January 12, 2024

EP 43 – Breaking Things in the Name of Cyber Resilience

Guest Dr. Magda Chelly, Managing Director and CISO of Responsible Cyber, joins Trust Issues host David Puner for a conversation about third-party risk management and cyber resilience. Dr. Chelly underscores the imperative of prioritizing identity management, particularly as decentralized work environments are becoming the norm in today’s evolving digital landscape. She also explains how breaking things played a critical role in propelling her into a career in cybersecurity – and then in fostering and advancing it. The interview unfolds against the backdrop of Dr. Chelly’s extensive experience and recently authored book, “Building a Cyber Resilient Business,” which serves as a handbook for executives and boards navigating the complexities of cybersecurity. If you’re seeking insights on how to gain stronger visibility and control over your organization’s digital identities, this episode is for you.

Join us to learn how build resiliency against today’s ever-growing array of cyber threats – and what’s to come in 2024 and beyond.

[00:00:00] David Puner: You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

[00:00:25] David Puner: Happy New Year and welcome to another episode of Trust Issues. Sometime well before 2024, Pablo Picasso said, “Learn the rules like a pro, so you can break them like an artist.” That seems like a fitting quote to lead into my conversation with today’s guest, renowned cybersecurity researcher, author, speaker, entrepreneur … Dr. Magda Chelly.

[00:00:49] David Puner: She’s also the managing director and CISO of Responsible Cyber, the Singapore-based firm she co-founded. And getting back to Picasso, it’s breaking rules or breaking things that resonate in today’s talk. Breaking things or breaking into things to determine how to protect them. And, breaking things down, making complex topics accessible, understandable like translating cyber risk into financial figures the C-suite can readily understand to align disparate priorities.

[00:01:22] David Puner: Dr. Chelly has a PhD in telecommunication engineering. And while you might presume that means she’d talk about cybersecurity and risk management at a very complex level – her message is that they must be discussed in ways that can be readily unpacked by whomever the audience, organization, or client may be.

[00:01:41] David Puner: To a certain degree, it also comes down to effective communication, like breaking things down. It’s knowing how to break things to get ahead of the bad actors who are also trying to break them. There’s artistry to it. Dr. Chelly explains how breaking things played a critical role in propelling her into a career as a cyber protector, and then in fostering and advancing that career. At its core, it’s a philosophical take. Here’s my conversation with Dr. Magda Chelly.
Dr. Magda Chelly, Managing Director and CISO at Responsible Cyber. Welcome to Trust Issues.

[00:02:21] Magda Chelly: Hi, David. Thank you very much for having me.
David Puner: Absolutely.

[00:02:24] David Puner: Thanks for joining us.

[00:02:25] David Puner: Where, where are you today? It seems like you’re in some sort of a secret, top secret location.

[00:02:29] Magda Chelly: I am hidden. I’m hiding. It’s usually at the end of the year, I always have the opportunity to travel across various conferences. And this year as well. So, from October, the conferences start and they accelerate in November and they usually take two weeks at the end of the year vacation, which is the only time where I actually can rest across the year because everyone is trying to take some leave.

[00:03:00] Magda Chelly: So, I was traveling around. So I was in Istanbul, Turkey. I was in Norway, after Singapore and now I’m in North Africa and Tunisia. So, a little bit around the world.

[00:03:10] David Puner: Wow. And you live in Singapore. So, will you be heading back soon?

[00:03:15] Magda Chelly: Yes, that’s correct. I’m based in Singapore. The company is headquartered there and I should be going back after New Year’s.

[00:03:22] Magda Chelly: Yes, absolutely.

[00:03:23] David Puner: Well, you are, you are a road warrior, that’s for sure, and we appreciate you taking the time to join us today. Why don’t we start with how you got into the cybersecurity industry and how it led to your current role with Responsible Cyber?

[00:03:37] Magda Chelly: Thank you, David. So, I think, you know, coming back to how I made it, I think the beauty of traveling in so many countries is also to see how different technologies are and especially the internet connectivity.

[00:03:51] Magda Chelly: We’re talking about the digital divide where I lived that there’s definitely not the same level of connectivity depending on where we land. [00:04:00] And that also is a very interesting perspective from cybersecurity aspect. So, whenever we are working, you know, even if you assume like coming back to your question, how did I get into cybersecurity?

