Securing the Future: Traditional IT vs. Blockchain in Banking | The Pair Program Ep55

Welcome to The Pair Program from hatchpad, the podcast that gives you a front row seat to candid conversations with tech leaders from the startup world. I'm your host, Tim Winkler, the creator of hatchpad, and I'm your other host, Mike Gruen. Join us each episode as we bring together two guests to dissect topics at the intersection of technology, startups, and career growth. Hello everyone, and welcome back to The Pair Program. I am your host, Tim Winkler, alongside my co host, Mike Gruen. Uh, so Mike, I was recently reading that, uh, Lego is releasing a set that they're calling the Endurance. Uh, which is a model that kind of commemorates the Explorer Ernest Shackleton. Um, and it's like a 3, 000 plus piece set, so kind of led me down this path. I know that you've done, you know, a number of Legos down, down, uh, your career. So what, what's, uh, what's a, like the largest Lego set that you've ever assembled and what was it?

Oh, the largest. Oh, that's interesting. Ah, it was definitely something when I was a little kid. It was some sort of space station. I don't remember. Um, I mean, it was the, the blue and red, like it was the old school space stations. It wasn't like, you know, Star Wars branded stuff. So. Uh, something along those lines. Um, definitely sat with my kids to do some of the bigger sets. But first of all, I have to say kudos to you for remembering to call it Lego and not Legos. Uh, so good for you

on

that one.

Yeah, I can fact check myself.

Um, I do have a good Lego fact. They make more tires than anyone else. They're the largest tire manufacturer in the world. That is a fun fact. That's pretty

cool. That's great. What about you guys? Jacques, Sandeep, any, any, uh, you know, memorable Lego sets that you built either solo or with your family?

Yeah, of course. I believe a black star of Darth Vader or something like that. It must have been. Yeah. That's the biggest.

Yeah. Yeah. That's a big one though. I've, I've, I've had a few employees that, that have assembled that one. Um, Sandy, how about you?

I didn't do much when I was a kid, but more with my nephew these days, and then his demand kind of keeps going up. So it started with like the small hundred dollars one. And the last thing is like, he's asking for 400, 1000. I don't know what is the next demand that is going to come through, but the kind of Legos he requests just keeps shooting up. Yeah.

Yeah, I had a, I had a little flashback down memory lane on this too, and I had one that was like this, uh, it was like a medieval knight's castle from like the early 90s. Um, Definitely wasn't 3000 piece set. It was, yeah, we're talking a couple of hundreds here, but, uh, it was, it was a large one and, uh, yeah, it was a good, good little, um, uh, memories talking about Legos. I know that's like one of like the, the go to toys that we hit on one episode, Mike, of, uh, the goat toy.

It's yeah, I mean, I use mine structurally to, I, uh, I there's things that I've built to like for computers and things to like,

just to prop up your, your laptop

to prop up. I've actually got, uh, in my old apartment, I was popping up some furniture with some Legos, so to keep it from falling forward, uh, they're pretty strong, uh, it's pretty impressive. Yeah, anyway,

great, great, great dual use example. Uh, all right, uh, well, let's fill the listeners in on what today's episode is all about. So, um, today we are diving into a topic that. Is reshaping the landscape of tech. And that is, you know, cybersecurity specifically within the banking sector, uh, and specifically kind of comparing traditional it environments and blockchain and banking. Uh, so joining us are two, uh, distinguished leaders within cybersecurity. First off, we have Jacques Beauchamp. Uh, Jacques is the CEO of Howborn, a cybersecurity firm specializing in blockchain, Jacques brings a wealth of experience in IT and cybersecurity, uh, specifically in protecting digital transactions in the blockchain space. Uh, and then alongside Jacques, we have Sandeep Wadhyay. Uh, Sandeep is the managing director and global head of emerging technology risk at BNP Paribas, one of the leading banks in Europe. Sandeep has over two decades of specialized experience in cybersecurity, operational risk, and compliance across several verticals. Jacques Sandeep, thank you both for joining us today on the pod.

Pleasure to be here. Thank you.

Thank

you.

Thank you. Excellent. All right. Now, before we dive in, we do like to kick things off with a fun segment called pair me up. Here's where we all go around the room. We spit ball a complimentary pairing of our choice. Mike, why don't you lead us off on, uh, what you got for us today?

Yeah, uh, well, I'm feeling under the weather and I was all clogged up. Uh, and so my go to when I'm stuffed up is to pair that with, uh, something really spicy. So I had, uh, I looked for the hottest, uh, salsa we had in the house and, uh, scarf some of that down and help clear out my sinuses. So, uh, clogged sinuses and, uh, hot salsa would be my, my pairing today.

And then hopefully a box of tissues nearby.

Oh no, we did that earlier. I made sure to, you know, we're all good.

Yeah. Yeah, I, I hear you, man. I just had, um, I, my go to for something like that is a bowl of pho and just a little bit of extra sriracha in there. That was Saturday.

Uh, so yeah, Saturday, my son and I went out for pho and, uh, we have a great place right near the house. And, uh, yeah, sriracha and jalapenos and all kinds of stuff to make it nice and spicy. Okay.

Nice. Well, hopefully, uh, hopefully you're, you're feeling good enough to, to get through this episode here. We'll, uh, we'll, we'll, we'll keep checking on you throughout. Um, I'm going to go, I'm going to go with the changing of seasons and, um, thermostat wars. And, you know, this is something that, you know, living here in the DC area, specifically around this time of year, we've got these crazy swings and temps that could go anywhere from 65 degrees during the day. We'll, Down to 25 degrees at night. And so my wife and I are pretty polar opposites in the sense that I tend to run a little bit hot. She's always a little bit cold. And then, yeah. So during these times, like I'll check our little nest thermostat and. You know, it's constantly getting turned up and down throughout the day. And then before we go to sleep at night, you know, I'll check it and make sure it's at a certain temp. And then I'll wake up the next morning and notice that it's magically settled, you know, a few degrees higher. Um, and this is how we would, you know, what we would classify as these thermostat wars in our household where it's kind of like undisclosed. Like my wife will, won't say like, Hey, is it, are you cold or warm? I turn it up or down, she'll just go do it. And then I'll just go do it. And so it's this fun little game that we, we both play during the. changing of the seasons, but it keeps us keeps us on our toes. That's, that's my pairing for today. It's going to be the changing of these seasons and these thermostat wars that my wife and I play. Um, I'll pass it over to Sandeep. Sandeep, how about a quick intro from yourself and your pairing?

