WE'RE IN!

Andreas Wuchner on Cyber Resiliency in Financial Services

Episode Summary

The financial services industry is among the most sought-after targets for cyberattacks. When malicious actors steal data, it’s often just a means to a cash-rich (or bitcoin) end. Andreas Wuchner, advisor to many security startups and a formative contributor to Switzerland's National Financial Services Information Sharing and Analysis Center, has a thought or two on how to build cyber resiliency in critical banking institutions.

Episode Notes

In the latest episode of WE’RE IN!, Andreas challenges some status quo ideas in the industry, like: Is there really a cybersecurity talent gap? And he gets real about how AI can help unleash more capacity and productivity for security teams if paired with rigorous cyber standards.

----------

Listen to learn more about:

* Translating cyber for the C-suite

* How to achieve cyber resiliency

* Forming a worthwhile customer advisory board

Episode Transcription

[00:00:11] Blake Thompson Heuer: Hello, and welcome to WE’RE IN!, a podcast that gets inside the brightest minds in cybersecurity. I'm your host, Blake Thompson Heuer, and I'm excited to be joined today by cyber and risk expert Andreas Wuchner, who advises an impressive list of cybersecurity startups based in the U.S. and around the world. Andreas was also directly involved in the creation of Switzerland's National Financial Services Information Sharing and Analysis Center, or FS-ISAC, so we'll dig into the particulars of protecting the banking industry from existential cyber risks. But before we hear from Andreas and his thoughts on cyber resiliency, let's listen to a quick message from our sponsor, Synack.

[00:00:53] Narrator: Confusion in the marketplace about which is the best method of security testing is so real. Bug bounty, pen testing, pen testing as a service. What do they all mean? We break it down in our latest playbook, Navigating the Security Testing Landscape, to demonstrate the strategic value of third-party security testing. We cherry-pick the best elements across the security testing market to incorporate into a strategic, comprehensive pen testing solution, the Synack platform. Learn more at synack.com/playbook. That's S Y N A C K.

[00:01:36] Blake Thompson Heuer: Well, thanks so much, Andreas, for joining me on the We're In podcast. I'm really excited to have you on the program.

[00:01:42] Andreas Wuchner: Thanks for having me, Blake. It's a great pleasure.

[00:01:43] Blake Thompson Heuer: So you're known as something of a cyber and risk expert, and as I understand it, you even participated in a committee for the World Economic Forum on creating some principles and tools for boards to actually determine cyber resiliency. Now, this was kind of before the term cyber resiliency really gripped everybody's imagination and took hold in the mainstream, but I feel like that term can mean different things to different people. So I guess as we jump right in here to the deep conversations about cyber risk, what does resiliency really mean to you? 

[00:02:15] Andreas Wuchner: You know, it's very interesting that you mentioned it this way, because there was always this kind of business contingency and, you know, all this stuff was always there, and it was very clear to us that we need to do the same for cyber, because cyber became more and more relevant, right? And cyber events, cyber accidents happen. So it was very logical to move ahead and go to the web and go everywhere and say, hey, we need to do that. You know, for me, business, uh, or security more or less is just nothing else than a support function, which needs to support business acceleration at the end, right? And what we do, what I have in mind when we talk about cyber resiliency, then it's preparing for, responding to, and recovering from any kind of cyber threats, right? These are the three things, and at the end, this is just good practice. We just need to be ready and prepared because cyber and cyber threats are just real. And so therefore, better prepare before you need to rush when something happens.

[00:03:15] Blake Thompson Heuer: No, that's a really good point. And it's interesting, you know, when you raise that three-step kind of process, it's something I've noticed here in the United States where I'm based, the electric utility industry actually has been doing for quite some time, not only from a cyber perspective, but also from just making sure that you're prepared for storms, prepared for different natural disasters. I feel like I've often heard, in the context of discussions of cyber risks, comparisons to hurricanes, even. What do you make of those analogies? Can those fit sometimes, or do you have a preferred one?

[00:03:47] Andreas Wuchner: No, you know, whatever works, right? Whatever works to get the point across. In the meantime, the majority of businesses will fail if they have a major outage in IT or a major security outbreak, right?

And the same way we prepare extra offices and we did everything for Corona and so on, security is just another example. You know, we are so reliant in the term of our digital transformation on IT systems, downtime is just not acceptable anymore. And you know, for you, if there's no water coming out of the pipe or no electricity, everything is dramatic, right?