[00:04:13] Magda Chelly: It was basically having the opportunity to work on my laptop and try to research and break things. Like many of peers in the field and that was many years ago. So, that is only possible if you have an internet connection and that works. Otherwise, you won’t be able to do much. So, coming back to that, I am from education and telecommunication engineer.

[00:04:36] Magda Chelly: So, I have done a lot of research but not in cybersecurity actually. Initially, I was doing more around network and telecommunication networks specifically. So, everything that relates on how the old mobile phones worked, you know the 3G, we’re not talking about 4G, 5G.

[00:04:52] David Puner: 3G, That’s yeah, that’s a blast from the past.

[00:04:56] Magda Chelly: Exactly.

[00:04:57] Magda Chelly: Well, I was, you know, researching that and [00:05:00] learning how it works. And that’s how I started my career, a long time ago, again. While I was doing research and my PhD, I was really curious about other areas and specifically about how to break into things. I wasn’t really understanding that much security aside what I had,

[00:05:17] Magda Chelly: in a few hours into my education path. Which basically, as you know, when you’re a student, you just have something that a teacher shows you, but you don’t really understand. How is that applied in the real world? What does it really mean? And I wasn’t honestly, when I was young, I was passionate about technology, but not security specifically.

[00:05:37] Magda Chelly: But when I was doing my research, I spent so many hours on my laptop that, at some point, I was looking at all this technology coding a lot. But what about the security part of it? And then I started looking at how to break things and characteristics of networks, in terms of, again, the aspect of how can you protect them and what are the ways [00:06:00] to break into them.

[00:06:01] Magda Chelly: So, it literally made my PhD research much more interesting and exciting. And that’s how it started.

[00:06:10] David Puner: Okay, So, you get your PhD and you’ve got this obsession with breaking into things. Then, then what?

[00:06:19] Magda Chelly: Then, David, no one wants to hire cybersecurity people.

[00:06:23] David Puner: They don’t? Really?

[00:06:23] Magda Chelly: No, we’re talking about 17, 20 years ago.

[00:06:28] David Puner: Okay.

[00:06:28] Magda Chelly: No one was interested yet, at least in France, where I was at that time into security. It was more like a digital transformation. CRM was a very big hit. Every, like kind of digital tools that allows to, for example, get and improve customer relationships in general, were a massive focus. So, I started by being an IT generalist consultant.

[00:06:53] Magda Chelly: I wasn’t focusing on security at all. And what made me evolve into that role, or basically, companies really liked me to [00:07:00] be in that role, is that when you are a consultant, you need to talk with the clients, a lot. And clients need to like you. Otherwise, you know, if they don’t understand them, if you talk a different language, they might not find themselves comfortable into explaining their challenges.

[00:07:16] Magda Chelly: And, as well, they don’t feel that you understand their business to support them as a consultant. And I had this tendency that I really liked to talk to people. So, I talked to people, I learned from them and I worked with banking, with insurance, with even airlines and every time the consultancy companies really like that fact of me and the fact of course that I had the technical part, so they were really loving to sell me to clients. And I ended up doing this like massive and different project all based on IT and digitalization.

[00:07:47] Magda Chelly: We, for example, the first discovery in the banking industry about security again, but it wasn’t really the [00:08:00] only focus. And when I look at it now, especially after so many years – again, I really mean it – very few companies were looking at cybersecurity. It was more digitalization, was more the fascination about those new tools and how can we improve efficiency, productivity, or customer relationship. ut security wasn’t there really very much yet.

[00:08:23] David Puner: Fast forward to about eight years ago and that is around the time when the dawn of your company, Responsible Cyber. How did that come about? And what is your role there today? What do you do within your managing director and CISO role?

[00:08:38] Magda Chelly: I think the journey was really interesting, because if I look at it and of the reasons why I have decided to start Responsible Cyber, is because I found that I was looking towards something that would be more intellectually stimulating – and digitalization in general – and no offense to anyone who’s doing that. It actually lacked more in-depth understanding of how things work and really trying to find additional technical challenges. I was really looking for that and I have done so many roles in my career. I worked three jobs at the same time because, I really like to do a lot of things – learn continuously. So, I have discovered a lot of things. And then, I had a friend who actually was mentioning to me, “But you are good technically you like to break things, you actually code. You do this and you do that – why don’t you do cybersecurity for real job? You know, like you take that challenge and you actually make out of it the living.” And I’m like, “I don’t know, you know. I’m, not sure.” And I had my doubts and my doubts were biased by what I have seen in the market.