Thank you. Thank you. Thank you everyone. Uh, again, uh, uh, I'm based in London. I've been with BNP Paribas for seven years now. And, uh, in terms of pairing up, uh, I think, Nothing can ever go wrong with a hot spicy curry. And that does help being from India. And then the fact that I was a little bit under the weather, but the good thing is I'm in Mumbai and I'm having a nice spicy curry from my mom and that has really helped me recover much faster than the cold weather in London. So I'm not complaining.

Yeah, I dig that. I love a good hot, spicy curry. Uh, yeah, ship some over to Mike here for, uh, for his next, his next, uh, nasal cycle. Um, well, it's a pleasure having you on here, Sandeep. Um, Jacques, about yourself, quick intro and your pairing.

Yeah, right. I am the CEO of Albon. I started just four months ago. Before that, I was, as you mentioned, CEO of another classical cyber security, and I spent 14 years. At Dell Technologies, and I am an educated nuclear physicist, which is maybe those days getting popular again. Um, now speaking about pairing, I don't know if you know that guys, you should, this year is the 50 years of something really well established in the nerd culture. What is it? You know, this year, that's anniversary,

50 years. I mean, I just turned 50, but I don't think that's what you're talking about.

If I tell you D& D, does that ring a bell? Dungeons and Dragons? Dragons, 50 years. Yes, really. So, uh, my pairing, which is very well suited to blockchain is from nerd culture to pop culture. This is what happened by the way with DND. It was nerd thing back in the days. Now it's pop thing because you know what, uh, Game of Thrones, all those things are deeply inspired by this, uh, by this game. And, uh, the same is happening with the blockchain. 2008 and now it's becoming at least in financial services, a pop culture, but Sandy will speak more about that. So that's my pairing guys. I like it. Love it. Love it.

Yeah. That's, that's a great, uh, comparison. And. Honestly, so, you know, doing a lot of tech recruiting, we've, we've recruited a lot of folks out of little dungeon and dragon, like micro communities around here when we were doing more local, local recruiting, some of our, our employees were, you know, parts of these big dungeon and dragon networks. And they've hired engineers from these communities. So it's certainly, uh, yeah, it's gone from nerdy to cool. I agree with you.

Awesome.

All

right. Well, that's a it's becoming cool. Is it a problem? You know, some, somebody will ask me the question, can it be still trendy, but another, another conversation.

Yeah. Yeah. We'll have to revisit this in like 50 years. Um, Awesome. All right. Well, appreciate the intros. The pairings were awesome. Let's go ahead and shift gears into the heart of today's discussion. So, as I mentioned, we are talking about cybersecurity and the banking sector and comparing traditional IT versus blockchain. So, you know, why does this matter to us? Um, I'll go in the highlight, uh, just a few common scenarios of Your digital banking that nearly everyone can relate to and underscore that critical role of cybersecurity in our daily lives. So whether it's withdrawing cash from an ATM. To sending a payment to a friend via Venmo or PayPal, or simply receiving, you know, your paycheck through direct deposit. And these are all digital transactions that require robust cybersecurity measures to protect us against fraud and theft. And, you know, we, we continue to hear more and more of these, of these days, like of these stories that pop up of. You know, some hackers pulling off a bank heist from their couch. Uh, I, I can specifically recall during the pandemic, this huge spike in phishing scams where, you know, cyber criminals would try to swipe cash and by personally, um, sending personal or asking for personal info by pretending to be our banks. Uh, and so I, I, I just, you know, I, it's a scary world out there. It continues to get scarier. The more that tech modernizes, uh, and it's continued efforts from professionals like our guests, Jacques and Sandeep kind of keep our digital transactions safe from these external threats. So, um, I I'm excited to have this conversation. I'm excited to continue to build awareness on this, even if this. Podcast is one small source of information to get more intel out there. I think it's super important. So the way that I kind of see this conversation flowing is to first have our guest paint the picture of the current landscape in both of these environments. We'll discuss some of the challenges and the innovations in cybersecurity. And then we'll wrap with some insights on what the future of digital banking and security might look like. Um, let's start with you Sandeep, uh, you know, with, with your perspective, you know, what, what are the primary kind of cybersecurity challenges that are facing the traditional banking systems today, uh, and then we can jump over to you Jacques for an overview more on the, on the blockchain side.

Sure. Absolutely. Um, I think, um, from a traditional banking perspective. If you look at the challenges, obviously, I think the number 1 has been more around business disruption as a result of ransomware attacks, even if not directly on financial services institutions on our supply chain and the impact of the supply chain disruption on the bank as a whole. So, I think 1 is definitely in terms of traditional or the legacy it in financial services. There has been a lot of focus on ransomware campaigns. There's a lot of focus on. Geopolitical disruptions, uh, particularly cyber attacks as a result of geopolitics, which is again is a focus of attention. And then generally, I would say phishing campaigns or cyber enabled fraud, which is again a big attention point for large financial institutions. So, so what has happened over a period of time is. You, you have had essentially. Uh, an ID, which is kind of almost like trying to catch up with the evolution on the cloud journey and, and, and, and different ways of doing digital working. Uh, so, so, and then that has kind of exposed some fault lines, uh, in terms of, uh, different vulnerabilities that attackers try to exploit. Uh, whether then it is end user computing, whether then it is essentially the infrastructure you have to deliver services to clients. And then it has been a bit of a uphill battle because, uh, the way we landed in this traditional IT journey is the technology is kind of, you know, scaling it up. And at the same time, we are trying to build security around it, not into it. So what has happened is. Uh, you, you, you almost like had a situation, uh, where, where you started to build security around the technology, which was inherently vulnerable from day one, because if you look at the history of internet, internet was not designed to be secure. It was designed to be collaborative. That's, that's where they started first saying, you know what, we should open everything. We should talk to each other, uh, but let us talk about security a little bit later. Uh, and that's, that's what, what, what we have in all this it journey, uh, where, where, where, where we are building on top of, uh, uh, legacy it, which has been inherently vulnerable. And that has been like quite a challenging journey, I would say.

