Introduction and Guest Introduction
00:00:05
Speaker
Welcome to Perspectives from HSBC. Thanks for joining us. And now, on to today's show.
00:00:13
Speaker
Hello and welcome to this edition of the HSBC Perspectives podcast ah being recorded live at the HSBC Global Investment Summit in Hong Kong. and My name is Mark McDonald, Head of Data Science and Analytics for HSBC Global Research.
00:00:28
Speaker
I'm delighted to be joined by Isabel Meyer from Zendata Cybersecurity. It's great to have you here. and Should maybe begin by, if you give a brief introduction to who you are and what Zendata does for our our listeners.
Isabel Meyer's Background and Cybersecurity Focus
00:00:40
Speaker
Yes, definitely. Well, funny enough, I'm a lawyer. I've been doing M&As for most of my careers, but about 14 years ago, I started a cybersecurity company out of Switzerland.
00:00:51
Speaker
We specialize in various different projects in cybersecurity, but we mainly work with governments, I would say about 30%. mainly on threat intelligence, managed services, and then international companies, most of their critical infrastructure, OT, these kinds of environments.
Cybersecurity in SMEs and Financial Growth
00:01:11
Speaker
We're going to be talking about cybersecurity and AI and its involvement. And a lot of time, cybersecurity would focus on the major and environment. But, you know, the SMEs are a very big ecosystem, very important in society, and they cannot be forgotten as well.
00:01:26
Speaker
Yes, it's going to be a very exciting conversation and lots to talk about. I guess many of our our listeners are likely to be sort of investors. ah So thought maybe if we could begin with the financial side of cybersecurity. Obviously, cybersecurity as a business has grown dramatically over the last 10, 15 years.
00:01:44
Speaker
ah Could you maybe give us some sense of the scope and the scale of how this has grown? If you're looking at the impact of AI in cybersecurity and looking at where to to drive through this, right?
Post-COVID Shift and AI's Role in Cybersecurity
00:01:56
Speaker
If we go back to the COVID era, this is where everybody jumped into cloud computing. And that was done in a very, very quick way. And often the cybersecurity was left behind.
00:02:08
Speaker
um You take about companies like Wiz, I mean, best example, 2020, cloud computing protection, and it was sold just recently to 32 billion to Google.
00:02:20
Speaker
Well, now we have this chance as well for startups, for investment to participate. But this time we can really bake security from within. And I would say to really not only focuses on company that will be looking at building AI, but regulating it, protecting it, right?
AI's Dual Role in Cybersecurity
00:02:39
Speaker
it's ah It's quite of a big race. We've been using AI forever. I mean, you're you're in this for a long time as well. It's been decades, right? But when suddenly the large language language model came in, LLM, so as we know it, the OpenAI, area yeah yeah chat GPT or deep sea came in, we kind of had this terminator effect. You know, maybe the robots will be taking over the the world.
00:03:03
Speaker
Maybe they will, by the way, but maybe not now.
Future Tech and Investment Priorities
00:03:06
Speaker
um But we have to think that at the moment, it's not the machine the problem. It's really the humans behind it. uh were really giving a very big leverage to threat actors uh to the bad actors the bad guys before hacking shooting a ransomware it was difficult you needed to know how the tool you needed to be working at it now it's accessible i mean you can buy it on the dark web uh you have kitty scripts that are very easy to deploy right so
00:03:36
Speaker
When we're looking at this and we're looking at where to really do your investment and where to start thinking about it, I would say everything regarding regulation, data protection, and this, I mean, I hope we can talk about it because data protection is becoming an increasingly big, big, big risk as well.
00:03:56
Speaker
and for For people to be a successful security professional, I suspect you probably need a fairly unusual mindset, a kind of playful, ah constantly looking for ways to poke holes in systems. um Do you think investors in this space also need to have an unusual mindset? I'd imagine that there's very much a sort of bad news, is good news aspect to cybersecurity.