[00:09:54] Magda Chelly: And that market again, even if you’re talking 10 years ago, we need to understand that every country and every region has a different maturity. What we see today in the States is not what is in Europe. It’s not what it is in Africa. It’s not where it is in the Middle East. Every region has a different level of maturity and when it comes to cybersecurity ten years ago, it was still emerging in certain regions. And in 2015, things started. But if I look even today, Asia is maturing aside Singapore and other countries around. They, for example, don’t have cybersecurity legislations. So, it’s again, it was a journey and I took the opportunity because of the right time, the right place to set up my company and build Responsible Cyber.

[00:10:46] David Puner: And here you are now, almost eight years later and you’re, a renowned cybersecurity expert. Looking back to when you founded Responsible Cyber, would you ever envision that you would be a world-renowned cybersecurity expert?

[00:11:03] Magda Chelly: My objective was very clear when I started that is to build a reputation and share knowledge.

[00:11:09] Magda Chelly: Reputation, of course, because when you have a company, you need to build a brand. And the brand was me sharing knowledge. And that’s as well a passion that led to many initiatives. But I think you can see how much late nights and wrinkles it created.

[00:11:26] David Puner: No, I can’t see that with the laptop cam. No, you look good from here.

[00:11:30] Magda Chelly: That’s good to know. Thank you. But yeah, it’s definitely, something that required a lot, a lot of effort, a lot of work, many sleepless nights. And when I say sleepless until today, until 2023, I’m not saying that I encourage, you know, a lack of work-life balance. But when someone has their own company, they need to understand that it requires a lot of effort and work.

[00:11:57] Magda Chelly: And the more you grow, the more you need to put in energy, the more you need to put in the right focus. And I have days where I work 18, 20, 22 hours a day. And how do I function? Well, you know, I very often get that question. Vitamins and coffee. That still works. I don’t know how long it’s gonna work, but it still works until today.

[00:12:23] David Puner: Okay. Well, thank you for interviewing yourself, first of all and asking yourself how you do that. I appreciate that. You’re making my job easier. And I appreciate you also mentioning that we’re in 2023 as we record this conversation. We’re at the tail end of 2023. This episode will be coming out in 2024, most likely our first episode in 2024.

[00:12:42] David Puner: And we’re gonna look back at 2023 in a little bit and talk a little bit about what’s to come in 2024. But before that, I want to ask you about social media, where you’re pretty vocal about risk management. It’s something you seem to be really passionate about. What should organizations be thinking about when it comes to things like third-party risk management?

[00:13:06] Magda Chelly: First of all, I’m really passionate about risk management, like you say. But as well, linking risk or technical risk into the business priorities, which I believe is today still the main challenge for our industry as well as for businesses in general. I hear a lot of times presentations, discussions where we talk about vulnerabilities, where we talk about technical areas – but the reality is businesses do not have a lot of times or mainly cybersecurity backgrounds.

[00:13:36] Magda Chelly: When we talk to a CEO to the CTO to a CIO, they don’t understand us. And we cannot assume that by bringing those topics in the way that we do it, we will be able to have the business to take informed decisions. So that’s why I got passionate about it.

[00:14:00] Magda Chelly: And the other areas that I really like in general is cyber risk quantification, or basically translating cyber risk into quantified version of cyber risk with financial figures. While it’s debatable, while it might not be accurate, many peers, they will say, but we don’t have enough data. We don’t have enough historical information.

[00:14:23] Magda Chelly: But, having a number is better than not having a number at all, in my view. Knowing if you’re gonna lose half a million or five thousand dollars, it’s different than saying to someone, “This is red or orange or green.” Because the decision or the decision-making process will be different, if you give them the same kind of dictionary. So, if they talk about financials, you talk about financials, you don’t talk about colors.
David Puner: Right.

[00:14:55] Magda Chelly: Because again, that’s not their priority. They can’t understand you.

[00:14:59] David Puner: So, a lot of it has to do with communication and being able to speak their language rather than expecting them to speak your language, so to speak – your cybersecurity language. Making it accessible because cybersecurity is something that everybody needs to talk about – they just need to talk about it in a way that they understand it.

