Workday Podcast: Cybersecurity: An Inside View with Andreas Tomek of KPMG

Although the threat of cyber crime never goes away, an increase in the number of high-profile attacks has elevated the subject back into the mainstream media. What are the latest threats, and where are they coming from? In this podcast, I sat down with Andreas Tomek, Advisory Partner at KPMG to talk about these risks and where businesses are on their journey to fight back against these challenges. Take a listen:

   Listen on SoundCloud: Cybersecurity: An Inside View With Andreas Tomek of KPMG

   Listen on Apple PodcastsCybersecurity: An Inside View With Andreas Tomek of KPMG

If you’re more of a reader, below you’ll find the transcript of our conversation, edited for clarity. You can find our other Workday Podcasts here.

Greg Thomas: Malware, spearfishing, zombie computers mining cryptocurrency. Cybersecurity continues to be a top-of-the-line issue for companies and for CIOs. With more sophisticated attackers, including state-sponsored hacking, what’s the right strategy to minimize risk? The answer, it turns out, lies in a combination of technology and practices. I’m Greg Thomas from Workday. Today on the Workday Podcast we’ll talk more about cybersecurity, and with us to unpack all of that is Andreas Tomek, Advisory Partner at KPMG here in Vienna. Thank you for joining us.

Andreas Tomek: Thanks for having me.

Thomas: So, maybe before we dive into cybersecurity proper, can you give us a brief background on you and how you came to advise folks on this topic?

Tomek: Basically, I’ve been doing that for the last 15 years. I’ve always been interested in information security and systems. I’m from the original hacker school, where you want to dive in and see how systems work, and basically to make and break it. While studying at the University in Vienna we tried to establish some form of security education. This is the first time I came in contact with KPMG by doing and talking about standards, regulations, and things like that. I spent some years with KPMG back in 2004 to 2006, working as an IT auditor doing security. During the time I was doing pen testing, security testing, things like that.

Then I continued by building up a research center in that area and growing that team to over 100 people. Since 2016, I’ve been back with KPMG as a partner of the team here in Vienna. Security is one of our strategic initiatives. Locally we have a team of about 35 people and globally we are over 3,000, being one of the groups that is growing quite heavily. It’s quite a ride and always very interesting.

Thomas: You really came at it almost from the perspective of having done it?

Tomek: Yeah.

Thomas: You were having fun hacking, and it was a good place to be?

Tomek: It was a good place to be, yeah.

Thomas: Wonderful. Let’s start at a high level. For CIOs, what are their main concerns today around cybersecurity? There are, of course, a lot of things going on, but what do you think is really keeping them awake at night?

Tomek: What’s now in the public interest and always an interest of the CIO is that security has been shifting over the last few years. The main idea here is that you can’t protect against every threat there is. There will be a time when you get hacked, when you have an incident.

To be honest, that has been the case for a long time, but a lot of people didn’t realize it. Now security is shifting from very proactive to more reactive, being able to find your incidents, to limit the damage, to control the damage, and get back to normal. That has been a tremendous shift at the moment.

Thomas: So perhaps it’s less about preventing attacks and more about minimizing damage, minimizing the impact?

Tomek: Then also less about security, more about resilience, being able to come back up to speed. With that comes a lot of change, also in the technology. Being able to do things in the cloud enables you to be resilient, for example. It also has new security requirements. The other thing is that the more you digitalize your core business, the more that data becomes an asset, and everything gets connected. Security is part of all of it. That is one of the major shifts that we’re seeing. You have to have a holistic view of all of that.

It’s technology, processes, people all intertwined. Now also comes the regulatory and legal stuff with privacy and GDPR. It’s a very diverse field that has connectors in all the different areas of your business. That’s the main obstacle, I think. There’s also a real change in what you expect of a security professional. In the old days, it was the very tech-savvy people. Now you need a lot more management skills.

Thomas: We’re here at Workday Rising Europe in Vienna, and I’m curious—when you talk to your clients, the ones that are here in Austria, ones that are in Europe, ones that are global, do you see a difference in what they’re most concerned about or how they’re thinking about cybersecurity?