I think the best example of that is like email, right? Like this idea of like, why would anybody spoof an email? Why would anybody send an email from someone who they don't predict? Like that's the 60s, 70s, when email from academia and now like, right. There's a lot trying to retrofit to make it so that, you know, this email came from who it's supposed to come from and. And the rest of it, I think it's kind of the, the, the history of the internet and how we got, you know, it's a, yeah, it started in academia and in research and collaboration. Why would you need this stuff to be secure? It's a, it's an interesting evolution.

Yeah. And we'll expand on that a little bit more. They

built it, actually. It was a very trusted vehicle, right? They never, they never thought that the community is going to be so big. Right when, when they started building, you know, uh, the, the, the, the original network they never thought that in 20 years time, like 1 billion people or a couple of millions of people would be connected to internet every day. Right. So, so that, that throws like an interesting challenge. Yeah.

Yeah, and I don't think anybody thought digital currencies was going to be a thing at any point back then either and here and here we are, and this is a good, good segue. I want to, I want to expand on some of that stuff, Sandeep, uh, but first, you know, and kind of keeping with tradition of catching the other perspective real quick here, uh, Jacques, let's, let's just real quick get, uh, your, your viewpoint on how, you know, blockchain technology is evolving with the financial services sector and why cyber is critical with this evolution.

Right, right. So real quick, I believe we have to look back because for me, I have been in it for 20 years plus big difference of financial services. With any other industry, now it's converging, but the big difference is that IT has always been the factory in financial services. Without IT, there is no bank, and that has been like that for many years. In fact, the first digital transformation of banking happened in the 70s, 80s, and 90s, where they got rid of paper and went into centralized ledger technology. And then at the beginning of this century, 2010, they had the second digital transformation, which did not really impact the business processes. That was adoption of e banking, was adoption of private cloud. That was really a huge simplification of the basic infrastructure of IT in banking. And now what we believe at Albon, and what I believe is that we are reaching the third digital transformation. Which is a blockchain adoption for three things. You mentioned it just now. You said, okay, digital currency. That's one thing. So CBDC for central banks. Second thing, insurance of security. And third thing, which is really big in terms of efficiency in the system, settlement and clearing happening on chain. Which will reduce the lead time and mitigate the risk. I know Sandeep, risk is a big thing in your, on your plate. So this is what is happening now. But when you speak about all that in that new digital transformation, security is everything. Because unlike in the classical perimeter, where between detection and response, you have a little bit of time. Till ransomware is fully established with the first indices of compromise. You can have several hours, sometimes a day, depending on the industry. Whereas on chain, if something is happening, your cash is gone. So we have a real hold up type of robbery situation, which is really unique to that new digital transformation. And that requires a decentralized system, a totally new way of thinking. Yeah,

I, I've got a lot of questions to build on that, uh, as well, just in terms of, you know, things like smart contract audits and some of the things that Halborn's is doing. If maybe you just take, take lead on that right now and talk through some of those strategies that you all are taking on and this is a good, good segue into, you know, what Halborn specifically is doing.

Right, right. So, uh, as, as you mentioned in the beginning, Halborn, we are. We are solely focused on financial services and web3 and on cyber security for those kind of institutions. So our customers are decentralized finance. But more and more tried five because of the adoption, we were just mentioning before. And indeed, we do plenty of those things. Mark contract audit is our bread and butter, really our daily bread and butter because more and more on the tail end. You have the ability to create an environment that enable those fast transaction, enable this, uh, uh, equity issuance on chain. So it's really creating a new attack surface like no, nowhere before. And it's really creating a stress factor also for the traditional banking institution when they move into that space. So we do those smart contract audit. We do design of architecture, we call that secure by design, which combine both the web tool, and we can speak about that after, so the traditional perimeters, and the blockchain aspect of things, because you always have a combination of it. The smart, for instance, uh, crypto wallet, It's more a web to thing than a non chain thing. So anyway, and you have API and API are like cloud pen testing. You need to pen test those things. So that's web to infrastructure. So we, we do that combination of things. We focus a lot on trying to bring our customers to make the secure by design. I think Sandeep mentioned that before. Okay, we, we just added layer of security on an infrastructure. How do we think secure by design on chain as well, and in a complex combination of on chain and off chain systems? And this is where we, we set our focus.

The Secure by Design was actually on my shortlist to kind of talk with you, Sandeep, on I don't know, it's, I mean, it's obviously, it's relevant. Um, uh, Sandeep, can you, can you kind of quickly tally on this in terms of how, you know, traditional banks adapting their security strategies in response to the evolving digital landscape, like technologies like AI and blockchain?

