Interview

The invasion in Ukraine has heightened the risk of cyberattacks both from nation-states and non-state actors prompted by the disruptions caused by the conflict. ThoughtLab asked sponsors and advisors of our Cybersecurity Solutions for a Riskier World program to share their views on the fast-moving cybersecurity landscape.  

 

1. Forbes recently noted that suspected Russian-sourced cyberattacks increased 800% in the two days immediately following the breakout of conflict between Russia and Ukraine in late February. What impact is the war in Ukraine and related geopolitical risks having on the cybersecurity landscape? What new or larger risks does it present for companies? 

Gary McAlum, Former CSO & VP, Enterprise Security, USAA: Today’s cyber risk environment has never been more fragile, with cyberattacks increasing in sophistication, intensity, and scope. The current geopolitical situation in Ukraine has only exacerbated the risk implications for companies across the board but especially for critical infrastructure companies and their supply chains. Recent government warnings about the potential for increased cyberattacks have further increased the level of concern for Boards and senior management teams. While larger companies—particularly those in regulated verticals—continue to optimize their security environment, the greatest risk will be to those smaller and mid-sized enterprises where cybersecurity staffing and budgets are thin. 

Cory Simpson, Executive Vice President, Resolute: We have not seen the spike in Russian attributed cyberattacks against liberal democracies that many predicted at the onset of Russia’s illegal war in Ukraine. While the cause for this is currently unknown—perhaps aggressive US government “defend forward” efforts, lack of capacity, or others—what is known is that Russian cyber threat actors are very skilled, and any constraints they may have had previously on their actions are unlikely to continue in today’s environment. In short, we are not out of the proverbial woods, and as CISA (the Cybersecurity and Infrastructure Security Agency) has advised, “Shields Up.” 

Mandy Andress, CISO, Elastic: The cybersecurity landscape is significantly impacted. Cyber is another front in global geopolitical conflicts that’s often invisible, happening behind the scenes. Companies need to be prepared that their industry could be susceptible, or their actions and statements could lead to direct cyberattacks. Companies could also be targeted if they are seen as a means to access another targeted company that is a customer.   

Dr. Ivo Pezzuto, Professor of Digital Transformation, International School of Management: Experts expect that Russia may yet unleash a devastating online attack on Ukrainian infrastructure or in other western countries. The Ukrainian government has taken some appropriate measures to counteract and protect their networks. For example, to protect the Ukrainian railways, a team of American soldiers and civilians have found and cleaned up one particularly pernicious type of malware, which cybersecurity experts dub “wiperware”, which disable entire computer networks simply by deleting crucial files on command. 

Also, companies and institutions in Ukraine and other western communities are likely to face a massive onslaught of “distributed denial-of-service attacks” (DDoS), which are relatively unsophisticated attacks that take down networks by flooding them with demands for small amounts of data from a large number of computers. 

2022 has already seen a concerning number of cyberattacks on ports and terminals. In January, a cyberattack hit major European ports including Rotterdam and Antwerp. A ransomware attack has caused a full system outage at one of the container terminals at Jawaharlal Nehru Port Trust (JNPT) in India. Attacks to ports, terminals, and supply chain networks may further aggravate the current backlogs and bottlenecks in the global supply chains. Looking forward, cyber espionage capabilities and defense strategies are likely to increase significantly, as well as international coordination among countries in order to offset potentially dangerous cyberattacks. Along with cyber threats, Russia is also spreading misinformation about the Ukraine conflict. It seems that the age of cyber warfare is just beginning. And for Russia, the war with Ukraine is likely serving as a live testing ground for its next generation of cyber weapons.  

Steve Durbin, CEO, Information Security Forum: The speed of digital transformation and the consuming of cloud technologies/services (especially given accelerated uptake due to Covid) has made it increasingly difficult for organizations to enumerate their footprints and map these to geopolitical risk areas. It is difficult to say with complete certainty when and if organizations could be impacted by geopolitical events and regional instability. This is a risk hotspot at present. 

Hacktivists and lone wolves are supporting the cause in some cases, picking sides and launching ‘deregulated’ hostile activities against each other and towards the opposite side. Tracking their activities is increasingly challenging as threat intelligence bleeds with regulated OSINT and the poisoning of social and unofficial media feeds by multiple interested parties. 

Organizations who can be demonstrably directly or indirectly associated with political groups and regions involved in hostility could find themselves in the crosshairs of cyber ‘armies’ and hacktivist groups. 

Both direct and unintended consequences of these risks and threats present a clear and present danger across the globe.  Several national and international security organizations have issued ‘shields up’ instructions to industry, and the instances of such advisories will likely increase as digital transformation penetrates further and further into industry and commerce. 

 

2. What are the biggest threats that your firm (or your clients) are seeing and preparing for? Ransomware, denial of service, etc.? Which business areas, such as supply chains and critical infrastructure, are you (or your clients) giving the greatest attention?  

Deborah Wheeler, CISO, Delta Airlines: We are continuously risk assessing our environment and monitoring threat actors and others with an interest in our industry sector. Obviously, supply chains present a risk that we didn’t foresee two years ago (think Solarwinds), and it has caused us to be more specific in our questions of third parties and requires that we spend more time understanding our supply chain connectedness.  

Jamie Singer, Executive Vice President, Resolute: The ransomware epidemic continues to create havoc on organizations—operationally, financially and reputationally. The double extortion tactics of threat actors remain problematic for many companies, which must navigate the one-two punch of an operational disruption with the threat of data leaks/exfiltration. While critical infrastructure organizations—such as healthcare, manufacturing, etc.—continue to find themselves in the crosshairs of threat actors, no industry or sector is immune. Threat actors are also targeting under-resourced and under-prepared public-school districts, local governments and municipalities, and non-profit organizations—many of which have cyber insurance policies and often are compelled to negotiate ransoms.   

Mandy Andress, CISO, Elastic: We are focused on a variety of threats, including ransomware and denial of service, but are primarily focused on overall data protection to ensure the safety of our customers’ information. We are also giving supply chain significant attention to help ensure it is not a threat vector for us or our customers. 

Steve Durbin, CEO, Information Security Forum: Not only does any destabilization provide a convenient front for criminal activity, but it is also wholly possible that gangs and cartels sympathetic to the cause could ramp up operations to provide a line of funding to those involved (for instance, the activities of the ‘Lazarus’ group who provided funding lines for North Korea; a group strongly believed to be supported and bankrolled by the Kim regime). 

The rapid growth of the data economy and volumes of data/relative value has turned heads, with threat actors seizing the opportunity of manipulating data to misinform and misdirect  

Covid has exposed the frailties of supply chains in enterprise and the associated risk of disruption; geopolitical influences are yet another vector for this risk and we are already seeing examples of it. 

Critical infrastructure is becoming a more lucrative target for attack; the footprint of these environments has increased significantly enabled by tech such as IoT and communications innovations such as 5G whilst the maturity of ICS/OT in terms of cyber controls continues to be low. 

 

3. How prepared is your company (or are you clients) to address these escalating nation-state threats? What do you see as best practices to manage risk currently, and which areas are you (or your clients) beefing up, such as threat intelligence, attack simulation, scenario planning, business continuity awareness, and training?  