00:04:18
Speaker
Is there anything else unusual that you think is needed about the mindset for investors in this space? It's a very good question. Okay. So I always think no matter what, the soft skills needs to be there. But this I think it's in any profession. And the people that really makes it are people that are not the traditional people.
00:04:37
Speaker
And it's very funny because we're surrounded by thousands of bankers right now. but that's kind of But i'll I'll say something a bit crazy and hopefully. So we were we we were talking about cloud computing, right? So if you're looking at Cloud computing was really, really where the investment was. We were we needed to protect the cloud. That was really yesterday.
00:05:00
Speaker
Now today, we are talking about ai So today's priority is AI and AI protection.
Cybersecurity in Space
00:05:08
Speaker
What's coming up in the future and what people are forgetting to think, and if I may, I'd like to go to the Russia-Ukraine war. Okay. Okay.
00:05:18
Speaker
I know you did not expect me to go there, but you said different mind. Let's make it different. So when you're looking at Ukraine, most important, valuable assets, it wasn't the tank, the drones, the aircraft.
00:05:31
Speaker
It was the the the satellite communication, right? Starlink that was provided by Elon Musk. So it wasn't really a surprise when you had Russia that one of their first moves was to hit the satellite communication.
00:05:43
Speaker
And why? Because it's old. And satellites are just, you know, computers floating around our heads. ah It's not being set with the latest cybersecurity technology.
00:05:54
Speaker
We can't access access them. We can't patch them. we can't update them. So it's really, really old. So if you know we were talking about the cloud today, AI, the future for me, if I'm an investor, it would be investing in protecting satellite communication.
00:06:12
Speaker
Think outside the box. And we were just selected by one of the governments now to start building cybersecurity protection in space. Whoa. Yeah, that was also my reaction.
00:06:24
Speaker
That's very cool. It is because if you're sitting and in front, actually someone from Oxford actually like you is is leading the think tank. And you know I'm sitting in front of around of all those those brains and we we really want to create this and because there's so much to do.
00:06:39
Speaker
um And I'm like, wow, it's even hard now to protect what we have on Earth. Land in space. But yes, so I would agree, like if you're going to be an investor, if you're going to be looking at what's next, you really need to think outside the box.
AI's Impact on Cybersecurity Operations
00:06:55
Speaker
You've alluded a couple of times already to the way in which AI and cybersecurity are becoming like increasingly intertwined. I think for many people that aren't an expert in in either space, that's probably unintuitive as to why these worlds are becoming so intertwined. Could you maybe expand a little bit on on why the the worlds are so interlinked?
00:07:16
Speaker
Yeah, definitely. and I mean, this is is fascinating. We really switched in the latest years from having a kind of defensive cybersecurity to a really proactive, intelligent cybersecurity and in so many different layers.
00:07:33
Speaker
So for example, you have security operation centers, right? I would describe them as let's say your alarm system in the house, when you leave the house, you put your code and it's 24 seven, it's monitored.
00:07:45
Speaker
So we do this for extremely large companies. Some companies externalize it, some companies have it in house. um Those layers, the amount of vulnerabilities that are created each year by the big boys, the Microsoft, the Cisco, all of this has a lot of different, a lot of vulnerabilities and you have over 30,000 vulnerabilities a year.
00:08:08
Speaker
So there's no way nowadays human can actually triage, patch and do this as quick as possible. There's no way the human speed can actually outpace the human machine speed.
00:08:21
Speaker
So now in those security operation centers, we have entire layers that used to be manual work that is done by AI agents. whether it is treating cybersecurity, threat detection, incident response, threat intelligence.
00:08:40
Speaker
So what used to take us days, I would even like to say weeks, now takes seconds. you have the layer regarding software development. We know that those vulnerabilities are created from human error, right? In the way of coding.
00:08:57
Speaker
So now it's not that suddenly we will not have any more software developers, but we can suddenly have a much more en enhancing code. We can have codes that are protecting from within and making sure we can flag vulnerabilities, mistakes from the start.
00:09:16
Speaker
um and everything regarding talents. Now I think the number is we're lacking six million cyber security professionals in the world. So everybody that have kids, like please, they can go in cyber, but or just change your career path.