Sure, sure. So, so I think If, if you look at, uh, blockchain as an example. And I've done a lot of conversations on emerging technologies in general, blockchain and AI together in terms of how it's going to change the trajectory for financial institutions globally. Um, uh, and if you look at blockchain, I think the one thing that you need to understand in blockchain is it requires two parties to play. One party cannot play because can I run a blockchain in my data center? Not really. It has to be somewhere where more than two parties can come and then validate the transactions, operate the nodes and run that distributed ledger blockchain. What that means then is it technically it is collaboration outside the boundaries of my network. And, and if you see all blockchains projects globally, you will see that they're outside the organizational boundaries of a financial institution. Maybe in AWS, maybe in Microsoft, maybe in Google, but not in their data center. So that changes rules of the game because now you have a technology that is forcing you go outside your perimeter. And the moment you go outside your perimeter, the rules of the games are different because it's a different environment, different technology and layers. That's part one. Part two, if you take like artificial intelligence as an example, And take a step back and ask yourself, generally speaking, right from politicians to bankers to CEOs of large corporations, how do they take their day to day decisions? They take their decisions based on open source intelligence. It's surprising, but it's true. It's based on what they see on social media, what they read on financial times, what they see in market data in terms of Bloomberg or LexisNexis. It's a fairly open data. Where is the data coming from? The data is coming from open sources. So now you have the dependency on artificial intelligence to tap into various data sources. In terms of various decision making, which means again, from a collaboration perspective, you're tapping into outside data sources, you're connected to different providers, you're connected to different types of data sources to make your AI better. And then that changes the security landscape and the security around it, which means. You're dealing with multiple parties with an access to your infrastructure. You're looking at components you have never had before, particularly in the case of blockchain. You have the blockchain itself can be Ethereum, can be hyperledger, uh, the security of that blockchain, but then there is underlying infrastructure. You're running nodes. The nodes need to be managed. So you really need to look into all this, all the different, I would say artifacts associated with the technology and how that would be secure. But And coming to a realization that one party doesn't control the security because it's a shared environment. So then you really need to look into the risks associated with shared environment as well. So I think blockchain is essentially kind of forcing organizations to relook more. So what does their multicloud journey means to them? Because this is a multicloud journey. This is a dependency on other parties in conducting business and how you go about conducting that business. With like shared acceptance of the risk as well, because the risk will never go down to zero. When it's in your infrastructure, you can try your best to reduce the risk, you know, to minimum level, but in a shared infrastructure, it's very difficult. So blockchain brings some new realities, new technologies, and new components, but also in a way, I will need you to make it much more, more better and more scalable in terms of, you know, uh, running different use cases and, and, and, and, and, and, and experiments.

Yeah, I, I wanted to ask you Jacques, cause I, you know, I'm going to, I'm going to assume that a lot of our listeners, you know, have a common sense of, of, of some of these items that we're talking about, but I like to try to simplify some of it as well, just to, uh, make it a little bit easier for, for our listeners to wrap their head around, can you expand a little bit more, um, on the approach to smart contract audits and, and why that's so crucial for blockchain security?

Right. So we were just speaking about Dungeon and Dragons. So I'd like to go back to the gospel again, but another gospel. So, you know, in 2008, that was a famous white paper of Satoshi Nakamoto. That's an original Bitcoin white paper, you remember. And in that white paper, there was a diagram comparing the privacy model of traditional finance Versus a non chain finance. Okay? And if you look at those two diagrams comparing those two things, I mean, the difference is mind blowing and is somehow, I would say, an executive summary of everything we are discussing. So in the blockchain world, okay, you have identities. Of the people making the transaction, which are hidden, but then the transaction is totally public. Okay. In traditional finance, stratified transaction, identities, transaction, third party, so the banks, counterparty in the transaction are all hidden from the public. So the Chinese role is placed totally differently. In the decentralized ledger, uh, technologies that we call a blockchain. And, and that's really important because that makes a hell of a difference. So you have access to all those transactions. So you need to keep identity hidden. That's why, by the way, millions of billions of dollars are still with Satoshi Nakamoto. We know that they are with him, but we have no clue who this guy is. So at least we can say that he was very consistent. With his own diagram in his white paper. So that's, that's really setting everything in the future. That's a paradigm that is setting everything when we speak about blockchain. So big banks, so I can, sorry about that, Sandeep, I need to mention another bank that I know. They made, they made recently, UBS has made recently and they have published that. So it's all public knowledge. They have made at scale transaction model. Uh, with digital currency between, uh, customers of their, okay, cross border transaction. And they have done all that on the serial. So on the public chain, that's one model, but I know another very, very large custody. Okay. Who is doing in New York city? You will guess whom I'm speaking about and they are doing a lot of things. So they are moving into permission blockchain, which is. Within the perimeters of the bank, having one blockchain, okay, which enables them to have some centralized means to manage, to orchestrate and manage security. So what I'm trying to tell you here is that the, I would say the outset is totally different between classical perimeter security that Sandeep and myself know very well, the blockchain world, you have different models. And the smart contract, I am not ignoring your question about the smart contract audit. So smart contract audit is a big thing because smart contract audit sitting on top of a blockchain enable everything else. They enable all those DeFi. They enable those automated market maker. They enable those decentralized exchange, all those things that people in crypto love and use at scale. And, and those guys have all the benefit and the drawbacks of sitting on a public blockchain with exactly, uh, the conditions I was referring to, which are so well described in the Satoshi Nakamoto's white paper. So it's, it's really a total, totally different paradigm on top of the fact that I was mentioning in the beginning that if you have a breach, your money is gone, just like that. Again, not the same in the

classical perimeter. Yep. Mike, did you have anything on that? I know that you're obviously minds in cyber.

Yeah, no, I think it's, um, it's interesting. I think there's nothing specific. I mean, um, but when I think about trying to, you know, thinking about our audience and trying to bring it to their level, are there, like, what are some of the things that are Like when we look ahead and that's really going to have impact on say the public and others like how, you know, we talk about this, but you don't, it's just not, I don't feel like everybody feels it just yet, um, what's happening with blockchain and the rest of it. And so, yeah, yeah, right.