Jamie Singer, Executive Vice President, Resolute: Robust incident response planning is table stakes for any organization today. And given the significant reputational risks associated with today’s evolving cybersecurity landscape, an increasingly critical component of that process is comprehensive cybersecurity crisis communications planning. It is imperative that organizations invest the time and resources in developing clear and consistent communications protocols, including streamlining internal messaging review and approval processes, to ensure timely and effective communications responses to these complex issues. Executive-level tabletop exercises and trainings are also critical to building muscle memory and gaining internal alignment on messaging and communications strategies, in advance of a significant cybersecurity event.   

Gary McAlum Former CSO & VP, Enterprise Security, USAA: Not many companies, if any, are truly prepared to deal with an all-out, targeted attack by a sophisticated nation-state actor. These type of threat actors are backed by an almost unlimited budget and the very best cyber talent available. Add in the ability to stockpile zero-day exploits and you have an unfair fight, by any stretch of imagination.  Any company that is specifically targeted by a nation-state adversary will not be able to prevent an eventual penetration that leads to an undetected presence on their network.  However, as that actor attempts to exploit that presence, a sophisticated security team may have a greater chance to detect and effectively respond based on a security ecosystem that is overlapping and tightly monitored. 

Mandy Andress, CISO, Elastic: The most prepared companies are the ones that have really focused on the fundamentals of good security hygiene: knowing your environment, updating and patching your technology, changing default configurations, and utilizing layers of security. Being solid on the basics closes the large majority of avenues that attackers leverage to access or move through an environment. 

Dr. Ivo Pezzuto, Professor of Digital Transformation, International School of Management: More efforts are needed to strengthen international cooperation and resources but also scenario planning and simulations. Often the worst-case scenario assumptions in scenario planning process look more like a baseline scenario or at least one that is not truly severely adverse.     

Steve Durbin, CEO, Information Security Forum: The ISF continues to provide support to members in a number of areas aligned to this developing threat landscape and this is something we would consider to be industry good practice. We have: 

• delivered research and a methodology for protecting from, responding to and recovering from, Extinction Level Attacks, with specific materials dedicated to the topic of ransomware that are also available on our PWS. 
• conducted cyber simulation exercises both publicly and ad-hoc for our members, to allow them to understand their limitations and hone their skills following a fictitious scenario.  
• recently released the latest version of our flagship ‘Threat Horizon’ research, providing organizations with forward-thinking guidance on potential future threats, with supporting materials to facilitate the use of the research in the boardroom. 
• a strong offering on managing supply chain risk and is seeing renewed interest in this topic from our members. 

Barbara Kay, Senior Director Product Marketing for Risk, Security, and ESG, ServiceNow: So much is about hardening the weakest links in security programs. Most companies have longstanding investments in prevention and defense – so today’s emphasis is on review and upgrade of response visibility and readiness across systems and organizations. Using the MITRE ATT@CK framework to assess and enhance defense, monitoring, and response is a key element. We are also helping people tighten up their security operations, especially incident response, through automation, prioritization, and structurally linking security, IT, and other teams involved in reducing vulnerabilities and responding to a major incident.  

Since it is a joint responsibility of security and IT, we see investment in general attack surface hardening using established frameworks, and also business continuity/disaster recovery plans to build cyber resilience. There’s been a clear motion in recent years to encourage this collaboration, and ubiquitous, complex digital systems are turning the desirable into the necessary. This is crawl/walk/run country, and every organization is in a different place. The key point is to see where you are, and then build and activate your plan for progress. 

We recommend clients look at resilience and readiness. Every business has different points of failure, so it isn’t one single playbook, and each situation is heavily influenced by industry and maturity.  In addition to the guidance offered by both UK NCSC and US CISA cybersecurity agencies, as well as CIS and NIST, there are copious resources around operational resilience, business continuity management, and vulnerability management. 

 

4. Our survey of executives revealed that 30% of CISOs are becoming more involved in geopolitical risk management. Is that enough? How are companies ensuring their cybersecurity strategies are aligned with their political risk management? 

Deborah Wheeler, CISO, Delta Airlines: I think companies that have both a CSO and a CISO or have separated physical security from cyber need to be collaborating to understand how material physical threats can play out in cyber and vice versa. These worlds collide much more than they did years ago. Companies needs to look at their potential to thwart geopolitically motivated cyber risks before announcing geopolitical positions.  

Cory Simpson, Executive Vice President Resolute: No. Every CISO needs to have an awareness of the geopolitical risk factors in their organization’s operating environment and be a part of the strategy for best mitigating such risk. Just as the role of the CFO has evolved in the last 30 years from a budgetary gatekeeper to a strategic partner of the CEO in setting corporate strategy to manage financial risk in markets around the globe, we need the CISO’s role to quickly evolve in a similar way to help corporate leaders better mitigate geopolitical risk for their organizations. Companies should ensure cohesion between their cybersecurity and political risk management strategies. How this is best done will vary from company to company and market to market, but it all begins by ensuring a comprehensive, inclusive, and collaborative planning process. 

Mandy Andress, CISO, Elastic: Sharing information and building awareness is critical. For instance, share what types of attacks you are seeing with your security peers and your company’s employees. Phishing and social engineering are primary entry vectors. By spreading awareness and education as far and wide as possible we can help everyone be more vigilant for suspicious activities. 

Steve Durbin, CEO, Information Security Forum: This is a disappointingly low number and tends to suggest that the value opportunity of CISOs in organizations is still struggling to be recognized fully, with some CISOs still anchored to the more traditional tenets of information security and risk management. CISOs’ relationship with the business needs to develop further; this relationship is a two-way thing. CISOs need to become more business-aligned and business leaders need to be more aware of the relevance of cyber to their personal and corporate accountabilities. 

• Organizations with a more mature, holistic approach to enterprise risk management are able to bring multiple risk domains together so that they can become more complimentary in establishing an aggregate risk position.   
• Organizations with a maturing risk management framework and culture may still have separation, treating differing risk management domains in isolation to each other with some notable gaps (such as geopolitical risk).   
• Organizations with weak or no risk management framework and culture will be in a reactionary mode when it comes to geopolitical risk and certainly the current situation; likely they are contemplating the challenges of RUS-UKR for example as an operational challenge rather than a strategic risk, which is not effective in the longer term. 

 

5. What advice would you give CISOs for these riskier times? 

Deborah Wheeler, CISO, Delta Airlines: Stay calm; focus on the basics (patch management, access management enforcement of strong authentication, and educating end users about phishing), rehearse your IR plans and stay current on threat intelligence. They should have a good IR retainer in place should they need it and should have good partnerships in place with their company’s legal counsel and management and business leaders. Providing periodic written updates to leadership that address the heightened cyber risk environment and how the company is preparing for or is prepared to withstand certain types of events, allows management to gain confidence in the CISO and their organization, gives visibility to where investments have been made, and can also be used to alert leadership to where certain risks might have greater chance of resulting in an exposure.   

Cory Simpson, Executive Vice President Resolute: Speed and agility. CISOs must ensure they develop their people, processes, and technologies with the speed and agility required by today’s volatile, uncertain, complex, ambiguous, and interconnected environment.     

