealing in just cybersecurity tools. That's a million-dollar business. So what's the current list price of a thousand stolen credit card numbers? Who knows that there are even websites where you can buy that? So I think the current list price is around $150.
And if those credit cards are not working, you just dial a help desk number and you get new ones. So it's really a business.
Of course, the fact that we are hyper-connected means that we are getting more and more opportunities for attackers, and of course that will continue. And all organizations are currently in the process of further digitalization of their organization, using cloud, using bring your own device, using big data. And of course the time to market for actually getting these kinds of solutions out is getting faster and faster. So that means that inherently there are vulnerabilities in all those systems.
And of course attackers will actually use that. And the last one is that the awareness of cybersecurity is pretty low, but that's changing quite fast.
I think all of us engage in cyber awareness campaigns at our companies, but you also see that many governments are currently picking up certain campaigns, actually to warn the public on what to do with cybersecurity. In the Netherlands we have a couple of pretty good examples.
Normally I'm always showing a video on how you can earn 100,000 euros in five steps as a hacker. Now I don't have time for that, but that's also a kind of campaign. It was from the national society of banks, actually showing what could happen; I will probably send you that URL. So that's a very simple one. So what did change, if you look from the viewpoint of managing risks? Of course, in the past we were basically managing the risk of some people or internal staff committing fraud or misusing our systems. That was in the past.
And if you're currently looking, we have a changing threat actor landscape: from what I always call those 12-year-old boys and girls with their scripts, to really organized crime, to state-sponsored crime, who are really looking for valuable information, whether it is organized crime or state-sponsored crime.
So if you are managing your cyber risk, these are your opponents. And then the first question I'm always asking all the boards is: who are you really afraid of?
Are you really afraid of a little hacker, a 12-year-old boy, whose only motivation is: I would like to be on the wall of fame because I could prove that I hacked into that system of that large company? And of course we all say, hey, that's really an image risk.
But let me be very honest on that one: being once in the media, that's not a problem; twice in the media, that's another problem, because I think most of this is really not so harmful, but harmless. But if you look into the other ones, like organized crime or state-sponsored crime, if that is the attack you are trying to protect against, since you have some crown jewels which are so important, that's really something I think the board should be concerned about, because that will really impact the continuity of your business.
So the first question I'm always asking people is: who is your threat actor? What are your crown jewels, who will be interested in them, and why? What is his or her motivation?
So a question back to you: who is using this kind of approach in his risk assessment, first starting with the crown jewels and then looking at the threat actor? Of course my colleagues here, but is this the first time you are seeing this? Or is this quite generic? Come on. It's also early for myself.
Good. Looking back, this is about managing risks, but then the question: yesterday there were a couple of sessions on risk management, and nobody basically posed the question who owns this piece, who is in charge of cyber risk management. Who do you think should be in charge of cyber risk management? Who is that? Chief risk? Chief risk officer. Okay. Others? Board. Yep. Okay. The interesting thing is that in most companies it still is, up to now, the CIO, but basically it should really be somewhere in the board.
So what you're seeing in very mature organizations is either the chief risk officer or sometimes, and that's even better in my opinion, since it is so closely linked to the business, your chief operating officer. So at KPMG, half a year ago, we did an investigation in the UK. We basically checked out the FTSE 350, so the big list of companies, and we posed a couple of questions. And we were asking: who should be in charge?
And the interesting thing is that of those 350 senior stakeholders, almost 90% were saying the board should be in charge. So the question back to you is: in your company, is your board really in charge of cybersecurity? Who has a board member who's saying, I'm in charge? Give me that card, and then I will visit him. I will put him somewhere on stage and will actually ask him: can you spread your news?
Because this is typically something new: board members are not yet fully engaged with cybersecurity, not fully engaged with cybersecurity risk. It's improving, but we have a couple of challenges as to why they're not picking that up.
So the first one is that, if you're looking at board meetings, in the Netherlands we have a kind of dual system: we have the supervisory board and we have a management board. I think in Germany that's exactly the same, but in certain systems you only have one layer.
So, one layer. In most of those board meetings, IT is very limited on the agenda of that board. There's not one board member in charge of IT, so there's also not one board member in charge of cybersecurity. And that's quite strange if you look at the whole: almost every organization can't do without IT; basically all innovations are based on using IT; we're making more and more money by cleverly using IT. So IT is so strategic.
So it's very strange that apparently in the board, who are setting strategy, who are performing oversight on strategy, there's very limited attention for IT and very limited attention for IT security. That's quite strange. I'll come back to that later on. The second one is that the IT knowledge and the IT experience of most board members is very limited. So if you're looking at most boards, you see that most people have either a business background or a financial background.
And if you're looking at the supervisory boards, it's primarily financial backgrounds; I'll come back to that. Of course, there is also a lack of a common business language, or a common language. And I think that's something we did wrong. So basically we as an industry messed that up.
IT, but also certainly IT security: we are not able to communicate in a standard language, in a normal business language, to our board members and to our business, because we always talk in abbreviations, right? We always talk in a kind of IT lingo, and that's something board members don't understand. They really would like to link it to their business language. So if you're talking about risk, and we had a session yesterday as well where I posed the question, okay, how can we link IT risk to business risk? That's really a question.
People are asking us now: can you help me understand what is really at stake? And a risk is not that someone is hacking into my system; that's not a business term.
The business risk is really that I can't do any business because that system is not available anymore. So I think we as an industry should really mature to actually start talking more in business terms instead of in IT or IT security terms.