You know what I mean? But you know, to this point, if I may, I don't know if you saw the news today, but there was a nature, which is a scientific. Publications, they really, so Google released, uh, their new, uh, paper about their quantum computing. And they claim that in 2030, they will be able to release a commercial computer for 1 billion. So cheap price, so 10 times cheaper than what it is today. And it will have 1, 000, 000 qubits, okay? And guess what? It seems that qubits is exactly the computing capacity you need to break the code of the hashing function SHA 256. That is used, for instance, on the Bitcoin protocol. Okay, so that's very concrete, the statement I'm making here. So, so even for the blockchain world, we have to think in the time frame of six years about a post quantum security. And I know that in the classical perimeter world, everybody's thinking about that. But when, once we can break that code, okay, it means that you can unfold A chain, okay, a Bitcoin or a fork of Bitcoin, and you can, uh, undo all the transactions potentially. So, uh, so there are big problems which are valid for the two side, flip side of the coin. So the coin, the side which is Web 2 security and the coin Web 3 security. For smart contract audit, what we do is really to, to make code assessment. So we assess the code dynamically in the environment where you deploy the code, but we assess it also statically line by line. And we more importantly, we assess the business logic because the business logic is the key. Because, you know, a smart contract, it use connection to the outside world, and that's what Sandeep was mentioning before, to trigger some events. For instance, to trigger an exchange of an Ether for a Bitcoin, okay? And if you can manipulate, Those oracles, which are the name of those trigger from the outside world on the chain, you can have devastating impact on, uh, I would say, uh, the integrity of your smart contract. So those things we do, we redo those analyses on the technical level. And as well as on the business level of the smart contract.

Yeah, it's, it seems like we're going to have to run a follow up episode in 2030 here, uh, when quantum is a little bit more readily available. And that sounds terrifying. I mean, once you have quantum, you're going to have lots

of problems with, uh, back splitting encryption and, and going, being able to go back in time and, uh, decrypt a whole bunch of stuff. It's almost going back on time, you know, in time. You're right. Right. Yeah. Yeah. Right. I mean, that's the biggest concern is that notion of security for the future, not just, uh, not just, um, not just securing transactions today, but knowing that they're going to stay, um, uh, secure years.

Yeah. Sunday is back.

Yep.

Yeah, Sandeep. Uh, I got a quick, quick question for you going back into more of the, you know, kind of traditional, um, IT environment here. So, you know, we talked a little bit about AI machine learning. Um, and you know, how, you know, how is that going to play into the future of IT security for banks? I'd love to hear your Your thoughts on this, particularly in areas of like risk assessment and threat detection, you know, what, what are some of these strategies that you all are, you know, taking on at BMP, for example, to kind of, to, you know, to combat some of these areas within these specific areas. Parts of security within like risk assessment, threat detection.

Sure, sure. And then your question is more specific to risk assessment and threat detection on traditional or, or you're referring to blockchain or this is in general question In tradition. In traditional. In traditional. In traditional, yeah. Yeah, yeah. So I think there is a formative, uh, impact of ai, uh, specifically on how we look at, uh, risk assessments because, uh, if, if, if you look at. The job of any cyber or risk, uh, I would say executive or a practitioner, uh, it is essentially understanding how policy or regulations apply to our job. And then based on that, right, a set of controls and then using those set of controls, either rewrite those controls to make sure that they're aligned with policy and regulations. Or then use these controls to perform risk assessment and all of these actually can be done by AI seamlessly and it doesn't involve any personal or confidential data because it's all related to ICT systems. So, so what we have with AI and particularly AI for cyber security is opportunity to industrialize risk assessments completely. Because risk assessments are ICT is a system specific, they do not contain personal information. They do not contain any confidential information. And when I say risk assessments, there can be different types of risk assessments. Can be a third party risk assessments, can be a merger and acquisition due diligence, can be a counterparty assessments. So I think AI is going to have a formative impact on risk assessment in general as to how they are conducted and executed. And that would also mean, because large. Percentage of staff in house also in consultancy world is actually used for these assessments, which, which would then significantly change in next three years or so as to how it is done. Uh, and I think threat detection is a very interesting area. Um, and, and the spotlight is changing very fast because traditionally we were looking at, uh, looking at zero day vulnerabilities, uh, for, for, for an example, and now you're looking at. How does geopolitical tension change? What kind of new vulnerability is exploited? Because then you're looking at nation state actors having a much advanced tools to exploit a zero day that was not on your radar before. So, so geopolitical tensions come into play. The new one, which we, I'm sure it has been talked about is deepfakes, narrative intelligence, and that is the new thing is the speed at which the attackers are able to create synthetic IDs or fake IDs, and then they use it to launch different types of scam. Is also becoming an interesting attack vector. So how do you go around detecting these threads, which is like a brave new world? And then specifically, uh, a nation state in case of a geopolitical conflict, the kind of tools they have as a private corporation, you are never going to match that tool and, you know, the armory in a way. So it makes threat detection very, very interesting topic. And, and what, what I've seen in last one year or so, there is more and more, I would say. Technologies or startups coming to play in this space to help large organizations cope up with cope up with these, you know, threat detection capabilities, because this is a new kind of attack vector, which, which has not been tackled before. And. It has also the supply chain implications, which has not been very well thought through, to be honest, is, uh, what happens in the case of a geopolitical, uh, event, how many of my suppliers are based in that conflict zone, or how many of my suppliers, critical suppliers are based in that conflict zone, because then it is going to have an indirect impact on us running our operations. And if that is not enough. A supplier can be my customer as well. So then I'm not, I'm not talking about liquidity risk. If I look, if I look at a very large I. T. services company without taking name, one of the top 10 I. T. services companies and all of a sudden they're at crossroads in Asia Pacific in some conflict zone. And they are my investment banking customer. So it's now I have a double whammy. One, our operations are going to get impacted. Second, I'm dealing with liquidity risk as a result of, you know, that customers or investment in that customer is getting, you know, written off. So I think geopolitical triggers and the impact on supply chain are bringing some really new realities.