Gary McAlum Former CSO & VP, Enterprise Security, USAA: In today’s cyber risk environment, the potential for a major incident has dramatically increased. CISOs should be continuously focused on ensuring their security posture is as robust as possible, particularly security patches updated as quickly as possible. However, this is also a time to ensure a comprehensive incident response plan is in place and, preferably, recently validated through a table-top exercise or some other walk-through review. For example, ensuring good contact information for key external agencies, such as law enforcement, is a lot easier to do now than when the balloon goes up.  

Dr. Ivo Pezzuto, Professor of Digital Transformation, International School of Management: Companies, banks, and institutions are paying greater attention to the future impact of Quantum Cryptography, in particular in Canada, the Netherlands, Australia, the UK, and the U.S. Banks are investing in PQC (Post-Quantum Teams) in order to improve their readiness to the quantum migration.  

NATO is aiming to strengthen its internal proprietary network with the use of quantum cryptography. It seems that the algorithms they use in the VPN are not safe enough against quantum attacks, thus they may be subject to data breach and vulnerabilities. 

Steve Durbin, CEO, Information Security Forum: Socialize the topic with business leaders, generate the conversation and offer support and assistance. CISOs are NOT expected to have all the answers, but the value is created when they broker effective conversations between business, technology, risk and security, and offer their subject matter expertise to broker solutions to identified problems. 

Now is an opportune moment to renew relationships with your professional network; the value of knowledge sharing across different organisations and vertical markets cannot be understated in times like this (not to mention the mental health benefit of supporting each other). Resist the urge to leverage the situation to drive a personal agenda, always offer problems AND solutions, not just problems. 

Be accessible to your teams AND your business. Now is the time to show true leadership in your business, not hide in the shadows behind others. 

Barbara Kay, Senior Director Product Marketing for Risk, Security, and ESG, ServiceNow: COVID accelerated usage of digital technology throughout every BU of every organization and throughout every supply chain. Now the security posture and resilience of this extended enterprise infrastructure will be tested by both known and new tactics, techniques, and procedures. Last year’s challenges (Solarwinds, ransomware, and log4j) were a dry run. “Targeted attack 3.0” sophistication will be applied to a “Resilience 1.0” level digital business infrastructure.  

Let’s take all that we have learned, especially MITRE ATT&CK insights, and tighten up our threat recognition and response. Let’s team with IT and Risk stakeholders to turn policies into rules, controls, continuous monitoring, and prioritized management. Let’s collaborate. There’s so much tech and wisdom that is not just possible, but proven, to help any team get stronger. Let’s put it to work. 

Major cyberattacks are fast multiplying globally, impacting businesses, cities, and national governments. CISOs need insights to take a more effective, analytically driven approach to cybersecurity. In this increasingly dangerous digital-first world, they also need to collaborate with their peers and partners to bolster cyber protection across all levels of the company. Cybersecurity can no longer remain restricted to the IT department. CISOs need to be prepared for when, not if, they experience a breach.  

To offer CISOs fresh thinking on how to weather the brewing cyber-storm, ThoughtLab is conducting a multi-client research program titled Cybersecurity Solutions for a Riskier Digital World. We asked experts and sponsors of the study to provide us with valuable decision support and best practices. 

 

As security and resilience become top of mind for corporate boards, what do you see as the biggest change in the role of the CISO?   

Larry Clinton, President/CEO Internet Security Alliance: CISOs need to vastly expand their skill set beyond technical expertise (which, of course, they must maintain). They need to lead a full integration of enterprise-wide security structures and help to develop a full culture of security and work far more collaboratively with other elements of the enterprise, such as audit, legal, human resources, public relations, and others. These all need to be integrated into an enterprise-wide risk management team, and the CISO needs to help lead that collaborative structure.   

Steve Durbin, CEO, Information Security Forum: The role of the CISO varies significantly across industries, regions, and even individual organizations in terms of seniority, authority, budget, team size, and influence. Engagement with CISOs from ISF member organizations has revealed that CISO job descriptions do not accurately reflect the extent of the role being fulfilled. Roles often expand without additional funding, resources, or support. CISOs are increasingly being held responsible, and sometimes accountable, for circumstances beyond their control. The biggest change in the role of the CISO is the need for the individual to balance opportunity with risk and find their own voice within the organization.  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: A broadening of the role to think more strategically about the business as a whole and the impact of cyber on the broader business and planning for resiliency outside of just the cybersecurity space.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: The biggest change in the role of the CISO is the need to be a business partner at the board level, protecting the organization’s corporate strategy, along with continued production of food or motor vehicles, acquisition or new market entry, the continuous delivery of safe healthcare with protected patient data, etc. and the need to be the secure digital transformation advisor while keeping the corporate strategy functioning securely.  

Ravi Srinivasan, CEO, Votiro: Security leaders are business leaders first and IT leaders second. Successful security leaders are collaborating with the lines of business leaders in the company to secure new digital processes and enable secure user productivity.  

Mandy Andress, Chief Information Security Officer, Elastic: The role of the CISO has become much more complex over the last 20 years. Responsibilities have grown from leading the team handling real-time threats and mitigation of attacks, to overseeing the security architecture and the protection of the corporate infrastructure, implementing security policies and management designed to foresee and address risk, and maintaining compliance with a growing population of regulations and industry requirements.  

And, so-called “soft skills” have become just as important as technical skills. Creating resilience for a company is also about being a trusted communicator, understanding how cyber risks fit into the business overall, and building partnerships across the C-suite. 

The pandemic has expanded enterprises’ attack surface area, posing greater threat and risk for possible opportunistic or malicious attacks. Ensuring a strong security program in a remote environment will be a top priority for CISOs in the next few years as they work closely with their peers across the leadership team to build employee awareness of security protocols, and invest in appropriate technology to meet the intricate needs of globally distributed organizations. 

Gidi Cohen, CEO and Founder, Skybox Security: CISOs have a starring role in the new normal. Cybersecurity has become a central part of how businesses grow and operate. Their influence with the CEO and board has greatly increased. Radical change brings an opportunity for a dramatic shift in how organizations approach their security programs. The CISO role will no longer be primarily technical. CISOs will broaden their purview to include the ‘business’ of cybersecurity. The modern CISO will make the business case for cybersecurity initiatives and address overall business risk. They will also need to quantify the return on investment of those initiatives. CISOs will be highly knowledgeable about the state of cyber security and the threat landscape. They will share this knowledge with the board in business terms and build proactive security posture management programs that take this global picture into account. 

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Culturally, the CISO needs to be capable of talking to a board of directors in a language that they understand in order to take a strategic, top-down approach to risk management in cyber. One of the challenges here is having the ability to translate cyber risk into financial terms. What will be the ROI from my invest in security? How much risk is the organization carrying? What is our preferred risk posture?

 

Which cybersecurity best practices should CISOs follow to succeed in today’s riskier world?  

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: I am a big fan of the Center for Internet Security’s (CIS) Critical Security Controls. Those controls map well to other standards and frameworks but for a strategic view of what a strong security program should accomplish, the CIS Critical Controls are a great starting point.  

Larry Clinton, President/CEO Internet Security Alliance: The most important point is not to confuse regulatory compliance with actual security. The technical best practices probably ought to be a mixture of the various frameworks (NIST/ISO/FISMA, etc.) but need to be adjusted based on the uniqueness of the organization’s technology, culture, and business plan. However, the organizational best practices that are the most clearly documented as enhancing security are the ones outlined by the National Association of Corporate Directors in their cyber risk handbook (available free of charge at www.nacdonline.org).  

