Hi, everybody. Ed Amoroso here, and I'm sitting with my good friend, Elena Kvochko, a cyber security expert that I've known for some time. Welcome to our video series. Thank you so much, Ed. Thanks for coming. Hey, tell us a little bit about how you first got interested in cyber security. Sure. I started in my career actually in technology and technology implementation. And I've been working with large international development institutions implementing broadband access, basically making the world more connected and open. And I realized that by providing access and openness, by not integrating security right from the beginning, we may potentially be integrating long-term risks and vulnerabilities. So this is how I shifted my career to cyber security. Then I joined an international organization where I managed a portfolio of 100 companies working together jointly on a cyber security agenda that was of interest for all the industries. So basically, we were working on issues that will be relevant for a broader set of executives and industry leaders that would be of interest for a lot of industries to make our industries more connected and more aware of security risks. And since a few years ago, I joined financial services industry where I'm currently CIO of the security function, working to implement next generation security models and controls. Wow, what a great answer. Sometimes, people say I got interested by hacking my PC. So it's a wonderful path to doing cyber. So you work in financial services now. I would imagine that's a challenge. It seems like in financial services, there are so many hacks going on and all kinds of issues. Do you see that as a pretty vibrant area for cyber security? Yes, our industry is actually one of the most targeted industries and it's part of the critical infrastructure of the United States and globally. So, we do see a lot of innovation, we invest a lot in cyber security. But what I'm particularly proud of is that we were able to develop a new model of implementing cyber security. We call it holistic security. So I think a lot of the times organizations struggle with having visibility or having this holistic, unified view of what's going on. And if you have a security incident in one part of the organization, that's not necessarily connected, or we, executives, are not necessarily able to connect it to an incident that's going on in another part, in another business unit or function, whereas in fact, they are connected. So what we have done, and we became the first large financial institution to do so, is we merged physical security with cyber security and we added capabilities such as intelligence, investigations, resilience that are resting on underlying data platform that helps inform those decisions. So we're now implementing this model. I think this is the right way forward for the industry. And I think a lot more companies will be looking at how do we merge these various data streams and information that they get on the cyber security incidents that they face. That's so exciting. There are a lot of young people watching. They're probably thinking, "Gosh, how can I get a great career like that?" What would be your advice for people who are mulling over a career in cyber security and think they might want to do something similar to what you're doing? Sure. I think the good news and the bad news is that cyber security needs all kinds of skills. So if you're now studying any field not related to technology, don't get discouraged because our industry needs all kinds of experts and you can get trained and companies invest a lot in training. Right now, there is a clear shortage in cyber security skills and experts, so we do encourage more people to join our industry. What I would say that even if you decide not to join our industry but go to marketing, HR, or finance, or any other business discipline that you decide to pursue, it is still very important to know about cyber security because, now, every company is a technology company and every business is digital business. If you're not operating digitally, you're not able to grow. So basically, no matter what you do, no matter what your role in the company is, you have to know basic cyber security hygiene and controls. I want to ask you about threat. When I first started, the cyber security threats we dealt with were pretty simple: people breaking into computers and defacing websites. It wasn't much more than that. But now, it seems like a way more complex set of threats. How should people be thinking about them? When you think about cyber security threat, is there a way you sort of organize that in your mind? Sure. I think this is probably the hardest question. How do you prioritize your efforts and where do you focus on? So the way we're looking at it and the way I'm looking at it is, on the one hand, you have to know your assets, your vulnerabilities, and what tools and technologies you have at your disposal. On the other hand, you do have to know who your adversaries are, what are they targeting, and what methods are they using. So once you put two and two together, you're able to see where the gaps are and where you can focus your investments or decisions and what your landscape looks like. Do you think it's harder now that nation states are getting involved? It used to be hackers. The hackers haven't gone anywhere. But now, it's countries doing it. It seems like it's considerably more difficult. Am I reading that right? It is considerably more difficult. They are the threats that we're seeing. They're highly professionalized, targeted and sophisticated. So we need professionals who are able to help us resolve them. Of course, it requires a lot of training and therefore, it's great that you're launching this course with NYU and Coursera. Thank you for doing that. Oh, thank you. That's great. Hey, what do you think is on the horizon? Are you more optimistic or pessimistic about cyber security prospects? Do you think, for example, the defense can never catch up and catch up to the offense? What do you think? I'm generally more optimistic for several reasons. First of all, I think a lot of them, previously, why it was so difficult to defend against cyber threat is because incentives were misaligned. It was much easier and it was cheaper to be a hacker than to pursue a regular career. But I think now, the world is coming together to realize that incentives have to be aligned and it should not be easy, it should not be an unpunishable activity to go and hack organizations. So I think, once we look at the incentives and work together on a national, organizational, international level, that will become much harder. And the second reason why I'm optimistic is because, right now, you literally see the whole world, the smartest people coming together to solve a problem. And I think, when you have literally the world's smartest and best experts coming together to solve the cyber security problem, we will see a lot of progress and we do see a lot of progress now compared to just a few years ago. Kind of underscores how important it is to be sharing, not just threat, but I guess techniques as well. Do you get involved in some sharing groups? Are you part of some community? Yes. And we even established our own community, it's called Cyber Defense Alliance. It's a community of critical infrastructure banks, mostly European-based, where we do share information and where we do share methods of potential breaches and how we responded to those. That works best when it's groups of trusted participants. Right, peer-to-peer. It seems like that's the best way. Well listen, on behalf of our whole community here, our learning community, I want to thank you for stopping by our studio here in New York. Thank you. Thank you so much for coming and sharing with us and best wishes to you and your work. Thank you so much, Ed. Best wishes in your course as well. Thank you. We'll see you later.
