Emerging technologies and evolving regulations are shaping cybersecurity strategies in the financial sector.
Adapting early is essential for banks and financial institutions in order to continue to provide critical services and secure the vast volumes of sensitive data they hold.
During the London Gartner Security & Risk Management Summit 2025, Debbie Janecek, CISO at Dutch bank ING, spoke to Infosecurity about how CISO strategies in finance are being defined today.
Janecek is a member of the board of directors at the Financial Services Information Sharing and Analysis Center (FS-ISAC) and throughout her career has worked on both sides of the Atlantic, with experience at two financial institutions in the US and two in Europe.
She shared her views on how technology shifts have impacted recruitment in cybersecurity, the impact of regulations like the Digital Operational Resilience Act (DORA) and how ING is implementing quantum-safe cryptography.

Infosecurity Magazine: What are the most significant differences working as a cybersecurity leader in Europe compared to the US? What lessons can each region learn from each other?
Debbie Janecek: In the US, you have more hierarchical decision making, which in many cases allows you to move faster. In Europe it’s more consensus-based, which values everybody’s opinion but it does slow you down.
In the US we have big hub areas so it’s easier to consolidate talent for cybersecurity, although when you think of the big tech companies like Google and Microsoft, it also makes competition for recruiting talent fierce.
In Europe we are more geopolitically separated. We’re working across borders so you have to make sure you’re aware of the cultural and communication differences in different countries. That adds a different nuance you don’t have in the US.
When you look at the regulatory landscape, one of the things I like about Europe is that the relationship with regulators is different – they act more like partners where you can influence policy more. Whereas in the US it’s more market-led, so innovation first and regulatory later.
In the US there’s more of a “fail fast” mentality, where security can be an afterthought and you’re trying to catch up to innovation. In Europe, innovation slows down because we don’t take the risks that the US takes.
I think there could be a good combination where we combine the partnership of regulators in Europe, but we also bring in faster innovations that have security embedded.
IM: How has DORA influenced how you manage third-party risk at ING?
DJ: It’s had a huge impact. At ING we have done entire programs to drive compliance with DORA, which helps keep us on track.
It’s very fragmented how different third parties do their risk management, so DORA brings a framework to it.
DORA also takes the responsibility of third-party risk from just a compliance and procurement responsibility to a board-level responsibility.
It’s also driving the way we look at third-party risk. It used to be to send and answer a questionnaire at a single point in time. Now it is changing to continuous monitoring of your third-party vendors, including on-site assessments.
That adds nuances because then how do you scale to do onsite security assessments of all third-party vendors? You can’t. You need a framework built on what are your most critical third parties and which ones should we do the onsite assessments on.
When you think of how reliant companies are on their third parties, it’s a good thing. It adds a lot more work, but it also helps make us more resilient.
IM: This year, we’ve observed attackers frequently target third-party IT suppliers through sophisticated social engineering techniques. How does third-party risk management need to evolve to meet this threat?
DJ: When we see attacks on third parties, we learn what we need to do to keep ourselves secure by taking those tactics, techniques and procedures (TTPs) and changing our security approaches.
Also, look at how we engage with our vendors. The relationship with our vendors has to be very close. I have vendors who will text me and say, ‘check your email, we’ve been breached and this is how it affects you.’
If you don’t have that partnership you might not get the immediate flag that you need to check your security.
In the past two years we have seen a massive shift in threat actor behaviors – the tactics are faster, more precise and more targeted. My background is in intelligence, so I’ve always known how vital it is.
Today it is more important than ever that we have a very robust cyber threat management that is closely following trends, building out threat models, understanding not just the TTPs, but knowing what’s coming next.
Threat intelligence is key to organizations getting ahead of threats and informing the board of what that threat is, why we should be concerned and why we should invest in certain areas.
IM: To what extent have emerging technologies and evolving regulations changed the types of roles you are recruiting for in your cybersecurity team?
DJ: I would argue that one of the biggest challenges for today’s CISO is that talent shift. It’s no longer ‘I need a SOC analyst or threat hunter,’ it’s ‘what do I need to help protect the business from these new threats.’
It’s not just technical skills, we need governance. For example, AI governance experts to govern how we’re using AI.
We also need to look at a shift in CISO roles, from technical defense to business partners. We need people who can communicate to a non-technical group of people.
Quantum computing is another area. When that happens, how are we ensuring we are quantum safe and that we have the talent to drive that change?
Also, how do we use AI for defensive purposes? We need talent which is different to what we’ve had in the past.
IM: Could you tell us about any initiatives you are involved in to make systems quantum safe at ING and the wider financial system?
DJ: Quantum readiness is something I’m passionate about because it’s not something that can wait. It’s very complex when you think of where all your cryptography is in your environment and your legacy systems. You have to start preparing now.
At ING we are preparing now, as are a lot of companies. From the FS-ISAC point of view collectively as a financial sector we need to be ready. We need to help the smaller and medium-sized banks that don’t have the big budgets of the big banks to be ready.
On a sector level we’re involved, from a company level we’re addressing it. One of the first things that companies need to do is have a cryptographic inventory, which is complex to do.
You need that inventory to then prioritize where you are going to change the algorithms first, using the US National Institute of Standards & Technology (NIST) Post-Quantum Cryptography Standards.
It’s not just a CISO thing, it’s a company thing. A lot of the cryptography is in production areas. It’s driven by CISOs but it’s a company initiative to make sure that we get that inventory.
Then testing the new algorithms, we’re involved in the quantum consortiums and research.
Also, third-party risk – it’s going to be one of the questions we are going to look at for the future to make sure our third-party vendors are quantum ready.
IM: What are the biggest barriers to implementing quantum-safe cryptography in enterprises?
DJ: Complexity is the biggest barrier. You have new systems, you have legacy systems. If you roll out the quantum-safe algorithms, you have to check if it’s going to break the legacy systems.
It’s a continuous process, it’s not a one and done. It is a program that you are going to have to keep building because cryptography is going to change over time.
IM: What are your biggest concerns in cybersecurity today?
DJ: The rapid change in the threat landscape. We have AI, geopolitical issues and quantum computing all converging at once. It is a dynamic landscape which as CISOs we have to be ready for and make sure we are agile to be able to defend against this new threat landscape.
IM: What are your biggest successes in cybersecurity today?
DJ: One of the things as a CISO which I try to drive is the shift from CISOs being the person that says no, the blockers, to risk executives and driving value creation for the business.
It’s a shift that all companies will need to do because of the continuous changes. We have to think about how we become value creators and support the business. Not just doing compliance-based security founded on the tech stack, it’s a holistic thing you have to do as a company.
IM: If you could give one piece of advice to fellow CISOs, what would it be?
DJ: As CISOs, we get pulled down into the operational technical aspect. But we need to drive strategy.
We need to hire brilliant people to drive the operational technical and as CISOs in our organizations we need to be that strategic driver for the company, for the future of the company.
I’m in a lot of CISO forums and there’s a lot of technical discussions. But I want to know things like how are you driving strategy, how are you changing your data center strategy to deal with the new threat of hybrid warfare? Those are the conversations I want to be having to help the company get to the next level of security.