[00:15:18] David Puner: Is that sort of what I’m picking up here?

[00:15:20] Magda Chelly: Absolutely.

David Puner: Okay.

Magda Chelly: I think it’s also really important because if we look at risk management, today for an organization that is mature enough, they should, including the management, understand that they are not operating in a silo. The internet allows companies to be interconnected and therefore you’re exchanging with external stakeholders with external companies continuously. And that might change your risk profile.

[00:15:51] Magda Chelly: So, if we look at across the maturity of companies, we see that they are companies are very good at it. They have already a risk management in place, including third-parties. But there’s a lot of companies that have only addressed the internal threats and are able only to manage their own risk. But not yet the external risk coming from those vendors, suppliers, partners, even customers, because theoretically a customer is a third- party.

[00:16:21] Magda Chelly: It’s a legal entity that is outside yours. And if they’re communicating with you or integrating with you, even worse, then, there is a risk associated with that collaboration that goes beyond just the traditional risk management or risk assessment perspective.

[00:16:41] David Puner: So then from a supply chain standpoint, what can organizations do to protect themselves, if we’re talking in generalities, because obviously you’re talking to all sorts of different organizations?

[00:16:55] Magda Chelly: Well, I think the first point is really to understand the scope. Because like I mentioned to you, even customers can represent a third-party. But, of course, you cannot, as an organization, allow yourself to perform everything. You have a limit in budget. You have a limit in time resources. So you need to first define your scope.

[00:17:19] Magda Chelly: What is the ecosystem that you’re operating with? And that’s an extremely important aspect. So, one of the very common questions that I actually run with my clients is, “What is exactly a third-party for you?” Before even going into assessment, before even going into classification, into tiering or monitoring or whatever you want that is part of third-party risk management, “Who really do you actually care about, and who is important for your business?”

[00:17:53] Magda Chelly: And that changes the conversation because it allows to scope it. And I give you a very practical example. For some financial institutions, especially in the FinTech, what is very important for them is not only vendors, they are the partners. Partners can be banks. Banks that are actually allowing them to integrate and perform some transactions.

[00:18:16] Magda Chelly: So, it’s a very different scope of assessment and monitoring. Now, if you go to a traditional business, they might only focus first on the vendors and suppliers. That are specifically providing, for example, digital services. They’re not looking at other providers like, you know, selling chairs or selling physical assets, because just a limit in bandwidth, resources and perhaps budgets.

[00:18:43] Magda Chelly: So again, I think if I go or take a step back, this is a very, very important first question that companies need to ask themselves and have an answer and then understand as well who could be involved in this third- party risk management and how can it be part of the wider risk management that is in place within the company.

[00:19:08] David Puner: So, when you go through that third-party discovery process, are there any common surprises when you start to do this discovery process with customers? Do they say, “Oh, oh yeah, that’s a third-party. We never thought of it that way.”

[00:19:23] Magda Chelly: Honestly, yes, very often, especially in our industry. Surprisingly, when I talk about third-party risk management to cybersecurity professionals, the first thing that they tell me is, “Oh, we have these IT tools.”

[00:19:38] Magda Chelly: And they only talk about IT tools. What about the accounting tool? What about the HR tool? What about the marketing tool? All those are digital tools and most of them nowadays are actually cloud-based platforms. And they somehow, in less mature organizations, perceive the third-party risk management only focusing on that scope, and they forget everyone else – and forget all the other departments that are really important in a company.

[00:20:11] David Puner: How do employees’ individual cyber practices help or hurt their organizations’ overall cybersecurity and what are some common instances that you see there?

[00:20:23] Magda Chelly: I think one point, you know, that I have seen very often is – and again, as I mentioned, I will take a step back around the third-party risk management and how it, often is not integrated into the enterprise risk management, but it’s done separately.

[00:20:38] Magda Chelly: And I think that aspect creates a lack of awareness or understanding as well. That it’s not an activity that should be siloed. It is an activity that should be part of understanding the risk of the company. And of course, that means that the decision-makers would be able to give, for example, approvals or not, or recommendations, depending on what they feel like around their risk appetite about the vendors, about the tools that they’re using, etcetera.

