10/03/2022
‘CRACKS of technology’ is a weekly series of interviews, through which we want to give voice to those IT professionals who are absolute geniuses of technology in Spain. We want to hear from them, to know and recognize the work they do in these companies; to know what they are passionate about and what advice they have for those who will come after them.
Spain has some of the best cybersecurity professionals on the planet. It is one of those professions that generate an impact on the world we live in, and one of the most demanded at the moment by companies. Its main function: to ensure the protection of information, putting its knowledge and time at the service of a secure Internet.
Among the organizations that ensure the online security of some of the major brands and companies with which we interact every day, KPMG stands out. In 2010, this ‘Big Four’ firm incorporated a then very young expert, Javier Aznar. He is currently a partner of the firm, in charge of a specific team dedicated to mitigating the cyber-technological risk of its clients, from a 360-degree perspective. His obsession, as he explains in this interview, is to avoid, identify and counteract the moves of the bad guys. Here’s how cybersecurity watchdogs are fighting the battle against digital crime.
Javier Aznar García, cybersecurity and technology risk partner at KPMG.
Q.- Is a cybersecurity professional born or made?
A.- In the past, you had to be born for it, or at least have a certain inclination or interest in cyber issues. Now there are specific cybersecurity degrees! I started my degree in 2001, the plan was from 1997 and, of course, we weren’t taught anything about cybersecurity. There was a lot of programming and a lot of systems and network maintenance, because those were the natural outlets for computer scientists. As they did not attract my attention, when I finished my studies I started to work in cyber issues, I was lucky that my boss paid for a master’s degree…, and I still do today.
It is a pleasure to go to forums or to the faculty and see that now the graduates are much better prepared than we were. However, I still believe that the bulk of cybersecurity knowledge is acquired after studies, with experience. And the best ones always have two qualities in common: they are proactive people and they love cybersecurity.
Q.- They love it and they are good at it, in every sense of the word. We already know that the word hacker is sometimes associated with cybercrime, although fortunately that is changing…
A.- A hacker is not a criminal, although in many headlines they are sometimes used as synonyms. In fact, Spain is not an emitter of viruses or malware, but quite the opposite. The reality is that we have very good people in our team, who also dedicate their free time to look for any kind of exploit or vulnerability, altruistically or in response to a challenge launched by a company.
Fortunately, as you say, the pedagogy is bearing fruit and the figure of the hacker is increasingly valued in Spanish society. It is a didactic work that we have to continue so that our work is known and recognized. Paradoxically, the better the cybersecurity, the less we hear about it.
“Paradoxically, the better cybersecurity gets, the less we hear about it.”
Q.- Do you think that cybersecurity is sufficiently known and recognized in companies, outside the technology sector itself?
A.- Awareness of the importance of cybersecurity has skyrocketed in recent years. According to our studies it has been in the ‘top 5’ concerns of CEOs since 2016, having climbed to the top spot since 2019.
Today, cybersecurity is an issue that is being addressed by the boards of directors of large companies and is of concern to managers of all business units, because they are already aware that a cyberattack or a breach of privacy can be very costly. KPMG’s evolution in cyber is a clear proof of this change: in 2010 there were only 3 people in the company dedicated to cybersecurity consulting. Today we are 150.
Q.- What does cybersecurity consulting, such as the one you offer at KPMG, consist of?
A.- In short, the idea is to help clients understand their current level of maturity and, from there, to accompany and advise them in order to improve their robustness.
On many occasions, our work involves making very specific knowledge available to clients that they may not have within their organization. Other times, we help IT or Technology teams to structure and defend a cybersecurity plan to the company’s senior management. And, in general, we observe that large Spanish companies are already demanding a preventive – and not only reactive – approach to cybersecurity, and we help them to put it into practice.
The truth is that a company’s ability to respond to an unexpected phishing or ransomware attack, for example, will depend a lot on having previously carried out a good analysis of its processes, its assets and its risk points. It will be of little use to invest millions of dollars in security technologies, from every conceivable vendor, if it is not planned.
“A multi-million dollar investment in security technologies will be of little use if it is not planned”.
Q.- But a preventive strategy requires investments whose ROI can be uncertain, and the economic context does not support this… How can you justify an increase in investment in cybersecurity?