And the same is true for our digital services in the meantime. So therefore whatever works, works, but it is exactly the same thing. Cyber risk is a business risk. 

[00:04:31] Blake Thompson Heuer: And how do you go about communicating that point? I mean, you say it so clearly, cyber risk is a business risk, but I know saying it clearly and getting chief information security officers and CEOs and board members to actually take that to heart and hear that is a different story.

So when you have these leaders asking about cyber risk and assessing it, how do you go about communicating that? 

[00:04:55] Andreas Wuchner: You know, most probably what I'm now saying is not very popular, but top down. The business and the leaders of an organization mostly ask very, very simple questions. Are we doing enough? Do we need to do more?

They know, you know, because they are used to managing risks. And for them, they read about incidents in the press, they hear it on the TV, there is another ransomware attack, someone went out of business. So for them, they know that this is something to take seriously, and for them it's more to give them kind of a help to better understand, because they don't really understand the nitty-gritty details, and they don't need to.

But how big of a problem is it versus for a CISO is pretty well, right? And we all know this huge disconnect between the CISO and the management team on the other side, because they often talk a very, very different language. And I get often asked by CISOs, you know, what are the one, two controls, or what do I need to do to really get the message across, right?

And I say, forget all your tech talk, use a standard, give them something where they can benchmark, you know, just be simple, but, you know, do your homework and have a good framework which you can go back to. And if you do that, you know, even if you just take, for example, the U.S. standard, the NIST standard, right?

If you just concentrate on the five clusters of NIST, that's a fantastic start, protect, detect, recover, all that stuff, right? That's something you can always come back to. And if you're simple and if you're straightforward, you will absolutely get the audience to understand that as a, hey, we are not as good as we should be, or our competitors are better, or we should be at three, but we're only at two, that's something which people understand, because it goes back to:

Are we doing enough? No, we don't, right? And if you as a security organization take these things more proactively and you go out before they need to come back, you read the news as well, you see there is this ransomware attack, prepare a message, proactive, and they will love you for it, because they hate to always ask and sound stupid. Be proactive, give the message, you care, and then they care as well.

[00:07:10] Blake Thompson Heuer: I'm glad you mentioned the NIST standard, the cybersecurity framework there. That's in the US, the National Institute of Standards and Technology really has set the stage for a lot of the regulations ultimately that other agencies sometimes end up pursuing. And we've had some more concrete, enforceable regulatory pushes here in the US to get especially transparency around some of the cybersecurity expertise and how people are really thinking about risk, notably from the, you know, Securities and Exchange Commission, which is actually right down the street from me here in Washington, DC.

I guess, why is it important at a base level for companies to have some sort of cyber experience reflected on their boards? Or is that not as important?

[00:07:50] Andreas Wuchner: It is, in my eyes it is, right? And I think that what comes out now, or what just came out in the last one, two years, just shows that the fact of cyber risk being an enterprise risk or a business risk just became more clear, and the role of the regulator is really to get the people aligned and make sure that everyone is somehow on the same level, right?

I think we need to be clear that there's a huge disconnect between what we see on the enterprise level and what we see in the small and medium businesses around the world, right? There is no standardization, and you see everyone does a little here, a little there, but they're not comparable. But on the enterprise level, especially when it comes to critical infrastructure, banking, whatever, gas, electricity, water, you just need to make sure that the people do what they say, right?

Walk the talk. You know, honestly, personal liability of a director normally helps to get attention and to get some pressure. And, you know, my problem is a little, what is cyber knowledge really, right? Some of the elements are really not well defined. And so therefore I think we need another iteration, another round to really get better on it and say, what is good enough again?

Do I really need to have now a CISO on the board, who is bored 95 percent of the time because they cannot contribute, versus, you know, have someone on the board who has someone in the background who helps with that kind of stuff? So I think it's a very good step in the right direction, but it still needs to work out a little bit on the details there, in my eyes.

[00:09:25] Blake Thompson Heuer: Yeah, that makes sense. I mean, you can have, for instance, if you have a clear pipeline of information getting up to the board, okay, maybe you don't need a CISO per se sitting on the board, but you just need to have that level of cyber knowledge, like you said, and figuring out what that is and what's the acceptable range.