Steve Durbin, CEO, Information Security Forum: Applying an approach which is business-centric, risk-based and value-driven. The ISF Standard of Good Practice (SOGP) provides an effective framework for information security policies, standards, and procedures, and is mapped to industry-recognised standards such as NIST CSF, ISO 27002, CIS Top 20, and PCI DSS.  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Start with the basics: patching, patching, patching! Limit/restrict access and require strong authentication mechanisms. Limit your blast radius—if something bad gets in, limit where it can go and what damage it can do.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: Answering this from the perspective of OT and IoT—understand the connected assets across their environment and supply chain to assess the inherent risks. Drive programs of increasing cyber posture across their estate; patches and updates to the latest firmware and versions; and secure connectivity. Apply the three lines of defense across their business and connected industrial environments with the first line of defense as the OT environment, second the SOC, and third the GRC with re-enforcement and governance of the audit committee.  

Ravi Srinivasan, CEO, Votiro: Follow the data. CISOs need to shift their focus from infrastructure-centric security to Zero Trust Data Security. Understanding how business-critical data and IP are used in all the new digital processes will help security leaders focus on what matters: enabling secure user productivity and mitigating exposure to data breaches.  

Mandy Andress, Chief Information Security Officer, Elastic: Every security program is unique to the company’s needs. When faced with new challenges, people often turn to new technology, but it’s security practitioners who develop new ideas, threat intelligence, and approaches to prevent bad actors from impacting the systems that are so important to keeping organizations functioning. At a high level, CISOs should consider the following best practices: 

• Train your staff. Make it meaningful for your environment. There should be ready access to training materials as part of your onboarding process and at regular intervals throughout an employee’s tenure to help ensure your employees are up-to-date on the latest and greatest. After all, humans are the most vulnerable points in any security system.  

• Test your system. Send test messages to help train your employees. Hire consultants or have an internal red team to find your weak spots and commit resources to fix those weak spots. 

• Understand your data flows. Security teams first need to understand the data flows in their environments so they can ensure that their data only goes where it’s supposed to go. The tools and processes you use should also provide security metrics and, equally importantly, review the data you collect to identify any patterns that may indicate a security vulnerability or team that needs additional education.  

 The best security programs are simple but effective. It is the responsibility of security leaders to balance the people, processes, and technology to defend their organization. While it is important to choose the right cybersecurity technology, that investment should be proportional to the people running the products and the processes that define their work. 

Gidi Cohen, CEO and Founder, Skybox Security: Avoid the avoidable. There is no excuse not to fix a known vulnerability that is exploitable. Many of the attacks over the past few years were caused by bad actors who exploited known vulnerabilities that organizations had enough time to deal with prior to the breach. By proactively conducting exposure analysis, organizations can identify exploitable vulnerabilities and correlate them with their unique infrastructure configuration and security controls to determine where cyber-attacks pose the highest risk. 

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: There are any number of standards, regulations and best practices that can be followed and organizations need to focus on those that their specific geographies, regulatory specifications and vertical nuances dictate. As a good, general guidance, the NIST and ISO cyber security standards are a good place to start.

 

What single piece of advice would you offer CISOs as they aim to secure their organizations against future cybersecurity threats?  

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: Ensure your security journey has commitment from the highest level of your organization’s leadership chain. Developing and implementing a strong security model that enables the business requires commitment from all parts of the organization. Ensure you have the necessary support from above and across your organization.  

Larry Clinton, President/CEO Internet Security Alliance: CISOs need to embrace some of the modern cyber risk management tools such as FAIR or X-Analytics that move beyond the traditional check-the-box models favored by regulators. While these compliance regimes may be necessary, the effective CISO will be using these more progressive risk assessment tools that include analysis of the economics of cybersecurity and ties security procedures more closely to the organization’s risk appetite.  

Steve Durbin, CEO, Information Security Forum: Engage proactively with stakeholders at all levels inside the organisation—e.g., be forthcoming with the business, drive the conversation with the board, fight for time beyond quarterly meetings where cyber is only a small part of the agenda, help address and answer difficult questions regarding cyber, and demystify misconceptions.  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Focus on the basics of good cyber hygiene. Once the foundations are in place, you can build on top of that to address specific types of threats or tools needed to address unique requirements your business may have.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: Implement best of breed control technology. Prioritize risk management and identify critical assets that drive business continuity and minimize business operational risks. Address both your baseline cyber posture, GRC, and monitor the environment for threats. Increase your cyber skills capability and increase cyber awareness training for non-cyber personnel. Leverage the latest threat intelligence and do tabletop exercises on breaches or attacks, including negotiation training with mal actors.  

Ravi Srinivasan, CEO, Votiro: Outsource security operations and response so that you can free up resources to focus internal efforts on securing data and the usability of new digital business services. Evaluate any new security technologies based on usability for new digital businesses, open APIs for ease of IT integrations, and simplifying operational support. 

Mandy Andress, Chief Information Security Officer, Elastic: Focus on the basics. The fundamentals of security hygiene for any environment are still the best protection to today’s threats. Change defaults, disable unnecessary services, default deny inbound network traffic, and patch! 

Gidi Cohen, CEO and Founder, Skybox Security: Don’t focus on threats; focus on vulnerabilities. Threats are changing all of the time, are out of your control, and most are irrelevant to your organization considering your security posture. However, all of your vulnerabilities are yours to address. Focus on what you can control, such as eliminating exposure to cyber risk. This includes assessing, prioritizing, and remediating vulnerabilities on time to avoid a breach. It also includes tightening processes and implementing automation to ensure you don’t open your organization to new risk through misconfigurations or making policy changes without validation. 

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Enlist help from specialists. Do not try to do everything yourselves. Make sure that you have access to world-class solutions, threat intelligence and data through carefully selected partnerships.

 

What is the largest mistake that CISOs should avoid making in the future? 

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: While the concept of a “Zero Trust” security model sounds good and everyone agrees, it is a complex journey that is not easy or cheap. The biggest mistake a CISO should avoid is thinking that Zero Trust can be achieved with just a new technology solution. Reworking the existing security architecture to incorporate more micro-segmentation, continuous monitoring and analysis, and attribute-based adaptive authentication will be a significant investment.  

Steve Durbin, CEO, Information Security Forum: Overestimating or making assumptions regarding the organization’s cyber resilience capabilities and, thus, not testing them (i.e., not conducting regular assurance activities such as cyber simulation exercises).  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Avoid thinking that all your employees need to come from a traditional IT, computer science, or data management background and that they need a four-year degree. We need creative problem solvers—hackers  do not restrict who can hack! We need to be as “open minded” about the resources we employ to fight the good fight, as the threat actors are about fighting to bring us down.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: Assuming that they will not be breached, attacked, or be a victim of a supply chain impact. 

Ravi Srinivasan, CEO, Votiro: CISOs maintain their responsibilities to govern security policies and compliance, while the lines of business continue to rapidly innovate, migrate, and adopt new technologies and multi-cloud services. CISOs should partner with the business leaders to balance modernizing mid-/long-term initiatives (often infrastructure-centric) with near-term initiatives (data-centric) to secure digital business enablement.  