A.- Everything, or almost everything, can be measured. It is easy to stipulate the cost of shutting down a power plant or a ticketing platform for 24 hours. It is more difficult to calculate, for example, the reputational cost of violating privacy laws in the processing of customer data, but in any case we can estimate the impact that each of the possible scenarios would have on OPEX and CAPEX. Quantifying the risk can be very useful in convincing the steering committee…
Here too, however, the maturity of the companies has greatly improved. I always say that every euro spent on prevention is equivalent to five euros in response. In other words, the cost of a preventive strategy will always be much lower than the cost of patching…, and it must be assumed that the probability of suffering a cyber-attack or loss of information is already 100%.
“Every euro spent on prevention is equivalent to five euros in response. We have to assume that the probability of suffering a cyberattack or a loss of information is already 100%.”
Q.- Do you perceive differences between the degree of cyber maturity of large companies in Spain and in other countries?
A.- No. Large companies in Spain have cybersecurity projects that are perfectly comparable to those of their international competitors. In addition, I think it is fair to highlight the technical quality of the cybersecurity specialists we have in our country.
Generally speaking, the level of digital maturity of organizations has more to do with size than with country of origin. The smaller a company is, generally, the more reluctant it is to invest in cybersecurity consulting and prevention.
Q.- What is the value of being part of a global services firm when it comes to designing preventive cybersecurity plans?
A.- From my point of view, it brings a lot of value. On the one hand, the firm provides you with the means to continue training and to expand the team as the market demands it. And, above all, being part of a group such as KPMG gives you a more complete picture of customers’ cybersecurity needs, because we work with specialists in the different businesses and processes.
In practice, for example in the projects we do to strengthen the security of a client’s supply chain, we do not limit ourselves to helping them protect their systems, information privacy or business continuity, but we also address compliance issues. Similarly, we strive to ensure that cybersecurity and physical security are not two separate worlds, but are treated in a convergent manner, and thus avoid any cracks between the two.
Q.- Lately we have been hearing a lot about the ‘zero trust’ approach, which is closely related to everything we are talking about. What does it consist of and how do you apply it at KPMG?
A.- Basically, ‘zero trust’ urges us to rethink how cybersecurity is articulated, because the technological perimeter of companies has grown a lot. In fact, there is often no such thing as a delimited perimeter anymore. Many of us access business applications from personal devices, we work from different locations, we connect with people outside the organization…
The ‘zero trust’ approach consists of assessing whether it makes sense to put the focus of cybersecurity on data, applications, devices or users. In some cases, we will choose to set up a model in which, depending on access permissions, authentication or the location of the device, some controls or others are imposed.
At KPMG, we encourage clients to analyze where they are, how much it would cost them to transition to a zero trust model and how effective their current model is. The mere fact of analyzing, questioning and, if necessary, updating the models implemented from time to time is always positive.
Q.- And to complicate everything a little more, now comes the Internet of Things!
A.- (laughs) It reminds me of when we were in school and they would give you a sheet of paper with a drawing of the human body, and then they would give you transparencies with the organs, the bones, the veins… As you added layers, the lesson became more and more complicated. Something similar happens here, because as time goes by, the technological infrastructure of companies becomes more and more complex. That is why it is so important to never lose sight of the planning that gives meaning to all the cyber projects hanging from it.
In this context, for the last year and a half to two years, many customers have been asking us for specific cybersecurity audits for entire environments, such as a manufacturing plant, a refinery or certain automated systems. Especially in critical infrastructures and the automotive sector, due to regulatory impositions. This is yet another example of how, increasingly, a 360º vision of security is being sought.
“Many customers are asking us for specific cybersecurity audits for environments such as a manufacturing plant. One more example of how we are moving toward a 360-degree view of security.”
Q.- Regulatory requirements that are going to increase?
A.- Europe is getting its act together and, indeed, new legislation is coming in related to cybersecurity, for example, in artificial intelligence environments, automotive manufacturing, non-personal data, soon in 5G networks and equipment, product certification requirements, and so on. Not surprisingly, in my team at KPMG we have quite a few jurists.
Personally, these changes encourage me because they force me to be always moving and studying to keep up to date. And, of course, being surrounded by experts capable of analyzing and interpreting legal texts gives me great confidence.
Q.- However, despite all these audits and investments in technology, some workers continue to fall into carelessness or traps such as phishing. What can be done to better protect this link?
A.- Awareness, and this is achieved through training. We have to invest in training employees and in different types of campaigns. Those that incorporate gamification elements tend to work very well. Also, controlled phishing campaigns, where it is the company itself that launches the ‘trap’ emails to help raise awareness among employees who fall for them.
Q.- And do many fall?
A.- Many more than anyone would like to admit, and at all hierarchical levels!