And it is so hard, it can be so hard to find cyber knowledge, just even from a talent pool perspective, there's limited cybersecurity expertise, you know, in a highly competitive field, even in this constrained tech business environment. But how do companies go about getting some of that expertise?

[00:09:57] Andreas Wuchner: Let me challenge you on that.

IT in general, security as well, is very good on marketing, right? And we are very good at making things big and drama and things like that. And whenever there is a project to be made, there's always a, oh, I need more people. I need more money. I need more tools and all that stuff.

[00:10:14] Blake Thompson Heuer: Whatever the latest 3.4 million or, you know, cybersecurity professionals needed in one small state or whatever, right?

There, the stats get bandied around. 

[00:10:22] Andreas Wuchner: Exactly that. And whenever I hear there is a shortage of skills, I agree, right? Security has grown fast and there is a need, but do we, on one side, use our capabilities to the fullest already? Things which come to my mind are automation, right? Do we really need to do everything manually?

Can we use artificial intelligence in a smarter way? Look what Microsoft and the big boys are doing at the moment. Are we using and leveraging our service providers and cloud services to the fullest extent? You know, when you talk with the cloud providers and they tell you, yeah, 60 to 70 percent of our security tools are not used or leveraged because our customers don't have the capabilities, not the people, the capabilities at hand, then you really wonder.

The other thing which I'm really wondering is, we haven't really started on the big scale, right, to educate inside out. You know, there are so many good IT people and there are so many good students who study IT. Educate them internally, run programs, make them security experts, educate them really well.

And you know, the thing which annoys me most as a guy, whenever, and you know, for my CISO, I still get requests about, hey, would that be a good job for you? Wouldn't you be interested? If you look at the job profiles which I'm currently getting most of the time, they're written for males and not for females, you know. Females tick differently, they have different trigger points, you know, and they say, oh, you need to be fluent in English.

A guy is 60 percent fluent and there's no problem, right? I speak English, right? I apply. The female most probably: I'm not good. You know, that kind of stuff. You still see a lot of job profiles which are not open-minded, which are not inviting other people, and especially females and others, to it. So I guess while I agree we need more people, we need more smart people, at the same time I think there's a lot we can do better and smarter, and get to the point that what we have, and all the talents which are around, we educate them better.

[00:11:52] Blake Thompson Heuer: I'm so glad you mentioned that point about the job descriptions. It is something that comes up often, right? Like maybe, okay, I only have seven years of experience in a certain field and I go ahead and apply anyway for the 10 years plus mandatory, you know, requirement on the job, right? And actually at Synack, we hosted a women in the boardroom breakfast that really opened my eyes to some of the challenges associated with landing some of these really senior-level roles where you can truly make a difference on a company's strategic posture and, you know, security practices. You're on the CISO advisory board of Cover, a startup, you know, that sets out to help risk professionals really financially quantify cyber risk. How does one go about joining a CISO advisory board in the first place? Do you have to seek that out? Is it your best experience, you know, with a CISO title that informs that, or how does that come about?

[00:12:11] Andreas Wuchner: Every advisory board, there are different ones, right? But the CISO ones, I think, are very specific. A lot of companies make a mistake by seeing these CISOs and CISO advisory boards as an extension to their sales group, right? And with that, you see there are tons of tables to sit on, but you, as an expert on the other side, need to be really, really careful and smart, and looking and asking good questions.

What's the table I really want to sit on? Where can I add value, right? And some people are super cool and, you know, I don't have problems and become a salesperson. You know, I don't believe in that. You know, if you are sitting on an advisory board, I think you need to have a skin in the game. So that means either you have some shares, you are invested, or you are a big customer, whatsoever.

If you just sit on a table, just to sit there and say, Oh, I have an opinion, this is not going to be, to work really well, right? It's all about value. And, you know, again, there are people which are bored and they love to talk and it's all cool. But if you really want to take this serious and gain something from it, join a company where you have skin in the game in whatever function.

Have a look at the leadership of the organization, if they really want to discuss with you a strategy, go-to-market, you know, there's nothing wrong with helping with contacts and doing recommendations, but if you just become a cheap sales extension, just stay at home, right? Just don't do it, because it's not worth it.