Mandy Andress, Chief Information Security Officer, Elastic: Learning from my own mistakes, focus on people first. I have always looked at security as the equal combination of people, process, and technology. While I talked about them in that order, I usually focused on technology first, then process, and people last. No technology can fully protect an organization in today’s environment. Having the right people in the right roles that can creatively apply technology to your environment, adapt defenses to new threats, and communicate to your users with a high degree of empathy will further the success of your program more than any technology or process. 

Gidi Cohen, CEO and Founder, Skybox Security: Don’t underestimate what is required to transform cybersecurity programs. Buying more point products won’t solve your problems. This creates a false sense of security. Instead, you should focus on maturing your security programs to a place where it is at least properly managed and monitored, if not continuously optimized and improved. Tighten your processes to manage the products you do have, ensure you are getting the full value from those products and put the right talent in place to manage your entire security estate. 

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Taking a “technology first” approach to risk mitigation. Start with business strategy, governance and gap analysis. Technology needs to be deployed in line with these and not in a reactionary way.

Digital innovation is a double-edged sword: while necessary for driving performance, it exposes companies to much greater cyber threats. The COVID-19 pandemic opened even more opportunities for cybercriminals, who adapted their attacks to exploit vaccination mandates, elections, and the shift to hybrid work, while also targeting organizations’ supply chains and networks. With such criminals becoming smarter and more resourceful, cybersecurity is no longer just an IT issue: it is a strategic imperative for the C-suite and government officials. 

To understand how companies are addressing these issues and beefing up their cybersecurity defenses, ThoughtLab is conducting a multi-client research program titled Cybersecurity Solutions for a Riskier Digital World. We asked experts and sponsors of the study to offer their perspectives on how the pandemic has affected cybersecurity and the implications for their businesses.  

  

How has the pandemic permanently changed the cybersecurity landscape and agenda for companies? 

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: The pandemic has driven organizations to a more dispersed and distributed employee model as well as exposing supply chain dependencies. For many companies, the risk equation has changed for the worst, driven by a dynamic threat environment that has increased in frequency, intensity, and sophistication. 

Larry Clinton, President/CEO Internet Security Alliance: The pandemic has altered cybersecurity, although it is far from the most important change. If confined to the pandemic, I would say the most notable change is the evolution of a substantial work-from-home community without adequate consideration of security procedures, which has spurred a tremendous increase in vulnerability for the entire system and a resulting significant increase in cybercrime. 

Steve Durbin, CEO, Information Security Forum: The pandemic has resulted in masses of employees working from home long term, personal devices being employed for corporate uses, and spikes in social media usage rates, among other changes, which have broadened the attack surface.  

This shift in landscape has required organizations to reprioritize strategic objectives and key risks—e.g., accelerating digital transformation programs and migration to the cloud.  

The Internet Organized Crime Threat Assessment (IOCTA) 2021 report highlights that COVID-19 has resulted in a sharp increase in cybercrime. Cybercriminals have been identified to be employing the following attack vectors: malware (e.g., ransomware and mobile malware), payment fraud (e.g., sim-swapping, mobile banking trojans and ATM attacks), social engineering, and phishing. 

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Ransomware and malicious cyberattacks rose significantly during the pandemic and impacted many industries. Demand for cyber talent has increased and the shortage of skilled resources has driven the cost of that talent much higher. As a result of the types of attacks seen, many industries are seeking talent that perhaps before, they thought they could get away without hiring or with hiring one or two resources. Now they realize teams of cyber experts may be needed because these threats are here to stay. 

Simon Chassar, Chief Revenue Officer, Claroty Inc: The pandemic affected the cybersecurity industry because of the implications of remote working and isolation from traditional hands-on configurations and installations. The remote office created a need to re-architect or accelerate to secure access service edge (SASE) within Software Defined Wide Area Networking (SD-WAN), with cloud and full corporate security policies for email, data, and access beyond the officer perimeter. This permanently changed the approach and accelerated the need to design in cybersecurity for all solutions; and cybersecurity with COVID became the enabler of digital transformation acceleration—Secure-by-Design. The further need to build in resiliency into business operations has increased the drive to public cloud, multi-cloud, and hybrid cloud, with remote access and software-defined security controls. 

Ravi Srinivasan, CEO, Votiro: Cybersecurity is no longer enterprise IT’s jobs. The accelerated digital transformation of back-office processes, rapid application migration to multiple clouds, and modernization of the data platforms have brought the business and security leaders to collaborate on new cyber strategies and execution. The pandemic has changed the landscape, shifting the focus away from infrastructure to data-centric security approaches. As enterprise users have experienced the risks of cyber, there’s heightened awareness of the need to be vigilant. CISOs will prioritize investments in more cloud-native, usable security services—not large security platforms—to enable secure digital business.    

Mandy Andress, Chief Information Security Officer, Elastic: The pandemic transformed the role of the CISO virtually overnight – from forcing a shift to remote operations to rethinking how to best support employee productivity. Now that companies have weathered the initial changes, CISOs are reassessing their IT security practices, tools, operations, and employee processes for long-term stability and growth within a distributed environment.  

The pandemic has expanded enterprises’ attack surface area, posing greater threat and risk for possible opportunistic or malicious attacks. Ensuring a strong security program in a remote environment will continue to be a top priority in the next few years as we work closely with our peers across the leadership team to build employee awareness of security protocols and invest in appropriate technology to meet the intricate needs of globally distributed organizations. 

Gidi Cohen, CEO and Founder, Skybox Security: The reality is that current security practices are not keeping up with the changing security landscape. Attack surfaces grew significantly during the pandemic. Accelerated digital transformation, cloud migration, and increased remote working all contributed to this growth. Further, the pandemic put to test many of the systemic failures of the cybersecurity industry. Organizations are plagued with massive, fragmented networks, decentralized, inconsistent configurations and change management processes, unsafe cloud and network configurations, and the continual increase in vulnerabilities.   

As the economy recovered, the great resignation had significant implications for cybersecurity programs.  Already resource-constrained, organizations are losing the institutional knowledge and talent needed to run cybersecurity programs effectively.  As a result, security organizations suffer from loss productively, inefficiencies, and risk of human error.   

Cyber security organizations are making significant changes to address the expanded attack surface, fragmented and complex environments, and loss of talent. They are increasingly focused on moving from reactive approaches to proactive security posture management.  Gaining visibility across hybrid, multi-cloud, and OT networks has become a top priority. And they are embracing automation at record levels to optimize workflows, implement changes, and validate network security policies.   

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: We are yet to determine precisely how the move to remote working will change working practices in the long term but we are sure that the balance between office work and remote working will not return to previous norms in many industries. This has implications for cyber security as enterprise attempt to make their employees and their data as secure when accessed from home as it is behind the company firewall. In addition, communication practices have fundamentally changed and this dynamic offers cyber criminals new opportunities and a plethora of new attack surfaces.

 

What do you see as the biggest cybersecurity challenge that companies will face over the next two years?   

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: As cyberattacks continue to increase in scope and scale, the government is taking a more active role in defining and prescribing new security regulations. In addition, data privacy laws are becoming more rigid and complex. In already regulated sectors, the requirements are increasing even more. Balancing compliance with the day-to-day reality of operational cybersecurity challenges will be a huge challenge.  

Larry Clinton, President/CEO Internet Security Alliance: The biggest challenge for companies is that they are being vastly over-matched by the growing sophistication of the attack community. Not only nation-states and state-affiliated attackers but also criminal syndicates are accessing increasingly sophisticated attack methods and technologies that will be very difficult for private firms to compete with. 