00:09:33
Speaker
ah And actually they're getting more and more expensive and rightly so. um But really, Everything regarding the soft skills and enhancing that this layer is extremely important. But not only that, if you're looking at the lack of cybersecurity professional and the environment of SMEs, now everybody can be smart.
00:09:57
Speaker
That's the beauty of AI. But with the SMEs, I mean, you have the wealth managers, you have the investors, the family offices, the law firms, all of these have extremely high sensitive data.
00:10:11
Speaker
ah The risk tolerance is extremely low and the budget is the first budget is not going to be necessarily in cyber and not to have the real full on cyber team. So this is where AI is really coming a lifeline for them.
00:10:23
Speaker
And we're seeing it like every single day, how useful it is for them.
AI, Human Oversight, and Misconceptions
00:10:28
Speaker
one of the things that we're seeing in our conversations with investors is that the the pace of change of of AI has been so rapid over the last few years.
00:10:37
Speaker
as I think many people are sort of experiencing the technology without really having had time to ah develop like an appropriate intuition for how these models work.
00:10:48
Speaker
And this is leading to sort of all kinds of misconceptions about AI. And often it stems from things like, you know, these generative models are trained to produce human-like content. So people anthropomorphize the models and think that they must, and whether they can think at all is open for debate, but they think that they think or learn in the same way that humans do.
00:11:07
Speaker
Of course, they don't and they fail in strange ways or ways that seem strange to humans. and This leads to people not trusting them and and all sorts of downstream problems. um Do you find that there are similar kind of poor intuitions and misconceptions in the world of AI in cyber that you're constantly trying to fight? and If so, like what are the what are the main myths that you're busting on a regular basis with the people you interact with?
00:11:33
Speaker
No, but yes, and you are right. And I think we have to be careful. I mean, at the end of the day, all of these AI will be open source. I mean, open AI is open source and we're getting to this, right?
00:11:45
Speaker
The competitions, for AI is huge and who's leading. Now we, we okay, the US is leading, ah China now with DeepSeek is making AI more efficient, cheaper, you know, scary because as you know, better than me, AI works with your data.
00:12:05
Speaker
The data is really the fuel out of it. So if you don't protect it, it's either you protect it, you implement it within your AI, you make it grow, or you're just giving it to threat actors. And yes, you have this misconception even in cybersecurity, you just deploy and they do the work.
00:12:22
Speaker
And it's true for the training. And I've been in security operation center in massive companies in the Middle East where usually we would have hundreds of cybersecurity analysts and they had three. three who And I was shocked. Okay, they had all the budgets in the world. They had a lot of different backups in case, but it's working, but you need to take the time.
00:12:44
Speaker
And it's not only teaching it in one way, training it one way, but there's a lot of case studies. There's over hundreds of case studies each time and you can actually untrain it as well.
00:12:56
Speaker
I find it fascinating, but it's not everything is good. um and i think we have this This is where the soft skills comes in all the time. You still need to use your brain, if I may say so. It would be the best way I can say it.
00:13:12
Speaker
Yeah, I think you're right. Although these tools can make you more efficient, they're really tools designed to help the human. they They're not going to ever plausibly take the human out of the loop.
00:13:22
Speaker
Enhancing. ah One of the things that you mentioned that AI gives us is it it's the ability for everyone to be smart. Yes. and it's kind of I think that is kind of the fundamental thing about this new AI development is that a lot of the changes that are going to happen are you suddenly you've now got abundant intelligence. And so it can change the way in which you approach problems. So instead of having a human do one draft manually, you can have AI do 20 drafts and then select the best amongst them and similar things like that.
00:13:52
Speaker
um I can see obviously we discussed lots of good aspects of that. Is it a double-edged sword? Does this abundant intelligence also just make the attackers like more sophisticated and better prepared to to
Balancing AI's Benefits and Risks
00:14:06
Speaker
attack you? And how do you help companies and governments to in ensure that the benefits are more to the good people and less to the threat better attackers?