It just gives everyone, it brings everyone to a point where the people then say, Oh, it's disappointing and I'm not getting what I want and all that stuff. So be picky. I get often asked, right? Because I'm good, I'm an investor, I do a lot of stuff, but there are really, really big differences and there are companies who are doing it extremely well and others which are not so much.

So watch out for your time. You know, we are all busy, and get to a point that you really add value. And if you don't get asked, right, talk with your companies which are really important to you, which you're working with, especially the smaller ones that really benefit from having expertise in a certain capacity.

So therefore, don't be shy. It's totally fine to go out and say, hey guys, we do this business with you. Are you doing anything? Do you have a customer advisory board? Do you have a CISO board? I really want to be more engaged, and things like that. And you can see, most of the companies: oh, that's pretty cool.

[00:14:47] Blake Thompson Heuer: Well, yeah, and COVR, you know, I was reading a little bit about that effort to really help risk professionals quantify cyber risks. And, you know, it's interesting. I came to this space and, you know, I was for many years a journalist reporting on really big critical infrastructure cybersecurity attacks, the kind that can, you know, if they're executed and carried out to a T, can really destroy companies, really, and even endanger human life in some cases. But we've had now so many decades of cyber incidents, large and small, whether, you know, these huge ransomware attacks with NotPetya dealing billions in damages, to smaller ransomware. And I say ransomware twice because that has a very clear dollar figure attached, but why is it still such a challenge to actually attach dollars and cents to a concept like organizational cyber risk?

[00:15:37] Andreas Wuchner: Think about it. What do you need to know, really? You need to know, just take one business process which you make money with, right? You need to understand where this service is all being delivered from. Internal, external, service provider, third party, fourth parties. You need to understand the data which is in there.

You need to understand the services which are linked. You need to know what assets are linked. So now go back and think about yourself, you know, which company do you know who says I have a 100 percent accurate asset database? That's very thin ice. If you then go to data inventory, the ice becomes even thinner.

And if you then look into service inventory, business process linkage, all this, it becomes much worse, right? So IT is not at the point yet in many languages to do it, right? But they do it then for one, two, three, four business processes. So, you need to do your homework first, and you need to really understand the stuff to make this easy.

What Cover, as you just mentioned, does differently is they come with a helping hand, right? They ask you, what business are you in? Where are you? What are your jurisdictions? What are your partners? So, they give you an answer. Just based on information which is out there and attack surface information which is known, they give you an already-in starting point.

Okay, now here, this is 50, 60 percent of your picture. The more you then add, the more transparency you get, right? It's more a top-down, outside-in view than saying, oh, now I need to go, oh, which is this server? And there are these apps running on it. However, you know, they just come from the other end. And so far, I've seen two or three clients, four of them, where it works really, really well.

And that's the reason, you know, you asked before about the advisory. This is an area where we as CISOs and experienced people can really add value, because we can help, can say, look, hey, look, that's how you normally do it. Why is the asset database not accurate? Okay, that, you know, what can we do with that, that's helpful.

And that's where I think there's a win win situation for everyone and we as an economy, the security economy, will just get better and benefit on the larger scale from it. 

[00:18:00] Blake Thompson Heuer: It's interesting, the companies that undertake that sort of analysis, some of them find things that are so important to their profile or to their risk stature that they simply cannot be lost.

And that, you know, identifying the crown jewels, as it were, is certainly relevant to the planning portion of the cyber risk piece that you mentioned at the outset of our conversation. It's funny, some organizations in the U.S. actually have adopted this model, perhaps you've heard of it, called Consequence-Driven Cyber-Informed Engineering.

And it's a fancy word-salad way of saying, maybe if you have something so important, you really do your best to actually disconnect it from the internet, or try to have some sort of manual backstop in place. I guess, you know, with everything moving to the cloud and that getting increasingly difficult to perhaps execute in practice, I'd be curious to hear your thoughts.

[00:18:52] Andreas Wuchner: You know, if you see what the cloud providers are offering with micro-segmentation, air gapping, it's addressing exactly that one, right? Some call it then zero trust to give it another marketing angle, but that's exactly what happens there, right? And again, this is not new, right? If you look back in the nineties and you went to healthcare, life science providers, they always had their research engines, and where they did a really huge amount of critical data production, they always had that separate, right?