Steve Durbin, CEO, Information Security Forum: There are three challenges organizations will increasingly face over the next two years: 

1. 1. Being confident in the level of cyber capability currently protecting the organization, in terms of people, processes, and technology, and whether they ensure risks fall within the organization’s acceptable risk tolerance.
2. Dealing with significant levels of technical debt from legacy systems and proprietary systems. This is a burden to the organization as it can often be more expensive to update an outdated IT estate compared with replacing it completely. 
3. Meeting the ever-changing and more complex compliance obligations. Upcoming regulations, such as requirements aiming to improve the reporting of cyber incidents to authorities, can distract CISOs, and have implications for incident management teams, resourcing (workforce), and budget allocation. 

Simon Chassar, Chief Revenue Officer, Claroty Inc: The biggest cybersecurity challenge will be the continued increase in the sophistication of threats for financial gain across a broad increased and connected threat surface. This means that lateral movement of malware is a real concern. We have seen a huge increase in the volume of malware impacts on industrial environments, from oil and gas and water to healthcare and manufacturing. These environments have been increasing in connectivity in OT and IoT due to automation and optimization of production for efficiency with real-time demands. This has led to an increased and unprotected environment because of legacy systems and unfamiliar protocols. Therefore, I believe that industrial environment protection or cyber-physical systems will be the biggest challenge over the next two years.  

Ravi Srinivasan, CEO, Votiro: Remote/hybrid work is here to stay. Security leaders need to focus on protecting digital data and files wherever they are used. This will drive the growing adoption of Security Services Edge, but SSE adoption will hit some operational headwinds as leaders need to address more data risks from the realities of multi-cloud, hybrid IT infrastructures, and usage of more cloud applications.  

Ransomware fatigue will increase. Ransomware attacks are here to stay. Crypto is a force to reckon with and, as business leaders debate to pay or not to pay for ransomware incidents, security leaders will shift focus to prevention approaches and outsource the detection and response efforts to managed services providers.    

Hyper-digital connections will create more data risks. Digitizing old business processes leads to the use of more supply chain connections, exposing more homegrown applications in the cloud and increasing users’ access to new services from outside the traditional enterprise network.  This leads to bad actors exploiting these new digital services, such as weaponizing files used by employees, applications, and data platforms; misconfigurations of application and data platforms in the cloud; more high-profile supply chain exploits; and increased personalized phishing attacks.  

Too many security frameworks lead to too many tools in use. Enterprise and security architects will need to rationalize and adopt frameworks based on a business-led security strategy: securing what matters most for the businesses (data and intellectual property) and adopting security as a service. 

Mandy Andress, Chief Information Security Officer, Elastic: While the threat of malware, ransomware, and data breaches will only continue to rise, the biggest challenge in front of many security executives is finding the next generation of cybersecurity professionals. While cybersecurity is a technology issue, it’s also a human one and an organization’s employees are the first line of defense.  

In its Cybersecurity Workforce Study 2021, industry body (ISC) finds that 2.7 million information security jobs remain unfilled worldwide. While this number is down from 3.1 million in 2020, we’re a long way off where we need to be. In the face of increased digitization and a rising tide of attacks, the current cybersecurity workforce of 4.2 million people globally needs to grow 65% to keep up with the demand for its skills. 

In other words, we’re going to need to draw from a wider talent pool to plug the gaps. 

Our industry’s over-reliance on specialists with the ‘right’ qualifications and educational backgrounds might actually be a weakness — a point of view reinforced for me by David Epstein’s 2019 book, Range: Why Generalists Triumph in a Specialized World. In the book, Epstein argues that generalists with wide-ranging interests are more creative, more agile, and able to make connections that their more specialized peers can’t see, especially in complex and unpredictable fields – a description that is a good fit for cybersecurity.  

Many of the hiring challenges in cybersecurity can be alleviated by taking important steps to diversify the talent pipeline, which not only expands the talent pool but also contributes to a healthier overall cybersecurity culture. 

Gidi Cohen, CEO and Founder, Skybox Security: As the economy continues to recover and cybersecurity budgets increase, there will be increasing pressure to develop strategic approaches that increase cybersecurity efficacy and not just tactically react to pressures during the earlier days of the pandemic.  Organizations will focus on strengthening their cybersecurity controls, processes, and compliance programs to reduce risk and exposure to cyberattacks.  This requires a fundamental shift in mindset from reactive to proactive cybersecurity.  Security by design will become the focus and the challenge.  Organizations will rethink security architectures to unify and better optimize security across hybrid, multi-cloud, and OT environments. In tandem, security leaders will need to decide how to approach zero trust and address the architectural implications. Secure cloud adoption and migration will continue to be a challenge. Organizations will also need to manage and consolidate fragmented infrastructures that include disparate security products with sub-optimal use. And processes will need to be optimized and automated to avoid catastrophic errors and address resource constraints.  

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Ransomware. Anybody that believes that ransomware, as a malware type, is a passing trend is mistaken. Ransomware will evolve and become more impactful and devastating in the coming years and organizations need to understand better how to protect themselves from this threat.

New trends are pushing wealth and asset management firms into becoming digital-first businesses offering clients immersive digital experiences and real-time support, together with more personalized products and services. The industry will also rethink their environmental, social and corporate governance investments, pushing sustainability to the forefront of their priorities. 

To shed light on how these shifts will transform the industry, ThoughtLab is conducting a multi-client research program titled Wealth and Asset Management 4.0. We asked experts and sponsors of the study to offer their perspectives on how the pandemic has affected investor behaviors and preferences, trends in the industry, and the implications for their businesses.
 

How is your firm rethinking its strategies, processes, communication, and business models to succeed in a digital-first world? How are you leveraging AI, cloud, blockchain, and other latest technologies?  

Joe Norburn, CEO, Recordsure: Wealth and asset management firms should be focused on utilizing the latest advances in Machine Learning and AI to support their operations. Strategically thought-out implementation of AI analytics and RegTech tools deliver significant business benefits – address key pressure points, manage risks, and offer business efficiencies at scale. 

Manish Moorjani, Senior Director Product Management, PublicisSapient: Shortening time to market for new tools and features and early validation through A/B testing enables firms to stay competitive and provide value to end clients. Sentiment analysis of media and news for investment decision making is also valuable, by leveraging AI and Cloud capabilities. Another best practice is adopting best in breed products and platforms for order execution and accounting and focusing on the firm’s strength. 

 

How is the nature and location of work likely to change in the years ahead? How will employee experiences and process change, particularly for financial advisors? 

Mike Park, CEO, TCC Group: Healthy organizational culture plays a prominent role in delivering commercial success. Being forced to move away from traditional office working opened fresh opportunities to utilize digital communication channels, reduce business travel and offer greater flexibility to the way we work. With many employees enjoying the advantages of increased flexibility, a hybrid way of working is expected to be the future – yet it is poised to bring new challenges. Less direct contact between employees on a daily basis could potentially increase conduct risk due to the decreased opportunity to directly observe behaviors. Processes that worked in the office or in a short-term wholly virtual environment may not be sustainable for a hybrid future. Focusing on culture and the desired behaviors of employees will help firms successfully manage the operational shift ahead. 