I mean, I think the, the dependency, I think, uh, Jacques was talking about earlier too, about how all these systems now, like everything depends on everything, right? Like when I started in my world, I, I had very little third party code that would get included in our product. We just built everything in house and whether we're secure or not is another thing. Um, But, um, as we've gotten bigger, like we have more and more dependencies. And I think that the risk in that, especially in open source products and projects, and think about, um, one of the areas, you know, vulnerabilities and dependencies is one thing. And there's lots of stuff out there to look for the alerts and things to manage that, but even the, the, the people who contribute to those projects, and there have been cases of people taking over open source projects and. Bad actors taking over open source projects and being able to insert things in and I think that has like these very big implications when you start talking about how now our financial services are moving towards things like blockchain, like all of these dependencies and it can all come down to some crappy JavaScript library that nobody should have included and it has this huge, it has this potential and rippling impact throughout the entire world. Like ecosystem and, you know, some type of stuff that I think where AI and other things, that's the only way we're going to be able to deal with it at any layer level of scales. There's just so much. And I'm, I'm just sort of curious what you're seeing in that space or, um, um, if you're seeing, you know, any companies trying to tackle some of that stuff, um, sort of in that vulnerability, uh, in that dependency management side. Either. It's for anyone who wants to answer. Sorry, it was very long.

No, I know. I completely agree. I completely agree that this is like one of the biggest areas because with AI based coding and the dependency on open source components in releasing your core product. Means you really don't know which nation set actor build that library that you are so fond of and that is now integrated in your mainstream, you know, production delivery. So, so I've, I've also seen that as a focus area in terms of hunting down, making sure every like, you know, the, the bill of material and making sure that you know where that particular component is coming from.

Jacques, as far as, um, you know, some of the things that Sandeep touched on in terms of the traditional, you know, IT security environments, uh, are you seeing similar trends, uh, when we think, you know, carry this over into more of the blockchain security environments? Or, you know, anything else that you're, that's on your mind right now, when we're looking ahead on what innovations you're foreseeing playing a pivotal role in, in blockchain.

So because of the nature of blockchain and because of the speed, the ability of the money to vanish so quickly on the blockchain, we don't have all, I would say this infrastructure of cyber security is that classical perimeter which is. In many cases articulated around the security operation center, SOC, they are deployed on the server endpoint, an endpoint protection platform, and then they have what we call a security incident. And event management system, which is correlating and, uh, you know, uh, collecting all those logs and creating out of the logs, which is like a white noise creating in understanding patterns. Okay. And that's where, by the way, uh, AI is playing more and more a big role because next generation security is CM as we call it. are really totally integrated with, uh, with AI capabilities. So, so AI is playing at the same time the offense and the defense, which is, thanks God. So it's part of the armor as well as part of the missile trying to penetrate the armor. But, Now, what we need to do and what we are doing in blockchain is to think about some of those models in classical while taking into account the very short response time we have. So we cannot really do a proper managed detection and response, okay, which is really the big, the big world in the classical cyber defense, classical perimeter. But we are, we are coming with some tools for, for instance. So it's something that I'm sure Sandeep knows very well called CVSS, which is Common Vulnerability Scoring System, okay, to assess a system. So at Albon we have developed a BVSS, Blockchain Vulnerability Scoring System, which is also based on exploit. easy to exploit and impact what kind of impact you have, but also if you can reverse back or if you cannot reverse back. So we have, we have developed a system around that. We have also developed another system which goes into what I call policy enforcement. So in banks, Being able to enforce your policy across your IT system is very crucial. So we have, uh, we have developed a smart contract which sit on top of other smart contract in which enable you to make transaction simulation. So you can make, like in the sandbox, in fact, you can, but on real, on the blockchain, on the productive environment, the main chain, if you, if you wish. You can really simulate transaction and you can also impose, uh, policies. So it's a policy enforcement tool. And last but not least, it's a breach prevention tool. So it's some level of centralization and now it becomes interesting. It's some level of centralization in some things that should be, you know, a kind of insurgent model, which is a decentralized ledger, uh, uh, technology. So we, we are adding those components. To make the blockchain more and more, I would say, compatible with some centralized component of classical perimeters and more importantly, with a heavy regulated and compliant IT of a bank. So those are some of the key initiatives we take. Does that make

sense? Yeah, it does. Actually, it's funny because the um, I've filled out my fair share of security questionnaires um, from banks and it is always interesting the questions that they ask and how, how it's clear that these are, these questionnaires that are, these assessments are really built on this traditional model of how we've deployed software in the past. And I'm sure that there's impacts in, you know, how we're doing, how they're working internally and all the different changes like. What does it mean? You know, what's, you know, if you're running in a serverless architecture, what do you, you know, how does, how do I even answer some of these questions? Because they don't make sense. Um, you know, I mean, like, they're just, and I know what they're asking, but like, wait, I want to, can I just get on the phone with someone and explain what architecture is? And then they'll, they'll say like, oh, yeah, this whole set of questions is irrelevant to you. Um, but yeah. Um, and it's interesting to see the banks. I imagine it's even more of a struggle internally, right? Like, I'm just an external vendor trying to sell in and I can, you know, and I'm just throwing out these things. But I imagine internally, there's a lot more that's going on on those assessments and trying to figure out what does security mean within when you're talking about people who are used to a more traditional model and then trying to adopt or, you

If I may, I have an anecdote, in fact, in fact, uh, Albon developed that centralized, um, uh, smart contract system to, to make this policy enforcement two years ago, and they tried to sell it to DeFi. Decentralized finance. No chance, excuse my English, no F chance to sell that or defy. Okay. So when I joined, I said, Oh, look at that thing. This is, this is fascinating. Some components of centralized management, again, police enforcement. Banks should be interested. And banks starting with permissioned blockchain, for instance. And guess what? That's exactly the corner which is showing interest into that. So in this kind of a wild west of distributed nodes and decentralized ledger, for banks to bring some kind of central control, and I'm also curious to hear Sandeep on that, by the way, was all of a sudden, uh, was raising some appetite for that and we are having multiple conversations on that currently.

Sande, we'd love to hear your thoughts on that. Sounds like Jack has a personal request.

