Emerging technologies and evolving regulations are shaping cybersecurity strategies in the financial sector. Adapting early is essential for banks and financial institutions if they are to continue providing critical services and securing the vast volumes of sensitive data they hold. During the London Gartner Security & Risk Management Summit 2025, Debbie Janecek, CISO at Dutch bank ING, spoke to Infosecurity about how CISO strategies in finance are being defined today. Janecek is a member of the board of directors at the Financial Services Information Sharing and Analysis Center (FS-ISAC) and, throughout her career, has worked on both sides of the Atlantic, with experience at two financial institutions in the US and two in Europe. She shared her views on how technology shifts have affected recruitment in cybersecurity, the impact of regulations like the Digital Operational Resilience Act (DORA), and how ING is implementing quantum-safe cryptography.

Infosecurity Magazine: What are the most significant differences working as a cybersecurity leader in Europe compared to the US? What lessons can each region learn from each other?

Debbie Janecek: In the US, you have more hierarchical decision making, which in many cases allows you to move faster. In Europe it’s more consensus-based, which values everybody’s opinion, but it does slow you down.

In the US we have big hub areas, so it’s easier to consolidate talent for cybersecurity, although when you think of the big tech companies like Google and Microsoft, it also makes competition for recruiting talent fierce. In Europe we are more geopolitically separated. We’re working across borders, so you have to make sure you’re aware of the cultural and communication differences in different countries. That adds a different nuance you don’t have in the US.

When you look at the regulatory landscape, one of the things I like about Europe is that the relationship with regulators is different – they act more like partners where you can influence policy more. Whereas in the US it’s more market-led, so innovation first and regulation later. In the US there’s more of a “fail fast” mentality, where security can be an afterthought and you’re trying to catch up to innovation. In Europe, innovation slows down because we don’t take the risks that the US takes. I think there could be a good combination where we combine the partnership of regulators in Europe, but we also bring in faster innovations that have security embedded.

IM: How has DORA influenced how you manage third-party risk at ING?

DJ: It’s had a huge impact. At ING we have done entire programs to drive compliance with DORA, which helps keep us on track. It’s very fragmented how different third parties do their risk management, so DORA brings a framework to it. DORA also takes the responsibility of third-party risk from just a compliance and procurement responsibility to a board-level responsibility.
It’s also driving the way we look at third-party risk. It used to be to send and answer a questionnaire at a single point in time. Now it is changing to continuous monitoring of your third-party vendors, including on-site assessments. That adds nuances, because then how do you scale to do on-site security assessments of all third-party vendors? You can’t. You need a framework built on which are your most critical third parties and which ones we should do the on-site assessments on. When you think of how reliant companies are on their third parties, it’s a good thing. It adds a lot more work, but it also helps make us more resilient.

IM: This year, we’ve observed attackers frequently target third-party IT suppliers through sophisticated social engineering techniques. How does third-party risk management need to evolve to meet this threat?

DJ: When we see attacks on third parties, we learn what we need to do to keep ourselves secure by taking those tactics, techniques and procedures (TTPs) and changing our security approaches. Also, we look at how we engage with our vendors. The relationship with our vendors has to be very close. I have vendors who will text me and say, ‘check your email, we’ve been breached and this is how it affects you.’ If you don’t have that partnership you might not get the immediate flag that you need to check your security. In the past two years we have seen a massive shift in threat actor behaviors – the tactics are faster, more precise and more targeted. My background is in intelligence, so I’ve always known how vital it is.