 

Which regulatory and tax trends are having the biggest impact on your business? How will your firm adapt its strategies, systems, and services to meet client needs, while staying compliant?  

Chiara Gelmini, Solutions Marketing Lead, Appway: We learn from our customers that Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) are going to be major focus areas in the regulatory compliance domain, specifically thinking of the due diligence impacts on CLM practices. It’s the ‘Era of the KYX’, aka Know Your ‘Everything’.  

KYC (Know Your Customer) it’s going to require more and more attention and dedicated resources as well tools, with WM’s SMEs proximity to client facing functions being a crucial aspect to fix.  

A growing focus around KYT (Know Your Transaction), with more stringent requirements arising across jurisdictions and demanding dynamic, collaborative and informed approvals and RFI and EDD orchestration.  

KYI (Know Your Investment), with increasingly blurry lines between KYC and suitability profiling, it is now time for more conscious and thorough understanding of client’s investment goals and decisions. All tying into ESG and rising social responsibility. 

Overall, compliance officers are seeing further pressure and cost coming into their operations to mitigate new challenges – continuing the trend of being asked to do more with less. The ‘holy grail’ is improving efficiency and agility, while reducing TCO – and this is possible with the right combination of tools, but the effort should not be underestimated.
 

Joe Norburn, CEO, Recordsure: To help organizations drive operational resilience and stronger compliance, the implementation of AI-driven RegTech tools should feature as the key priority on the technology strategy roadmap. Compliance monitoring across recorded conversations and case file documentation truly sets firms apart as it provides the ability to cover every interaction, spoken and written, between firms and their clients. Introducing the right RegTech solution also means cost savings as less time is spent on administrative tasks and files reviews, improved risk management, more insights and better client outcomes. 

 

How far will organizations need to go to incorporate ESG into their business strategies? Will that involve new investment products? Better analytical tools? Greater public-private partnerships? Other? 

Sabrina Bailey, Global Head of Wealth Management, Refinitiv: In the past, the prevailing mindset was that ESG investing was no more than corporate altruism.  This perception has steadily changed, with investors increasingly viewing ESG investing as central to their investing strategies and wealth firms differentiating their services using ESG criteria. This trend is set to continue, and we expect ESG-related considerations to have ongoing and ever-greater implications for the wealth industry. We see tremendous opportunity in offering access to complete data that is transparent, granular and standardized.  There is also an urgent need for detailed analytics to deliver actionable insights with intuitive visualization that helps market participants make sense of data.  Furthermore, ongoing education will remain crucial as investors continue to define what good governance looks like. 

Olivia Fahy, Head of Culture, TCC Group: Firms need to fully embed ESG considerations into their strategies rather than treating ESG as an add-on. Purpose can be an excellent driver for ESG considerations as it helps organizations determine how they provide social value and embed practices that support this throughout the business. Focusing on driving a healthy and purposeful organizational culture will incorporate many considerations that fall under the ESG acronym. With organizations coming under more pressure from clients, employees and investors to demonstrate robust ESG strategies, future-oriented firms are already incorporating ESG into their organizational culture to their advantage. 

 

What lies ahead: Wealth 4.0 

What are the biggest opportunities and challenges that lie ahead for your organization?  What will be the impact of demographic, regulatory, digital, competitive, and economic shifts? 

Olivia Fahy, Head of Culture, TCC Group: Firms are facing social and environmental challenges, such as the need to break barriers around diversity and inclusion and make progress in relation to climate change and sustainability. Such challenges can generate new opportunities, providing firms with the chance to positively impact the world, drive change, and make a real difference for the future. Implementing these kinds of changes requires culture change, an ambitious yet gratifying task. Culture transformation leads to strategic advantages, better treatment of employees and clients, and a more sustainable business.    

Joe Norburn, CEO, Recordsure: One of the biggest challenges for firms is to ensure continuity and to be prepared for the unexpected. Wealth and asset management firms have the unique opportunity to better their operational excellence by implementing new technologies such as RegTech. Technologies and AI do not replace people but make them more efficient at what they do by focusing on priorities. RegTech offers unique monitoring and reviews that help address key pressure points and compliance, mitigate risks, and deliver cost-efficiencies. 

 

What will the wealth and asset management industry look like in five years? What advice would you give to wealth management firms to ensure their place in tomorrow’s new marketplace? 

Mike Park, CEO, TCC Group: Employees, clients and investors are increasingly expecting wealth and asset management firms to be more purposeful and responsible. Firms need to listen and act on these expectations, or risk people voting with their feet. By focusing on culture with the same level of importance as business strategy, firms can drive the right behaviors, do the right thing, add social value, and ensure their place in the future. 

Sabrina Bailey, Global Head of Wealth Management, Refinitiv: Obviously digital transformation is crucial. However, it’s important to remember that the investor should always come first. The future of the investment and wealth management industry being about digital and human elements coming together. Trust will continue to be the cornerstone of strong relationships and will continue to be supported by robust, and evolving, digital tools that drive rich human connection.

Joe Norburn, CEO, Recordsure: The wealth and asset management industry is facing new exciting times of transformation. The incredible advances in the wealth technology solutions available are already paving the way for operational resilience and stronger compliance. Firms that deliver high-quality advice to their clients, coupled with rich and engaging well-monitored technology, will be incredibly successful over the coming years.

The coronavirus pandemic has accelerated digital, social, economic, and demographic shifts across the world and across industries. Within the wealth and asset management industry, investor attitudes, needs, and expectations are undergoing lasting changes, and the playing field for investment providers is shifting. Investment providers will need to act quickly to compete in the next era of wealth management.

To investigate these developments and how digital, social, and economic shifts will transform the industry, ESI ThoughtLab is conducting a multi-client research program titled Wealth and Asset Management 4.0. We asked industry experts and sponsors of the study to offer their perspectives on how the pandemic has affected investor behaviors and preferences, trends in the industry, and the implications for their businesses.

The Impact of Disruption: The megatrends transforming the industry

 

What are the biggest disruptions affecting the wealth and asset management industry today? To what extent will these megatrends transform the industry? Do you see the rise of a new normal?

 

Mike Park, CEO, TCC Group: The shift towards organizations being purpose-led with a focus on creating social value and benefiting society rather than just generating profit has the potential to transform the wealth and asset management industry and signals a major culture change. The significance of organizational culture to business success has been well documented over the years, yet the global pandemic highlighted its critical importance. Where traditional objective-driven operations struggled to adjust during challenging times, firms with a focus on their culture—promoting collaboration, innovation, and empathetic leadership—showed a better ability to adapt and perform during the crisis. With employees, consumers, and investors increasingly demanding that firms step up regarding social and environmental responsibility and proactive management of diversity and inclusion, firms who do not take their culture seriously will soon get left behind. A healthy culture is a must have, not a ‘nice to have.’

Chiara Gelmini, Solutions Marketing Lead, Appway: In the past years, the financial services industry has been hit by multi-dimensional, dynamic disaggregation with impacts across the value chain, channels, data and systems, and the regulatory landscape. Now, the industry is challenged on a whole new degree of disruption, impacting primarily client engagement, productivity, and business composability. As in every crisis, 2020 was a catalyst for true change, and we’ll see its impacts over the next five years.