At that time, someone bought a CD from A to B, you know, this was much more cumbersome, but they were always air gapped in a certain way, right? And what we see now with Zero Trust Networks and all that stuff is just the evolution after 20, 30 years of these kind of ideas. And even the mainframe had already segmentations, right?

Data classes or clusters which were not accessible by everyone, things like that. That's the way to do it, right? And I guess everyone would, oh, you need to disconnect. For sure, there are things which most probably forever will be somehow, but day-to-day stuff, if you want to do business, you need to be accessible.

You need to be on time and you need to be accurate, and things like that. No one is waiting for you anymore. You know, how easily do you change a service provider if the service is not available one, two, three times, or if your mobile provider sends you too many ads and you're getting annoyed? You just move on to the next one, right?

I don't think it's really realistic to think about, okay, we disconnect things and we isolate things in our world, right? Maybe if you talk about nuclear plants and nuclear weapons, different story, right? But the way that the stuff we, you and I, deal with on a daily basis, this is really going to happen.

We'll see a lot of it. 

[00:20:40] Blake Thompson Heuer: No, that makes sense. And that's a good point. Yeah. If I had had trouble logging into this podcasting platform a few times, I would have tried a different browser and just immediately connected to something else. Right. We always are itching to take those paths of least resistance.

And that just means it makes disconnecting all the more difficult. You know, you kind of mentioned what's old is new again there with the connection to the nineties. And now I feel like the pendulum has swung back to talking about AI and the notion that AI is coming for us all. I guess, what are your predictions for its impact on some of the work that you're doing in the cyber industry writ large?

[00:21:14] Andreas Wuchner: Huge. You know, AI will change the way we do things in a good and in a bad way, right? Because like every other technology, AI is already now used as an attack vector, right, an attack technology to become smarter, better, and all that stuff. The same way we use AI to detect and be more agile on some of the reaction patterns, AI will have an impact to the world we are living in and the way we do things.

And if you see how easy it is nowadays to deepfake a video, a face, a voice, all that stuff. The thing we do today, like, oh, let's call quickly the bank and authenticate with the voice, this will not happen in a couple of years anymore, because it's just not trustworthy anymore, because it's so easy to. So AI will have a huge impact in whatever level of our daily life, and in security especially, you know, why is Microsoft putting so much effort on their AI-empowered security suite?

They're pretty smart, right? They know where this is going to, and they have their, it's their own interests, right? Because everything in Azure and all that stuff. So no one wants to end up again in the press and say, oh, Azure is not available or a major breach somewhere. It has a huge impact. And at the moment, we're only seeing the tip of the iceberg.

The thing is, if you look from a financing and investor point of view, the whole thing is very interesting, right? Because there's so many startups and great ideas and people are saying, Oh, this is, I have this cool thing and I reinvented the wheel. And all of a sudden, one of the big ones say, Oh, by the way, we do this, this, and hundreds of ideas just die there, right?

This hype currently on the VC and investor side, and everyone needs to have an AI portfolio. I guarantee you, there will be huge write offs and huge losses, just as long as the big ones are putting effort and muscle power in it, because I can have the greatest idea if someone big fish goes after it and has it done in a couple of days.

Then you just have a big number two on your back, I think. Not an idea anymore. 

[00:23:24] Blake Thompson Heuer: That's a good point. Yeah. The big fish are certainly well on top of this particular issue, whether it's Microsoft, Google. I mean, you can take your pick, right? Everybody's doing something. It's interesting. You mentioned the AI used for more nefarious purposes.

Now you have me worried that somebody is going to take our voices from this podcast recording that we're pushing out there and try to contact our banking institutions. Oh no. So as I understand it, you're normally based in Zurich, which is an absolutely stunning city and also one of the main financial hubs of Switzerland.

And so, you know, I imagine that the famed Swiss banks are, you know, facing more than their fair share of cyber threats. And I'm picturing right now, Matt Damon from like the Bourne movies, if you've ever seen the Bourne Identity movies, trying to social engineer his way into a bank somehow, or put on a different costume.

And, but how should financial institutions, in the face of these AI threats, uh, just a constant barrage of cybercriminal activity and even nation state, how should they be thinking about cyber risk and hacking threats today?

[00:24:21] Andreas Wuchner: Honestly, you know, the banks or the, let's call it financial services are at the forefront of that.