[00:21:11] Magda Chelly: And this is very subjective from what I have seen. I don’t have very clear data about it, how many people understand it, how many take the right decision. But today, if we go into an enterprise-level setup, often we see that there is a budget approval, but there is no process about risk appetite approval.

[00:21:31] Magda Chelly: You have an employee and they tell you, “Yeah, it’s okay. I’m going to use this tool. It doesn’t matter if you tell me that I don’t recommend it. I will use it anyway, it’s a business decision.” How can you take a business decision that might eventually lead to half a million of losses, if you don’t have even the budget of 10,000? You see the analogy that I’m making?

[00:21:55] David Puner: Yeah, for sure.

[00:21:55] Magda Chelly: And I think this is a very common issue that happens in companies and it’s something that happens very, very often.

[00:22:05] David Puner: That’s really interesting. And I’m sure very eye-opening for those customers or clients that you’re speaking with. When they start to realize the scope of all this, do they feel calmer about things, or do they take sort of a spike of the opposite of being, sort of, I guess, anxious about all of it before they can get calmer?

[00:22:25] Magda Chelly: When you think that you’re doing something, right –like for example, you have a list of companies and then you have a grading – and then you understand that actually third-party risk management is a much wider activity. Then you’re like, “But why I’m not doing this? I don’t have tiering, I don’t have a scope, I don’t understand how my vendors are doing.

[00:22:46] Magda Chelly: I’m not reassessing them, I’m not monitoring them.” So, many issues come into the picture and, of course, it’s always, who’s gonna do that, that’s a lot of work. And, you know, it’s basically feeling overwhelmed. Worried comes as a second step, I think, in my view – or second feeling. And the reason is being, in my view, mainly because of a lack of understanding of consequences.

[00:23:13] Magda Chelly: So, there’s so much information. There’s already a focus on cyber risk internally – for the company, from within the company. And, now we are talking about external as well – exposures and potential risk coming from vendors and suppliers. It’s like, okay, it’s later, it’s for later. We need first to actually try and address the priorities.

[00:23:35] Magda Chelly: And of course, it’s always about prioritization. But when you work with a critical vendor. And you depend in terms of operations from that vendor or suppliers, that becomes a very big priority for you. You cannot just say no, third-party risk management will be a later thought.

[00:23:56] David Puner: You recently wrote a book called, “Building a Cyber Resilient Business,” which is billed as a cyber handbook for executives and boards.

[00:24:03] David Puner: How did the book come about? How does prioritization figure into it? And then how do you typically communicate the importance of cybersecurity to non-technical stakeholders within an organization?

[00:24:17] Magda Chelly: The book writing was a fantastic journey. It took so much time, David. It was actually several years. It wasn’t even just a few months.

[00:24:26] Magda Chelly: It’s really a lot of work.

[00:24:28] David Puner: I’m sure. You’re working 22 hours a day. Where are you finding the time to write a book?

[00:24:32] Magda Chelly: Well, that’s why it took so long because honestly, it was so exhausting. But it was really interesting. Why? Because, not only I took my knowledge, my experience, but I had as well co-authors and that helped to actually get their knowledge as well.

[00:24:50] Magda Chelly: And furthermore, we needed to do a research that was really an in-depth research to understand the perspectives of people who are not in cybersecurity at all. And I think the whole objective of that book is exactly that. To get out of our comfort zone, the cybersecurity view, the cybersecurity understanding and see, what are others actually worried about.

[00:25:16] Magda Chelly: Why would someone working as a COO, as a CTO, as a CIO be interested into fixing our problems when we go and tell them, “Hey, you need to fix cybersecurity.” Maybe they have other priorities that are very important for them. So how can we, in terms of cybersecurity professionals, fit those priorities to align with theirs?

[00:25:43] Magda Chelly: And the whole book is about that, but with very practical examples. Not only practical examples, but as well tips on how to do it, how to understand those people who are stakeholders, decision-makers, what can we do to facilitate the discussions, where things go wrong and we go even far, like examples of cyber risk quantification for the CISOs and how that can support, for example, getting budget. Like if you go to a CFO and you tell them, “Hey, I need 1 million more.”