00:14:16
Speaker
This is a race that we will have to balance out. I mean, Stuart that did also a podcast that is the CISO of HSBC Global was telling me this morning that he has done a research couple of years ago. It's fascinating that he took bunch of emails, phishing emails and good emails through that in chat GPT.
00:14:38
Speaker
It was 100% accurate of knowing which one is the right email and which one is the phishing email. It's fantastic. Nowadays, with ChatGPT, you can do pen testing, penetration testing of your environment.
00:14:51
Speaker
You can actually have some red teaming exercises, tabletop exercises. So yes, in the way of thinking, it's becoming you know it's extremely useful, but then you have everything from Now we were joking about this before, of having people within your company that are starting to chat GPT their emails and sending them. We know, we know. There is also, I think it's going to be more and more open, but yes, what used to take days to be able to prepare an attack for threat actors for a bad actor now can take question of hours um you can actually have a ransomware for purchase and you go on the dark web the deep web you buy them and then you find out how to deploy them and it's done so yes
00:15:43
Speaker
Can we ah keep up? I always have this debate. So the blue team is the protectors, right, is the one. And are the blue team better equipped than the hackers?
00:15:56
Speaker
I don't wanna be pessimistic because I do think that the actors are quite quicker. But as soon as they develop a technique, we are the reactive one. So we really have to be the one taking back the advantage and be more creative in this.
00:16:09
Speaker
um And one way to be creative is not about the type of toolings. We've seen this too much often. I mean, people will put layers of tools of tools of tools. is Tools is not cyber security.
00:16:21
Speaker
There's tools, that's process, there's people, we talk about this a lot, but there's prioritizing, making sure you're crowd jewel or protecting as well. There's budget that comes into this. So there's a lot of different layers to take into account.
00:16:33
Speaker
And for now, we're not doing too much
Future Developments and Challenges
00:16:35
Speaker
of a bad job. I think globally, all companies. ah Very good. um So, I mean, obviously, it's very hard to make predictions and in this space.
00:16:44
Speaker
If we've have gone back six or seven years and tried to predict where AI was going to have the biggest influence, um we'd probably have said things like driverless cars and humanoid robots. And it turned out that actually all the excitement's been in, you know, the ability of generative AI to do office work.
00:17:00
Speaker
um With those caveats notwithstanding, um what do you see as the like key likely developments over the next few years in in this space? I will go back as well to the cyberspace.
00:17:12
Speaker
I don't know why it's it's talking within me. ah You're looking at all the development that China has done, Russia, the US. You look at the people like Elon Musk. There's a reason why they're focusing up there.
00:17:26
Speaker
and all of the debris we have right now in space.
Global Data Protection Challenges
00:17:29
Speaker
The data centers, now we are just in the UAE in 2026, we're going to be launching data centers up there. um It makes sense, it's not simple, but it makes sense to have them there.
00:17:40
Speaker
So I think in the next six, seven years, we're going to see much more of that. And a lot will be focusing as well on computer quantum computing. I mean, we can't hide it. It's something that is not new. We've been talking about it a lot.
00:17:55
Speaker
Nobody was taking a lot of care of it. Government will actually now start. But we need to think that everything that's been developed now needs to be quantum secure.
00:18:07
Speaker
And we don't even know yet what quantum secure is. So this is really where we should be looking at. And one of the aspects you mentioned a few times here is the importance of ah data protection. Yes.
00:18:20
Speaker
If you were to advise our listeners about you know what's the like one thing that they should focus on in their work, is that the area that they that companies should be focusing on? Or are there were other low hanging fruits that they should deal with first if they haven't already?
00:18:35
Speaker
Okay, two points. Data protection is not, I would like to say, it's a wish.
Threat Intelligence Sharing
00:18:40
Speaker
ah You just take a bank like HSBC, global bank, multiple countries.
00:18:47
Speaker
The regulation is so complicated, the patchwork of regulation is impossible to follow. I mean, I'm seeing it at Zendata. We work with over 45 countries.