And, you know, at least every bigger bank which I'm aware of, they have this on top of the list. They know exactly what they do, where they spend money, which risks they accept, and all that stuff. I'm not really concerned about the big ones. Sure, they are big targets, right? Absolutely. If you win, you only need to win once or be successful once, and then you're the hero.

But I would much more worry about the smaller ones, and the little wealth manager, the asset managers and all that stuff somewhere, which are not having the muscle power of a Bank of America or a UBS and things like that, because for them it's much more difficult really to see, because they are much more dependent, they have many more third-party and fourth-party dependencies, which make them vulnerable to all kinds of events, right? So the big ones are pretty, pretty on top of the list. And, you know, if you see who are the big beta trial customers of the Microsofts, the Googles of the world, they are all the big banks, right?

Because they have the knowledge, they have the bandwidth, they have also the capability and knowledge in people to really do that and say, okay, look, is this helpful? Does this bring me further? Should I do it on my own? Because still a lot of banks do stuff on their own, right? And the smaller ones just don't have that.

And, you know, even if you, you mentioned Switzerland, Switzerland is full of private banks, right? And they're not huge, but they host billions of value from large or rich customers. These are the ones which I would be much more concerned about, and which I would go for and say, hey, how are you really doing this?

Is there an advantage, is there an edge to it, which you can use better? This is for sure also happening.

[00:26:16] Blake Thompson Heuer: Yeah. And there are so many moving parts to think about, including API security. And as I understand it, you're on the board for a company called Traceable AI. We recently had Corey Ball, a leader in API security training on the podcast.

And I'd be curious to hear why you think API security is important. 

[00:26:34] Andreas Wuchner: Think about what we are driving really, where we are going to, right? If you look at the IT, the big picture, we talk about machine to machine, we talk about automation, integration, all that stuff. And if you look at it, the API, honestly, is the bloodline to connect services and transfer data, right?

In these kinds of environments, if the bloodline is not clean, protected, all that stuff, we will see major issues, right? And I don't know if you've seen that, but Gartner predicted, I think last year already, that 90 percent of web applications have a higher attack surface through the APIs than through the user interface, and that means a lot, right?

You know, why do I need, if for a user interface, I need to deal and trick someone, if I just can sit and wait and watch what is happening and just figure out where the problem is and go in there? And the likelihood that I get caught is so much smaller. And until someone recognizes it, most of the time it takes far more time.

So the future is definitely API security, or a part, an element of the future is definitely API security. And you see organizations now are learning and learning and learning and educating. You see, also you talked about jobs earlier, right? So you see more specialization in universities and all that stuff.

You see all the tool landscape about, you know, it's not only code scanning. It's really about API stuff. It's really to say, okay, out, in, status, all that stuff. So, I think we are still young, the whole industry is still young. There are still a lot of people not believing in it. Oh, why should someone attack me, and blah, blah, blah.

There is far more to come, and again, from the investment point of view, it will not be as hot as AI, obviously. But the API security arena is for sure an interesting investment area to look deeper into, because there is far more to come.

[00:28:28] Blake Thompson Heuer: Oh, I completely agree. And I am a little bit of a biased source on that front, given that it's an area that we've looked into at Synack as well.

But I will say, you know, this application programming interface, it sounds so, so wonky and so technical. And then I was shocked when Corey was talking about it: the vast majority of web traffic nowadays is actually routed through these APIs. So to your point about, you know, why wouldn't an attacker want to just sit there and use that leverage point to, you know, some nefarious end.

That really shocked me. I, 10 years ago, if you had told me API, I wouldn't know what you're talking about. I would be like, what is, what is that? What is that? And now all of a sudden, it's most of web traffic. It just goes to show how fast moving some of the cybersecurity...

[00:29:13] Andreas Wuchner: The hot shit of IT now.

[00:29:14] Blake Thompson Heuer: Yeah, exactly.

Exactly. Yeah.

[00:29:16] Andreas Wuchner: The risk of getting caught is so much lower in this space, right? Because, you know, if I steal something from a user, he will cry and yell immediately, right? But if I do the things in the background and I can hide myself and all that stuff, this is such a brilliant way to do things and be very impactful. Let's call it like this.

[00:29:35] Blake Thompson Heuer: Oh yeah. For sure. Well, Andreas, I really appreciate all your insights and we've covered a lot of ground here. We got API, we got AI, we had financial institution risk, cyber risk addressed. So really appreciate your expertise in this array of subjects. I did want to ask something that we ask of all of our guests on the podcast, actually a little less cyber focused perhaps.