Sure. So I, no, I think I, I, I, I completely agree. If, if you, if you look at, for example, uh, the, the comparisons what, what Jack has given, um, and I can, I can start with like the, the layman analogy is. In financial services, you have Moody's and standards and poor's to give you a rating of, you know, how good a financial institution it's then. You move a little bit towards cyber and IT, and then you have bit sites and security scorecards who are essentially trying to do the health and hygiene check and tell you, oh, okay, from a health and hygiene perspective, this is what your score looks like. And I think that missing piece of puzzle, which Jack probably has, you know, put a spotlight on, is What is your security rating or maturity rating for blockchain adoption looks like? And then, and I think, uh, where Halbon has come up with that approach makes a lot of sense. Because, uh, uh, even though we may all agree on the basic health and hygiene, unless you create a scale, people don't know what to match up against. So it's very important that someone goes there and says, this is what the health and hygiene indicator scale looks like me in relative to this scale. Where are you? So I think it does help. And, and it, it helps on the security side, but it also helps on, uh, you know, uh, what again, uh, Jack tried to focus on is what we call again, in terms of our terminology is the risk metrics coming from blockchain, because one of the reasons you're trying to do a blockchain adoption. And if you look at the history of financial services industry, why is blockchain so attractive? The blockchain is so attractive because it gives you the data and metadata by means of smart contracts, where you can do risk analytics much more efficiently. And then when I say risk analytics. In the distant future, not today, but three to five years down the line, if you have your real world assets tokenized, your bonds tokenized, your mortgages tokenized, imagine able to do stress testing in one click. If you, if you ever try to figure out how many people are needed in a bank to do stress testing and be compliant with those financial regulations, you'll be amazed, you'll be amazed and the infrastructure required to do that because, because you have to have all these data from disparate sources. And then do that liquidity stress test or against different economic scenarios as to, you know, in a nuclear event, what's going to happen, are we going to survive as a bank? And now blockchain opens a completely new door because you know what? You don't have to struggle to get the data from 10 different sources to tell you how much liquidity position perspective. Blockchain makes it way more easier. So I think. The, the reason we are in a lot of excitement about blockchain, we need to understand it very clearly. One is payments because it removes intermediaries and it makes so much easier to do it securely without having intermediaries in between. That is the reason why we see so many payments, you know, uh, pilots going on. tokenization. You know why? Because fractionalization, you can fractionalize assets, you can bring more participants in, you can open it to more broader part of the society, which was not the case before. So that makes it more easier. The third is that the smart contracts, because It takes three to five days, maybe more going between different teams, including legal, by the way, every time you make certain changes in, you know, in, in, in your, your, uh, your interest rates or anything else. And with smart contracts is on the fly, you can make those policy changes much more faster. So I think https: otter. ai Make blockchain like really stand out, uh, in terms of, you know, how, where the adoption is going. So, so I, I, I couldn't agree more with Jack in terms of, you know, the health and hygiene indicators. The, the, the ability to enforce policies, which is very, very important from a financial institution perspective, because then you're able to establish certain baseline and rules, and then you're a little bit confident that you know what, at least there is no deviation from this baseline behavior and the infrastructure is running at a certain maturity level that I expect it to run. So it does make a lot of sense to me.

I think it's a great kind of stopping point, kind of put a, put a bow on it here. It's also reinforces why I love this format because I, you know, I think hearing that from your perspective, Sandeep, and then Jack, having you kind of, you know, speak to it, you know, firsthand on some of the work that you're doing in real time, I think it's, it's great to kind of hear it from both sides and, um, you know, Sandeep, I think that last little segment there, I was It's just helpful to, to process it and, and make it a little bit easier for everyone to kind of understand when it's going from, you know, those more traditional environments. Um, and so, um, yeah, kudos to you guys for, for, you know, being a great one, two team there to, to help bring this conversation to light. Um, you know, we, uh, we definitely want to, you know, wrap things up with our, our final segment here. It's a, it's a fun segment called the Five Second Scramble. Uh, we're going to just spitball a couple of rapid fire questions. Try to give your answers within five seconds if you can. And, uh, some will be business, some personal, um, Mike, why don't you lead us off with Sandeep and then I'll get to Jack.

Sounds good. All right. Uh, you ready? Uh, what's the most important skill you look for in a new hire?

Attitude. Attitude. I, I, I, I look for that individual's attitude to things. Okay. And then how, how they essentially handle situations. Yeah.

Uh, what's the best piece of advice you've ever been given?

There is no meeting that cannot be rescheduled. So focus on your well being. So your well being, your well being takes priority over a lot of things in life. So there is, there is no meeting. There is no appointment that cannot be rescheduled.

Yeah, well said. Uh, what's the biggest misconception about working in traditional banking? In it, in i, in traditional banking,

the level of maturity, uh, uh, uh, the, the, unless you come in, uh, uh, from outside it looks really, really glorious. Uh, but, but then when, when you, when you go inside, uh, uh, uh, the, the, the scale, the scale of eight is like, yeah, it's, uh, like I, and, and then trust me. This will come from anyone who is actually working in a large international bank. So, so, but again, I think, uh, on that topic, if you ever watched Barack Obama's interview, uh, he said it really nicely. He said, I've met world leaders and then there are no more than ordinary people and making the same mistakes anyone else would make. So, so, uh, so I would say large corporations are no different. It's the same people dynamics that you would find anywhere else in the world. Cool. I like it.

Uh, what's your favorite part of the company culture at BNP?

We're very people centric. We take care of people. We look after people. I really like that. And you will not find actually anyone living BNP Paribas. If you ever go on LinkedIn, you'll find that people stay with the bank for 20 30 years. I'm probably the least experienced person in BNP as of today because everyone else at my level has been there for 30 years.

Aside from AI and blockchain, What is an emerging technology that you're excited about?

Uh, uh, artificial intelligence.