00:18:57
Speaker
it's the the only way it The only thing it's creating is really giving more space to hackers to maneuver. The low hanging fruit for companies, and I'd like to to jump into threat intelligence.
00:19:12
Speaker
um And I'll give an example. Often companies think that if you're having, ah you know I don't want to say names of tools, but you're having this tool implemented, this is threat intelligence. It's not.
00:19:24
Speaker
Threat intelligence is really gathering different corroborating points, corroborating data, and ingesting it in your environment to making it operational. And for this, you need multiple tools, but multiple analysts and AI agents, and to make it really functionable.
00:19:40
Speaker
um And also, too often, the misconception is about, oh, if I know this, I will keep it for me because I have a leverage on my competitors. Well, actually, the only leverage you're giving is the threat actors.
00:19:53
Speaker
And if I may give an example, during COVID, Putin and Biden met in Geneva. It's beautiful, beautiful blue lake, green mountains.
00:20:04
Speaker
they We look very rich as a Swiss country. And they talk about three things. One of them was cybersecurity. I won't hack you, you won't hack me. Okay. Well, within a second, there was a new threat actors group that started to attack Switzerland.
00:20:19
Speaker
Thousands of attacks. We were the first one with the police to intervene on the first incident. It was the first time a group was going through an infrastructure of a company through a hypervisor.
00:20:31
Speaker
ah That was new and it's extremely important data. But by the time this is debrief, brought up to the government, the gov source that we have, and brought it back to us so we have a green light to be able to disclose it to critical environment, I don't want to say the amount of time it took, because this is public, um but we had thousands of attack in Switzerland. from the airports, the post, the thousands.
00:20:59
Speaker
And this, when I'm talking about threat intelligence sharing, this is the perfect example. It costs nothing. On TV, hey, guys, by the way, when you're deploying your security stack, don't forget your hypervisor.
00:21:11
Speaker
It would have been simple and saved billions to the country. So first, a low-hanging fruit, making sure you have the right communication and so like your environment that you can get data and you can give data. You need to talk to each other and that costs nothing.
00:21:30
Speaker
Yeah. Okay. So that's the advice for institutions. What about the individuals, the the people listening to this podcast?
Practical Cybersecurity Tips for Individuals
00:21:37
Speaker
um what What do you feel are the low hanging fruits that individuals miss out on that leave them vulnerable to cyber attack?
00:21:45
Speaker
I don't have it on me. It's quite rare. Smartphone. but You wake up in the morning, you check your messages. You go to bathroom, you have your phone. You go tonight, you check out your messages. Your smartphone.
00:21:57
Speaker
And what people don't realize, you don't have firewalls. So every time you're going to a restaurant and all this and you're doing clicking for the QR code, please don't. Do old school. Ask for the menu or the iPad.
00:22:09
Speaker
um Every time you're walking to a Starbucks and you're going on the free Wi-Fi or even not free Wi-Fi But you don't know if this Wi-Fi has been as malicious agents in it or not apps you have malicious apps Listening device you have so you also have to have a twenty four seven protection on your smartphone. It's called an MTD.
00:22:33
Speaker
So we do this. ah People believe that it's very expensive. It's not. But the first step is to actually just be very careful. You don't need to click on everything.
00:22:44
Speaker
um And the best free advice for this is every every night, restart your phone. Shutting down, restart it. The police does it. Everybody does it.
00:22:56
Speaker
It's free. And it's actually because 99% of any malicious application that would have been put inside your phone cannot resist the shutdown. Wow.
00:23:06
Speaker
So it's an easy step. It's free. and You can do it. But I think that's a really first low-hanging fruit. Okay, that's low-hanging fruit that I didn't know about, so I'm definitely going to start doing that as well.
00:23:17
Speaker
Thank you very much for for being on the podcast. It's been a fascinating discussion. Thank you so much. It was a real pleasure. Thank you for joining us for this episode of Perspectives.
00:23:28
Speaker
Make sure you're subscribed to HSBC Global Viewpoint to stay connected.