[00:26:16] Magda Chelly: At the end of the day, it’s a cost for a CFO. So we need to understand how do we approach that. And there are some really, again, funny but really interesting examples of how to start the conversation, how to help and support the requests. And, of course, how to win the support and the – I would say it’s not only about getting that money –

[00:26:39] Magda Chelly: it’s also about getting people to support your initiatives, to agree with you on certain aspects that you’re doing. If you go and you can run a cyber awareness program, you will need the support of everyone within the organization that has a decision. So, it becomes effective. So, the book is very rich and enabling all those aspects and bringing, as I mentioned, practical examples, some real data, finding some thoughts from people working in different positions as well.

[00:27:10] Magda Chelly: So, it’s not like, you know, it’s all coming from our imaginations. It’s actually something that is real. And it’s honestly, if I look at it from, like now, it’s nothing that exists really like today. What do I mean by that? If you go in organization, you will never find that level of maturity where cybersecurity is integrated in every single process within the company.

[00:27:41] Magda Chelly: I have never seen – even big, very big banks – they are aiming that, but it’s not to that extent. And we have tried to bring the details in really, like if you are a recruiter or a CHRO, how does that fit into that [00:28:00] roadmap of that person? CIO, how does that fit and what are the benefits of cybersecurity for that person?

[00:28:08] Magda Chelly: Because that’s exactly the secret.

[00:28:10] David Puner: Right. It’s both organizational buy-in and organizational understanding at every level from every different role and perspective in these large enterprise organizations. Shifting over then to entrepreneurs and that kind of approach, what should aspiring entrepreneurs be thinking about cybersecurity as they start their businesses and how important is it to their ultimate success?

[00:28:37] Magda Chelly: I think there are two aspects here that I would like to touch on. First is, in general, the startup founder was not in cybersecurity, building some tech and believing that the cybersecurity is an afterthought. Because of course of a cost, because they have resources that are limited. I will go into that journey, I tell you, “Okay, believe it that it’s like that, wait and then try to hire.”

[00:29:08] Magda Chelly: The first thing that will happen is that as a founder of a startup, you will not be able to win very big contracts. And you will not be able to penetrate new markets. Why? Because big companies today require even the smallest of the startups to go through an expanded and usually really heavy cybersecurity assessment.

[00:29:36] Magda Chelly: They will not onboard a technical tool without having minimum security in place. And I say, a minimum – usually, again, depends on the risk appetite – some will completely deny, some will give you some leeway, some will tell you, “Let’s onboard together and have a plan to fix your gaps. But, as a founder, if you want today to ensure the growth of your business, you need to integrate cybersecurity from the beginning.

[00:30:05] Magda Chelly: You need to understand that as part of the decision making and due diligence that enterprises do too on board. If it’s a consumer tool, then numbers speak by themselves. 60 percent of consumers say that if they find out that the tools that they’re using is not protecting their data, they will go away.

[00:30:26] Magda Chelly: So, it’s very clear. And the privacy laws today, as well, do not make it easier.

[00:30:32] David Puner: Do you feel like from your perch that executives generally think of cybersecurity as a business enabler these days, or are they still coming around to that?

[00:30:43] Magda Chelly: We cannot say that around the world people reached a maturity where they understand how much technology is impacting their lives and how much it actually impacts their security, in general.

[00:30:56] Magda Chelly: So, from an individual point of view, but as well as a [00:31:00] professional working in a company. For example, they don’t realize how much disruption it can create when there is a cyberattack. So, there is this kind of scenarios that I think they help them understand, but also we don’t have enough of those examples.

[00:31:18] Magda Chelly: Usually we say, Oh, cyberattack on a company, there’s a big headlines and that’s it. But we don’t actually talk about real scenarios, stories that are understandable by people that are not working in cybersecurity basically.

[00:31:37] David Puner: Do you think that C-suite priorities have changed in 2023, when it comes to cybersecurity and regardless how do you think they’ll shift in 2024?

[00:31:47] Magda Chelly: What I see currently, of course there is an increase in consideration. And I mean consideration, or I use the term, because a lot of times it’s not full belief in the added value. But based on obligation – obligations can be driven by regulatory requirements. And this is something that we see around the world.

[00:32:11] Magda Chelly: New laws come into place requiring companies not only to comply with privacy acts or privacy laws that have very strong security requirements. And we are seeing, for example, a new one in Europe as well that is coming, that is DORA and goes really far even in the third-party risk management. But in general, in Asia, where it’s a very immature region in general, we see new regulations every year coming up.