Now, aside from AI and blockchain, those are

too easy. Oh, except for, so, uh, uh, I would say the next one in my list would be quantum for sure. Very, very much excited about quantum. And, uh, I think, uh, people are going to miss, uh, the tipping point on quantum as well. Because they didn't see a chat GPT coming in 2022 and then we will have similar moment with quantum where people think that, oh, it's 10 years away and boom, and the tipping point comes faster than you think. And then you're not prepared for it.

Totally agree. I think. Yep. I'll save that for a different day. Um, what's the most outdated piece of technology you can't let go of

my iPod. Yep. I still have it, uh, 160TBs with all songs. I love it. And, and I somehow I can't let it go because it, yeah, because you know, you can't be disturbed when I have that iPod and music on. Uh, there is no disturbance actually, and it's so easy to flip around and change the music and everything else. It feels so much better, actually.

That's smart. That's awesome. Um, what's something you did as a kid that you still enjoy doing?

I've been like a big networking guy all, all my life. I always wanted to connect with people, make friends, socialize. And I, I do this even today. I, even though I'm in managing director in a bank, I make it a point to at least Meet five to 10 new people every week. So, so, uh, does, does keep on top of technology and what's going on. So, yes, I, I am a prolific networker and, and that, that's the habit that stayed with me. Since I was a kid.

That's cool. Um, what's a charity or corporate philanthropy that's near and dear to you?

This is an interesting one, but which is something we do in the UK every year. We do Whitehead Ball first last week of January every year to raise money for NSPCC. Uh, which runs child child line, uh, which is essentially, uh, a telephone line to help children's in distress. So we do this every year. I've been going to Whitehead Ball probably six, seven years for now. Uh, it's a, it's an excellent charitable initiative. Roughly 800 professionals attend it every year. I think if I'm not wrong, we raise roughly like a million plus every year for the charity. Yeah.

Nice. Uh, if you could live in any fictional universe,

which would you

choose?

Oh, Marvel. A hundred percent.

I assume as a superhero, not just as a regular person who's just getting murdered. Um, and what's something that you still enjoy doing, but are really bad at?

That's a good one. That's a good one. Cooking, cooking. So, uh, yeah.

Nice. Alright. That wraps it up. Nice. Alright, uh, Jacques, let's get over to you. Let's kick it off with, you know, give us the quick pitch of how you describe Halborn.

Oh, Halborn, we are a cyber security company committed to enable the next digital transformation in financial services in a secure way, thanks to our knowledge of blockchain technology and the surrounding web to constraints and dependencies.

What's your favorite part about the culture at Alborn?

Uh, it's proof of work culture, meaning that people needs to demonstrate what they can do, uh, be engineers or other people. That's one thing. And the other thing is that we, we are totally a decentralized company. So we are following the lead of our blockchain focus.

Excellent. What, what kind of technologists would you say thrives at Alborn?

Oh, zoom teams, all those things, since we are totally decentralized, that's the way we work together. No, no other option.

Somebody who cannot, uh, operate virtually. It sounds like, um, what kind of. Tech roles are you hiring for at Halborn?

We are hiring engineers. So, um, level one, level two, level three engineers, uh, focused on the blockchain technology, but we are also hiring cyber security cloud specialists. And that's exactly what I was saying in the beginning because we are able to combine the two things, which is the only answer for big banks like BNP, by the way, because they really want to speak with somebody who can both. I'm just on classical preliminators and the new distributed ledger technology.

Very cool. What would you say is the biggest challenge that's you, you all will be facing as a business in 2025?

Uh, so we, we are essentially a professional services company. So what we do are services. We deliver services. So recruiting talent is always very high on our scorecard.

Aside from AI, blockchain, and quantum. What's an emerging technology that you're most excited to see?

Okay. Maybe sometimes nuclear fusion.

We just raised the bar. I love it. I love it. Dates

to TBD. Dates TBD. Well, it has been emerging for 70

years. So, I mean, once we have the AI and quantum, I think that we'll be able to figure it out. Like we'll just have general, general, but

you still have some physical limitations that even AI cannot overcome.

That's true. Uh, quickly describe your morning routine.

Oh, uh, I wake up early, I do sports, uh, and then I am always coming back to work. I am not taking breakfast, just a tea.

All right. What is your favorite app on your phone?

My favorite app on my phone. What's up?

Nice. What's a charity or a corporate philanthropy that's near and dear to you?

Okay. We don't do corporate philanthropy. I do personal philanthropy for the people in Ukraine.

Very nice. If you could have dinner with any tech icon, past or present, who would it be with?

Ha! Um, Richard Feynman. He was a guy, he was a physicist back in the day, who really thought about the quantum computing. He was really the guy at the very root of everything. And he was a true genius. And very funny guy. So on top of that, it would not be boring. We cannot say that of all the tech tycoons that we know nowaday.

Mike, you lit up, you know, this guy, I know that guy.

Yeah. There's some great videos. Yeah. Whatever.

He was in the movie. Hymer, by the way, he had, he was playing as a plane. The character, the character in Oppenheimer, yeah.

Oh, okay. Uh, all right, a couple more here and then we'll wrap it up. Uh, what is the worst fashion trend that you ever followed?

That I did follow, okay, moustache.

You know, it depends on who you ask, but that's sometimes coming back as a great fashion trend.

Right, right. That's why I was getting that. It's a provocative provocation, right? All right.

Yeah. It's a safe, safe answer. Uh, alright. What was your dream job as a kid?

Uh, dream job as a kid. Uh, pillar of a jet fighter. Cool. But then, then that came very similar. Forget it. Yep. Forget it.

Yeah. Uh, awesome. All right, well that is a wrap. I wanted to thank you both so much for joining us and you, you've been fantastic guests and sharing your insights on this. Obviously critical topic that, uh, is cyber security and banking and, uh, appreciate your time. And yeah, thanks for joining us on the pod. It

was awesome. Thank you so much, Sandy. Nice meeting you. Thank you guys. Thank you. Thank you.