Tomek: Yeah, what we are seeing locally is that things that happened in the U.S. and Germany with larger corporations, that this kind of security obstacle and also measures that are now trickling down to smaller companies. They also realize there is a risk and that they need to do something about it. A lot of companies on the local level are now starting to think about security in a strategic manner—to have awareness at the top level, at the C-levels, being on the CEO’s agenda, even, and doing something about all kinds of information security.

Also in comparison between the U.S. and Europe, they have a very different approach on how to try to tackle security. In the U.S., it’s much more feature and technology driven whereas in Europe, it’s much more process and people driven, normally.

Thomas: What do you attribute those differences to?

Tomek: Maybe budget. First you want to have people, then maybe also you want to have solutions. Especially with our larger clients we see that they are now also investing first in people, then in solutions. Whereas in the U.S. they are more feature heavy all the way, with larger corporations being used to purchase a lot of solutions and using them from day to day.

I think also Europeans stick more to technology they first buy. They do not shift that easily. Then we see a lot of differences in how issues like privacy are tackled. They’d rather go for local provider, local solution, on-premise solution, whereas the U.S. is very open about the cloud and using different solutions from time to time and shifting over. Both of these ways have very different requirements in terms of security. Things that we’ve seen in the U.S., like third-party risk management, are only now coming to Europe and getting more important.

Thomas: You spoke of those different kinds of approaches in Europe versus the United States, for example. One of the things that I’ve heard others talk about is that the threat landscape is changing a lot and has been changing a lot—that there’s still a lot of automated attacks happening but more and more it’s spearfishing. It’s social engineering. It’s treating a company’s employees, perhaps, as that entry point into compromising their systems. How does it look from your perspective? And if it is about more social engineering type of attacks, what’s the best defense or the best way to be resilient against those things?

Tomek: We see a lot of social engineering attacks and intertwined attacks where people are using, on the one hand, social skills and then also the technology that enables them to get a foothold, and from that foothold, then expand and stay as well into the company. If you look at all the research, you see that basically once you are in a network you stay in the network for quite a long time—most probably undetected.

Therefore, you need to find the first way in. People are always one of the weakest links, just because of sheer mass. If you have a workforce of 50,000 people, the chance that you can find 10 that will respond to a kind of attack is quite easy.

I think what we really need to do is educate people about the different angles that attackers are using, and enable the technology to detect that something is happening. This is obviously a very big contradiction to how privacy is typically done in a corporation because if you’re monitoring employees—what they are doing and how they are doing it—then this is typically always a point of great discussion.

Education is key in that area, but on the other hand, there are so many new angles, so many new attacks that I think most of the employees don’t stand a chance of finding all of them. That’s the main problem that we are facing. As an attacker you just need to find one weak link; as the defender, you need to defend all your bases. That has always been the problem, and it gets worse and worse as more technology is applied and with more people being there.

Thomas: You spoke earlier about the posture of moving away from pure defense to being resilient to attacks. Talk a little bit more about that. What does resilience mean in the context of cybersecurity and how do you minimize risk, minimize exposure, and minimize damage?

Tomek: What we have seen in the old days of IT and security has been that confidentiality was the key issue. If you talked about security, it was always about secret information, corporate secrets, things like that. What we are now seeing is that this is shifting, not really away, but now in addition to confidentiality, integrity, and availability is becoming more of an issue.

People need to get their mind right about these new scenarios that they are now facing. This becomes more dominant. There’s more technology being used in areas where we previously didn’t have computers making decisions or controlling life, controlling safety. The more you use computers for that—and everything is a computer nowadays, be it your car, your industry systems, CAD systems, home device, whatever it is—the more you have the same rules applying to all this kind of stuff. But still, the same unsecure principles are there—because the internet wasn’t designed for security. Computers, therefore, are not really normally assigned for security firsthand.

Thomas: Are there any good examples of things you’ve seen over the last year that illustrate some of these threats without giving away someone’s secret?

Tomek: A lot of work has been done with our major clients where they try to build up their capabilities. Just a few examples: one of the areas in which we are doing a lot of work is banking and finance. These have been used for security for a very long time. But it now also has changed for them, with a more flexible, more attractive, and with a better user experience.

They’re facing quite a lot of different requirements and are shifting their security model to be much more agile, much more reactive.