Joe Norburn, CEO, Recordsure: The pandemic-driven disruption to traditional face-to-face interactions between clients and agents has led to fundamental changes in the wealth and asset management industry. Faced with business continuity challenges, firms introduced new alternative methods of communication. While such decisions were made of necessity, the new client-agent communication channels are quickly becoming the new norm due to their convenience and flexibility. Similarly, monitoring and analysing customer interactions across all channels to ensure fair treatment and compliance is quickly growing into a significant operational requirement.

 

How has the pandemic accelerated the transformation of the industry? What lasting changes in wealth and asset management should we expect from the pandemic?

 

Sabrina Bailey, Global Head of Wealth Management, Refinitiv: Digitalization has been a megatrend for quite some time; the pandemic exponentially accelerated this as a focus for many firms. The lack of face-to-face interaction encouraged firms who may have previously been reluctant to transform or adopt digital tools to do so, or risk losing out to competitors and falling behind. The way in which the wealth advisors interact with clients, and the way in which clients define “white glove” service, have changed at a fundamental level. The constant challenge with digitalization is the continued increase in hyper-personalization expectations. Communicating with clients and providing investment advice digitally is one thing; the real differentiator is the ability to personalize these interactions in order to build strong, sustainable, and trusted relationships. This is especially true in an environment of fee compression, robo-advisors, and new forward-thinking start-ups. Providing sound investment advice, personalized to the specific needs of investors by truly understanding their situation, needs, wants, values and desires, will be the real differentiator in wealth management.

Mike Park, CEO, TCC Group: The rapid operational adjustments that wealth and asset management organizations endured in response to the pandemic emphasised regulatory compliance issues. As we are entering the post-pandemic world and the emerging hybrid model of home- and office-working, firms continue to be exposed to client mismanagement and compliance issues. Firms will need to carefully consider how to drive a healthy culture in the new working environment to mitigate these potential conduct risks. Healthy company culture plays an integral role in linking compliance and commercial success for wealth and asset management organizations.

Chiara Gelmini, Solutions Marketing Lead, Appway: In the past decade, innovation dominated strategic priorities, though with “arbitrary” and shifting emphasis. Although more hybrid models of interaction were emerging, the high-touch physical interplay was seen as the “Plan A” in wealth management, while digital engagement was the “Plan B”. Today wealth managers are forced to not only innovate but to transform by revising digital strategies—along with the corresponding tools and technology—in order to adapt to the shift in circumstances. Digitally empowered human interaction is now the default “Plan A”. Being innovative via digital means, doesn’t equal less human touch. WM customers are typically complex in their nature, they have large households and center of interests, with many cross-jurisdictional nuances and impacts. Hybrid models are going to be crucial to be able to deliver that high touch service that’s core to the WM industry, across whatever type of channel and journey customers are going to choose.

Joe Norburn, CEO, Recordsure: The global pandemic accelerated the deployment of new technology-led solutions that enabled financial services organizations to ensure business continuity and remote-working management. Despite the swift introduction of these solutions, innovative technology tools, such as client interactions monitoring and regulatory compliance management, are proving to drive operational efficiencies and excellence—thus are here to stay. The next challenge for organizations is to carefully assess their new technology portfolio and ensure true alignment with long-term technology and business strategy.

Manish Moorjani, Senior Director Product Management, Publicis Sapient: The pandemic made digital the only mechanism for advisors and their clients to engage; it accelerated digital tool adoption by advisors who felt their HNW/UHNW clients only wanted an in-person white glove service. As we go back to a new normal world post-vaccination, we expect that the engagement model will continue to be a hybrid of in-person and digital engagement as both clients and advisors saw significant value at limited to no degradation of service. In fact, it provided an opportunity to share much richer insights for them to discuss and led to engaging conversations.

 

The Next Generation Investor: Meeting changing investor needs and expectations

What key shifts are you seeing in investor expectations, behaviors, and priorities? How are these playing out by wealth, age, education, gender, and other investor demographics?

 

Sabrina Bailey, Global Head of Wealth Management, Refinitiv: Investors expect to be known. Companies like Netflix and Amazon are leading the way in terms of personalization and understanding what their customers want by leveraging the data available and providing personalized recommendations through a simple, intuitive digital interface. Expectation for daily, personalized, and tailored interactions are moving into the financial services arena at a faster pace than ever before. Investors expect that the advisors know them and can recommend solutions to meet their needs based on understanding “clients like them”. Breaking these expectations down by wealth, age, education, or gender is a precarious game given that expectations are also driven by stage in life, income, place of residence, engagement preference, risk level, etc. For example, my high school two daughters have been exposed to investing their entire lives because of my career. Our oldest daughter (persona: The Protector) is conservative by nature, would prefer to meet in person, and would invest no more aggressively than a moderate risk portfolio. She cares more about protecting her money than making the most she can. Our younger daughter (persona: The Thrill Seeker) would invest straight off Instagram, never talk to an advisor and invest in the highest risk single stock she could find because she loves the thrill of the chase even if it means losing everything. Given the move to personalization, wealth firms would be well served to understand their investor personas and adapt both sales and customer service techniques to meet their personas.

Olivia Fahy, Head of Culture, TCC Group: Socially responsible investing is an increasing priority for investors. For firms, this means investing with purpose. Younger investors are particularly concerned about investing responsibly, and so this new trend is set to influence wealth and asset management firms’ culture and their approach to investment—especially as wealth begins to transfer from baby boomers to millennials through inheritance. It should be noted that this shift has been growing in importance over the last few years, but it has been brought into sharper focus more recently by topics like climate change, the BLM movement, and the pandemic, highlighting how firms are part of a much broader infrastructure. Progressive and purpose-led organizations have been shown to be best placed to respond to this pivotal shift in the market and steal a march on their competitors.

Manish Moorjani, Senior Director Product Management, Publicis Sapient: For millennials across wealth, education, gender and demographics, omni-channel engagement is an expectation, not just a “nice to have” anymore. Priorities now include doing more sustainable investing (ESG) to ensure that there is a broader picture in mind besides making returns. They also have a shared control behavior in terms of making investment decisions as they are exposed to lot more information and insights and are looking for a partner not just an advisor.

How is your organization adapting its products and services to meet evolving investor needs? How will value propositions, investor experiences, and market approaches need to change?

Sabrina Bailey, Global Head of Wealth Management, Refinitiv: We are focusing on developing and using digital tools and solutions to address changing investor expectations by delivering the data, insights, and capabilities that can be delivered in a personalized way to a broad range of personas to enhance the overall experience.

Joe Norburn, CEO, Recordsure: The new way of interacting with clients via multiple communication channels requires more transparency than ever before. The fast changes to business operational models have emphasised the need to fast-track the deployment of analytics tools to monitor, analyse and review all client-agent interactions at scale. This requirement is critical as firms are faced with the responsibility to ensure fair treatment of clients, be vigilant to vulnerability, and to always maintain supervisory oversight and regulatory compliance across all communication channels.

 

Anna Szterenfeld is Director of Editorial Operations for ESI ThoughtLab. She is a multilingual writer and editor with 30 years of experience assessing and forecasting global political and economic risk, policy trends and business operating conditions, with a particular focus on the Americas. For many years she served as Regional Manager and Latin America Editor with The Economist Group, where she supervised analysts and editorial teams in Mexico, Brazil, London, and Gurgaon (India), as well as a contributor network in more than 20 countries.