[00:32:41] Magda Chelly: And that is a driver for companies and business owners to actually comply or do something about cybersecurity. And while it’s debatable, is it good or not? Well, if we don’t have that, nothing can change for years and years and years to come. You have a data breach, you have a cyberattack, you close doors, but you don’t change your mindset.

[00:33:03] Magda Chelly: So, we need something to force those entrepreneurs, business owners and stakeholders to actually perform some minimum fundamental security controls to protect the data, protect their businesses and keep the business sustainable.

[00:33:19] David Puner: Not long ago, you were on an AI panel in Singapore alongside CyberArk Labs’ Andy Thompson, who has been on this podcast a few times and is a friend of the show.

[00:33:30] David Puner: How do you see the role of artificial intelligence and machine learning, really for that matter, playing a role in cybersecurity from both defensive and offensive standpoints?

[00:33:41] Magda Chelly: Very interesting question, right? A very trendy question already that exists and many have given their opinions about it. Now, I want to address it from a different perspective, which is actually the fact that today we cannot ignore this technology.

[00:33:59] Magda Chelly: As cybersecurity professionals, we cannot as well limit the usage of this technology. So, when you are working in a company and you decide to write or define policies where you don’t allow users to take advantage of a technology that facilitates their work that makes them more productive, you will lose.

[00:34:24] Magda Chelly: And that actually comes to something called usability, as well as aligning with the business objective and understanding the employees. So, when you decide, on how you’re gonna protect the company while adopting new technologies. That’s where you need to consider that and come from a very pragmatic approach.

[00:34:45] Magda Chelly: Because otherwise, employees will always find a way anyway to use this new technology, especially if it’s so amazingly helping them to achieve, you know, let’s say, hours of work in 30 minutes. I mean, I’ve seen that, right? But if it comes to cybersecurity on the same way like this technology allows to improve the productivity of many other areas in business, we’re talking about marketing, we’re talking about content, we’re talking about financials, prediction – whatever domain we want to address, there are use cases. For the usage of AI and machine learning that helps us to improve, the same applies for cybersecurity.

[00:35:29] Magda Chelly: Now, of course, that means that the same challenges come into place. Privacy, but also accuracy of the output as well as the input. So, input and output then, basically. In the early stage of AI, I had these companies with a very low maturity level asking me, do you have any AI tool that we can implement? I’m like, it’s not a magical tool.

[00:35:53] Magda Chelly: It’s not a tool that, hey, we’ll do this and all your problems are fixed. It’s part of your strategy and you need to choose the right tool with the right dataset that allow you to get the right resultswith a human touch that ensures that the results are actually improved over time. So again, will that be still used?

[00:36:16] Magda Chelly: Is that something that we need to focus on? Absolutely, yes, this is undeniable. How? It really depends on the priorities of the company. This technology has been embedded in a lot of tools. I cannot say most, but a lot. Today, I believe from a business perspective – forget about cybersecurity – from a business perspective, if you don’t adopt AI, you’re behind.
David Puner: Right.

[00:36:40] Magda Chelly: So, if I am a CEO, if I’m a founder, AI is part of my strategy and my growth. And that means, that as a security professional, I need to consider that as well to protect my company, my business, my stakeholders from these new tools. But, as well, to use this new technology to protect and embed into my cybersecurity tools.

[00:37:04] Magda Chelly: So, it’s not a yes or no answer. It actually just requires maturity requires understanding how it works. What are the challenges? What are the advantages? And taking an informed decision. So yeah, it’s fascinating, honestly. I’m still learning every day about it.

[00:37:24] David Puner: So many nuances and it’s changing so fast.

[00:37:27] David Puner: What are some of the top cybersecurity topics you’re thinking about going into 2024?

[00:37:34] Magda Chelly: I think just coming back on a perspective of 2023 and what we have seen, we have seen a very big hype – and I want to use the word hype about artificial intelligence, because every time there’s a new technology, everyone talks about it.

[00:37:48] Magda Chelly: We have seen that in the blockchain, now as AI –and I’m going to bring another word that is going to be, in my view, a hype is, of course, quantum computing. Now, I’m not saying that because I believe it’s a hype, but because I realized two things … One, that a lot of people think that it’s very far away from being a reality, which I disagree with.