By doing that they are investing heavily in user education; in getting directly into projects to be part of development, part of the requirement space already—by also placing data privacy as one of the top priorities. And then also having capabilities like finding security problems on their own. So they established threat hunting teams to try to hack the bank from inside to find information that shouldn’t be there. They now are required to do regular penetration testing from the outside, and also find information that has leaked somewhere.

Thomas: You talked a little bit earlier about talent and skills. How is what companies need in terms of their cybersecurity teams changing? And even in terms of the talent itself, people coming into the field. Are there different skills that they need? You mentioned management experience earlier, for example. How is the world of talent evolving?

Tomek: There’s always been two analysts who look at information security. So you have on the one hand the very technical side that comes from being tech savvy and trying to break systems—the original hack mind-set. Then you have the more risk-oriented approach that typically did a lot of management work, did a lot of policy work and things like that.

What you see now is that those two are coming together. Then you try to have effective security, but communicate it in a way that people can understand.

Thomas: There’s a principle—I forget what it’s called—but it’s the notion of security by design, of building security into processes and the way that things are built from the beginning. How is that—or even is that—changing the kind of talent that people are looking for, or the way that teams are operating to ensure that security is not an afterthought as it maybe was many years ago?

Tomek: I think that the more mature organizations are already understanding that it is needed. So on the one hand, you have technical people to try to evolve. And some of the examples that I’ve seen, basically former security testers being now part of this kind of team, are providing a tremendous possibility and opportunity there. Because they are really understanding what the real threats are and they can test it right away. They are just in the middle there. So, technical skills are very much basically needed, required. But only in combination with this business need and mind-set. IT shouldn’t be there for itself. It’s there to fulfill business needs and, therefore, also security.

Thomas: Are there any technologies that you’re watching that you think might really change the cybersecurity landscape, artificial intelligence, machine learning, block chain, things of that nature?

Tomek: So, what we’re seeing at the moment is that it’s an arms race. It always has been. And that we have a skills shortage. So what we need is basically the possibility to automate everyday tasks in this field. So the first step would be automation and robotics in this area. Second step would be then AI and being able to apply AI for finding a text and basically also maybe preventing a text or reacting to that certain reaction.

Thomas: Right. And some industries have been doing this for a long time. Fraud detection, anomaly detection, in financial services credit cards.

Tomek: And it’s coming more and more also to the security field. There are a lot of solutions. Basically now everything is big data in AI. But also here you have to find what is really the need. As I said, it’s an arms race. It has been shifting all the time and still is shifting. And you see that with that big security competitions where human teams really try to compete with AI on trying to hack and secure stuff. So, this is an area where we’ll see a lot of development.

The other thing is having new technologies that enable you to do stuff securely. So, blockchain is one of them, and maybe or most likely the most interesting one, although not everything should be solved by blockchain. It can, and will, bring some very new and interesting ideas too, especially how to secure information in distributed ledgers and how to enable everyone to basically prove that a transaction was genuine.

Thomas: The auditability.

Tomek: The auditability is built in, as I said, there are also security implications because everything is on the blockchain. Not every scenario would be an ideal blockchain scenario.

Thomas: Right, and so that need to educate employees around phishing attacks and use things like multi-factor authentication. Those things are not going away.

Tomek: No, those I don’t think will go away, although multi-factor is becoming more convenient. I wouldn’t say more secure, but much more convenient.

Thomas: With apps and the like.

Tomek: So, if I can use a face ID or a fingerprint to authenticate, it’s not much better than a four-digit code, but it’s much more convenient.

Thomas: Takes some friction away.

Tomek: Yeah. I think that’s one of the main opportunities if you have a secure technology that is really usable for people, and people are using it on a day to day basis. It’s marginally better than a password. That’s one thing where you really have a lot of opportunity in the market. We see crazy stuff. Also, combining technology with psychology. So for example, if you’re looking at why people update their phones, which is always a security issue because only if you’re on the latest version of the operating system are you secure, or much more secure. Then if people aren’t doing it because of the security, they are doing it to get new emojis, that’s fine. That may be the big motivation for end users, but still you can use that for security.

I think security people have to be more creative about what really motivates people and use that to bring their goals to an end.