And the last point is that if we report to the board: who reports to the board on IT security in this audience? Probably most do not, but if you're seeing how people are now reporting to the board, it's very, yeah, tactical, operational-tactical.
We had this many incidents last month, we had this many breaches, but is that really the information boards would like to get to actually form the right strategy and to ask you the right questions, so that you are taking the right measures to protect your company? A couple of facts: we did an investigation in the Netherlands a couple of weeks ago. We interviewed more than 100 supervisory board members. And what we got back as well was that, as I mentioned, everyone sees that the importance of IT is there.
So IT is strategic for actually running a business; still, it's not on the agenda. Board members indicate what the major IT challenges are, and you'll see that security is listed third.
These are the most relevant topics on the board agenda.
And again, it's IT strategy, it's IT security. Interestingly enough, things like the cost of IT are apparently never talked about.
So that's also an interesting one. If you look at board members, and of course I'm also almost 50, so I'm also getting a little bald and gray: of those 100 board members, almost everyone indicated we don't have sufficient knowledge and experience in our board on IT. And basically that has three causes, because, as I mentioned, most board members never did something in IT. They were finance director, or he or she was in charge of actually running a business. But most board members were never in charge of IT.
Of course, as we all see, there's also a very rapid change in IT, so that most of the senior board members have difficulties in actually understanding what that change actually means, and how can I apply these new technologies to get a competitive advantage. And the third reason, of course, is the average age of a board. That's probably over 55, right, if you're talking about a supervisory board. And I must admit, if you're dealing with board members, it's always funny.
What's the biggest mistake you can make if you are having a session with a board member to talk about cybersecurity? So what do you think? What's the biggest thing you can do that's really wrong? I once invited one of my hackers. I thought, we have 10 board members, let's let them see how hackers are working. And of course I have very good hackers; I have 25 hackers in my team, the best in the world, best in class. And of course in three minutes they showed that everything was vulnerable and they could do everything. I know what happened. Who's living in the countryside?
I do. And of course, if you're driving in the countryside and you're speeding, and of course during the night, sometimes you see rabbits hopping around, right? And what's happening if there's a rabbit on the road and it's looking at your headlights? It's freezing. And that's basically what's happening now with our boards on this topic, since we make it too complicated.
And if you talk only in IT lingo, inviting hackers, people are freezing, because they can't handle that topic, because for them it's too difficult, too complex. They can't relate it back to: why is this important for me?
Again, board members are really not interested in getting all those dashboards and all those, you know, piles of paper indicating, you know, the levels of incidents. They would really like to know: okay, can you help me out to answer a couple of questions? So question one is: what is the likelihood that our company is really under attack? And that's a very tough question, right? What's the likelihood that my company is under attack by one of those threat actors? And of course what we IT people do,
and IT security people normally do: we always come back with those worst-case scenarios.
Oh, look at Sony. Look at Target. That can happen as well. Is it? So if you don't have a clue about your level of vulnerability, if you are probably not in the same business models as Sony and Target alike... So be very precise, be very fact-based on what the likelihood is that that might happen at our company. That's one question. The second question I'm getting is: what levels of investment should we apply, which fit our needs, our risk appetite, our risk posture?
And what we all do, of course, is go to a kind of multi-client study; we're going to ask all other companies, how much do you invest? Because that's of course a very difficult question, to actually be very precise on what the level of investment is that we need. And then we normally use an analyst. I have 43 seconds. Yeah. Okay. That's good. And then we say, of course, the average IT security spend of the IT spend is three to seven percent, but that's not enough. We need to be very precise on saying what we need to invest in, and how much is that.
So we need to be able to also articulate what kind of measures we are investing in and what not.
So, last slide, just a couple of pointers. If IT is not already on the board of your organization, put it on the board. Help your management understand whether IT is strategic for you. IT security, cybersecurity should be on the agenda. Take a risk-based approach: start with your crown jewels and threat actors, look at your vulnerabilities, look at your legal framework.
Look at what your cyber risk profile is and use that for steering your investment. If the board is saying, hey, IT security, that's him, that's the CISO or the CIO: that's not the right answer. IT security is not a department; it's the task of the board to actually manage that. Management and reporting are of course very important. And the final one is that this is not a one-time exercise, it's a journey, and we will continue that journey in the next years, because these threats won't go away. Okay.
Thank you very much, John.
So, I mean, one important thing is you say don't scare the board members with hacker demonstration stuff. Yeah. I've done that in the past as well. And indeed it turns out to be like, it's
not working, it's
not working, it's freezing the people.
So what's a good approach? I mean, of course, besides calling KPMG to come and help, what is a good approach to talk to board members, to open them up?
I mean, they do not understand IT. Their primary source of information is probably the daily newspaper, where hacker information is explained, or not explained, as mentioned.
No, I think the most important thing is that board members are really top specialists in dealing with risk management. So this is just risk management, business risk management as usual. So bring it back to the same level, to a conversation as if they would like to do business in a new country. They also do a kind of risk assessment: they look at the opportunity and look at the risks. That's where they are the top experts.
So we need to bring that back to that same dialogue.
But that could mean that they have to bear more risks for keeping their current business working.
Absolutely.
That's something they don't like.
No, no, no. I'm not agreeing with you. If you're doing business, doing business means taking risk.
Yeah, sure. Taking well-informed risk. So I think it's all about saying: okay, are our board members well informed to actually take the right decision? That's the most important thing. How do we get them well informed to take the right level of risk, in line with what I would like to achieve? Nothing else, nothing more.
Okay. Thank you very much, John. Thank you.
Thank you.