[00:38:12] Magda Chelly: And second is that it’s actually forecasted to be commercialized much quicker than we imagined. And that will definitely change the situation. Now, the commercialization of such a technology won’t happen, of course, within one or two years, but we need to understand that it might happen within a decade.

[00:38:37] Magda Chelly: So, if we look at a very big enterprises preparing itself to such a change, won’t take one month or a few months – it might take five years even. So there is a really important awareness and maturity that needs to start around that. Maybe one day we wake up and we understand and realize that we can use already computers available to buy online, for example, and we haven’t considered that before. So, I think it’s, it’s really important.

[00:39:07] David Puner: And so, when you’re thinking about quantum computing and how commercialization of it, that’s to come, how much of that, when you’re thinking about it involves decryption and encryption and that sort of thing? What are your top considerations?

[00:39:23] Magda Chelly: A lot, of course. First of all, I actually think that we could compare the day that everything would be available to the year 2000. When, you know, nothing worked, we didn’t consider that change.

[00:39:36] Magda Chelly: I think there was a lot, a lot of issues and challenges. And I have seen already, especially financial institutions preparing. And preparing because there’ll be a very big part of the encryption strategies, tools, of course algorithms, that will need to be protected. And there are ways available in the market today that we call actually as well, post-quantum, pre-quantum, it depends on where and how do you want to install their hardware, actually, that I have seen – that help companies to have a strategy.

[00:40:12] Magda Chelly: So, you want, like imagine you are a big enterprise and tomorrow all the encryption that you have in place doesn’t work. I’m going into an exaggeration into something that, you know, just to explain how that will look. You can’t change that immediately. You can’t just say, “Okay, guys, we’re not going to use AES-256 tomorrow.

[00:40:35] Magda Chelly: We’re going to change everything.” It doesn’t work like that, right? So, it needs a strategy that is thought of and it needs as well to understand and prepare towards a maturity or a world where certain companies, certain countries,will have capabilities that are much stronger than others. And that will actually create a very big divide where, you know, there might be other threats that come into place and situations that will be really challenging for companies.

[00:41:09] David Puner: Are there any other big topics that you’re thinking about now in the top of 2024 that you think are going to resonate throughout the year and beyond?

[00:41:15] Magda Chelly: I definitely think ecosystem risk management. So not talking only about enterprise risk management or vendor supplier risk management. It’s about ecosystem risk management.

[00:41:28] Magda Chelly: We are talking about an interconnected world. There’s no companies that are able today to work in silos. They work with other companies and that creates an ecosystem with a shared responsibility. And I use the word shared specifically, where everyone has a role to play. And the moment that companies understand that, then there will be a better overall protection, better level of understanding of risk as well and a better balance between responsibilities.

[00:42:02] Magda Chelly: So, it’s not like one company does a lot of things, implements many tools, many solutions, and the other one doesn’t have anything. In my view, the focus would be to have a more balanced approach where we try to take up the maturity of the ecosystem that we are collaborating with, rather than looking at company by company.

[00:42:27] David Puner: What about identity should every organization be thinking about or focusing on in 2024?

[00:42:34] Magda Chelly: I think this is a very good and important question because, at the end of the day, if you’re not able to control and protect the identities that you’re managing, you can’t protect your organization. What I see nowadays around the world is that there is a lack of visibility and control.

[00:42:52] Magda Chelly: So, the lack of visibility doesn’t allow you to control, and the lack of control doesn’t allow you to react whenever something happens. Even though the maturity of companies improved, even though we are seeing new legislations – coming back to fundamentals, where how do we access the digital assets, how do we access what is valuable for us as an organization, is still very often lacking that security and lacking that control.

[00:43:21] Magda Chelly: So, I would say, managing your identities, not only with visibility, but as well control, is a very important part that especially we, the decentralized, environment where employees nowadays are working from anywhere and companies are focusing on hiring worldwide, should be and should continue being a priority for companies.

[00:43:47] David Puner: Dr. Magda Chelly, thank you so much for coming onto Trust Issues. Really appreciate it. This has been great.

[00:43:53] Magda Chelly: Thank you very much, David, for having me. It is my pleasure, and I really enjoyed this discussion.

[00:44:10] David Puner: Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And, don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. And, let’s see … oh, yeah – drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it are like comments: our email address is [email protected]. See you next time.