Thomas: In the past, some people have said the cloud is not as secure. I think that’s largely been debunked. What do you see in your practice around the notion of cloud and people’s acceptance and thoughts about security?

Tomek: I think that now, people are really contemplating much more about whether the cloud is more secure or not. As always, they are mixing up security and privacy, so you need to look at both things if you talk about the cloud, especially from a European standpoint. But, I think the amount of security that a cloud provider can do if it is really a large-scale cloud provider. You can’t possibly do the same amount of security as a small to medium enterprise because a cloud provider just might have more specialized technology, people, large workforce, 24/7, whatever it is.

Thomas: It’s an issue of scale.

Tomek: It’s an issue of scale, which doesn’t mean there can’t be errors, but that’s like the same problem with your own operations. On the other hand, you also get new features in new security scenarios, so what we are seeing is that clients who didn’t do the cloud years before and now are doing a lot in the cloud now have a specialized team only thinking about security with cloud-enabled applications. Also, with the delivery model having an always-on approach, you basically can get new versions every day, new features every day—features that might have security implications. You just need to think about if you want to roll out the feature or not. Does it have any security implications? Do you need to train your staff about it? Things like that. There’s actually quite a lot of tasks that you still need to do on a local level, although you’re getting the stuff out of the cloud.

Thomas: Yeah, basic security hygiene still applies.

Tomek: Yeah. And second, not only basic but thinking differently about the scenarios that are now interesting. I don’t need to worry that much more about availability but I need to worry much more, for example, about authentication and identity. I don’t need to worry that much about monitoring and things like that because I get that just out of my logs and my system. I need to worry much more about where people are accessing this kind of stuff, things like that. So, you have different angles that you need to look at. The faster delivery models also are a requirement that not every company can fulfill.

Thomas: People need a strategy.

Tomek: You don’t get the same speed.

Thomas: That’s right.

Tomek: As I said, with this kind of privacy there’s a different story. Also, you can deploy good privacy models, but you have to look into them and you have to think about that. It can’t be the solution that the only good privacy area would be in-house, so that doesn’t scale and basically your scale is off the market. If you don’t use that kind of solution, you’re limiting yourself to half of the technological providers available. Maybe some but not all application security challenges can’t be solved, but most of them should be solved and should be solvable. I think users need to work quite a lot closer with vendors on that kind of issue, and the larger vendors are largely in discussion with their main European clients about that, I think.

But, as I said, both of these things are quite interesting, quite new. I think most of my clients basically don’t have enough employees to really understand all the implications, and that we also have a training issue there. Basically, not enough people are skilled in cloud technology, and this requires a lot of learning, to be honest. We don’t have enough people that have these kind of skill sets because technology, on the one hand, for the market, for business, it’s sexy. Still, in Europe, also in Austria, we don’t have enough women in that kind of profession, although there would be enough space and their skills would be highly appreciated. We’re seeing that diverse teams, the mixed teams, are really better at doing this kind of work, but still, there is not enough skill out there.

Thomas: Andreas, this has been a fascinating conversation. Last question. If someone’s listening and they’re thinking about their own cybersecurity challenges, what advice would you give them? Where should they start or what’s most top of mind for you?

Tomek: I think they should start by getting a clear view of what they really want to protect and what they don’t. You have to think about the kind of data you want to share and the kind you don’t. And then get your security basics right—things like passwords and patching, all this kind of stuff. These things, on a personal level but also on an enterprise level, all are still one of the main obstacles out there. Think about the kind of information that is important to you, the kind of information you want to protect. So, what we’re still seeing in a lot of corporations is that they actually don’t know all their assets. You can’t protect something if you don’t know it exists.

Finally, it’s not like this isn’t a project. It’s something that will be there most likely forever, so just establish the right people, the right processes, to basically be able to grow with the technology. So, security should be part, basically, of every digitalization effort; therefore, from the start, try to get it right and try to build it in and have the capabilities to do so. Build up the right team, build up the right people. And have a strategy.

Thomas: That’s all the time we have for today. I want to thank Andreas Tomek from KPMG for joining us on the Workday Podcast. If you’d like to hear more, please subscribe to our podcast. I’m Greg Thomas from Workday, and thank you for listening.