And that's something that we wouldn't necessarily know about you just by looking at your LinkedIn profile. So...

[00:30:02] Andreas Wuchner: You know, for me, I give a lot of presentations. I stay a lot on stages and give speeches and talk to board members and all that stuff. And a lot of people think that I'm very extroverted because I don't have problems speaking in front of people.

But at the same time, me personally, I'm far more introverted than most of the people think. I enjoy far more enabling people and getting, you know, like startups, like university students, to give them a chance and make them successful and see them growing. And, you know, as an investor, also benefit from them being successful, rather than being the front runner and saying, Hey, how great I am.

So, you know, when you see me at an event where I know a lot of people, then everything is cool. If you see me at an event where I don't know anyone, I'm not the one, and you know, me, and blah, blah, blah, blah. So that's just not me. But most of the people are always surprised when I talk about that. And they're like, really?

You know, you don't come across as introverted, but I am.

[00:31:00] Blake Thompson Heuer: Well, I know you travel a lot. So if you ever are in Washington DC for an event, I hope you won't feel like it's an event where you don't know anybody. So come say hi and we'll catch up, and same in Switzerland or Dubai or wherever, wherever travels take us.

Now, before we stop recording, I did want to ask, was there any subject that you wanted to be sure we covered, just kind of like questions that we didn't get a chance to get around to before we stopped recording that you can think of? 'Cause I always like to check on that.

[00:31:25] Andreas Wuchner: Didn't think about that, but...

You know, you mentioned we had this discussion about these advisory boards, right? And I would recommend, you know, every startup company, everyone who is investing into an idea and wants to grow something and thinks they have this billion dollar idea. They all struggle at a certain point in time, right?

Either they're too technical or they're too high flyer. And I think, I personally believe, that if you get yourself surrounded by industry experts who have done this, who advise, you know, you don't need to hire whatever marketing men and all that at the beginning. Get people around who have done it and trust them and share with them and listen.

Even if you agree to disagree and say, that's not the way I want to do it. But at least you have someone who told you once, so that you thought about it. And, you know, being open, being bullish, open to listen and take informed decisions on that. That's what I would recommend to everyone. And that's, I think, an easy, cheap way to prevent a lot of mistakes, which you otherwise just make because of not knowing things.

Very simple. 

[00:32:39] Blake Thompson Heuer: Oh, no, that's a great point. And it does make me think of what's going on with OpenAI lately, of like, oh my goodness.

[00:32:46] Andreas Wuchner: But again, look how great Microsoft reacted, right? Microsoft owns 49 percent of OpenAI. They don't have a board seat, so they were not involved. So they see that happens. And obviously there's a reason why that happened, right? Because the guy's involved in so many other activities and why the board was concerned. That's all cool. Now they say, look, your hours here at Open Door make us successful, right? What a smart move. The investment in OpenAI was a smart move. Now this one is a pretty smart move. They can only win with that. So therefore, a good example of good investment management.

[00:33:24] Blake Thompson Heuer: Definitely. If you liked what you heard today, I hope you'll give us a five star rating and review. It's a big help. And please share this episode if you know anyone who could appreciate a little InfoSec wisdom on their morning commute. We have a whole catalog of episodes well worth a listen, so you may want to check out past interviews as well. Finally, if you know someone who might be a good fit to appear on the podcast, or have any comments or feedback, drop us a line at wereinpodcast@synack.com. That's S Y N A C K dot com. Until next time!

[00:33:57] Narrator: WE’RE IN! is brought to you by Synack. If you're looking for on demand, continuous access to the world's most skilled and trusted security researchers, you can learn more at Synack.com. Synack recently launched its Empower Partner Program so that partner organizations can more easily offer the Synack pen testing platform to their own customers. This approach helps optimize Synack partners' technical competencies and allows them to better integrate Synack into their portfolios. It's a way that partners can win new business by adding continuous, best in class solutions to cybersecurity, cloud, and DevSecOps offerings. Synack partners with organizations around the world to make them safer, more resistant to cyberattacks and more capable of finding and fixing dangerous vulnerabilities before attackers are able to exploit them. Learn more at synack.com. That's S Y N A C K dot com.